Reporting a Cybersecurity Event
Frequently Asked Questions
Who is required to report a cybersecurity event to the Department of Insurance and Financial Services?
Any licensee who meets one of the following criteria:
(A) The licensee is an insurer and is domiciled in Michigan, or the licensee is a producer whose home state is Michigan. Also, the cybersecurity event has a reasonable likelihood of materially harming either one or more Michigan consumers or any material part of a normal operation of the licensee.
(B) The licensee reasonably believes that the nonpublic information affects 250 or more Michigan consumers and is either of the following:
(1) A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or other supervisory body under any state or federal law.
(2) A cybersecurity event that has a reasonable likelihood of materially harming either any Michigan consumer or any material part of the normal operation of the licensee.
Licensees shall notify the Director promptly, but no later than 10 business days, after a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.
How does one report a cybersecurity event to the Department of Insurance and Financial Services?
Will information provided in the report be confidential?
Yes, any documents, materials, or other information sent to the Department of Insurance and Financial Services for the purpose of reporting a cybersecurity event are generally confidential and not subject to the Freedom of Information Act (FOIA) or to subpoena. Please see MCL 500.563 for a detailed description of the protections and limitations of those protections.
Who is required to notify consumers of a cybersecurity event?
A licensee subject to MCL 500.561 that owns or licenses data included in a database and that discovers or receives notice of a cybersecurity event, unless the event has not caused, or is not likely to cause, substantial loss to or result in the identity theft of one or more Michigan consumers. The licensee must notify the affected consumers if their unencrypted and unredacted personal information was accessed and acquired by an unauthorized person, or if their personal information was accessed and acquired in encrypted form by a licensee with unauthorized access to the encryption key.
What information is required on a notification to Michigan consumers?
Consumers must receive notices without delay, as described in MCL 500.561(4), and in a clear manner containing the following:
(A) A description of the cybersecurity event in general terms.
(B) A description of the type(s) of personal information that is the subject of the unauthorized access or use; be sure not to include the specific personal information accessed in the notice.
(C) A description of what the licensee providing the notice has done to protect data from further security breaches.
(D) A telephone number where a notice recipient may obtain assistance or additional information.
(E) A reminder to the notice recipients of the need to remain vigilant for incidents of fraud and identity theft.
Can I allocate my requirement to notify Michigan consumers to another licensee?
Yes, another licensee may act on your behalf to notify consumers and provide the necessary resources required under MCL 500.561. However, should the allocated licensee fail to meet the requirements of a clear notice that contains all of the necessary information and is provided to Michigan consumers without unreasonable delay, then you may be subject to the penalties described under MCL 500.561 or other enforcement action for failing to provide the notice to Michigan consumers.