IDENTITY THEFT PROTECTION; MODIFY S.B. 888-892:
SUMMARY OF INTRODUCED BILL
IN COMMITTEE
Senate Bills 888 through 892 (as introduced 5-30-24)
Sponsor: Senator Rosemary Bayer
Committee: Finance, Insurance, and Consumer Protection
Date Completed: 10-8-24
INTRODUCTION
Generally, Senate Bill 888 would require private and State entities that had access to State
residents' personal information to maintain security procedures for the protection of that
information. These procedures would include the assignment of a security coordinator and
the implementation of appropriate safeguards to protect the information, among other things.
In the case of a security breach, the bill would require an entity to notify affected residents
and provide specific information concerning consumer protections and actions taken to rectify
the breach. If a breach affected more than 100 residents, the entity would have to notify the
Attorney General. The bill would prescribe civil fines for failing to comply with the bill's
requirements. Senate Bills 889 through 892 would modify Michigan Compiled Laws (MCL)
references in various acts in accordance with Senate Bill 888's proposed changes.
FISCAL IMPACT
Senate Bill 888 could have a positive fiscal impact on the State and local units of government.
The bill would impose civil fines ranging from a low of $250 up to a maximum fine of $750,000.
Revenue collected from civil fines is used to support local libraries. Additionally, $10 of the
civil fine would be deposited into the State Justice System Fund. This Fund supports justice-
related activities across State government in the Departments of Corrections, Health and
Human Services, State Police, and Treasury. The Fund also supports justice-related issues in
the Legislative Retirement System and the Judiciary. The amount of revenue to the State or
for libraries is indeterminate and dependent on the number of violations and fines imposed.
The bills would enhance notice requirements for private and public entities, including State
departments and educational institutions, whenever a data breach was discovered.
Depending on the size of the data breach and how many residents were affected, these notice
requirements could have a significant, though indeterminate, fiscal impact on State agencies.
The bills also would enhance security procedures for State agencies that housed or accessed
personal information. Per the language of the bill, these security enhancements could vary
based on the amount of personal information used or stored by a particular State agency.
State departments and education institutions could have increased costs to meet these
requirements, but those costs are indeterminate.
The bills would empower the Attorney General to investigate and prosecute data breach
violations and provide for voluntary payments to offset the costs of investigation and attorney
fees. While this would offset many costs, it is possible the Attorney General would require
additional appropriations and full-time equivalents to pursue data breach violations,
depending on the volume of investigations and prosecutions sought.
MCL 445.75 et al. (S.B. 888); 487.2142 (S.B. 889); 750.159g (S.B. 890); 8.9 (S.B. 891); 762.10c (S.B. 892)
Legislative Analyst: Nathan Leaman
Fiscal Analyst: Joe Carrasco, Jr.; Michael Siracuse
Page 1 of 8 888/2324
CONTENT
Senate Bill 888 would amend the Identity Theft Protection Act to do the following:
-- Expand the Act’s definition of personal information, as protected under the Act.
-- Require a person or an agency that owned, possessed, collected, or accessed
personal information to implement and maintain reasonable security procedures
to protect and safeguard personal information from unlawful use.
-- Prescribe the security procedures required and how to determine their
reasonableness.
-- Require a person or an agency that owned or licensed data that was included in
a database that discovered a security breach or received notice of a security
breach to provide a notice to those affected, and if more than 100 residents were
affected, require the person or agency to provide a notice to the Attorney
General.
-- Prescribe the information that the notices would have to contain.
-- Prescribe actions that the Attorney General could take to remedy violations of
the Act, including executing an assurance of discontinuance, serving a written
demand to a suspected person or agency, and bringing a civil action against a
person or agency that could result in civil fines.
Senate Bill 889 would amend the Deferred Presentment Service Transactions Act to
modify an MCL reference to the Identity Theft Protection Act.
Senate Bill 890 would amend the Michigan Penal Code to modify an MCL reference
to the Identity Theft Protection Act.
Senate Bill 891 would amend the Revised Statutes of 1846 to modify an MCL
reference to the Identity Theft Protection Act.
Senate Bill 892 would amend the Code of Criminal Procedure to modify an MCL
reference to the Identity Theft Protection Act.
Senate Bills 889 through 892 are tie-barred to Senate Bill 888, which is described in greater
detail below.
