Michigan Information Security Standards Summary

Mich. Comp. Laws §§ 500.550 et seq.


Subject Entities

Applies to licensed insurers or producers, and to other persons licensed or required to be licensed, authorized, registered, or holding a certificate of authority under the state Insurance Code of 1956.

Security Standard

Licensees must maintain a comprehensive written information security program that contains administrative, physical, and technical safeguards for the protection of nonpublic information, commensurate with:

  • The size and complexity of the licensee;
  • The nature and scope of the subject entity’s activities; and
  • The sensitivity of the nonpublic information used or in the subject entity’s possession, custody, or control.

Types of Data Covered

Electronic data; paper and other non-electronic data are also covered when the nonpublic information concerns medical or health information.

Definitions

“Consumer” means a resident whose nonpublic information is in the subject entity’s possession, custody, or control.

“Cybersecurity event” means an event resulting in unauthorized access to, or the disruption or misuse of, an information system or nonpublic information stored on an information system.

“Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.

“Nonpublic information” means electronic information that is not publicly available and is any of the following:

  • Information related to the subject entity, the tampering with, or unauthorized disclosure, access, or use of which would cause a material adverse impact to the entity’s business, operations, or security;
  • Any information concerning a consumer that, because of a name, number, personal mark, or other identifier, can be used to identify the consumer, in combination with any one or more of the following data elements:
    • Social Security number;
    • Driver’s license or state identification card number;
    • Financial account or payment card number;
    • Code or password that would permit access to a resident’s financial account; or
    • Biometric records.
  • Any information (except age or gender), in any form or medium, created by or derived from a health care provider or consumer, that can be used to identify a consumer and relates to:
    • The physical, mental, or behavioral health or condition of a consumer or his or her family;
    • The provision of health care to any consumer; or
    • Payment for health care to any consumer.

Methods of Compliance

Comprehensive information security program requirements:

  • Designate one or more employees, affiliates, or outside vendors to be responsible for the comprehensive information security program;
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers;
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards to manage threats, including consideration of threats in each relevant area of the licensee’s operations, including:
    1. Employee training and management;
    2. Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal;
    3. Means for detecting, preventing, and responding to attacks, intrusions, or other security system failures.
  • Assess likelihood and potential damage of identified threats, considering the sensitivity of the nonpublic information;
  • Implement information safeguards to manage identified threats;
  • Annually assess the effectiveness of the safeguards’ key controls, systems, and procedures;
  • Monitor, evaluate, and adjust as appropriate the information security program consistent with any relevant changes in technology, sensitivity of nonpublic information, threats to the information, and changes to the licensee’s business; and
  • Develop an incident response plan to promptly respond to and recover from a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information, the licensee’s information systems, or the continued function of the licensee’s business or operations.

Risk Assessment Requirements:

A subject entity must conduct a risk assessment pursuant to the statute. Based on the results of its risk assessment, a subject entity must:

  • Design its information security program to mitigate identified risks, commensurate with its size and complexity, the nature and scope of its activities (including its use of third-party service providers), and the sensitivity of the nonpublic information used by or in the entity’s possession, custody, or control;
  • Determine which of the following security measures are appropriate and implement them:
    • Placing access controls on information systems, including controls to authenticate and permit access only to authorized individuals, to protect against unauthorized acquisition;
    • Identifying and managing the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with their relative importance to business objectives and the licensee’s risk strategy;
    • Restricting physical access to nonpublic information to authorized individuals only;
    • Adopting secure development practices for in-house developed applications;
    • Adding procedures for evaluating, assessing, or testing the security of externally developed applications;
    • Modifying the information system in accordance with the information security program;
    • Using effective controls such as multi-factor authentication for employees accessing nonpublic information;
    • Regularly testing and monitoring systems and procedures to detect attacks on, or intrusions into, information systems;
    • Developing, implementing, and maintaining procedures for the secure disposal of nonpublic information in any format.
  • Include cybersecurity risks in the licensee’s enterprise risk management process;
  • Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information;
  • Provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.

The statute imposes additional requirements and oversight obligations on a subject entity’s board of directors (where applicable).

Incident Response Plan Requirements:

An incident response plan must include:

  • The internal process for responding to a cybersecurity event;
  • The goals of the incident response plan;
  • The definition of clear roles, responsibilities, and levels of decision-making authority;
  • External and internal communications and information sharing;
  • Identification of requirements to remediate identified weaknesses in information systems and associated controls;
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and
  • The evaluation and revision as necessary of the incident response plan following a cybersecurity event.

Government Notice

A subject licensee must annually submit (no later than February 15) to the Director of Insurance and Financial Services a written statement certifying compliance with the statute. The licensee must retain all documents supporting the certification for five (5) years and make them available for inspection by the Director.

Enforcement

The statute does not create a private right of action.


Last updated: January 2024