
Michigan Compiled Laws §445.61 et seq

Enacted:  12.28.2004

Type of Data Covered: Computerized or electronic data. 

Is Breach Defined?

  • Breach is defined in §445.63(b) below:

  • (b)  “Breach of the security of a database” or “security breach” means the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals. These terms do not include unauthorized access to data by an employee or other individual if the access meets all of the following:

    • (i)  The employee or other individual acted in good faith in accessing the data.

    • (ii)  The access was related to the activities of the agency or person.

    • (iii)  The employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.

When is notice required?

Notice is required for all affected residents unless there is no likelihood of harm. §445.72 details the requirements; key provisions are summarized below:

  • §445.72(4): Notice is given without delay, unless delay is necessary for law enforcement reasons or to determine scope and restore integrity.

  • §445.72(5): Written, electronic, telephonic, and substitute notice are permitted.

  • §445.72(6): The content of the notice has minimum requirements, but businesses can include more information as necessary.

  • §445.72(8): Consumer reporting agencies must be notified if over 1,000 residents are affected.

What are the penalties for non-compliance?

Violations have their own sections of the law, §445.72(12)-(15), which read as follows: 

  • (12)  A person that provides notice of a security breach in the manner described in this section when a security breach has not occurred, with the intent to defraud, is guilty of a misdemeanor punishable as follows:

    • (a)  Except as otherwise provided under subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $250.00 for each violation, or both.

    • (b)  For a second violation, by imprisonment for not more than 93 days or a fine of not more than $500.00 for each violation, or both.

    • (c)  For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $750.00 for each violation, or both.

  • (13)  Subject to subsection (14), a person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section.

  • (14)  The aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00.

  • (15)  Subsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law.
