New Data Security Requirements for Michigan-Based Insurance Licensees – The National Law Review

Thursday, February 18, 2021

Under new rules put forth by the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law and adopted by the Michigan legislature in 2018, Michigan-based insurance licensees are now subject to additional requirements relating to data security as of Jan. 20, 2021. The new rules are codified as chapter 5A of the Insurance Code (the “Act”) and focus on regulating “licensees,” which are defined as “any licensed insurer or producer required by DIFS to hold a certificate of authority, such as life & health, property & casualty, surplus lines, fraternal, and title insurers.” 

The portions of the Act that became effective on January 20 include terms requiring licensees:

  • with 25 or more employees to develop, implement, and maintain a comprehensive written information security program (WISP) that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system, in addition to a written incident response plan; and
  • to contractually bind their third-party service providers to implement appropriate measures to protect and secure the information systems and nonpublic information they can access or hold.

Notably, many of these requirements are similar to those of the federal Gramm-Leach-Bliley Act (GLBA)’s Safeguards Rule, which also imposes data privacy-related obligations on “financial institutions,” including insurance agencies.

Unlike the GLBA, however, the Act also contains specific data breach notification requirements. Although Michigan’s general data breach notification law expressly exempts entities subject to or regulated by the Michigan Insurance Code, under the Act’s recently effective terms licensees of any size – even those having fewer than 25 employees – must notify the director of the Department of Insurance and Financial Services (DIFS) within 10 days after a determination of a cybersecurity event is made. In its notification to DIFS, the licensee must include a copy of its privacy policy, a summary of the event, and a statement regarding whether the event resulted from a lapse in its controls and procedures.

If the event is likely to cause substantial loss or injury, or result in identity theft, to one or more Michigan residents, the licensee must provide notice to each resident whose personal information was accessed without authorization. Non-Michigan licensees are only required to notify DIFS of a security breach if 250 Michigan residents are impacted; for Michigan licensees, there is no such threshold.

What this means for you:

  • If you are a licensee with 25 or more employees, you are required to have a WISP in place.
  • If you are a licensee with 25 or more employees, you are required to have contractual terms in place that require third-party service providers to implement security measures to protect the data that you share with them.
  • If you are a licensee of any size and you experience a data breach of any size, you must provide DIFS with a detailed notification, including whether your controls and procedures contributed to the security event.


© 2020 Varnum LLP
National Law Review, Volume XI, Number 49


John J. Rolecki Litigation Attorney Varnum Grand Rapids, MI

John represents clients in various types of complex commercial litigation and provides counsel on matters including regulatory compliance, licensing and insurance coverage. He has successfully represented clients in a range of litigation including contractual and supply chain disputes, unfair competition, creditors’ rights, securities disputes and administrative actions. John’s background in complex matters includes bringing cases to summary judgment, trial and courts of appeal in state and federal courts throughout the country.

Practice Areas

  • Insurance

Charumati Ganesh Data Privacy Attorney Varnum

Charu holds a CIPP/US certification and focuses her legal practice on Data Privacy and Cybersecurity. Charu represents clients in a number of industries, including autonomous and connected vehicles and the consumer data marketplace. Charu is able to skillfully navigate the intricacies of the rapidly-evolving data privacy and cybersecurity regulatory landscape and help her clients develop policies and procedures that comply with both international and domestic privacy laws.

Charu has represented clients in the insurance, manufacturing and agricultural industries through regulatory…
