Michigan House and Senate Pass Bills Imposing 45-Day Data Breach Notification Requirement

The Michigan House of Representatives recently voted to approve legislation that will impose a 45-day data breach notice requirement on Michigan businesses. House Bills 4186 and 4187, which were passed on December 16, 2020, will become law if signed by Governor Whitmer. Identical bills were passed by the Michigan Senate on December 10.

Data security is a major concern for many businesses across industries. A report issued by the FBI, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency in October warns of “an increased and imminent cybercrime threat” to businesses, particularly those in the health care sector. Recent revelations of a sophisticated cyberattack on the U.S. government show how vulnerable even the most secure systems are to a breach. This new legislation, if enacted, will impose new obligations on Michigan businesses when a data breach occurs.

Key Provisions of New Legislation

The legislation requires a “covered entity” to provide notice within 45 days to state residents whose “sensitive personally identifying information” (PII) was exposed in a data breach.

A “covered entity” includes an individual or a sole proprietorship, partnership, government entity, corporation, limited liability company, nonprofit, trust, estate, cooperative association, or other business entity, that has more than 50 employees and owns or licenses sensitive personally identifying information, or a franchisee of any of the foregoing.

The scope of PII that gives rise to an obligation to notify state residents in the event of a data breach includes a state resident’s first name or first initial, and last name, in combination with one or more of the following data elements that relate to that state resident:

  • A nontruncated Social Security number.
  • A nontruncated driver license number, enhanced driver license number, state personal identification card number, enhanced state personal identification card number, passport number, military identification number, or other unique identification number issued on a government document that is used to verify the identity of a specific individual.
  • A financial account number.
  • A state resident’s medical or mental history, treatment, or diagnosis issued by a health care professional.
  • A state resident’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the state resident.
  • A username or electronic mail address, in combination with a password, security question and answer, or similar information, that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

All covered entities and third-party agents are required to implement and maintain reasonable security measures designed to protect PII against a breach of security. The legislation lays out a long series of factors covered entities must consider in developing reasonable security measures, including the size of the covered entity and the amount of PII it maintains and processes.

If a covered entity determines that a breach of security has or may have occurred, the covered entity must conduct a good-faith and prompt investigation into the scope and extent of the breach.

If a covered entity determines that a breach has occurred, it must notify state residents whose PII was acquired in the breach, as expeditiously as possible and without unreasonable delay. Notification must occur within 45 days of a determination that a breach has occurred unless law enforcement determines that such notification could interfere with a criminal investigation or national security. Written notice must at least include the following:

  • The date, estimated date, or estimated date range of the breach.
  • A description of the PII acquired by an unauthorized person as part of the breach.
  • A description of the actions taken to restore the security and confidentiality of the PII involved in the breach.
  • A description of steps a state resident can take to protect against identity theft, if the breach creates a risk of identity theft.
  • Contact information that the state resident can use to ask about the breach.

A covered entity may provide substitute notice in lieu of direct notice, if direct notice is not feasible because of excessive cost or lack of contact information. Under the legislation, the cost of direct notification to state residents is considered excessive if it exceeds $250,000 or if notice must be provided to more than 500,000 state residents. Substitute notice must include a conspicuous notice on the covered entity’s website (if it has one) for at least 30 days, and notice in print and broadcast media.

Penalties for Noncompliance with Notification Requirements

A covered entity that fails to comply with the notice requirements set forth in the legislation faces potentially steep fines. Penalties may include a civil fine of not more than $2,000 for each violation, or not more than $5,000 per day for each consecutive day that the covered entity fails to take reasonable action to comply with applicable notice requirements. Aggregate liability for civil fines for multiple violations related to the same security breach shall not exceed $750,000.

This legislation is not yet law, but soon may be. This article touches upon many of the important provisions of the legislation, but there are additional details to be aware of. Businesses and other entities covered by this legislation should take steps to assess their preparedness to comply with the new obligations imposed by these bills. If you have any questions, or require assistance in planning for the implications of this legislation, please contact Fraser Trebilcock shareholder Thad Morgan.

Thaddeus E. Morgan is a shareholder with Fraser Trebilcock and formerly served as President of the firm. Thad is the firm’s Litigation Department Chair and serves as the firm’s State Capital Group voting representative. He can be reached at tmorgan@fraserlawfirm.com or (517) 377-0877.

Filing of Property Transfer Affidavits

Michigan law requires that a Property Transfer Tax Affidavit (“PTA”) be filed with the local assessor (city or township) upon the transfer of ownership of real property. As used in the statute, “transfer of ownership” means the conveyance of title to or a present interest in real property or some personal property. The PTA must be filed within 45 days of the date of transfer.

The penalties for failure to file can be severe. Generally, (i) if the sale price of the property transferred is $100,000,000.00 or less, the penalty is $20.00 per day for each separate failure beginning after the 45 days have elapsed, up to a maximum of $1,000.00 or (ii) if the sale price of the property transferred is more than $100,000,000.00, the penalty is $20,000.00 after the 45 days have elapsed. Note, the statute is complex and each situation needs to be carefully reviewed with your real estate attorney.

Additionally, if the assessor discovers the transfer in a later tax year, the assessor can go back and reassess the property for the three prior years and bill for the difference in the taxes actually paid plus interest and penalties.

In order to protect yourself, you must make sure that you have timely filed the PTA. When filing you should also have a copy time-stamped by the local assessor, so you can prove the PTA was properly and timely filed. The safest way to accomplish this is to hand-file the PTA and ask at that time for the copy to be time-stamped. However, in these days of COVID-19 shutdowns, many assessors’ offices are closed. If this is the case in the applicable jurisdiction, I suggest you utilize either (i) an overnight delivery service or (ii) certified mail, return receipt requested. You should send the original along with a copy to be time-stamped together with a self-addressed, postage-paid envelope and request in your cover letter that the time-stamped copy be returned to you. Utilizing either an overnight delivery service or certified mail, return receipt requested, will provide evidence that you did timely file the PTA.

We have created a response team to the rapidly changing COVID-19 situation and the law and guidance that follows, so we will continue to post any new developments. You can view our COVID-19 Response Page and additional resources by following the link here. In the meantime, if you have any questions, please contact your Fraser Trebilcock attorney.

Norbert T. Madison, Jr. is a highly regarded corporate and real estate attorney with more than three decades of experience. Primarily focused on real estate matters, Norb represents clients in all facets of the practice, including the purchase, sale, leasing, and financing of various types of real estate, as well as the development of industrial, office, retail, condominium and residential real estate. Contact Norb at 313.965.9026 or nmadison@fraserlawfirm.com.

Michigan Court of Appeals Clarifies Athlete Concussion Liability Standards

On November 19, 2020, the Michigan Court of Appeals issued a decision in Randall v. Michigan High Sch. Athletic Association which clarifies the legal risks and obligations coaches and other covered adults face when they suspect a youth athlete has suffered a concussion.

The old playbook: standards were unclear

In 2013, Michigan enacted its concussion protection statute, codified at MCL 333.9156. It established requirements for coaches and other adult participants in organized youth sports events, providing in relevant part:

A coach or other adult employed by, volunteering for, or otherwise acting on behalf of an organizing entity during an athletic event sponsored by or operated under the auspices of the organizing entity shall immediately remove from physical participation in an athletic activity a youth athlete who is suspected of sustaining a concussion during the athletic activity. A youth athlete who has been removed from physical participation in an athletic activity under this subsection shall not return to physical activity until he or she has been evaluated by an appropriate health professional and receives written clearance from that health professional authorizing the youth athlete’s return to physical participation in the athletic activity.

MCL 333.9156

While the law established requirements to follow, it did not explicitly set out any penalties. Since the law’s enactment, most authorities agreed that an injured person could sue non-medical professionals under a common-law negligence theory. Common-law negligence occurs when a person has a legal duty to exercise reasonable care, the person breaches that duty, and the breach “proximately” causes an injury giving rise to damages. Laws such as the concussion awareness law can and do impose legal duties of care on covered adults. Stated plainly, reasonable care is the level of care a reasonably prudent person would take. It is an objective standard, so the decision is up to a judge or jury.

Even with existing common-law negligence theories, the lack of clarity from the statute and the lack of case law to clarify it created uncertainty among many coaches, referees, school administrators, and other adults involved in organized youth sports. For example, it was uncertain whether violating the terms of the statute would automatically put someone on the hook for damages.

How the Randall decision changes the game

In the Randall case, the plaintiff sued the MHSAA and numerous other entities connected to his youth hockey team after he endured two collisions in a game—the second of which came after he allegedly showed signs of a concussion and his coach had put him back in. The plaintiff’s theories of liability were that:

  1. The concussion protection statute created a private cause of action against non-medical professionals, meaning that the plaintiff would not need to prove the covered adult was negligent—and,
  2. In the alternative, a violation of the statute constituted negligence per se—meaning that a covered adult’s violation of the statute would automatically be negligent—and finally,
  3. Failing those two arguments, defendants were liable under a theory of ordinary negligence.

In its November 19 opinion, the Michigan Court of Appeals established that a violation of the statute neither gives rise to a statutory cause of action nor constitutes negligence per se.

“Our Legislature enacted the concussion-protection statute to protect youth athletes from the harmful effects of concussions. In doing so, the Legislature did not create, explicitly or by implication, a private statutory cause of action for violation of the statute. Rather, the statute creates negligence-based duties on the part of coaches and other covered adults, and a violation of the statute can be evidence of actionable negligence.” Randall v. Michigan High Sch. Athletic Ass’n, No. 346135, 2020 WL 6811661, at *12 (Mich. Ct. App. Nov. 19, 2020)

This does not mean that coaches, referees, and other covered adults are free from liability concerns. If the plaintiff can prove that a covered adult violated the statute by failing to pull an athlete suspected of sustaining a concussion, the covered adult will face a rebuttable presumption of negligence. In other words, covered adults who violate the statute are presumed “guilty” of negligence unless they can prove themselves “innocent.” (Note: negligence under this statute is not a crime, but negligence can become criminal if the negligence and resulting injury are serious enough).

Covered adults who face this presumption can avoid liability by proving (by a preponderance of the evidence) that their negligence did not cause an injury giving rise to damages.

It is also important to note that an athlete’s willingness to get back in the game does NOT protect covered adults from liability. The rule is that if covered adults suspect a concussion, they need to pull the athlete from participation until a qualified medical professional determines that they can safely get back in the game.

Play it safe

The best course of action is to follow the statutory requirements and exercise your judgment as a covered adult—whether you are a coach, referee, adult volunteer, or even a school administrator—conservatively. If you suspect a youth athlete might have suffered a head injury, it is likely in everyone’s best interests to play it safe. Remember that common-law negligence uses an objective standard—ultimately, if you run into a negligence suit, a judge or jury who lacks your background and experience in youth sports would decide whether your actions were reasonable. Furthermore—as we all know—in litigation and in life, hindsight is always 20/20.

Still, playing it safe is not always enough. Things can go wrong. If that is the case and you find yourself facing a lawsuit, the attorneys at Fraser Trebilcock are here to help.

Matthew J. Meyerhuber is an associate at Fraser Trebilcock focusing on general litigation, environmental law, and real estate. Matthew can be reached at mmeyerhuber@fraserlawfirm.com or 517.377.0885.