In 2018, then-Governor Rick Snyder of Michigan signed House Bill 6406 (Public Act 649 of 2018) into law. The act exempts entities regulated by the state insurance code from Michigan's Identity Theft Protection Act. It took effect on January 20, 2020.

Overview of Michigan House Bill 6406

Michigan HB 6406 amends Michigan’s Identity Theft Protection Act (Public Act 452 of 2004).

Signed: December 28, 2018
Effective: January 20, 2020
Read the full text of HB 6406 here.

Alignment with previously identified trends in changing data breach laws:

This law fits a trend identified in the RadarFirst 2020 regulatory trends ebook, published this month: states are adopting insurance data security laws modeled on the Insurance Data Security Model Law of the National Association of Insurance Commissioners (NAIC).

On the same day he signed HB 6406, Governor Snyder also signed House Bill 6491. That law, with a compliance date of January 20, 2021, amends the insurance code so that entities licensed by the Michigan Department of Insurance and Financial Services are subject to data security and breach notification requirements distinct from those that apply to other industries. Those requirements are based on the NAIC Model Law. Michigan is the third state to adopt it, after South Carolina and Ohio.

What Does This Mean for Privacy Professionals?

Under the NAIC Model Law, insurers and other entities licensed by a state department of insurance are required to:

  • Implement an information security program based on an internal risk assessment. The model law requires security measures to be implemented "based on careful, ongoing risk assessment for internal and external threats."
  • Investigate any "cybersecurity event" and notify the state insurance commissioner of it (the model law sets a 72-hour deadline from the determination that an event has occurred; adopting states may set their own deadline).

Complying with these requirements means assessing every incident promptly, so that you can determine its cause, act to mitigate the risk, and gather the facts needed for an accurate notification to the state insurance commissioner. Because the notification trigger and timeline for insurance licensees now differ from those of the general breach notification statute, this industry-specific carveout adds to the growing complexity of breach notification compliance.

Additional Resources: