Michigan Next State to Adopt Insurance Data Security Model Law
Michigan is poised to become the next state to adopt a data security law similar to the Insurance Data Security Model Law (Model Law) advocated by the National Association of Insurance Commissioners (NAIC).
Michigan House Bill 6491, passed by the Michigan House during Michigan’s 99th Legislative Session on December 6, 2018, and passed by the Michigan Senate on December 19, 2018, was presented to its then-Governor Rick Snyder on December 27, 2018.
With this law, Michigan will join South Carolina, the first state to ratify a bill based on the NAIC Model Law, as a leader in adoption of the Model Law. Rhode Island has a similar bill pending in its legislature. Sponsored in part due to an increase in cyber-attacks which economically impact both the private and public sectors, HB6491 tightens cybersecurity regulations for insurers and increases consumer identity theft protections.
Last year, the NAIC approved the Insurance Data Security Model Law with the intent that it be adopted by states in order to comply with the New York State Department of Financial Services Cyber Security Regulations for Financial Services Companies (NYDFS Cybersecurity Regulation), 23 NYCRR 500, which was enacted in March 2017. The NAIC Model Law outlines a framework of generally accepted best practices in information security, as well as a legal framework for requiring insurance companies to implement such programs.
Over 20 states currently require businesses to maintain information security programs (or, information security mandates), similar to that recommended by the NAIC Model Law and required by the NYDFS Cybersecurity Regulation. The NAIC Model Law outlines component parts of a risk-based information security program, and requires certain oversight of the program, including oversight of third-party vendors. It also requires a written incident response plan, an annual certification of compliance, and certain investigative measures and documentation in response to cybersecurity events, as well as certain consumer and regulatory notification obligations.
The U.S. Treasury Department has also endorsed the model and recommended that Congress pass such a law if states do not implement uniform date breach notification requirements within the next five years.
While all 50 states have adopted data breach notification statutes, most states have yet to adopt a cyber security model law for the insurance industry like the one approved by the NAIC in 2017. It appears, however, that similar bills will be forthcoming and will supplement the information security mandates currently existing in many states.