MI HB6268

Removes requirement for licensees to determine whether a cybersecurity event has caused substantial loss or injury before notifying affected residents, making notification mandatory upon discovery of unauthorized access to personal information.

Modifies definition of "cybersecurity event" to focus on unauthorized access or disruption rather than "acquisition" of information, and simplifies exception for encrypted data breaches to cases where data has not been used, released, and has been returned or destroyed.

Adds new enforcement authority allowing the director to examine and investigate licensees for violations of data security requirements under section 222, with ability to take necessary action to enforce the chapter.

Establishes that licensees violating the data security chapter are subject to civil fines under section 150 of the Insurance Code.

Makes technical amendments to section 563 regarding confidentiality of licensee documents and materials submitted to the director for regulatory purposes.