Michigan House and Senate Pass Bills Imposing 45-Day Data Breach Notification Requirement

The Michigan House of Representatives recently voted to approve legislation that will impose a 45-day data breach notice requirement on Michigan businesses. House Bills 4186 and 4187, which were passed on December 16, 2020, will become law if signed by Governor Whitmer. Identical bills were passed by the Michigan Senate on December 10.

Data security is a major concern for many businesses across industries. A report issued by the FBI, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency in October warns of “an increased and imminent cybercrime threat” to businesses, particularly those in the health care sector. Recent revelations of a sophisticated cyberattack on the U.S. government show how vulnerable even the most secure systems are to a breach. This new legislation, if enacted, will impose new obligations on Michigan businesses when a data breach occurs.

Key Provisions of New Legislation

The legislation requires a “covered entity” to provide notice within 45 days to state residents whose “sensitive personally identifying information” (PII) was exposed in a data breach.

A “covered entity” includes an individual or a sole proprietorship, partnership, government entity, corporation, limited liability company, nonprofit, trust, estate, cooperative association, or other business entity, that has more than 50 employees and owns or licenses sensitive personally identifying information, or a franchisee of any of the foregoing.

The scope of PII that gives rise to an obligation to notify state residents in the event of a data breach includes a state resident’s first name or first initial, and last name, in combination with one or more of the following data elements that relate to that state resident:

  • A nontruncated Social Security number.
  • A nontruncated driver license number, enhanced driver license number, state personal identification card number, enhanced state personal identification card number, passport number, military identification number, or other unique identification number issued on a government document that is used to verify the identity of a specific individual.
  • A financial account number.
  • A state resident’s medical or mental history, treatment, or diagnosis issued by a health care professional.
  • A state resident’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the state resident.
  • A username or electronic mail address, in combination with a password, security question and answer, or similar information, that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

All covered entities and third-party agents are required to implement and maintain reasonable security measures designed to protect PII against a breach of security. The legislation lays out a long series of factors covered entities must consider in developing reasonable security measures, including the size of the covered entity and the amount of PII it maintains and processes.

If a covered entity determines that a breach of security has or may have occurred, the covered entity must conduct a good-faith and prompt investigation into the scope and extent of the breach.

If a covered entity determines that a breach has occurred, it must notify state residents whose PII was acquired in the breach, as expeditiously as possible and without unreasonable delay. Notification must occur within 45 days of a determination that a breach has occurred unless law enforcement determines that such notification could interfere with a criminal investigation or national security. Written notice must at least include the following:

  • The date, estimated date, or estimated date range of the breach.
  • A description of the PII acquired by an unauthorized person as part of the breach.
  • A description of the actions taken to restore the security and confidentiality of the PII involved in the breach.
  • A description of steps a state resident can take to protect against identity theft, if the breach creates a risk of identity theft.
  • Contact information that the state resident can use to ask about the breach.

A covered entity may provide substitute notice in lieu of direct notice, if direct notice is not feasible because of excessive cost or lack of contact information. Under the legislation, the cost of direct notification to state residents is considered excessive if it exceeds $250,000 or if notice must be provided to more than 500,000 state residents. Substitute notice must include a conspicuous notice on the covered entity’s website (if it has one) for at least 30 days, and notice in print and broadcast media.

Penalties for Noncompliance with Notification Requirements

A covered entity that fails to comply with the notice requirements set forth in the legislation faces potentially steep fines. Penalties may include a civil fine of not more than $2,000 for each violation, or not more than $5,000 per day for each consecutive day that the covered entity fails to take reasonable action to comply with applicable notice requirements. Aggregate liability for civil fines for multiple violations related to the same security breach shall not exceed $750,000.

This legislation is not yet law, but soon may be. This article touches upon many of the important provisions of the legislation, but there are additional details to be aware of. Businesses and other entities covered by this legislation should take steps to assess their preparedness to comply with the new obligations imposed by these bills. If you have any questions, or require assistance in planning for the implications of this legislation, please contact Fraser Trebilcock shareholder Thad Morgan.


Thaddeus E. Morgan is a shareholder with Fraser Trebilcock and formerly served as President of the firm. Thad is the firm’s Litigation Department Chair and serves as the firm’s State Capital Group voting representative. He can be reached at tmorgan@fraserlawfirm.com or (517) 377-0877.

Seven Tips About Data Breach Prevention and Cybersecurity for Small Businesses

We see it in the news regularly. Major corporations like Anthem, eBay, Equifax, Sony Pictures, and Target have all suffered major data security breaches. But these breaches don’t only happen to large organizations. Companies of all sizes are targets. Sometimes, smaller companies are even bigger targets because protections may not be as secure.

So how do businesses of all sizes go about data breach prevention and cyber security? Here are seven tips to strengthen your business against a data breach.

1. Train employees and users on data breach prevention

Human error is behind most breaches. The easiest way for a hacker to invade your network is by preying on an employee who doesn’t recognize the risk. Whether through a malware email attachment or by downloading a document from an unreliable source, there is a wide variety of simple phishing attempts that can lead to a data breach. The key to prevention is teaching your employees how to avoid making these common mistakes. Also, include a technology protocol section in your employee handbook where your team can easily access it. This section should cover the proper steps to take to protect your technology, especially anything that could be considered a trade secret or private customer/client information and data.

2. Store customer data in an encrypted database

Another tip for data breach prevention is to use a secure database and encrypt any items containing customer/client information or trade secrets. Encryption converts that information into an unreadable form that can only be restored with the proper key, which prevents unauthorized access even if the stored data is copied. A common example of this process is the one used when you make an online purchase. Once you enter your payment information on an ecommerce website and it has been approved, your information is encrypted before it is stored on the website. When you later go back to the website to make another purchase from your account, your information is ready to use.

3. Improve cybersecurity with two-factor authentication

Two-factor authentication adds an extra layer of protection to logging into a website. After a user inputs the required login and password, an extra step asks the user for another piece of information that only he or she would have. For example, a text message with a one-time code may be sent to the user’s phone, which is tied to the account. Two-factor authentication is especially important for data breach prevention if your business has devices that go in and out of the office, such as tablets or laptops, because it keeps accounts secure in the event a device is lost or stolen.

4. Malware detection software on both servers and workstations

Each workstation inside your business, as well as any servers, needs to have malware detection software installed to help with data breach prevention. The detection software helps prevent malware from being installed. Because malware can be hidden in a variety of file formats, the detection software scans each item to ensure its safety. There are a variety of different software packages available for businesses, depending on the level of security needed.

5. Perform regular vulnerability checks

It’s critical that you perform regular vulnerability checks to minimize the risk and prevent data breaches. For example, it’s important that firewall configurations be reviewed regularly with penetration testing, to make sure only trusted networks are given access. Update schedules also vary between malware protection products, so confirm that yours is kept current. There are programs that can run regular checks, or you can look to a third-party IT company for assistance. It’s also important that you continue to test and train employees through simulated phishing emails to ensure they stay vigilant.

6. Require frequent remote data backups

Whether routinely completed in the cloud or on an external hard drive, remote data backups ensure that a copy of your data is stored securely away from your primary systems. A routine backup gives you a known-good reference point to restore from if your data is breached in the future. Most backup providers allow you to pick the frequency of the backup, the time of day it occurs, and what level of detail you would like to store.

7. Have a disaster plan ready in case of a data breach

Protecting your business against a data breach is an ongoing process. Under the Michigan Identity Theft Protection Act, in the event of a data breach that is likely to cause harm or result in identity theft, a business must provide a notice of the security breach to each affected Michigan resident, to customers and vendors affected by the breach, and to consumer reporting agencies. Keep in mind, the notifications must be precise and meet certain statutory requirements.

Unfortunately, even with planning, a cyberattack can still happen. Be prepared by having a disaster plan ready, and be sure to include the proper steps for employees to take both during and after an attack. Review the plan as an internal team frequently to ensure that everyone has a clear understanding of timelines and responsibilities. Time is of the essence during a data breach, and having a disaster plan prepared will make that stressful time more efficient.

To learn more, contact an attorney at Fraser Trebilcock at 517.482.5800.




Top Trends in Business Law that You Need to Know for 2017

Macy’s and Kmart are each closing a Lansing location – but did you know that retail spending is up?

