Michigan House and Senate Pass Bills Imposing 45-Day Data Breach Notification Requirement

The Michigan House of Representatives recently voted to approve legislation that will impose a 45-day data breach notice requirement on Michigan businesses. House Bills 4186 and 4187, which were passed on December 16, 2020, will become law if signed by Governor Whitmer. Identical bills were passed by the Michigan Senate on December 10.

Data security is a major concern for many businesses across industries. A report issued by the FBI, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency in October warns of “an increased and imminent cybercrime threat” to businesses, particularly those in the health care sector. Recent revelations of a sophisticated cyberattack on the U.S. government show how vulnerable even the most secure systems are to a breach. This new legislation, if enacted, will impose new obligations on Michigan businesses when a data breach occurs.

Key Provisions of New Legislation

The legislation requires a “covered entity” to provide notice within 45 days to state residents whose “sensitive personally identifying information” (PII) was exposed in a data breach.

A “covered entity” includes an individual or a sole proprietorship, partnership, government entity, corporation, limited liability company, nonprofit, trust, estate, cooperative association, or other business entity that has more than 50 employees and owns or licenses sensitive personally identifying information, or a franchisee of any of the foregoing.

The scope of PII that gives rise to an obligation to notify state residents in the event of a data breach includes a state resident’s first name or first initial, and last name, in combination with one or more of the following data elements that relate to that state resident:

  • A nontruncated Social Security number.
  • A nontruncated driver license number, enhanced driver license number, state personal identification card number, enhanced state personal identification card number, passport number, military identification number, or other unique identification number issued on a government document that is used to verify the identity of a specific individual.
  • A financial account number.
  • A state resident’s medical or mental history, treatment, or diagnosis issued by a health care professional.
  • A state resident’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the state resident.
  • A username or electronic mail address, in combination with a password, security question and answer, or similar information, that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

All covered entities and third-party agents are required to implement and maintain reasonable security measures designed to protect PII against a breach of security. The legislation lays out a long series of factors covered entities must consider in developing reasonable security measures, including the size of the covered entity and the amount of PII it maintains and processes.

If a covered entity determines that a breach of security has or may have occurred, the covered entity must conduct a good-faith and prompt investigation into the scope and extent of the breach.

If a covered entity determines that a breach has occurred, it must notify state residents whose PII was acquired in the breach, as expeditiously as possible and without unreasonable delay. Notification must occur within 45 days of a determination that a breach has occurred unless law enforcement determines that such notification could interfere with a criminal investigation or national security. Written notice must at least include the following:

  • The date, estimated date, or estimated date range of the breach.
  • A description of the PII acquired by an unauthorized person as part of the breach.
  • A description of the actions taken to restore the security and confidentiality of the PII involved in the breach.
  • A description of steps a state resident can take to protect against identity theft, if the breach creates a risk of identity theft.
  • Contact information that the state resident can use to ask about the breach.

A covered entity may provide substitute notice in lieu of direct notice, if direct notice is not feasible because of excessive cost or lack of contact information. Under the legislation, the cost of direct notification to state residents is considered excessive if it exceeds $250,000 or if notice must be provided to more than 500,000 state residents. Substitute notice must include a conspicuous notice on the covered entity’s website (if it has one) for at least 30 days, and notice in print and broadcast media.

Penalties for Noncompliance with Notification Requirements

A covered entity that fails to comply with the notice requirements set forth in the legislation faces potentially steep fines. Penalties may include a civil fine of not more than $2,000 for each violation, or not more than $5,000 per day for each consecutive day that the covered entity fails to take reasonable action to comply with applicable notice requirements. Aggregate liability for civil fines for multiple violations related to the same security breach shall not exceed $750,000.

This legislation is not yet law, but soon may be. This article touches upon many of the important provisions of the legislation, but there are additional details to be aware of. Businesses and other entities covered by this legislation should take steps to assess their preparedness to comply with the new obligations imposed by these bills. If you have any questions, or require assistance in planning for the implications of this legislation, please contact Fraser Trebilcock shareholder Thad Morgan.


