Reporting a Cybersecurity Event

Posted 08/10/21

Frequently Asked Questions

  • Any licensee who meets one of the following criteria:

    (A) The licensee is an insurer and is domiciled in Michigan, or the licensee is a producer whose home state is Michigan. Also, the cybersecurity event has a reasonable likelihood of materially harming either one or more Michigan consumers or any material part of a normal operation of the licensee.

    (B) The licensee reasonably believes that the nonpublic information affects 250 or more Michigan consumers and is either of the following:

    (1) A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or other supervisory body under any state or federal law.

    (2) A cybersecurity event that has a reasonable likelihood of materially harming either any Michigan consumer or any material part of the normal operation of the licensee.

    Licensees shall notify the Director promptly, but no later than 10 business days, after a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.

  • Please fill out form FIS 2359: Notice of Cybersecurity Event. When completed, please send via email to DIFS-Cybersecurityforms@Michigan.gov.

  • Yes, any documents, materials, or other information sent to the Department of Insurance and Financial Services for the purpose of reporting a cybersecurity event are generally confidential and not subject to the Freedom of Information Act (FOIA) or to subpoena. Please see MCL 500.563 for a detailed description of the protections and limitations of those protections.

  • A licensee subject to MCL 500.561 who owns or licenses data included in a database that discovers or receives notice of a cybersecurity event, unless it has not or is not likely to cause substantial loss or result in the identity theft of one or more Michigan consumers. The licensee must notify the affected consumers if their unencrypted and unredacted personal information was accessed and acquired by an unauthorized person or their personal information was accessed and acquired in encrypted form by a licensee with unauthorized access to the encryption key.

  • Consumers must receive notices without delay, as described in MCL 500.561(4), and in a clear manner containing the following:

    (A) A description of the cybersecurity event in general terms.

    (B) A description of the type(s) of personal information that is the subject of the unauthorized access or use; be sure not to include the specific personal information accessed in the notice.

    (C) A description of what the licensee providing the notice has done to protect data from further security breaches.

    (D) A telephone number where a notice recipient may obtain assistance or additional information.

    (E) A reminder to the notice recipients of the need to remain vigilant for incidents of fraud and identity theft.

  • Yes, another licensee may act on your behalf to notify consumers and provide the necessary resources required under MCL 500.561. However, should the allocated licensee fail to meet the requirements of a clear notice that contains all of the necessary information and is provided to Michigan consumers without unreasonable delay, then you may be subject to the penalties described under MCL 500.561 or other enforcement action for failing to provide the notice to Michigan consumers.

The answers provided are not meant to be a substitute for legal advice.