MI SB0549

Expands the definition of "cybersecurity event" to include unauthorized access to information systems, removing the previous requirement that data must also be "acquired" for an event to qualify

Removes licensees' discretion to determine whether a cybersecurity event is "likely to cause substantial loss or injury" before notifying affected consumers—notification is now required for any unauthorized access to personal information

Eliminates the exception that previously allowed licensees to avoid notification when an unauthorized person accessed data in "good faith" for activities related to their work

Grants the Director of Insurance explicit authority to examine and investigate licensees for compliance with data security requirements and take enforcement action for violations

Subjects licensees who violate the chapter to fines under existing insurance code penalty provisions (Section 150)