Information Covered / Important Definitions
Personal information of Michigan residents.
“Security Breach” means unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a covered entity as part of a database of personal information regarding multiple individuals.
“Encrypted” means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing information by another method that renders the data elements unreadable or unusable.
“Redact” means to alter or truncate data so that no more than four sequential digits of a driver license number, state personal identification card number, or account number, or no more than five sequential digits of a social security number, are accessible as part of personal information.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or legal entity that owns or licenses personal information that is included in a database.
Third party recipients:
A covered entity that maintains a database that includes data it does not own or license must notify the owner or licensor of the information of a security breach, unless the covered entity determines that the breach has not caused, and is not likely to cause, substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents.
Notice Procedures & Timing / Other Obligations
Written, electronic, or telephonic notice must be provided to victims of a security breach without unreasonable delay. Notification may be delayed if a law enforcement agency determines that notification will impede a criminal or civil investigation or jeopardize homeland or national security. Once the law enforcement agency authorizes notification, it must occur without unreasonable delay.
- Notice to affected residents is required to contain specific content described in the statute.
- Covered entities may deliver notice pursuant to an agreement with another covered entity, if the agreement does not conflict with the Michigan statute.
- Substitute notice is available by the means prescribed in the statute if the cost of providing notice would exceed $250,000 or the affected class exceeds 500,000 persons.
- Notification is not required if the covered entity determines that breach has not or is not likely to cause substantial loss or injury to, or result in, identity theft with respect to, one or more Michigan residents. In making this determination, a covered entity must act with the care an ordinarily prudent person in like position would exercise under similar circumstances.
Any covered entity that must notify more than 1,000 residents at one time of a security breach is also required to notify consumer reporting agencies of the security breach without unreasonable delay (unless subject to GLBA).
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted and the encryption key was not compromised.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity in the course of their activities for the covered entity, so long as the employee or agent does not misuse the personal information or disclose it to an unauthorized person.
Financial institutions that are subject to and comply with notification procedures from an appropriate regulator are exempt from Michigan statute.
A covered entity that is subject to and complies with HIPAA is exempt from Michigan statute.
Notification to Regulator / Waiver
A determination of no likelihood of harm:
Does not require notification to attorney general for individuals or commercial entities.
A waiver of the statute is void and unenforceable.
Civil penalty for failure to provide notice of not more than $250 for each failure to provide notice, capped at $750,000 per security breach.
Penalties do not affect availability of civil remedies under state or federal law.
Criminal penalties for notice of a security breach that has not occurred, where such notice is given with the intent to defraud. Misdemeanor – 93 days imprisonment or fine of $250 (or both) for each violation (penalties escalate with more violations).
Private Cause of Action / Enforcement
Private Cause of Action: No.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.