August 3, 2020

What is the Insurance Model Law?

Many states have taken the North American Insurance Council (NAIC) Data Security Model law as the basis for crafting legislation to better define how the insurance industry within their state needs to protect
resident’s privacy. The purpose and intent of the legislation is to establish standards for data security and investigation of any events as well as notification to the State Insurance Commissioner of a cybersecurity event applicable to licensees. The law applies to insurers, insurance agents and other entities licensed by
the state department of insurance.

This legislation calls for a security program addressing a broad range of areas including the following condensed list:

•  Organizational structure and leadership of security
•  Data identification
• Risk management
• IT threats and vulnerabilities management
• Device management
• Access controls including staff and 3^rd party access to sensitive data
• Security monitoring and detection
• Incident response plan and program
• Staff training and awareness
• Encryption
• Backup and recovery
• Secure development for in house developed applications or testing for acquired applications

Although each state is implementing the legislation in their own timetable, the tri-state area of Ohio, Michigan and Indiana have all passed legislation. Each state has defined their own date by which licensees will need to comply with the legislation. 

Who does it apply to?

The legislation applies to licensee’s who hold a certificate of authority under the state’s Insurance Act. Small organizations of less than 25 employees are exempt from section 555 of the Michigan law.

What do I need to do to comply?

To comply with the act a business is required to have in place a robust cybersecurity program designed to protect the non-public information the business may handle. If unauthorized access is obtained, the cybersecurity program should be able to detect and respond in a structured and planned way.

For breaches impacting residents of the particular State, the business is required to notify the Director/ Commissioner/ Superintendent within the stipulated time.

Detail for licensees active in the Michigan insurance industry

Michigan legislature passed HB-6491 on December 19, 2018. This chapter imposed a timeframe for compliance as defined in the table below:

What does this mean to my company?

Basic steps required for compliance include:

• File an initial written report to the Organization’s Board of Directors or Executive Level Team to ensure the status of the security program and the ability to maintain compliance with the chapter of the act. Retain reports and compliance evidence for a minimum of five years.
• By February 15^th of each year, submit a report to the State of Michigan Insurance Director certifying compliance with the requirements of the chapter of the act. Retain evidence supporting this certification for a minimum of five years.
• Retain evidence supporting this certification for a minimum of 5 years.

If more than 250 consumers residing in Michigan are involved:

• Within 10 days of determining that a cyber event involving nonpublic data has occurred, notify the State Insurance Director.
• Provide updates to the State Insurance Director as more data relating to the incident becomes available.
  • Depending upon the number of affect clients, you may also be required to communicate with the clients impacted.
• Maintain all data related to an investigation for five years from the date of the event.
• The same obligation applies to businesses who have a 3^rd party vendor performing services and the 3^rd party vendor experiences a data breach.
• If the business must meet HIPAA reporting requirements, then complying with those requirements automatically makes the business compliant with the new Michigan insurance law requirements.

Dewpoint is here to help you meet the new standards. Contact us today for assistance or
to evaluate your current security program.