Michigan Insurance Data Security Law

The Michigan Insurance Data Security Law added Chapter 5A, MCL 500.550 to 500.565, to the Insurance Code of 1956. Effective January 20, 2021, the law established new data security requirements for licensed insurers and producers. Please see our FAQ for answers to frequently asked questions.

Reporting a Cybersecurity Event

All licensees are required to notify the Director as promptly as possible, but not later than 10 business days, after determining a cybersecurity event occurred involving nonpublic information. Licensees should utilize form FIS 2359: Notice of Cybersecurity Event. Please note that licensees have a continuing obligation to update and supplement this form regarding material changes to information previously provided relating to the cybersecurity event. Submission of the form and supplemental information should be submitted to DIFS-Cybersecurityforms@Michigan.gov.

All documents, materials, or other information that is provided to or requested by DIFS related to the Notice of Cybersecurity Event is confidential by law pursuant to MCL 500.563.

Insurer Certification

Due February 15 of each year (beginning February 15, 2022): Pursuant to MCL 500.555(9), each licensee that is an insurer domiciled in Michigan shall submit to the Director a written statement certifying that the insurer is in compliance with the requirements under MCL 500.555 unless an exception applies to the insurer. For certification, an insurer domiciled in Michigan should utilize FIS 2360 Information Security Program Annual Certification. If an exception applies, an insurer domiciled in Michigan should utilize Form FIS 2378 Domestic Insurer Exemption Certification. Each licensee that is an insurer domiciled in Michigan MUST submit either the FIS 2360 or FIS 2378 annually. The completed applicable form may be submitted electronically to DIFS-Cybersecurityforms@Michigan.gov.

Exceptions to the Information Security Program and Risk Assessment

Under MCL 500.565, certain licensees are exempt from developing, implementing, and maintaining a comprehensive written information security program as required by MCL 500.555. These licensees must meet one of the following requirements:

• Licensees subject to and in compliance with HIPAA and HIPAA regulations are not required to comply with MCL 500.555.
• Licensees with less than 25 employees, including independent contractors, are not required to comply with MCL 500.555. However, upon having 25 or more employees, including independent contractors, the licensee must comply within 180 days.
• A licensee’s employee, agent, representative, or designee, who is also a licensee, is not required to comply with MCL 500.555, as long as the employee, agent, representative, or designee is covered by its licensee’s information security program.

Note: The exceptions listed in MCL 500.565 do not apply to the notification of a cybersecurity breach requirements listed in MCL 500.559 and 500.561.