DATA SECURITY ENFORCEMENT; MODIFY        S.B. 549:

        SUMMARY OF INTRODUCED BILL

        IN COMMITTEE

 

 

 

 

 

 

Senate Bill 549 (as introduced 9-17-25)

Sponsor: Senator Dayna Polehanki

Committee: Finance, Insurance, and Consumer Protection

 

Date Completed: 9-23-25 

 

CONTENT

 

The bill would amend Chapter 5A (Data Security) of the Insurance Code to do the following:

 

--       Delete provisions allowing a licensee to determine whether a cybersecurity event would likely cause substantial loss or injury to affected residents before notifying the residents.

--       Allow the Director of the Department of Insurance and Financial Services (DIFS) to examine and investigate the affairs of any licensee to determine whether the licensee had been or was engaged in any conduct in violation of Chapter 5A.

--       Modify the definition of "cybersecurity event".

--       Subject a licensee in violation of Chapter 5A to fines under the Code.

 

Notices from Licensees

 

Under the Code, a licensee must notify a resident whose personal information was accessed by an unauthorized person in a cybersecurity event except if the licensee determines that the cybersecurity event has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents. Similarly, a licensee that maintains a database of data that the licensee does not own or license must notify the owner or licensor of the data of the cybersecurity event except if that licensee determines that the cybersecurity event has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents. The bill would delete the exceptions for notifying residents or another licensee.

 

("Licensee" means a licensed insurer or producer, and other persons licensed or required to be licensed, authorized, or registered, or holding or required to hold a certificate of authority under the Code. The term does not include a purchasing group or a risk retention group chartered and licensed in a state other than Michigan or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.)

 

In determining whether a cybersecurity event is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents as described above, a licensee must act with the care an ordinarily prudent person or agency in like position would exercise under similar circumstances. The bill would delete this provision.

 

Modify "Cybersecurity Event"

 

Under the Code, "cybersecurity event" means an event that results in unauthorized access to, and acquisition of, or disruption or misuse of, an information system or nonpublic information stored on an information system. The term does not include the following:

 

 

--       The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.

--       The unauthorized access to data by a person if the person acted in good faith in accessing the data and the access was related to activities of the person.

 

Instead, under the bill, "cybersecurity event" would mean an event that results in the unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system. The term would not include the following:

 

--       The unauthorized access to encrypted nonpublic information if the encryption, process, or key were not also acquired, released, or used without authorization.

--       An event in which the licensee had determined that the nonpublic information accessed by an unauthorized person had not been used or released and had been returned or destroyed.

 

Director Examination

 

Under the bill, except as otherwise provided, the Director could examine and investigate the affairs of any licensee to determine whether the licensee had been or was engaged in any conduct in violation of Chapter 5A. This power would be in addition to the other powers the Director had under the Code. Any examination or investigation of a licensee would have to be conducted in accordance with Section 222.[1]

 

If the Director believed that a licensee had been or was engaged in conduct that violated Chapter 5A, the Director could take necessary or appropriate action to enforce Chapter 5A.

 

If a licensee violated Chapter 5A, the licensee could be subject to fines under Section 150.[2]

 

MCL 500.553 et al.        

 

FISCAL IMPACT

 

The bill likely would not have a significant fiscal impact on State or local units of government. The Department currently examines and investigates licensees for matters pertaining to the bill using existing appropriations; however, it is possible that the removal of some discretion on the part of the licensee under the bill could result in a need for additional resources.

 

The bill specifies that a licensee in violation of the Chapter’s provisions could be subject to certain fines; however, these violations are already subject to these fines under current law. Any increase in civil fine revenue resulting from the bill would be due to an increase in the number of investigations for which a licensee was found to be in violation of the Code and for which the Director elected to impose a fine. Revenue collected from civil fines is used to support local libraries.

        Analyst: Nathan Leaman

 


[1]  Generally, Section 222 of the Code allows the Director to examine any or all the books, records, documents, or papers of an insurer at any time after its articles of incorporation have been executed and filed or after it has been authorized to do business in Michigan. Within 60 days of the examination, the Director must report on the examination and disclose conclusions and recommendations.

[2]  Generally, Section 150 of the Code prescribes penalties for any violation of the Code that does not have its own penalties.

 

SAS\S2526\s549sa

This analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent.