Michigan data breach law requires a response to a data breach involving a Michigan resident. Specifically, MCL 445.72 contains important provisions to determine whether you are subject to Michigan law, and if so, the proper response.
Am I Subject To The Michigan Data Breach Law?
- Do you own or license data included in a database?
- Was a Michigan resident’s unencrypted and un-redacted personal information accessed and acquired by an unauthorized person?
If you answer yes to both questions above, you are required to comply with Michigan law. This holds even if you are not located in Michigan. Some exceptions exist and are explained below.
What is Personal Information?
Michigan data breach law defines “personal information” as the “first name or first initial and last name” linked with one or more of the following: social security number; driver license number or state personal identification card number; or a financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the resident’s financial accounts.
Is there an Encryption Exception?
Yes. Michigan’s data breach law is only triggered by the unauthorized access and acquisition of unencrypted and unredacted personal information. Michigan law defines encryption as:
transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing information by another method that renders the data elements unreadable or unusable.
This encryption safe harbor can save a company the added time and expense of responding under Michigan law. But to rely on it, you must understand the breach you suffered, the encryption measures that were actually in place for the affected data, and whether the intruder obtained not only the encrypted data but also the key or confidential process needed to read it. Encrypted data taken together with its key is, for practical purposes, unencrypted.
When Do I Need to Notify Michigan Residents of my Data Breach?
Michigan law requires you to provide notice without “unreasonable delay.” Two circumstances permit a delay, and one removes the duty to notify altogether:
- notice may be delayed while you take reasonable measures to determine the scope of the breach and restore the integrity of the database;
- notice may be delayed if law enforcement determines and advises you that it would impede a criminal or civil investigation or jeopardize homeland or national security;
- notice is not required if you determine that the breach has not caused, and is not likely to cause, substantial loss or injury to, or result in identity theft with respect to, Michigan residents.
How Do I Notify Michigan Residents of a Data Breach?
Michigan data breach law requires notification by postal mail or email. Email is sufficient if the recipient has expressly consented to receive electronic notice, if you have an existing business relationship with the recipient that includes periodic emails and you reasonably believe you have the recipient’s current email address, or if you conduct your business “primarily through internet account transactions or on the internet.” Michigan law also permits telephone notice, subject to certain conditions.
For large data breaches, specifically where the cost of providing notice would exceed $250,000 or notice would have to be sent to more than 500,000 residents, substitute notice is permitted.
What Does the Notice Need to Include?
When drafting the notice, Michigan data breach law requires that you:
- Describe the security breach in general terms;
- Describe the type of personal information that is the subject of the unauthorized access or use;
- If applicable, generally describe what you have done to protect the data from further security breaches;
- Include a telephone number where a notice recipient may obtain assistance or additional information;
- Remind notice recipients to remain vigilant for incidents of fraud and identity theft.
Do I Need to Notify Anyone Else of the Data Breach?
If the breach requires notice to more than 1,000 Michigan residents, Michigan law also requires you to notify, without unreasonable delay, each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the breach.
What Are the Penalties For Failing to Provide Notice?
MCL 445.72(13) provides that a person who knowingly fails to provide notice of a security breach may be ordered to pay a civil fine of not more than $250 for each failure to provide notice. Because each affected resident is a separate failure, the fines can add up quickly, but the aggregate civil fine for multiple violations arising from the same security breach is capped at $750,000.
Talk to a Data Breach Lawyer
If you have suffered a data breach involving the personal information of Michigan residents, you likely must comply with Michigan’s data breach notification law. If you have concerns about your exposure or have received notice that a breach has occurred affecting your website, contact the experienced data breach attorneys at Revision Legal. Civil fines are available in some states for a failure to expeditiously notify those affected by breaches, so if a breach has occurred, you need the legal team from Revision Legal in your corner today. Contact us using the form on this page or call us at 855-473-8474.
Photo credit: Flickr user rexp2