On December 22, 2020 the Michigan legislature presented the Data Breach Notification Act to Governor Whitmer. Although Governor Whitmer pocket vetoed the bill on January 5, 2021, it passed the Senate unanimously and received the support of 93 out of 110 Representatives in the House, indicating it may be just a matter of time before Michigan joins the growing number of states creating or updating cybersecurity and data privacy requirements.
The Data Breach Notification Act would have implemented several substantive changes from Michigan’s Identity Theft Protection Act, including requiring businesses with more than 50 employees to (1) adopt data security measures that reasonably account for business-specific factors, (2) conduct a prompt investigation if a data breach occurred or could have occurred and provide notice to affected Michigan residents of the scope of the breach within 45 days, and (3) provide specific information in these notices.
Reasonable Security Measures
Michigan’s Identity Theft Protection Act currently only requires businesses to provide a notice to potentially impacted Michigan residents if they discover, or are notified, that a harmful data breach has occurred. MCL 445.72(1). They are not required, however, to proactively implement data security policies (although certain practices can allow businesses to avoid the notice requirement, such as encrypting their data). The Data Breach Notification Act, in contrast, would have required businesses to adopt “reasonable security measures designed to protect sensitive personally identifying information against a breach of security.” To be considered “reasonable,” security measures would need to account for the size of the business, the amount of sensitive personally identifying information maintained by the business, and the cost of implementing the security measure.
Specific examples of “reasonable security measures” identified in the Data Breach Notification Act include designating an employee to coordinate the security measures of the business, identifying potential risks of a data breach, adopting information safeguards and routinely assessing their effectiveness, retaining service providers to maintain information safeguards, and routinely evaluating security measures to accommodate changes in circumstances.
Investigate and Notify Victims of a Data Breach
The Identity Theft Protection Act does not explicitly outline any requirements for investigations of data breaches. Rather, it vaguely requires businesses to “act with the care an ordinarily prudent person . . . in like position would exercise under similar circumstances” to determine whether a security breach is likely to cause a Michigan resident to suffer substantial loss, injury, or identity theft. MCL 445.72(3).
The Data Breach Notification Act, however, specifically described the minimum scope of a data breach investigation as (1) assessing the nature and extent of the breach, (2) identifying the sensitive personally identifying information involved and any connected Michigan residents, (3) determining whether there is a reasonable likelihood an unauthorized person acquired sensitive personally identifying information, and (4) implementing measures to restore the security of any compromised systems.
The Identity Theft Protection Act also vaguely requires businesses to provide notice to Michigan residents impacted by a data breach “without unreasonable delay” after determining the scope of the data breach and restoring the reasonable integrity of the database. MCL 445.72(4). The Data Breach Notification Act specifically defined its notification deadline, however, as 45 days after the company determines the scope of the security breach and restores the reasonable integrity of the database.
Required Information in Notices
The Identity Theft Protection Act requires all notices of a data breach to contain (1) a general description of the breach, (2) a general description of any actions the business has taken to prevent future security breaches, (3) a phone number where the recipient can receive assistance or more information, and (4) a reminder to “remain vigilant for incidents of fraud and identity theft.” MCL 445.72(6).
The Data Breach Notification Act would have required a similar notice, but it specified that the notice must contain the estimated date of the security breach and a description of the information acquired in the security breach, as well as a general description of measures individuals can take to protect against identity theft.
The Data Breach Notification Act also contained exceptions for specific circumstances. If the data breach disclosed information that would simply allow the recipient to access an online account, the business would only be required to provide a notice directing the victim to change their login information and the login information of any other accounts using the same login information. If the data breach disclosed information specifically allowing the recipient to access an email account, the business could use a similar notice as long as it is not sent to that email address, or the business verifies that the victim connected to the account from the same IP address or location from which the victim normally accesses the account.
Due to its high level of bipartisan support, businesses may need to comply with the requirements of the Data Breach Notification Act in the near future regardless of Governor Whitmer’s veto (and even Governor Whitmer’s disapproval may have simply been based on the bill’s exemption for financial institutions already subject to federal regulation). In the meantime, it may be wise to become acquainted with its terms and treat its requirements as “best practices” for protecting your sensitive data and complying with Michigan’s current Identity Theft Protection Act. If you are concerned about complying with data privacy and cybersecurity laws, the knowledgeable attorneys at Gielow Groom Terpstra & McEvoy in Muskegon can help you address these and other modern legal challenges facing your business.