Data breach incidents continue to make headlines. The Yahoo data security breach—affecting more than one billion accounts—announced late last year is a recent example. Data security breaches affect companies of all sizes, and any company that maintains an electronically stored database containing personal information, such as credit card numbers, driver’s license numbers, or Social Security numbers, is susceptible to a data security breach and identity theft.
If you have been informed that your business has been the victim of a data security breach, you will need to follow the breach notification requirements in Michigan’s Identity Theft Protection Act (the “Act”). This blog will provide an outline of the steps you should consider if your business has suffered a data security breach.
Step 1: Determine the extent of the breach and what harm may result from the breach.
Under the Act, a business that discovers a security breach of personal information must provide a notice of the security breach to each affected Michigan resident, unless the business can establish that the security breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents. Personal information means the first initial or name and last name of a Michigan resident linked to one of the following elements: i) Social Security number; ii) driver’s license or state identification card number; or iii) bank account or credit card number combined with an access code that would permit access to any of the financial accounts.
In order to determine whether a security breach is likely to cause injury to, or result in loss or identity theft to, a Michigan resident, the Act requires that a business act with the care that an ordinarily prudent person in a like position would exercise under similar circumstances. In other words, once you have determined that a security breach has occurred, you should immediately begin a thorough, reasonable investigation into the security breach before concluding that harm is unlikely.
Step 2: You have determined that a breach has occurred. How should you notify your customers or contacts?
Once you have determined that a data breach has occurred, you will need to provide notice to customers and vendors affected by the breach. The form of notice you must give—written, electronic written, phone, or substitute notice—is largely determined by the relationship between you and your customers and vendors—the intended recipients of the notice.
Written notice. The most common and simplest form of notice you may use is written notification sent to the recipient’s postal address on file in your records.
Email notice. The written notice may be sent in electronic format if you can show that any of the following three conditions is met: 1) the recipient has expressly consented to receive electronic notice; 2) you conduct your business primarily through the internet; or 3) you have an existing relationship with the recipient that includes electronic mail communications, and, as a result of those communications, you reasonably believe you have the recipient’s current electronic mail address. MCL 445.72(5)(b)(i-iii).
Phone notice. If not prohibited by state or federal law, you may make notification by phone if the following two requirements are met: 1) the notice is not given in whole or in part by recorded message, and 2) the recipient has expressly consented to receive notice by phone, or, if the recipient has not expressly consented, you also provide written or electronic written notice if the notice by phone does not result in a live conversation between you and the recipient within 3 business days after the initial attempt at phone notification.
Substitute notice. If you determine that the cost of providing notice as described above exceeds $250,000.00 or that the notice must be provided to more than 500,000 residents of Michigan, you may provide substitute notice by doing all of the following: 1) providing electronic notice to all residents for whom you have an electronic mail address; 2) if you have a website, conspicuously posting the notice on that website; and 3) notifying statewide media, which must include a telephone number or website address that an individual may use to obtain additional information and assistance.
Step 3: You have identified recipients that require notification and have obtained their contact information. What information should the notification contain?
Any notifications you send out must meet all of the following requirements: 1) The notice must be written in a clear and conspicuous manner or clearly communicated; 2) You must describe the security breach in general terms; 3) You must describe the personal information that is subject to the breach; 4) If applicable, describe in general terms what you have done to protect the recipient’s data from further security breaches; 5) Include a telephone number where a notice recipient may obtain additional information or assistance; and 6) Remind notice recipients of the need to remain vigilant for incidents of identity theft and fraud.
Step 4: You have notified affected customers and vendors of the data breach. Do you have to meet any additional notice requirements?
After you have provided notice to individual recipients, you must also notify consumer reporting agencies of the breach without unreasonable delay. The notice you provide to consumer reporting agencies, which are defined in 15 USC 1682a(p), must include the number of notices that you have provided to residents of Michigan as well as the timing of those notices.
In some limited circumstances you may not be required to notify consumer reporting agencies of the data breach. Notification to consumer reporting agencies is not required if: 1) the breach affected 1,000 or fewer residents of Michigan, or 2) your business is a financial institution subject to Title V of the Gramm-Leach-Bliley Act (governing the treatment of nonpublic personal information about consumers by financial institutions).
Limited exceptions to the notification requirements through compliance with federal regulations.
The Act carves out limited exceptions to the notification requirements for certain businesses complying with specific federal regulations. For example, a financial institution with notification procedures in place that are subject to interagency guidance prescribed by the Federal Reserve System and other federal bank and thrift regulatory agencies is considered to be in compliance with the Act. Similarly, a business that is subject to, and complies with, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its attendant regulations is considered to be in compliance with the Act.
Penalties for failing to provide notification of a data security breach.
If you do not provide the notification required by the Act, the attorney general or a prosecuting attorney may seek a civil fine of not more than $250.00 for each failure to provide notice. The aggregate liability for multiple violations of the statute cannot exceed $750,000.00 for the same security breach.
Michigan’s Identity Theft Protection Act is complex, and the consequences of failing to comply with the statute’s notification requirements can be significant.
This article is a brief summary of a law. Readers should not rely on the contents of this article as it is not legal advice. Anyone affected by the law should seek competent counsel. To find out more about the laws concerning data breaches, contact Fraser Trebilcock at 517.482.5800.