Michigan Considers Enhanced Data Breach Notification Law
Monday, September 14, 2020
privacy is in your hands
Print Mail Download i

Privacy and security continue to be at the forefront for legislatures across the nation, despite (or perhaps because of) the COVID-19 pandemic.  In late May, with back-to-back amendments, Washington D.C. and Vermont significantly overhauled their data breach notification laws, including expansion of the definition of personal information, and heightened notice requirements.  Now, Michigan may follow suit.

Earlier this month, the Michigan House of Representatives voted to advance House Bills 4186-87, sponsored by state Rep. Diana Farrington, of Utica, which create the Data Breach Notification Act, and exempt entities subject to the new act from similar provisions of Michigan’s previous Identity Theft Protection Act. Unlike other states that have expanded on already existing data breach notification laws, this bill would effectively replace Michigan’s prior law in its entirety.

This proposal puts Michigan consumers first when there are instances of compromised data,” said Farrington, who chairs the House Financial Services Committee. “Consumer protections are always important – and now many people across Michigan and in Macomb County have been put in dire financial straits through no fault of their own due to COVID-19. They don’t need the additional stress that is brought on when your personal information is potentially in someone else’s hands.

Below are highlights of Michigan’s new data breach notification bill:

  • Expansion of the definition of “sensitive personally identifying information” (PII). Following many other states, the new bill expands the definition of PII to include a state resident’s first name or first initial and last name in combination with one or more of the following data elements that relate to the resident:

    • A nontruncated  Social  Security  number,  driver  license  number,  state  personal identification  card  number,  passport  number,  military  identification  number,  or other unique identification number issued on a government document.

    • A financial account number.

    • A  medical  or  mental  history,  treatment,  or  diagnosis  issued  by  a  health  care professional.

    • A  health  insurance  policy  number  or  subscriber  identification  number  and  any unique identifier used by a health insurer.

    • A username or email address, in combination with a password or a security question and answer, that would allow access to an online account that is likely to have or is used to obtain sensitive personally identifying information.

  • Notification requirements to affected state residents. A covered entity would be required to provide notice to state residents whose PII was acquired in the breach, as expeditiously as possible and without unreasonable delay, taking into account the time necessary to conduct an investigation, and determine scope of breach, but not more than 45 days of its determination that a breach has occurred (unless law enforcement determines that such notification could interfere with a criminal investigation/national security). Written notice must at least include the following:

    • The date, estimated date, or estimated date range of the breach.

    • A description  of  the  PII acquired as part of the breach.

    • A   general   description   of   the   actions   taken   to   restore   the   security   and confidentiality of the PII involved in the breach.

    • A general description of steps a state resident can take to protect against identity theft, if the breach creates a risk of identity theft.

    • Contact information that the state resident can use to ask about the breach.

  • Notification requirements to state agency. If the number of state residents to be notified exceeds 750, the entity would have to provide written notice to Michigan’s Department of Technology, Management & Budget within the same time frame as notification to affected residents. Written notice must at least include a synopsis of events surrounding the breach, approximate number of state residents notified, any related services the covered entity is offering to state residents, and how the state resident can obtain additional information.

  • Substitute Notice. Under the bill, a covered entity required to provide notice could instead provide substitute notice, if direct notice is not feasible due to excessive cost or lack of sufficient contact information. For example, the cost of direct notification would be considered excessive if it exceeded $250,000.

  • Reasonable Security Measures. Michigan would join many other states that mandate businesses implement and maintain reasonable security measures designed to protect PII against a breach. When developing security measures, entities may consider the size of their entity, the amount of PII owned or licensed and its surrounding activity, and the cost to maintain such measures relative to the entity’s resources.

  • Data Disposal. Covered entities and third-party agents would be required to take reasonable measures to dispose of or arrange to dispose of PII when retention is no longer required by law. Disposal requires shredding, erasing or otherwise modifying PII to make it unreadable or undecipherable.

  • Penalties. The new law in its current form would not create a private right of action. However, a person that knowingly violates a notification requirement could be ordered to pay a fine of up to $2,000 for each violation or not more than $5,000 per day for each consecutive day the covered entity fails to take reasonable action to comply with the requirements, up to $250,000. The attorney general would have exclusive enforcement authority.

The bill now moves on to the Michigan Senate for further consideration. This amendment would keep Michigan in line with other states across the nation currently enhancing their data breach notification laws in light of the significant uptick in number and scale of data breaches and heightened public awareness.  Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

USCIS Issues Employment Authorization Procedures for Palestinians on Deferred Enforced Departure
by: Forrest G. Read IV
OSHA Proposes Expansion of Workplace Protections for Emergency Responders
by: Courtney M. Malveaux , Melanie L. Paul
Ninth Circuit Holds Warehouse Worker Qualifies as Transportation Worker Under FAA Exemption
by: Scott P. Jang
MSHA Issues Long Awaited Final Silica Rule
by: Karl F. Kumli
Labor Commissioner’s FAQ on Fast Food Minimum Wage
by: Laura A. Pierson-Scheinberg , Benjamin A. Tulis
New Study Shows Gen Z LGBTQIA+ Students, Graduates Value, Seek Out Inclusive Workplaces
by: Teresa Burke Wright
DHS Extends, Redesignates Temporary Protected Status for Ethiopia
by: Forrest G. Read IV
Privacy Versus Cyber – What is the Bigger Risk?
by: Joseph J. Lazzarotti
Top Five Labor Law Developments for March 2024
by: Jonathan J. Spitz , Richard F. Vitarelli
How Manufacturers Can Stay Ahead of the Changing Landscape of PFAS Regulations
by: Arthur Cunningham

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins