The Michigan House of Representatives recently voted to approve legislation that will impose a 45-day data breach notice requirement on Michigan businesses. House Bills 4186 and 4187, which were passed on December 16, 2020, will become law if signed by Governor Whitmer. Identical bills were passed by the Michigan Senate on December 10.
Data security is a major concern for many businesses across industries. A report issued by the FBI, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency in October warns of “an increased and imminent cybercrime threat” to businesses, particularly those in the health care sector. Recent revelations of a sophisticated cyberattack on the U.S. government shows how vulnerable even the most secure systems are to a breach. This new legislation, if enacted, will impose new obligations on Michigan businesses when a data breach occurs.
Key Provisions of New Legislation
The legislation requires a “covered entity” to provide notice within 45 days to state residents whose “sensitive personally identifying information” (PII) was exposed in a data breach.
A “covered entity” includes an individual or a sole proprietorship, partnership, government entity, corporation, limited liability company, nonprofit, trust, estate, cooperative association, or other business entity, that has more than 50 employees and owns or licenses sensitive personally identifying information, or a franchisee of any of the foregoing.
The scope of PII that gives rise to an obligation to notify state residents in the event of a data breach includes a state resident’s first name or first initial, and last name, in combination with one or more of the following data elements that relate to that state resident:
- A nontruncated Social Security number.
- A nontruncated driver license number, enhanced driver license number, state personal identification card number, enhanced state personal identification card number, passport number, military identification number, or other unique identification number issued on a government document that is used to verify the identity of a specific individual.
- A financial account number.
- A state resident’s medical or mental history, treatment, or diagnosis issued by a health care professional.
- A state resident’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the state resident.
- A username or electronic mail address, in combination with a password, security question and answer, or similar information, that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
All covered entities and third-party agents are required to implement and maintain reasonable security measures designed to protect PII against a breach of security. The legislation lays out a long series of factors covered entities must consider in developing reasonable security measures, including the size of the covered entity and the amount of PII it maintains and processes.
If a covered entity determines that a breach of security has or may have occurred, the covered entity must conduct a good-faith and prompt investigation into the scope and extent of the breach.
If a covered entity determines that a breach has occurred, it must notify state residents whose PII was acquired in the breach, as expeditiously as possible and without unreasonable delay. Notification must occur within 45 days of a determination that a breach has occurred unless law enforcement determines that such notification could interfere with a criminal investigation or national security. Written notice must at least include the following:
- The date, estimated date, or estimated date range of the breach.
- A description of the PII acquired by an unauthorized person as part of the breach.
- A description of the actions taken to restore the security and confidentiality of the PII involved in the breach.
- A description of steps a state resident can take to protect against identity theft, if the breach creates a risk of identity theft.
- Contact information that the state resident can use to ask about the breach.
A covered entity may provide substitute notice in lieu of direct notice, if direct notice is not feasible because of excessive cost or lack of contact information. Under the legislation, the cost of direct notification to state residents is considered excessive if it exceeds $250,000 or if notice must be provided to more than 500,000 state residents. Substitute notice must include a conspicuous notice on the covered entity’s website (if it has one) for at least 30 days, and notice in print and broadcast media.
Penalties for Noncompliance with Notification Requirements
A covered entity that fails to comply with the notice requirements set forth in the legislation faces potentially steep fines. Penalties may include a civil fine of not more than $2,000 for each violation, or not more than $5,000 per day for each consecutive day that the covered entity fails to take reasonable action to comply with applicable notice requirements. Aggregate liability for civil fines for multiple violations related to the same security breach shall not exceed $750,000.
This legislation is not yet law, but soon may be. This article touches upon many of the important provisions of the legislation, but there are additional details to be aware of. Businesses and other entities covered by this legislation should take steps to assess their preparedness to comply with the new obligations imposed by these bills. If you have any questions, or require assistance in planning for the implications of this legislation, please contact Fraser Trebilcock shareholder Thad Morgan.
Thaddeus E. Morgan is a shareholder with Fraser Trebilcock and formerly served as President of the firm. Thad is the firm’s Litigation Department Chair and serves as the firm’s State Capital Group voting representative. He can be reached at firstname.lastname@example.org or (517) 377-0877.