HOUSE BILL NO. 6268
December 10, 2024, Introduced by Reps. McKinney, Grant, McFall and Scott and referred to the
Committee on Insurance and Financial Services.
A bill to amend 1956 PA 218, entitled
"The insurance code of 1956,"
by amending sections 553, 561, and 563 (MCL 500.553, 500.561, and
500.563), as added by 2018 PA 690, and by adding sections 564 and
564a.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
1 Sec. 553. As used in this chapter:
2 (a) "Authorized individual" means an individual known to and
3 screened by the licensee and determined to be necessary and
4 appropriate to have access to the nonpublic information held by the
5 licensee and its information systems.
DDM H05835'24
 2
1 (b) "Consumer" means an individual, including, but not limited
2 to, an applicant, a policyholder, an insured, a beneficiary, a
3 claimant, and a certificate holder, who is a resident of this state
4 and whose nonpublic information is in a licensee's possession,
5 custody, or control.
6 (c) "Cybersecurity event" means an event that results in
7 unauthorized access to, and acquisition of, or disruption or misuse
8 of, an information system or nonpublic information stored on an
9 information system. Cybersecurity event does not include either of
10 the following:
11 (i) The unauthorized acquisition access of encrypted nonpublic
12 information if the encryption, process, or key is not also
13 acquired, released, or used without authorization.
14 (ii) The unauthorized access to data by a person if the access
15 meets both of the following criteria:
16 (A) The person acted in good faith in accessing the data.
17 (ii) (B) The access was related to activities of the person.An
18 event in which the licensee has determined that the nonpublic
19 information accessed by an unauthorized person has not been used or
20 released and has been returned or destroyed.
21 (d) "Encrypted" means the transformation of data into a form
22 that results in a low probability of assigning meaning without the
23 use of a protective process or key.
24 (e) "Information security program" means the administrative,
25 technical, and physical safeguards that a licensee uses to access,
26 collect, distribute, process, protect, store, use, transmit,
27 dispose of, or otherwise handle nonpublic information.
28 (f) "Information system" means a discrete set of electronic
29 information resources organized for the collection, processing,
DDM H05835'24
 3
1 maintenance, use, sharing, dissemination, or disposition of
2 electronic nonpublic information, as well as any specialized system
3 such as an industrial or process controls system, a telephone
4 switching and private branch exchange system, or an environmental
5 control system.
6 (g) "Licensee" means a licensed insurer or producer, and other
7 persons licensed or required to be licensed, authorized, or
8 registered, or holding or required to hold a certificate of
9 authority under this act. Licensee does not include a purchasing
10 group or a risk retention group chartered and licensed in a state
11 other than this state or a person that is acting as an assuming
12 insurer that is domiciled in another state or jurisdiction.
13 (h) "Multi-factor authentication" means authentication through
14 verification of at least 2 of the following types of authentication
15 factors:
16 (i) Knowledge factors, such as a password.
17 (ii) Possession factors, such as a token or text message on a
18 mobile phone.
19 (iii) Inherence factors, such as a biometric characteristic.
20 (i) "Nonpublic information" means electronic information that
21 is not publicly available information and is any of the following:
22 (i) Business-related information of a licensee, the tampering
23 with which, or unauthorized disclosure, access, or use of which,
24 would cause a material adverse impact to the business, operations,
25 or security of the licensee.
26 (ii) Any information concerning a consumer that because of
27 name, number, personal mark, or other identifier can be used to
28 identify the consumer, in combination with any 1 or more of the
29 following data elements:
DDM H05835'24
 4
1 (A) Social Security number.
2 (B) Driver license number or nondriver identification card
3 number.
4 (C) Financial account number, or credit or debit card number.
5 (D) Any security code, access code, or password that would
6 permit access to a consumer's financial account.
7 (E) Biometric records.
8 (iii) Any information or data, except age or gender, in any form
9 or medium created by or derived from a health care provider or a
10 consumer, that can be used to identify a particular consumer, and
11 that relates to any of the following:
12 (A) The past, present, or future physical, mental, or
13 behavioral health or condition of any consumer or a member of the
14 consumer's family.
15 (B) The provision of health care to any consumer.
16 (C) Payment for the provision of health care to any consumer.
17 (j) "Publicly available information" means any information
18 that a licensee has a reasonable basis to believe is lawfully made
19 available to the general public from federal, state, or local
20 government records, by widely distributed media, or by disclosures
21 to the general public that are required to be made by federal,
22 state, or local law. A licensee has a reasonable basis to believe
23 that information is lawfully made available to the general public
24 if both of the following apply:
25 (i) The licensee has taken steps to determine that the
26 information is of the type that is available to the general public.