Definitions
"Data" currently means computerized personal information. The bill would include in the
definition personal information contained in any other medium.
"Personal information" means the first name or first initial and last name linked to one or
more of the following data elements of a State resident: 1) a Social Security number; 2) a
driver license number or a State personal identification number; 3) a demand deposit or other
financial account information. Under the bill, the term also would include the following:
-- A passport number or other unique identification number issued on a government
document that is used to verify the identity of an individual.
-- Any medical records or information.
-- A health insurance policy number or subscriber identification number and any unique
identifier used by a health insurer to identify an individual.
-- A username or email address, in combination with a password or security question and
answer, that would permit access to an online account that is reasonably likely to contain
or is used to obtain personal identifying information.
-- Any genetic information or biometric information that is used to authenticate or ascertain
the individual's identity, such as a fingerprint, voice print, retina, or iris image.
The term would not include the following:
-- Any information about an individual that had been lawfully made public by a Federal,
State, or local government record or widely distributed media.
-- Any information that was truncated, encrypted, secured, or modified by any other method
or technology that removed elements that personally identify an individual or that
otherwise rendered the information unusable, including encryption of the data or device
containing the information, unless the person or agency knew or reasonably believed that
the encryption key or security credential that could render the personal information
readable or usable had been accessed or acquired with the information.
"Third-party agency" would mean either of the following:
-- A person that maintains a database that includes personal information that the person
does not own or license.
-- A person that is otherwise permitted to access personal information owned or licensed by
another person or agency in connection with providing services under an agreement with
the other person or agency.
Requirements for the Protection of Personal Information
Under the bill, a person or an agency that owned, possessed, collected, or accessed personal
information would have to implement and maintain reasonable security procedures to protect
and safeguard personal information from unlawful use or disclosure by doing all the following:
-- Identify at least one owner, manager, or employee that would coordinate the person's or
agency's security procedures.
-- Identify internal and external risks for security breaches.
-- Include appropriate safeguards for personal information that would be designed to address
the external risks.
-- Provide for assessments of the effectiveness of the safeguards.
-- Contractually require each service provider of the person or agency to maintain
appropriate safeguards for personal information.
-- Evaluate and adjust security procedures to account for changes in circumstances affecting
the security of personal information.
(The Act defines "person" as an individual, partnership, corporation, limited liability company,
association, or other legal entity. "Agency" means a department, board, commission, office,
agency, authority, or other unit of State government. The term includes State institutions of
higher education and does not include courts.)
The reasonableness of the security procedures would have to be determined by considering
all of the following:
-- The size of the person or agency.
-- The amount of personal information owned, possessed, collected, or accessed by the
person or agency.
-- The type of activities for which the personal information was owned, possessed, collected,
or accessed by the person or agency.
-- The cost to implement and maintain the security procedures compared to the person's or
agency's resources.
If a person or an agency determined that a security breach had or could have occurred, the
person or agency would have to conduct a good-faith and prompt investigation that included
all the following:
-- Assessment of the nature and scope of the security breach.
-- Identification of the personal information that was involved in the security breach and the
identity of the individuals whose personal information was involved in the security breach.
-- Determination of whether the personal information identified had been accessed or
acquired or was reasonably believed to have been accessed or acquired by an
unauthorized person.
-- Identification and implementation of measures to restore the security and confidentiality
of any system compromised in the security breach.
The bill would stipulate that all of the following indicate that personal information had been
accessed or acquired by an unauthorized person under the Act:
-- The personal information was or could be in the physical possession and control of an
unauthorized person, including under circumstances where a computer or other device
containing personal information was reported lost or stolen.
-- The personal information had been downloaded or copied by an unauthorized person.
-- The personal information was used in an unlawful manner by an unauthorized person,
including circumstances under which a fraudulent account was opened using the personal
information or a report of identity theft.
-- The personal information was publicly displayed.
Security Breach Notice Requirements
Under the Act, unless the person or agency determines that the security breach has not or is
not likely to cause substantial loss or injury to, or result in identity theft with respect to, one
or more residents of the State, a person or agency that owns or licenses data that are included
in a database that discovers a security breach, or receives notice of a security breach must
provide a notice of the security breach to each resident of the State who meets one or more
of the following:
-- That resident's unencrypted and unredacted personal information was accessed and
acquired by an unauthorized person.
-- That resident's personal information was accessed and acquired in encrypted form by a
person with unauthorized access to the encryption key.
