SENATE BILL NO. 888
May 30, 2024, Introduced by Senator BAYER and referred to the Committee on Finance,
Insurance, and Consumer Protection.
A bill to amend 2004 PA 452, entitled
"Identity theft protection act,"
by amending sections 3, 12, and 12b (MCL 445.63, 445.72, and
445.72b), section 3 as amended by 2010 PA 318 and sections 12 and
12b as amended by 2010 PA 315, and by adding sections 11a, 11b, 20,
20a, 20b, and 20c; and to repeal acts and parts of acts.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 3. As used in this act:
(a) "Agency" means a department, board, commission, office, agency, authority, or other unit of state government of this state.
VMP S05654'24
2
The term Agency includes an institution of higher education of this state. The term Agency does not include a circuit, probate, district, or municipal court.
(b) "Child or spousal support" means support for a child or spouse, paid or provided in accordance with state or federal law under a court order or judgment. Support includes, but is not limited to, any of the following:
(i) Expenses for day-to-day care.
(ii) Medical, dental, or other health care.
(iii) Child care expenses.
(iv) Educational expenses.
(v) Expenses in connection with pregnancy or confinement under the paternity act, 1956 PA 205, MCL 722.711 to 722.730.
(vi) Repayment of genetic testing expenses under the paternity act, 1956 PA 205, MCL 722.711 to 722.730.
(vii) A surcharge as provided by section 3a of the support and parenting time enforcement act, 1982 PA 295, MCL 552.603a.
(c) "Credit card" means that term as defined in section 157m of the Michigan penal code, 1931 PA 328, MCL 750.157m.
(d) "Data" means computerized personal information or personal information contained in any other medium.
(e) "Depository institution" means a state or nationally chartered bank or a state or federally chartered savings and loan association, savings bank, or credit union.
(f) "Encrypted" means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing information by another method that renders the data elements unreadable or unusable.
(g) "False pretenses" includes, but is not limited to, a false, misleading, or fraudulent representation, writing, communication, statement, or message, communicated by any means to another person, that the maker of the representation, writing, communication, statement, or message knows or should have known is false or fraudulent. The false pretense may be a representation regarding a past or existing fact or circumstance or a representation regarding the intention to perform a future event or to have a future event performed.
(h) "Financial institution" means any of the following:
(i) A depository institution.
(ii) An affiliate of a depository institution.
(iii) A licensee under any of the following:
(A) The consumer financial services act, 1988 PA 161, MCL 487.2051 to 487.2072.
(B) 1984 PA 379, MCL 493.101 to 493.114.
(C) The motor vehicle sales finance act, 1950 (Ex Sess) PA 27, MCL 492.101 to 492.141.
(D) The secondary mortgage loan act, 1981 PA 125, MCL 493.51 to 493.81.
(E) The mortgage brokers, lenders, and servicers licensing act, 1987 PA 173, MCL 445.1651 to 445.1684.
(F) The regulatory loan act, 1939 PA 21, MCL 493.1 to 493.24.
(iv) A seller under either of the following:
(A) The home improvement finance act, 1965 PA 332, MCL 445.1101 to 445.1431.
(B) The retail installment sales act, 1966 PA 224, MCL 445.851 to 445.873.
(v) A person subject to subtitle A of title V of the Gramm-Leach-Bliley act, 15 USC 6801 to 6809.
(i) "Financial transaction device" means that term as defined in section 157m of the Michigan penal code, 1931 PA 328, MCL 750.157m.
(j) "Identity theft" means engaging in an act or conduct prohibited in section 5(1).
(k) "Interactive computer service" means an information service or system that enables computer access by multiple users to a computer server, including, but not limited to, a service or system that provides access to the internet or to software services available on a server.
(l) "Law enforcement agency" means that term as defined in section 2804 of the public health code, 1978 PA 368, MCL 333.2804.
(m) "Local registrar" means that term as defined in section 2804 of the public health code, 1978 PA 368, MCL 333.2804.
(n) "Medical records or information" includes, but is not limited to, medical and mental health histories, reports, summaries, diagnoses and prognoses, treatment and medication information, notes, entries, and X-rays and other imaging records.
(o) "Person" means an individual, partnership, corporation, limited liability company, association, or other legal entity.
(p) "Personal identifying information" means a name, number, or other information that is used for the purpose of identifying a specific person or providing access to a person's financial accounts, including, but not limited to, a person's name, address, telephone number, driver license or state personal identification card number, Social Security number, place of employment, employee identification number, employer or taxpayer identification number, government passport number, health insurance identification number, mother's maiden name, demand deposit account number, savings account number, financial transaction device account number or the person's account password, any other account password in combination with sufficient information to identify and access the account, automated or electronic signature, biometrics, stock or other security certificate or account number, credit card number, vital record, or medical records or information.
(q) "Personal information", except as otherwise provided in subdivision (r), means the first name or first initial and last name linked to 1 or more of the following data elements of a resident of this state:
(i) A Social Security number.
(ii) A driver license number, state personal identification card number, passport number, or other unique identification number issued on a government document that is used to verify the identity of an individual.
(iii) A demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident's financial accounts.
(iv) Any medical records or information.
(v) A health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify an individual.
(vi) A username or email address, in combination with a password or security question and answer, that would permit access to an online account that is reasonably likely to contain or is used to obtain personal identifying information.
(vii) Any genetic information or biometric information that is used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina, or iris image.
(r) Personal information does not include either of the following:
(i) Any information about an individual that has been lawfully made public by a federal, state, or local government record or widely distributed media.
(ii) Any information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data or device containing the information, unless the person or agency knows or reasonably believes that the encryption key or security credential that could render the personal information readable or usable has been accessed or acquired with the information.
(s) "Public utility" means that term as defined in section 1 of 1972 PA 299, MCL 460.111.
(t) "Redact" means to alter or truncate data so that no more than 4 sequential digits of a driver license number, state personal identification card number, or account number, or no more than 5 sequential digits of a Social Security number, are accessible as part of personal information.
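The thresholds in subdivision (t) are concrete enough to enforce and test mechanically. The Python helper below is an added example, not text of the bill and not code from any Michigan agency: redact() masks all but the trailing digits a record may expose, and meets_redaction_threshold() checks an already-altered value against the 4-digit (driver license, state identification card, account number) and 5-digit (Social Security number) limits. Two things are this example's own assumptions, not the statute's: the field-kind names ("ssn", "account", "driver_license", "state_id"), and the reading that formatting separators such as hyphens or spaces do not break a run of "sequential digits", so "1234-5678" counts as 8 exposed digits (the stricter of the two plausible readings). The sample identifiers are constructed.

```python
from __future__ import annotations

import re
from typing import Literal

Kind = Literal["ssn", "account", "driver_license", "state_id"]

# Subdivision (t): no more than 4 sequential digits of a driver license,
# state personal identification card or account number, and no more than
# 5 sequential digits of a Social Security number, may remain accessible.
# The field-kind names are this example's own, not the statute's.
MAX_VISIBLE_DIGITS: dict[str, int] = {
    "ssn": 5,
    "account": 4,
    "driver_license": 4,
    "state_id": 4,
}

# Characters treated as pure formatting. They do not break a run of digits,
# so "1234-5678" counts as 8 sequential digits. This is an assumption about
# how "sequential" should be read; the statute does not define it.
_SEPARATORS = re.compile(r"[\s\-./]")
_DIGIT_RUN = re.compile(r"\d+")


def longest_visible_digit_run(value: str) -> int:
    """Longest run of consecutive digits once formatting separators are dropped.

    Mask characters ('X', '*', ...) are not digits, so they do break a run.
    """
    stripped = _SEPARATORS.sub("", value)
    return max((len(m.group()) for m in _DIGIT_RUN.finditer(stripped)), default=0)


def meets_redaction_threshold(value: str, kind: Kind) -> bool:
    """True if value exposes no more sequential digits than (t) permits."""
    return longest_visible_digit_run(value) <= MAX_VISIBLE_DIGITS[kind]


def redact(value: str, kind: Kind, keep: int | None = None, mask: str = "X") -> str:
    """Mask all but the trailing `keep` digits of value, preserving separators.

    `keep` defaults to the statutory maximum for `kind`; asking for more is
    an error rather than a silent over-exposure.
    """
    limit = MAX_VISIBLE_DIGITS[kind]
    keep = limit if keep is None else keep
    if not 0 <= keep <= limit:
        raise ValueError(f"{kind}: may keep between 0 and {limit} digits, not {keep}")
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    masked = set(digit_positions[: max(len(digit_positions) - keep, 0)])
    out = "".join(mask if i in masked else ch for i, ch in enumerate(value))
    # The kept digits are the tail of the digit sequence, so they form one
    # run of length <= limit; re-check the invariant rather than trust it.
    if not meets_redaction_threshold(out, kind):
        raise AssertionError(f"redaction of {kind} still exposes too many digits")
    return out


if __name__ == "__main__":
    # Constructed sample identifiers for the demonstration; not real data.
    samples = [
        ("123-45-6789", "ssn"),
        ("4111 1111 1111 1234", "account"),
        ("S123-456-789-012", "driver_license"),
    ]
    for raw, kind in samples:
        print(f"{kind:15} {raw!r:>23} -> {redact(raw, kind)!r}  "
              f"compliant_before={meets_redaction_threshold(raw, kind)}")
```

Because the check strips separators before measuring, an unaltered card number written in four-digit groups is correctly reported as non-compliant even though no group alone exceeds four digits; a redacted value passes only when the digits that remain form a single run within the limit.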
(u) "Security breach" means the unauthorized access to or unauthorized acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency. Security breach does not include unauthorized access to data by an employee or other individual if the access meets all of the following:
(i) The employee or other individual acted in good faith in accessing the data.
(ii) The access was related to the activities of the agency or person.
(iii) The employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.
(v) "State registrar" means that term as defined in section 2805 of the public health code, 1978 PA 368, MCL 333.2805.
(w) "Third-party agent" means either of the following:
(i) A person that maintains a database that includes personal information that the person does not own or license.
(ii) A person that is otherwise permitted to access personal information owned or licensed by another person or agency in connection with providing services under an agreement with the other person or agency.
(x) "Trade or commerce" means that term as defined in section 2 of the Michigan consumer protection act, 1976 PA 331, MCL 445.902.
(y) "Vital record" means that term as defined in section 2805 of the public health code, 1978 PA 368, MCL 333.2805.
(z) "Webpage" means a location that has a uniform resource locator or URL with respect to the world wide web or another location that can be accessed on the internet.
Sec. 11a. (1) A person or an agency that owns, possesses, collects, or accesses personal information shall implement and maintain reasonable security procedures to protect and safeguard personal information from unlawful use or disclosure.
(2) The security procedures described in subsection (1) must do all of the following:
(a) Identify at least 1 owner, manager, or employee that will coordinate the person's or agency's security procedures.
(b) Identify internal and external risks for security breaches.
(c) Include appropriate safeguards for personal information that are designed to address the risks identified in subdivision (b).
(d) Provide for assessments of the effectiveness of the safeguards described in subdivision (c).
(e) Contractually require each service provider of the person or agency to maintain appropriate safeguards for personal information.
(f) Evaluate and adjust security procedures to account for changes in circumstances affecting the security of personal information.
(3) The reasonableness of the security procedures described in subsection (1) must be determined considering all of the following:
(a) The size of the person or agency.
(b) The amount of personal information that is owned, possessed, collected, or accessed by the person or agency.
(c) The type of activities for which the personal information is owned, possessed, collected, or accessed by the person or agency.
(d) The cost to implement and maintain the security procedures compared to the person's or agency's resources.
Sec. 11b. (1) If a person or an agency determines that a security breach has or may have occurred, the person or agency shall conduct a good-faith and prompt investigation that includes doing all of the following:
(a) Assessing the nature and scope of the security breach.
(b) Identifying the personal information that was involved in the security breach and the identity of the individuals whose personal information was involved in the security breach.
(c) Determining whether the personal information identified under subdivision (b) has been accessed or acquired or is reasonably believed to have been accessed or acquired by an unauthorized person.
(d) Identifying and implementing measures to restore the security and confidentiality of any system compromised in the security breach.
(2) All of the following indicate that personal information has been accessed or acquired by an unauthorized person under subsection (1)(c):
(a) The personal information is or could be in the physical possession and control of an unauthorized person, including, but not limited to, under circumstances where a computer or other device containing personal information is reported lost or stolen.
(b) The personal information has been downloaded or copied by an unauthorized person.
(c) The personal information was used in an unlawful manner by an unauthorized person, including, but not limited to, circumstances under which a fraudulent account is opened using the personal information or a report of identity theft.
(d) The personal information is publicly displayed.
Sec. 12. (1) If, on or after the effective date of the amendatory act that amended this subsection, a third-party agent discovers a security breach that involves data that is owned or licensed by another person or agency, the third-party agent shall, immediately after the discovery, provide a notice of the security breach to the person or agency, and shall provide any other information that is necessary for the person or agency to comply with the notice requirements under subsections (2) and (3).
(2) Subject to subsections (5) to (9), a person or an agency that owns or licenses data that is included in a database that discovers a security breach on or after the effective date of the amendatory act that amended subsection (1), or receives notice of a security breach under subsection (1) on or after the effective date of the amendatory act that amended subsection (1), shall provide a notice of the security breach to each resident of this state who meets 1 or more of the following criteria, if the person or agency knows, should know, or should have known that the security breach has o