27 (ii) If an individual can direct that the information not be
28 made available to the general public, that the licensee's consumer
29 has not directed that the information not be made available to the
DDM H05835'24
 5
1 general public.
2 (k) "Risk assessment" means the risk assessment that each
3 licensee is required to conduct under section 555(3).
4 (l) "Third-party service provider" means a person that is not a
5 licensee and that contracts with a licensee to maintain, process,
6 or store, or otherwise is permitted access to nonpublic
7 information, through its provision of services to the licensee.
8 Sec. 561. (1) Unless the licensee determines that the
9 cybersecurity event has not or is not likely to cause substantial
10 loss or injury to, or result in identity theft with respect to, 1
11 or more residents of this state, a licensee that owns or licenses
12 data that are included in a database that discovers a cybersecurity
13 event, or receives notice of a cybersecurity event under subsection
14 (2), A licensee shall provide a notice of the a cybersecurity event
15 to each resident of this state who meets 1 or more of the
16 following:
17 (a) That resident's unencrypted and unredacted personal
18 information was accessed and acquired by an unauthorized person.
19 (b) That resident's personal information was accessed and
20 acquired in encrypted form by a licensee with unauthorized access
21 to the encryption key.
22 (2) Unless the licensee determines that the cybersecurity
23 event has not or is not likely to cause substantial loss or injury
24 to, or result in identity theft with respect to, 1 or more
25 residents of this state, a A licensee that maintains a database
26 that includes data that the licensee does not own or license that
27 discovers a breach of the security of the database shall provide a
28 notice to the owner or licensor of the information of the
29 cybersecurity event.
DDM H05835'24
 6
1 (3) In determining whether a cybersecurity event is not likely
2 to cause substantial loss or injury to, or result in identity theft
3 with respect to, 1 or more residents of this state under subsection
4 (1) or (2), a licensee shall act with the care an ordinarily
5 prudent person or agency in like position would exercise under
6 similar circumstances.
7 (3) (4) A licensee shall provide any notice required under
8 this section without unreasonable delay. A licensee may delay
9 providing notice without violating this subsection if either of the
10 following is met:
11 (a) A delay is necessary in order for the licensee to take any
12 measures necessary to determine the scope of the cybersecurity
13 event and restore the reasonable integrity of the database.
14 However, the licensee shall provide the notice required under this
15 subsection without unreasonable delay after the licensee completes
16 the measures necessary to determine the scope of the cybersecurity
17 event and restore the reasonable integrity of the database.
18 (b) A law enforcement agency determines and advises the
19 licensee that providing a notice will impede a criminal or civil
20 investigation or jeopardize homeland or national security. However,
21 the licensee shall provide the notice required under this section
22 without unreasonable delay after the law enforcement agency
23 determines that providing the notice will no longer impede the
24 investigation or jeopardize homeland or national security.
25 (4) (5) A licensee shall provide any notice required under
26 this section by providing 1 or more of the following to the
27 recipient:
28 (a) Written notice sent to the recipient at the recipient's
29 postal address in the records of the licensee.
DDM H05835'24
 7
1 (b) Written notice sent electronically to the recipient if any
2 of the following are met:
3 (i) The recipient has expressly consented to receive electronic
4 notice.
5 (ii) The licensee has an existing business relationship with
6 the recipient that includes periodic electronic mail communications
7 and based on those communications the licensee reasonably believes
8 that it has the recipient's current electronic mail address.
9 (iii) The licensee conducts its business primarily through
10 internet account transactions or on the internet.
11 (c) If not otherwise prohibited by state or federal law,
12 notice given by telephone by an individual who represents the
13 licensee if all of the following are met:
14 (i) The notice is not given in whole or in part by use of a
15 recorded message.
16 (ii) The recipient has expressly consented to receive notice by
17 telephone, or if the recipient has not expressly consented to
18 receive notice by telephone, the licensee also provides notice
19 under subdivision (a) or (b) if the notice by telephone does not
20 result in a live conversation between the individual representing
21 the licensee and the recipient within 3 business days after the
22 initial attempt to provide telephonic notice.
23 (d) Substitute notice, if the licensee demonstrates that the
24 cost of providing notice under subdivision (a), (b), or (c) will
25 exceed $250,000.00 or that the licensee has to provide notice to
26 more than 500,000 residents of this state. A licensee provides
27 substitute notice under this subdivision by doing all of the
28 following:
29 (i) If the licensee has electronic mail addresses for any of
DDM H05835'24
 8
1 the residents of this state who are entitled to receive the notice,
2 providing electronic notice to those residents.
