The bill amends the Michigan Insurance Code of 1956 to strengthen cybersecurity measures and the handling of nonpublic information by licensed insurers. It introduces key definitions such as "authorized individual," "consumer," and "cybersecurity event," and specifies that a cybersecurity event does not include cases where encrypted information is accessed without the encryption key. The bill mandates that licensees notify affected residents in the event of a cybersecurity breach, detailing the procedures for notification, including communication methods and required content. It also establishes penalties for failing to provide these notices and states that compliance with the Health Insurance Portability and Accountability Act (HIPAA) meets the requirements outlined in the bill.

Additionally, the bill enhances confidentiality protections for documents and information related to the director's regulatory duties, ensuring that such information is neither subject to subpoena nor admissible in civil actions, while still allowing the director to use it for regulatory purposes. It permits sharing of confidential information with other regulatory agencies and law enforcement, provided confidentiality is maintained. The bill also clarifies that final adjudicated actions can be made public under the Freedom of Information Act, while documents held by the National Association of Insurance Commissioners or third-party consultants remain confidential. It grants the director authority to examine licensees for compliance and establishes potential fines for violations.

Statutes affected:
Senate Introduced Bill: 500.553