Frequently Asked Questions
What constitutes a cybersecurity event?
An event that results in unauthorized access to and acquisition of nonpublic information or the disruption or misuse of an information system. This does not include acquisition of encrypted information without a means of decryption or unauthorized access by a person acting in good faith if accessing the data was related to the person's activities.
Who is a Consumer?
A Consumer is an individual, including, but not limited to, an applicant, a policyholder, an insured, a beneficiary, a claimant, and a certificate holder who is a resident of Michigan and whose nonpublic information is in a licensee's possession, custody, or control.
Who is a Licensee?
A Licensee is an insurer, producer, or other person who is licensed, required to be licensed, authorized, registered, certified, or required to be certified with the Department of Insurance and Financial Services pursuant to the Insurance Code of 1956. A Licensee is not a purchasing group, or a risk retention group chartered and licensed in a state other than Michigan or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
What is Nonpublic Information?
Nonpublic information means electronic information that is not publicly available information and is any of the following:
(A) Business-related information of a licensee, the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee.
(B) Consumer-related information that can identify a specific consumer and contains sensitive information. The sensitive information can include any of the following:
(1) Social Security number.
(2) Driver license number or nondriver identification card number.
(3) Financial account number or credit or debit card number.
(4) Any security code, access code, or password that would permit access to a consumer's financial account.
(5) Biometric records.
(6) The past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family.
(7) The provision of health care to any consumer.
(8) Payment for the provision of health care to any consumer.
Who is a Third-Party Service Provider?
A Third-Party Service Provider (TPSP) is a person that is not a licensee and that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee.