Michigan Data Breach
Mich. Comp. Laws § 445.63, § 445.72, et seq.
SUMMARY:
EFFECTIVE. July 2, 2007
WHO DOES THIS LAW APPLY TO. (1) Any person, business or government agency that owns or licenses computerized data that includes Personal Information; and (2) any person, business, or government agency that maintains Personal Information on State residents.
WHAT IS A BREACH. Unauthorized acquisition of and access to computerized data that compromises the security or confidentiality of Personal Information maintained by a person, business, or government agency. A good faith acquisition of Personal Information by an employee or agent of the person, business or government agency for internal purposes only is not a breach, if it is not used for an unlawful purpose or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the resident’s financial account.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the residents affected when a person, business or government agency discovers or is notified of a security breach. No notification is required if the person, business or government agency determines that a security breach has not or is not reasonably likely to cause substantial loss or injury to a resident(s) or result in identity theft. Any notice to affected residents must clearly communicate and include all of the following:
- A general description of the security breach.
- The type of Personal Information that was accessed or used.
- A general description of what has been done to protect the Personal Information from further security breaches.
- A telephone number where additional assistance and information may be obtained.
- Advice on the need to be aware of and look for incidents of fraud and identity theft.
If more than 1,000 residents are involved in a breach, the person, business, or government agency shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)) of the number and timing of notices sent. Notice to the consumer reporting agencies is not required of a person, business or government agency that is subject to Title V of the Federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.
EXCEPTION. This Section does not apply to the following:
- A financial institution that is subject to and has notification procedures in place that are subject to audit by its regulator for compliance with the Interagency Guidance on Response Programs for unauthorized access to Personal Information and consumer notice, or similar requirements by the National Credit Union Administration, is considered in compliance with this Section.
- A person, business or government agency that is subject to and complies with the Health Insurance Portability and Accountability Act of 1996 and related regulations to prevent unauthorized access to Personal Information, and the notice requirements, is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business or government agency becomes aware of an incident of unauthorized acquisition. The disclosure shall be made without unreasonable delay, consistent with measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation or jeopardize national security and requests the delay. In that instance, notification shall be made without unreasonable delay after law enforcement gives clearance.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written (to the last known address on file with the person, business, or government agency).
- Telephonic, if all of the following are met:
  - Notice does not include a recorded message;
  - Express consent to telephonic notice has been provided by the resident(s); and
  - Notice is also provided by written or electronic means (within 3 business days of the first attempt to reach the resident by telephone) if the resident is not reached for a live conversation.
- Electronic, if any of the following are met:
  - Express consent has been provided;
  - It is the primary means of communication with the resident; or
  - The person, business or government agency conducts business primarily on the internet.
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or government agency can demonstrate that the cost of providing notice will exceed $250,000 or the affected class of persons to be notified exceeds 500,000, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice, if the person, business, or government agency has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, business, or government agency, if one is maintained.
- Notification to major statewide media, which includes a telephone number or website that may be used to obtain additional assistance and information.
NOTICE TO THIRD-PARTIES. If a person, business or government agency maintains unencrypted data that includes Personal Information that it does not own, then the person, business or government agency shall notify the owner or licensor of a security breach, unless it determines that the breach has not or is not likely to cause substantial loss or injury or result in identity theft to a resident(s). The person, business or government agency that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. A person or business that provides notice of a security breach that has not occurred, with the intent to defraud, is guilty of a misdemeanor punishable by imprisonment for up to 30 days and/or a fine of up to $250 for each violation.
A person or business that knowingly fails to give notice of a security breach is subject to a fine of up to $250 for each failure to provide notice, not to exceed $750,000. The Attorney General or a prosecuting attorney may bring an action to recover a civil fine under this Section.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. MCL § 445.72a.
(1) A person or agency that maintains a database that includes personal information regarding multiple individuals shall destroy any data that contain personal information concerning an individual when that data is removed from the database and the person or agency is not retaining the data elsewhere for another purpose not prohibited by state or federal law. This subsection does not prohibit a person or agency from retaining data that contain personal information for purposes of an investigation, audit, or internal review.
(2) A person who knowingly violates this section is guilty of a misdemeanor punishable by a fine of not more than $250.00 for each violation. This subsection does not affect the availability of any civil remedy for a violation of state or federal law.
(3) A person or agency is considered to be in compliance with this section if the person or agency is subject to federal law concerning the disposal of records containing personal identifying information and the person or agency is in compliance with that federal law.
(4) As used in this section, "destroy" means to destroy or arrange for the destruction of data by shredding, erasing, or otherwise modifying the data so that they cannot be read, deciphered, or reconstructed through generally available means.
LEGISLATIVE UPDATES.
S.B. 309 – Signed into law on 12/30/2006, Effective 7/2/2007.
S.B. 223 – Signed into law on 12/21/2010, Effective 4/1/2011.
H.B. 6406 – Signed into law on 12/28/2018, Effective 1/20/2020.
For more information, see:
https://www.legislature.mi.gov/(S(a2jdr2cfyczs5a0hg02f2vhe))/mileg.aspx?page=getobject&objectname=mcl-445-63
and
https://www.legislature.mi.gov/(S(a2jdr2cfyczs5a0hg02f2vhe))/mileg.aspx?page=getobject&objectname=mcl-445-72
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.