Introduction

Mich. Comp. Laws § 445.72 (the “Statute”) is a state statutory law, that amends the Identification Theft Protection Act, and establishes a data breach notification standard for the personal information of Michigan residents. It also criminalizes the use of a breach notification to defraud another as a misdemeanor.

Applicability

The Statute applies to persons and agencies. The term “person” includes an individual, corporation, and other private business organizations. The term “agency” covers almost all types of entities within state government, including institutions of higher education, but expressly excludes judicial courts of law.

The Statute governs a security breach of personal information. The term “personal information” is defined as the individual’s first and last name in combination with their social security number, government-issued identification number, or financial account number with the pin number. Any public information published in government records is excluded. 

A security breach involves the unauthorized access and acquisition of personal information that compromises its security or confidentiality. There is a safe harbor from notification requirements when the security breach has not, and is not likely to, cause substantial loss or injury to, or result in identity theft of data subjects.

Requirements

Persons and agencies are obligated to provide notice without unreasonable delay. There are two recognized reasons for delay under the Statute—(1) taking measures necessary to determine the scope of the security breach and restore the reasonable integrity; and (2) providing a notice will impede a criminal or civil investigation or jeopardize homeland or national security.

Enforcement & Liability

The Michigan Attorney General is authorized to enforce the regulatory provision of the Statute. Criminal offenses under the Statute may be enforced by a prosecuting attorney of the state.

Penalties

A person or agency found liable of failing to comply with the breach notification requirements may be subject to civil fines of up to $250 for each notice and $750,000 in the aggregate. The criminal offense carries penalties of up to 93 days of imprisonment and $750 per notice, depending on the number of prior convictions for the same offense.