Security Breach Notification Law in the State of Michigan

Mich. Comp. Laws §§ 445.63, 445.72 is a data breach notification law that was passed in the U.S. state of Michigan in 2006. While the state of Michigan has passed numerous laws pertaining to data privacy since the year 2006, Mich. Comp. Laws §§ 445.63, 445.72 represent the foremost means by which residents of the state can protect themselves from the adverse consequences of a data breach. With this being said, the law establishes the legal framework that business entities within the state are required to follow should a data breach occur. Moreover, the law also empowers the Michigan state attorney general to impose penalties against entities that fail to comply with the law.

What are the data breach notification requirements under the law?

Under Mich. Comp. Laws §§ 445.63, 445.72, business entities within the state are required to provide notification to all affected parties and residents in the event that a data breach occurs. These notifications must provide affected individuals with information concerning the categories of data that were compromised during the breach, among other pertinent details. However, in contrast to many other states around the U.S., these notifications must be provided to consumers in either written or telephonic form. To this point, written data breach notifications under Mich. Comp. Laws §§ 445.63, 445.72 must provide residents of the state with the following information:

• A description of the data breach, in general terms. This description must be written in a clear and conspicuous manner, and must clearly communicate all content that is required under the law.
• A description of the categories of personal information that was compromised during the breach.
• A general description of what the affected entity has done to remedy the breach, if applicable.
• A telephone number where a notice recipient may obtain assistance or additional information.
• Remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.

What personal information is legally protected under the law?

Under Mich. Comp. Laws §§ 445.63, 445.72, the following categories of personal information are legally protected in the event of a data breach, in combination with a Michigan resident’s first name or first initial and last name:

• Social security numbers.
• Drivers license and state identification card numbers.
• Demand deposit or another financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident’s financial accounts.

In terms of the enforcement of Mich. Comp. Laws §§ 445.63, 445.72, the Michigan attorney general has the authority to impose numerous punishments against business entities within the state that are found to be in violation of the law. Such penalties include a term of imprisonment of up to 30 days and a fine of up $250 for misdemeanor offenses, as well as a term of imprisonment of up to 93 days and a fine of up to $1,000 for more serious offenses. What’s more, the law states that “entities who fail to provide notice may be ordered to pay a civil fine of not more than $250 for each failure to provide notice, capped at $750,000 per security breach. These penalties do not affect the availability of civil remedies under state or federal law.”

Through the enactment of Mich. Comp. Laws §§ 445.63, 445.72 in 2006, residents of the state of Michigan were provided with legal protections as it relates to data and security breach incidents. To this end, in addition to various monetary and criminal penalties that can be imposed by the Michigan attorney general, Mich. Comp. Laws §§ 445.63, 445.72 also provide consumers with the privacy right of action to bring civil liability claims against business entities within the state that fail to comply with the provisions established in the law. As such, residents of Michigan can have the peace of mind that they will have the means to seek justice and compensation should their personal information be compromised during a data breach.