It’s easier than ever to collect customer data, but business owners beware: you need to protect that data or you could be on the hook for a breach.

And, get ready, driverless cars are definitely coming – and sooner than you might think!

In what has quickly grown into one of the most popular presentations in the Lansing Regional Chamber’s Small Business Education Series, Fraser Trebilcock business attorney Mark Kellogg joined a panel of experts for a rapid-fire session on top business trends for the coming year.

“Business owners are busy enough running their businesses,” said Tom Donaldson, Regional Director of the Capital Area for the Small Business Development Center. “It’s hard to keep up with everything going on in the world, too.”

To give business owners a snapshot of what’s happening now and what’s to come in 2017, area experts provided: a look at legal and business changes, financial forecasting, technology trends, a public policy preview, and what’s on the horizon in marketing for small businesses.

Administrative Law & Regulatory Changes

As with any changes in leadership on Capitol Hill, small business owners can anticipate a number of administrative law and regulatory changes ahead in 2017. Attorney Mark Kellogg said that while President Trump has not discussed his plans in detail, the President has said that he will “unburden” small business owners.

What exactly does this mean? From changes to labor and employment laws to key legislation like the Affordable Care Act (ACA), Mark said the only certainty we have is that change is coming.

Health Care Reform 2.0

Top of mind for many is health care reform. In January, President Trump signed an executive order titled, “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal”. Then, just last week, Republicans in Congress introduced the “American Health Care Reform Act of 2017” to overhaul the Affordable Care Act. The bill rolls back some of the ACA’s taxes, replaces insurance subsidies with tax credits, and makes big changes to Medicaid.

As the legislation evolves, Mark urged business owners to keep an eye on possible mandate changes, as the new administration modifies the Affordable Care Act. Updates are posted to our Fraser Trebilcock Employee Benefits Blog.

Employee Overtime Rules

Changes once anticipated to labor and employment laws under the previous administration may now be off the table. For instance, the rules that would have made more workers eligible for overtime are now likely to disappear altogether, said Mark. If the new administration decides to move forward with the change, he said the rules will likely be altered to include a lower salary cap than the original $47,476. This is something that our labor and employment attorneys will be watching closely.

Two-for-One Regulation Repeal

Another major change coming out of Washington is a change to the process of how regulations are enacted. Under an executive order issued by President Trump, for every new regulation put into place, two old regulations must be repealed.

Attorney Mark Kellogg said this could have a big impact on emerging markets, such as drone rules and regulations. This is an area, he said, which will likely need more regulations as the technology evolves. However, in order to create these potential new regulations, the Federal Aviation Administration would need to repeal other rules.

Sick Leave Requirements

In the state of Michigan, changes to employee sick leave are also under consideration. Michigan lawmakers are debating a requirement for employers to give employees paid time off for sick leave. This could be especially critical for small business owners, Mark said. He shared that as a franchise owner himself, he will be watching this legislation closely as it develops in Lansing. With the current makeup of the State Legislature, this type of legislation may be difficult to advance at this time.

Business Succession & Sales

Expect to see more businesses for sale in 2017.

“10,000 people a day in the U.S. are turning 65,” said Mark, and as baby boomer business owners retire, we are finding that many do not have succession plans in place. Mark said that he has closed on three business sales transactions in just the last month and a half, a trend he expects to continue. He elaborates further in a recent article.

Data Security

Data breach incidents continue to make headlines, and unfortunately this is a trend not likely to go away in 2017. Any company that stores sensitive information, like customer credit card data, driver’s license numbers, or Social Security numbers, is susceptible to theft. Mark explained that it’s important to have a plan in place in case that data is compromised. Michigan has specific breach notification requirements under Michigan’s Identity Theft Protection Act that all businesses, regardless of size, must follow. These steps are outlined for you in a recent blog post.

Marketing Tips

Despite the security considerations, data collection is more important now than ever, added panelist Amanda Stitt of Change Media Group. Collecting and using data about customers enables more personalized marketing, she explained. For example, companies can create ads that target returning customers and then use data to make sure only returning customers will see that ad. If you have ever put something in your online shopping cart and decided not to buy it, then been haunted by advertisements for that product elsewhere online, you have experienced this kind of targeted advertising. She said that messaging has to be more authentic and demonstrate the values of the company, pointing to the 2017 Super Bowl ads as examples. And, if you’re a fan of long-form writing, you’re in luck. Amanda said we will see a resurgence in longer videos, news articles, and even social media posts.