3 (ii) If the licensee maintains a website, conspicuously posting
4 the notice on that website.
5 (iii) Notifying major statewide media. A notification under this
6 subparagraph must include a telephone number or a website address
7 that a person may use to obtain additional assistance and
8 information.
9 (5) (6) A notice under this section must do all of the
10 following:
11 (a) For a notice provided under subsection (5)(a) (4)(a) or
12 (b), be written in a clear and conspicuous manner and contain the
13 content required under subdivisions (c) to (g).
14 (b) For a notice provided under subsection (5)(c), (4)(c)
15 clearly communicate the content required under subdivisions (c) to
16 (g) to the recipient of the telephone call.
17 (c) Describe the cybersecurity event in general terms.
18 (d) Describe the type of personal information that is the
19 subject of the unauthorized access or use.
20 (e) If applicable, generally describe what the licensee
21 providing the notice has done to protect data from further security
22 breaches.
23 (f) Include a telephone number where a notice recipient may
24 obtain assistance or additional information.
25 (g) Remind notice recipients of the need to remain vigilant
26 for incidents of fraud and identity theft.
27 (6) (7) A licensee may provide any notice required under this
28 section under an agreement between the licensee and another
29 licensee, if the notice provided under the agreement does not
DDM H05835'24
 9
1 conflict with this section.
2 (7) (8) Except as provided in this subsection, after a
3 licensee provides a notice under this section, the licensee shall
4 notify each consumer reporting agency that compiles and maintains
5 files on consumers on a nationwide basis, as defined in 15 USC
6 1681a(p), of the cybersecurity event without unreasonable delay. A
7 notification under this subsection must include the number of
8 notices that the licensee provided to residents of this state and
9 the timing of those notices. This subsection does not apply if
10 either of the following is met:
11 (a) The licensee is required under this section to provide
12 notice of a cybersecurity event to 1,000 or fewer residents of this
13 state.
14 (b) The licensee is subject to 15 USC 6801 to 6809.
15 (8) (9) A licensee that is subject to and complies with the
16 health insurance portability and accountability act of 1996, Public
17 Law 104-191, and with regulations promulgated under that act, 45
18 CFR parts 160 and 164, for the prevention of unauthorized access to
19 customer information and customer notice is considered to be in
20 compliance with this section.
21 (9) (10) A person that provides notice of a cybersecurity
22 event in the manner described in this section when a cybersecurity
23 event has not occurred, with the intent to defraud, is guilty of a
24 misdemeanor punishable as follows:
25 (a) Except as otherwise provided under subdivisions (b) and
26 (c), by imprisonment for not more than 93 days or a fine of not
27 more than $250.00 for each violation, or both.
28 (b) For a second violation, by imprisonment for not more than
29 93 days or a fine of not more than $500.00 for each violation, or
DDM H05835'24
 10
1 both.
2 (c) For a third or subsequent violation, by imprisonment for
3 not more than 93 days or a fine of not more than $750.00 for each
4 violation, or both.
5 (10) (11) Subject to subsection (12), (11), a person that
6 knowingly fails to provide a notice of a cybersecurity event
7 required under this section may be ordered to pay a civil fine of
8 not more than $250.00 for each failure to provide notice. The
9 attorney general or a prosecuting attorney may bring an action to
10 recover a civil fine under this section.
11 (11) (12) The aggregate liability of a person for civil fines
12 under subsection (11) (10) for multiple violations of subsection
13 (11) (10) that arise from the same cybersecurity event must not
14 exceed $750,000.00.
15 (12) (13) Subsections (10) (9) and (11) (10) do not affect the
16 availability of any civil remedy for a violation of state or
17 federal law.
18 (13) (14) This section applies to the discovery or
19 notification of a breach of the security of a database that occurs
20 after December 31, 2019.
21 (14) (15) This section does not apply to the access or
22 acquisition by a person or agency of federal, state, or local
23 government records or documents lawfully made available to the
24 general public.
25 (15) (16) This section deals with subject matter that is of
26 statewide concern, and any charter, ordinance, resolution,
27 regulation, rule, or other action by a municipal corporation or
28 other political subdivision of this state to regulate, directly or
29 indirectly, any matter expressly set forth in this section is
DDM H05835'24
 11
1 preempted.
2 (16) (17) As used in this section:
3 (a) "Data" means computerized informa