The bill would modify this provision as described below.
Under the bill, if, on or after the bill's effective date, a third-party agent discovered a security
breach that involved data that was owned or licensed by another person or agency, the third-
party agent would have to provide immediately upon discovery a notice of the security breach
to the person or agency and provide any other information that was necessary for the person
or agency to comply with the notice requirements under the bill.
A person or an agency that owned or licensed data that was included in a database that
discovered a security breach or received notice of a security breach on or after the bill's
effective date would have to provide a notice of the security breach to each resident of the
State who met one or more of the following criteria, if the person or agency knew, should
know, or should have known that the security breach had or could have resulted in identity
theft or fraud affecting the resident:
-- The resident's unencrypted and unredacted personal information was or could have been
accessed or acquired by an unauthorized person.
-- The resident's personal information was or could have been accessed or acquired in
encrypted form by a person with unauthorized access to the encryption key.
The Act provides that unless the person or agency determines that the security breach has
not or is not likely to cause substantial loss or injury to, or result in identity theft with respect
to, one or more residents of the State, a person or agency that maintains a database that
includes data that the person or agency does not own or license that discovers a breach of
the security of the database must provide a notice to the owner or licensor of the information
of the security breach. In determining whether a security breach was likely to cause
substantial loss or injury to, or result in identity theft for, one or more State residents, a
person or agency must act with the care an ordinarily prudent person or agency in like position
would exercise under similar circumstances. The bill would delete these provisions.
Instead, under the bill, if a person or an agency was required to provide notice under the Act
to 100 or more residents of the State, the person or agency would also have to provide written
notice of the security breach to the Attorney General within 45 days after the discovery of the
security breach or receipt of notice.
The written notice would have to include all the following:
-- A synopsis of the events surrounding the security breach.
-- The approximate number of residents of the State that the person or agency was required
to notify.
-- A description of the timing, distribution, and content of the notice.
-- The steps taken to investigate the security breach.
-- The steps taken to prevent a similar security breach.
-- A description of any services related to the security breach that the person or agency was
offering and a description of the information being provided.
-- A description of how a resident of the State could obtain additional information about the
security breach from the person or agency.
In the case of a security breach, the Act requires a notice to an affected State resident to
meet all the following:
-- Be clear and conspicuous.
-- Describe the security breach in general terms.
-- Describe the type of personal information subject to the breach.
-- Describe the action the agency or person has taken to protect data from further breach.
-- Include a telephone number for further assistance or information.
The bill also would require the notice to meet the following requirements:
-- If the Social Security number or taxpayer identification number of a resident were
accessed or acquired or was reasonably believed to have been accessed or acquired in the
security breach, the notice would have to offer appropriate identity theft prevention
services and, if applicable, identity theft mitigation services, which would have to be
provided at no charge to the resident for not less than 24 months.
-- The notice would have to provide any information necessary for a resident to enroll in the
identity theft prevention services and identity theft mitigation services, as applicable.
-- The notice would have to provide information on how a resident could place a credit freeze
on the resident’s credit file.
Under the Act, a person who knowingly fails to provide any notice of a security breach may
be ordered to pay a civil fine of no more than $250 for each failure to provide notice. The
Attorney General or a prosecuting attorney may bring an action to recover the civil fine. The
aggregate liability of a person for these civil fines for multiple violations that arise from the
same security breach may not exceed $750,000. The bill would delete these provisions.
For the purposes of the bill, residency would be determined by the principal mailing address
of an individual, as determined by a record of the person or agency.
Assurance of Discontinuance
Under the bill, if the Attorney General had authority to institute a civil action or proceeding
under the bill, the Attorney General could accept an assurance of discontinuance of a method,
act, or practice that was alleged to be unlawful from the person or agency that was alleged
to have engaged, be engaging, or be about to engage in the method, act, or practice.
The assurance of discontinuance would not constitute an admission of guilt and could not be
introduced in any other proceeding. The assurance of discontinuance could include a
stipulation for any of the following:
-- The voluntary payment by the person for the costs of investigation and reasonable
attorney fees.
-- An amount to be held in escrow pending the outcome of an action.
-- An amount for restitution to any aggrieved person.
The assurance of discontinuance would have to be in writing and could be filed with the circuit
court of Ingham County, and the clerk of the court would have to maintain a record of the
filings. Unless rescinded by