HB4186: SUMMARY OF BILL REPORTED FROM COMMITTEE (Date Completed: 12-4-20) - DATA BREACH NOTIFICATION ACT

DATA BREACH NOTIFICATION ACT

H.B. 4186 (S-1) & 4187 (S-1): SUMMARY OF BILL REPORTED FROM COMMITTEE

House Bill 4186 (Substitute S-1 as reported)

House Bill 4187 (Substitute S-1 as reported)

Sponsor: Representative Diana Farrington

House Committee: Financial Services; Ways and Means

Senate Committee: Regulatory Reform
CONTENT

House Bill 4187 (S-1) would enact the "Data Breach Notification Act" to do the following:

 -- Require business entities to implement and maintain reasonable security measures designed to protect sensitive personally identifying information against a breach of security.

 -- Require a covered entity or third-party agent to consider specified circumstances in developing its reasonable security measures.

 -- Require a covered entity to conduct a good-faith and prompt investigation if it determined that a breach of security had or could have occurred.

 -- Require a covered entity to provide notice of a breach to each Michigan resident whose sensitive personally identifiable information was acquired in the breach and require the notice to be sent within 45 days after the covered entity completed the measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database.

 -- Prescribe the information a notice would have to include, including the date or estimated date of the breach, a description of the sensitive personally identifying information that was acquired, and a general description of steps a resident could take to protect himself or herself from identity theft.

 -- Allow a covered entity to provide a substitute notice instead of a direct notice under certain circumstances.

 -- Require a third-party agent that experienced a breach of security to notify a covered entity of the breach.

 -- Subject State agencies to the notice requirements proposed in the Act.

 -- Prescribe penalties for violating the Act.

 -- Specify that certain entities would be exempt from the Act.

House Bill 4186 (S-1) would amend the Identity Theft Protection Act to specify that Sections 12 and 12a of the Act would not apply to a covered entity, as that term is defined in the Data Breach Notification Act. (Section 12 prescribes certain notice requirements regarding a security breach. Section 12a governs the destruction of data containing personal information.)

The bills are tie-barred. Each bill would take effect on January 20, 2022.

MCL 445.64                                                                                         &