The bill amends the Identity Theft Protection Act of 2004 to enhance the protection of personal information by updating definitions and introducing new requirements for entities that handle such data. Key changes include clarifying terms like "agency," "personal information," and "security breach," while establishing new sections (11a and 11b) that mandate reasonable security procedures and prompt investigations following a security breach. The bill emphasizes the need for entities to identify risks, implement safeguards, and comply with recognized cybersecurity frameworks, taking into account their size and resources. Additionally, it repeals outdated provisions to streamline the legal framework surrounding identity theft protection in Michigan.
The bill also revises the notification process for security breaches, imposing new obligations on third-party agents to notify affected individuals or agencies without unreasonable delay. It requires that if 100 or more residents are notified, the attorney general must also be informed, along with detailed breach information. The bill outlines the content and timing of notifications, including offering identity theft prevention services when sensitive information is involved, and establishes penalties for fraudulent notifications. Notably, it removes the previous civil fine for failing to notify individuals and eliminates the aggregate liability cap for multiple violations. The attorney general is empowered to enforce compliance and bring civil actions against violators, further strengthening the legal framework for security breach notifications and enforcement.
Statutes affected: Senate Introduced Bill: 445.63
As Passed by the Senate: 445.63