Sec. 553.
As used in this chapter:
(a) "Authorized individual" means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.
(b) "Consumer" means an individual, including, but not limited to, an applicant, a policyholder, an insured, a beneficiary, a claimant, and a certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control.
(c) "Cybersecurity event" means an event that results in unauthorized access to and acquisition of, or disruption or misuse of, an information system or nonpublic information stored on an information system. Cybersecurity event does not include either of the following:
(i) The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
(ii) The unauthorized access to data by a person if the access meets both of the following criteria:
(A) The person acted in good faith in accessing the data.
(B) The access was related to activities of the person.
(d) "Encrypted" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.
(e) "Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
(f) "Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, as well as any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system.
(g) "Licensee" means a licensed insurer or producer, and other persons licensed or required to be licensed, authorized, or registered, or holding or required to hold a certificate of authority under this act. Licensee does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
(h) "Multi-factor authentication" means authentication through verification of at least 2 of the following types of authentication factors:
(i) Knowledge factors, such as a password.
(ii) Possession factors, such as a token or text message on a mobile phone.
(iii) Inherence factors, such as a biometric characteristic.
(i) "Nonpublic information" means electronic information that is not publicly available information and is any of the following:
(i) Business-related information of a licensee, the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee.
(ii) Any information concerning a consumer that because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with any 1 or more of the following data elements:
(A) Social Security number.
(B) Driver license number or nondriver identification card number.
(C) Financial account number, or credit or debit card number.
(D) Any security code, access code, or password that would permit access to a consumer's financial account.
(E) Biometric records.
(iii) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:
(A) The past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family.
(B) The provision of health care to any consumer.
(C) Payment for the provision of health care to any consumer.
(j) "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, by widely distributed media, or by disclosures to the general public that are required to be made by federal, state, or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if both of the following apply:
(i) The licensee has taken steps to determine that the information is of the type that is available to the general public.
(ii) If an individual can direct that the information not be made available to the general public, that the licensee's consumer has not directed that the information not be made available to the general public.
(k) "Risk assessment" means the risk assessment that each licensee is required to conduct under section 555(3).
(l) "Third-party service provider" means a person that is not a licensee and that contracts with a licensee to maintain, process, or store, or otherwise is permitted access to nonpublic information, through its provision of services to the licensee.
History: Add. 2018, Act 690, Eff. Jan. 20, 2021
Popular Name: Act 218