Michigan Enacts Insurance Data Security Model Law

Michigan enacted the Michigan Data Security Act on December 28, 2018, imposing stringent cybersecurity measures on any person (individual or corporate) licensed by the Michigan Department of Insurance and Financial Services. Based on the 2017 NAIC data security model law and nearly identical to the South Carolina Insurance Data Security Act, the Michigan statute will require insurance licensees to adopt a number of measures including a comprehensive written information security program (“WISP”), the submission of an annual certification of compliance to the Department of Insurance and Financial Services, and accelerated regulatory reporting to the Department in addition to individual and other notification obligations if a cybersecurity event exceeds certain thresholds.

Although the Michigan statute incorporates several notice and disclosure provisions currently contained in the Michigan ID Theft Prevention Act, in most key respects the law is identical to the South Carolina law, particularly regarding its key definitions, the implementation of a WISP, required security measures, the role of the board, third-party service providers, the incident response plan, and annual certifications and recordkeeping. One notable difference is the regulatory notification clock: Michigan affords licensees 10 business days from the determination that a cybersecurity event has occurred to notify the director of the Department, whereas South Carolina imposes a 72-hour deadline.

The law includes a phased implementation schedule, with all sections except for the WISP and third-party service provider oversight provisions taking effect on January 20, 2021. This includes the breach reporting provisions relating to cybersecurity event investigations, regulatory reporting, and individual notifications for breaches that were discovered or subject to notification after December 31, 2019. Licensees have until January 20, 2022 to implement the provisions regarding the WISP, and until January 20, 2023 to comply with the requirements relating to a licensee’s due diligence and oversight of third-party service providers, including requirements that third-party service providers implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the third-party service provider.