Michigan Compiled Laws §445.61 et seq
Enacted: 12.28.2004
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
Breach is defined in §445.63(b), quoted below:

(b) “Breach of the security of a database” or “security breach” means the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals. These terms do not include unauthorized access to data by an employee or other individual if the access meets all of the following:

(i) The employee or other individual acted in good faith in accessing the data.

(ii) The access was related to the activities of the agency or person.

(iii) The employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.
When is notice required?
Notice is required for all affected residents unless there is no likelihood of harm. §445.72 details the requirements; the key provisions are summarized below:

§445.72(4): Notice must be given without delay, except where delay is necessary for law enforcement reasons or to determine the scope of the breach and restore the integrity of the database.

§445.72(5): Written, electronic, telephonic, and substitute notice are all permitted.

§445.72(6): The notice has minimum content requirements, but businesses may include additional information as necessary.

§445.72(8): Consumer reporting agencies must be notified if more than 1,000 residents are affected.
What are the penalties for non-compliance?
Violations have their own sections of the law, §445.72(12)-(15), which read as follows:

(12) A person that provides notice of a security breach in the manner described in this section when a security breach has not occurred, with the intent to defraud, is guilty of a misdemeanor punishable as follows:

(a) Except as otherwise provided under subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $250.00 for each violation, or both.

(b) For a second violation, by imprisonment for not more than 93 days or a fine of not more than $500.00 for each violation, or both.

(c) For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $750.00 for each violation, or both.

(13) Subject to subsection (14), a person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section.

(14) The aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00.

(15) Subsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law.