Thaddeus E. Morgan is a shareholder with Fraser Trebilcock and formerly served as President of the firm. Thad is the firm’s Litigation Department Chair and serves as the firm’s State Capital Group voting representative. He can be reached at tmorgan@fraserlawfirm.com or (517) 377-0877.

Seven Tips About Data Breach Prevention and Cybersecurity for Small Businesses

We see it in the news regularly. Major corporations like Anthem, eBay, Equifax, Sony Pictures, and Target have all suffered major data security breaches. But these breaches don’t only happen to large organizations. Companies of all sizes are targets. Sometimes, smaller companies are even bigger targets because protections may not be as secure.

So how do businesses of all sizes go about data breach prevention and cyber security? Here are seven tips to strengthen your business against a data breach.

1. Train employees and users on data breach prevention

Human error is to blame for most breaches. The easiest way for a hacker to invade your network is by preying on an employee who doesn’t recognize the risk. Whether through a malware email attachment or by downloading a document from an unreliable source, there is a wide variety of easy phishing attempts that can lead to a data breach. The key to prevention is teaching your employees how to avoid making these common mistakes. Also, include a technology protocol section in your employee handbook where your team can easily access it. This section should cover the proper steps to take to protect your technology, especially anything that could be considered a trade secret or private customer/client information and data.

2. Store customer data in an encrypted database

Another tip for data breach prevention is to use a secure database and encrypt any items containing customer/client information or trade secrets. The encryption process converts that information into unreadable ciphertext, so that anyone who obtains the stored data without the decryption key cannot make use of it. A common example of this process is the one used when you make an online purchase. Once you enter your payment information on an ecommerce website and it has been approved, your information is encrypted before it is stored on the website. When you later go back to the website to make another purchase from your account, your information is ready to use.

3. Improve cybersecurity with two-factor authentication

Two-factor authentication adds an extra layer of protection to logging into a website. After a user inputs the required login and password, an extra step asks the user for another piece of information that only he or she would have. For example, a text message with a one-time code may be sent to the user’s phone, which is tied to the account. Two-factor authentication is especially important for data breach prevention if your business has devices that go in and out of the office, such as tablets or laptops, because a password alone will not protect the accounts on a device that is lost or stolen.

4. Malware detection software on both servers and workstations

Each workstation inside your business, as well as any servers, needs to have malware detection software installed to help with data breach prevention. The detection software prevents malware from being installed. Because malware can be hidden in a variety of file formats, the detection software scans each item to ensure its safety. There are a variety of different software packages available for businesses, depending on the level of security needed.

5. Perform regular vulnerability checks

It’s critical that you perform regular vulnerability checks to minimize the risk and prevent data breaches. For example, it’s important that firewall configurations be reviewed regularly with penetration testing, to make sure only trusted networks are given access. Update schedules may also vary, including for your malware protection software, so confirm that everything is current. There are programs that can run regular checks, or you can look to a third-party IT company for assistance. It’s also important that you continue to test and train employees through simulated phishing emails to ensure they stay vigilant.

6. Require frequent remote data backups

Whether routinely completed on the cloud or on an external hard drive, remote data backups ensure that your data is stored securely. A routine backup allows you to have a reference point if your data is breached in the future. Most backup providers allow you to pick the frequency of the backup, time of day it occurs, and what level of information detail you would like to store.

7. Have a disaster plan ready in case of a data breach

Protecting your business against a data breach is an ongoing process. Under the Michigan Identity Theft Protection Act, in the event of a data breach that is likely to cause harm or result in identity theft, a business must provide a notice of the security breach to each affected Michigan resident, to customers and vendors affected by the breach, and to consumer reporting agencies. Keep in mind that the notifications must be precise and meet certain statutory requirements.

Unfortunately, even with planning, a cyberattack can still happen. Be prepared by having a disaster plan ready, and be sure to include the proper steps for employees to take both during and after an attack. Review the plan as an internal team frequently to ensure that everyone has a clear understanding of timelines and responsibilities. Time is of the essence during a data breach, and having a disaster plan prepared will make that stressful time more efficient.

To learn more, contact an attorney at Fraser Trebilcock at 517.482.5800 or through the contact form on our website.