Public Policy Preview

Public Sector Consulting’s Chief Executive Officer Jeff Williams gave a deeper dive into upcoming public policy changes. This year, watch for major changes to come out of Washington. In the last several decades, he explained, we have seen the executive branch of government take more power; expect the legislative and judicial branches to respond with a push for a more equal division.

Next year, he believes the biggest changes for Michigan business owners will happen at the state and local levels. The state will elect a new governor, lieutenant governor, attorney general, and many new legislators, while Lansing will elect a new mayor. No matter where on the political spectrum you fall, Jeff said, it’s going to be a wild two years for all of us.

Technology: Protection is Key

Changes in technology have historically driven the evolution of business. Personal computers and the internet have forced most companies to move online, to change marketing and business strategies, and more. Now, according to Matt Scott of Dewpoint, business will begin driving changes in technology. As companies face the need to get more work done faster, more accurately, and at a lower cost, we can expect to see the tech sector working to create the products needed to make that possible.

Companies are also evolving the way they seek to solve problems. Matt believes that in 2017, more companies will look to outside tech experts to tell them how to develop new strategies, and to demonstrate what tech tools are needed to accomplish new goals. In that same vein, more businesses are looking to outsource complicated IT problems to technology specialists, instead of relying on in-house IT employees. All of these changes in technology will require small business owners to become more and more invested in technology.

Optimistic Economic Outlook

Fifth Third Bank Vice President Tom Ruis says there is a lot to be optimistic about with our current economy. Consumer confidence is up, as are retail sales and the stock market. What about big box stores closing locations? That’s all a part of the growth in online sales instead of the traditional storefront, he said, so don’t let it trick you into thinking that retail sales are down.

Tax reform that would reduce income taxes could help consumer spending increase even more, Tom said. Interest rates will probably increase slightly over the next year, and loans will get a little more expensive, he said, but he doesn’t think it will have a dramatic impact on small businesses.

One exciting innovation that’s closer to your driveway than you might think – self-driving cars.

“If you just bought a car, your next car will be almost fully automated in terms of parking and other features,” Tom said. He says virtual reality is making it much easier for automotive companies to test self-driving technology, and that will make road-ready versions available sooner than you might think. “Overall, this is a very positive, exciting time.”


Fraser Trebilcock is proud to co-sponsor the Business Education Series, along with Fifth-Third Bank. Programs are free for members of the Lansing Regional Chamber of Commerce.


Fraser Trebilcock Attorney Mark E. Kellogg

Attorney Mark E. Kellogg has devoted his nearly 30 years of practice to the needs of family and closely-held businesses and enterprises, business succession, and estate planning. In addition, Mark is a certified public accountant. Contact Mark at 517.377.0890 or mkellogg@fraserlawfirm.com.

Your IT Technician Has Just Informed You That Your Business Has Suffered a Data Security Breach… Now What Should You Do?

Data breach incidents continue to make headlines. The Yahoo data security breach—affecting more than one billion accounts—announced late last year is a recent example. Data security breaches affect companies of all sizes, and any company that maintains an electronically stored database containing personal information—such as credit card numbers, driver’s license numbers, or Social Security numbers—is susceptible to data security breach and identity theft.

If you have been informed that your business has been the victim of a data security breach, you will need to follow the breach notification requirements in Michigan’s Identity Theft Protection Act (the “Act”). This blog will provide an outline of the steps you should consider if your business has suffered a data security breach.

Step 1: Determine the extent of the breach and what harm may result from the breach.

Under the Act, a business that discovers a security breach of personal information must provide a notice of the security breach to each affected Michigan resident, unless the business can establish that the security breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents. Personal information means the first initial or name and last name of a Michigan resident linked to one of the following elements: i) Social Security number; ii) driver’s license or state identification card number; or iii) bank account or credit card number combined with an access code that would permit access to any of the financial accounts.

