Privacy and security continue to be at the forefront for legislatures across the nation, despite (or perhaps because of) the COVID-19 pandemic. In late May, with back-to-back amendments, Washington D.C. and Vermont significantly overhauled their data breach notification laws, including expansion of the definition of personal information, and heightened notice requirements. Now, Michigan may follow suit.
Earlier this month, the Michigan House of Representatives voted to advance House Bills 4186-87, sponsored by state Rep. Diana Farrington, of Utica, which create the Data Breach Notification Act, and exempt entities subject to the new act from similar provisions of Michigan’s previous Identity Theft Protection Act. Unlike other states that have expanded on already existing data breach notification laws, this bill would effectively replace Michigan’s prior law in its entirety.
“This proposal puts Michigan consumers first when there are instances of compromised data,” said Farrington, who chairs the House Financial Services Committee. “Consumer protections are always important – and now many people across Michigan and in Macomb County have been put in dire financial straits through no fault of their own due to COVID-19. They don’t need the additional stress that is brought on when your personal information is potentially in someone else’s hands.”
Below are highlights of Michigan’s new data breach notification bill:
- Expansion of the definition of “sensitive personally identifying information” (PII). Following many other states, the new bill expands the definition of PII to include a state resident’s first name or first initial and last name in combination with one or more of the following data elements that relate to the resident:
  - A nontruncated Social Security number, driver license number, state personal identification card number, passport number, military identification number, or other unique identification number issued on a government document.
  - A financial account number.
  - A medical or mental history, treatment, or diagnosis issued by a health care professional.
  - A health insurance policy number or subscriber identification number and any unique identifier used by a health insurer.
  - A username or email address, in combination with a password or a security question and answer, that would allow access to an online account that is likely to have or is used to obtain sensitive personally identifying information.
- Notification requirements to affected state residents. A covered entity would be required to provide notice to state residents whose PII was acquired in the breach as expeditiously as possible and without unreasonable delay, taking into account the time necessary to conduct an investigation and determine the scope of the breach, but not more than 45 days after its determination that a breach has occurred (unless law enforcement determines that such notification could interfere with a criminal investigation or national security). Written notice must at least include the following:
  - The date, estimated date, or estimated date range of the breach.
  - A description of the PII acquired as part of the breach.
  - A general description of the actions taken to restore the security and confidentiality of the PII involved in the breach.
  - A general description of steps a state resident can take to protect against identity theft, if the breach creates a risk of identity theft.
  - Contact information that the state resident can use to ask about the breach.
- Notification requirements to the state agency. If the number of state residents to be notified exceeds 750, the entity would have to provide written notice to Michigan’s Department of Technology, Management & Budget within the same time frame as the notification to affected residents. Written notice must at least include a synopsis of the events surrounding the breach, the approximate number of state residents notified, any related services the covered entity is offering to state residents, and how a state resident can obtain additional information.
- Substitute Notice. Under the bill, a covered entity required to provide notice could instead provide substitute notice, if direct notice is not feasible due to excessive cost or lack of sufficient contact information. For example, the cost of direct notification would be considered excessive if it exceeded $250,000.
- Reasonable Security Measures. Michigan would join many other states that mandate businesses implement and maintain reasonable security measures designed to protect PII against a breach. When developing security measures, entities may consider the size of their entity, the amount of PII owned or licensed and its surrounding activity, and the cost to maintain such measures relative to the entity’s resources.
- Data Disposal. Covered entities and third-party agents would be required to take reasonable measures to dispose of or arrange to dispose of PII when retention is no longer required by law. Disposal requires shredding, erasing or otherwise modifying PII to make it unreadable or undecipherable.
- Penalties. The new law in its current form would not create a private right of action. However, a person that knowingly violates a notification requirement could be ordered to pay a fine of up to $2,000 for each violation or not more than $5,000 per day for each consecutive day the covered entity fails to take reasonable action to comply with the requirements, up to $250,000. The attorney general would have exclusive enforcement authority.
The bill now moves on to the Michigan Senate for further consideration. This amendment would keep Michigan in line with other states across the nation currently enhancing their data breach notification laws in light of the significant uptick in number and scale of data breaches and heightened public awareness. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.