A law passed last December and signed by outgoing Governor Rick Snyder has placed Michigan on the leading edge of insurance data security.

Sean Hoar and Bindu Nair collaborated on this report published in Mondaq:

With this law, Michigan will join South Carolina, the first state to ratify a bill based on the NAIC Model Law, as a leader in adoption of the Model Law. Rhode Island has a similar bill pending in its legislature. Sponsored in part because of an increase in cyber-attacks that economically impact both the private and public sectors, HB6491 tightens cybersecurity regulations for insurers and increases consumer identity theft protections.

Last year, the NAIC approved the Insurance Data Security Model Law with the intent that it be adopted by states in order to comply with the New York State Department of Financial Services Cyber Security Regulations for Financial Services Companies (NYDFS Cybersecurity Regulation), 23 NYCRR 500, which was enacted in March 2017. The NAIC Model Law outlines a framework of generally accepted best practices in information security, as well as a legal framework for requiring insurance companies to implement such programs.

Over 20 states currently require businesses to maintain information security programs (or information security mandates) similar to those recommended by the NAIC Model Law and required by the NYDFS Cybersecurity Regulation. The NAIC Model Law outlines the component parts of a risk-based information security program and requires certain oversight of the program, including oversight of third-party vendors. It also requires a written incident response plan, an annual certification of compliance, and certain investigative measures and documentation in response to cybersecurity events, as well as certain consumer and regulatory notification obligations.