HB 6491 Summary

• Adds Chapter 5A to Michigan's insurance code establishing comprehensive data security requirements for licensed insurers and insurance producers handling nonpublic consumer information.

• Requires licensees with 25+ employees to develop and implement written information security programs based on risk assessments, including administrative, technical, and physical safeguards, with annual board reporting and compliance certification by February 15 each year.

• Mandates licensees to investigate cybersecurity events promptly and notify the Michigan Department of Insurance within 10 business days if the event affects 250+ Michigan residents or has reasonable likelihood of material harm to consumers or operations.

• Requires consumer notification without unreasonable delay when unencrypted personal information is accessed or encrypted information is accessed with the unauthorized encryption key, with specific notification methods and content requirements.

• Establishes exemptions for licensees under 25 employees and those complying with HIPAA regulations, with implementation deadline of January 20, 2022 for most requirements and January 20, 2023 for board reporting provisions.