In order to determine whether a security breach is likely to cause injury to, or result in loss or identity theft to a Michigan resident, the Act requires that a business must act with the care that an ordinarily prudent person in like position would exercise under similar circumstances. In other words, once you have determined that a security breach has occurred, you should immediately begin a thorough, reasonable investigation into the security breach before concluding that harm is unlikely.

Step 2: You have determined that a breach has occurred. How should you notify your customer or contacts?

Once you have determined that a data breach has occurred, you will need to provide notice to customers and vendors affected by the breach. The form of notice you must give—written, electronic written, phone, or substitute notice—is largely determined by the relationship between you and your customers and vendors—the intended recipients of the notice.

Written notice. The most common and simplest form of notice you may use is written notification sent to the recipient’s postal address on file in your records.

Email notice. The written notice may be sent in electronic format if you can show any of the following three requirements: 1) the recipient has expressly consented to receive electronic notice; or 2) you conduct your business primarily through the internet; or 3) you have an existing relationship with the recipient that includes electronic mail communications, and, as a result of those communications, you reasonably believe you have the recipient’s current electronic mail address. MCL 445.72(5)(b)(i-iii).

Phone notice. If not prohibited by state or federal law, you may make notification by phone if the following two requirements are met: 1) the notice is not given in whole or in part by recorded message, and 2) the recipient has expressly consented to receive notice by phone, or, if the recipient has not expressly consented, you also provide written or electronic written notice if the notice by phone does not result in a live conversation between you and the recipient within 3 business days after the initial attempt at phone notification.

Substitute notice. If you determine that the cost of providing notice as described above exceeds $250,000.00 or that the notice must be provided to more than 500,000 residents of Michigan, you may provide substitute notice by doing all of the following: 1) providing electronic notice to all residents for whom you have an electronic mail address; 2) if you have a website, conspicuously posting the notice on that website; and 3) notifying statewide media, which must include a telephone number or website address that an individual may use to obtain additional information and assistance.

Step 3: You have identified recipients that require notification and have obtained their contact information. What information should the notification contain?

Any notifications you send out must meet all of the following requirements: 1) The notice must be written in a clear and conspicuous manner or clearly communicated; 2) You must describe the security breach in general terms; 3) You must describe the personal information that is subject to the breach; 4) If applicable, describe in general terms what you have done to protect the recipient’s data from further security breaches; 5) Include a telephone number where a notice recipient may obtain additional information or assistance; and 6) Remind notice recipients of the need to remain vigilant for incidents of identity theft and fraud.

Step 4: You have notified affected customers and vendors of the data breach. Do you have to meet any additional notice requirements?

After you have provided notice to individual recipients, you must also notify consumer reporting agencies of the breach without unreasonable delay. The notice you provide to consumer reporting agencies, which are defined in 15 USC 1682a(p), must include the number of notices that you have provided to residents of Michigan as well as the timing of those notices.

In some limited circumstances you may not be required to notify consumer reporting agencies of the data breach. Notification to consumer reporting agencies is not required if: 1) the breach affected 1,000 or fewer residents of Michigan, or 2) your business is a financial institution subject to Title V of the Gramm-Leach-Bliley Act (governing treatment of nonpublic personal information about consumers by financial institutions).

Limited exceptions to the notification requirements through compliance with federal regulations.

The Act carves out limited exceptions to the notification requirements for certain businesses complying with specific federal regulations. For example, a financial institution with notification procedures in place that are subject to interagency guidance prescribed by the Federal Reserve System and other federal bank and thrift regulatory agencies is considered to be in compliance with the Act. Similarly, a business that is subject to, and complies with, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its attendant regulations is considered to be in compliance with the Act.

Penalties for failing to provide notification of a data security breach.

If you do not provide the notification required by the Act, the attorney general or a prosecuting attorney may seek a civil fine of not more than $250.00 for each failure to provide notice. The aggregate liability for multiple violations of the statute cannot exceed $750,000.00 for the same security breach.

Conclusion

Michigan’s Identity Theft Protection Act is complex, and the consequences of failing to comply with the statute’s notification requirements can be significant.

This article is a brief summary of a law. Readers should not rely on the contents of this article as it is not legal advice. Anyone affected by the law should seek competent counsel. To find out more about the laws concerning data breaches, contact Fraser Trebilcock at 517.482.5800.