HOUSE BILL No. 4525

 

March 17, 2005, Introduced by Reps. Spade, Vagnozzi, Polidori, Tobocman, Bieda, Anderson, Gleason, Miller, Plakas, Kolb, Accavitti, Brown, Angerer and Lemmons, III and referred to the Committee on Judiciary.

 

     A bill to amend 2004 PA 452, entitled "Identity theft protection act," by amending section 11 (MCL 445.71) and by adding section 12.

 

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

 

     Sec. 11. (1) A person shall not do any of the following in the conduct of trade or commerce:

 

     (a) Deny credit or public utility service to or reduce the credit limit of a consumer solely because the consumer was a victim of identity theft, if the person had prior knowledge that the consumer was a victim of identity theft. A consumer is presumed to be a victim of identity theft for the purposes of this subdivision if he or she provides both of the following to the person:

 

     (i) A copy of a police report evidencing the claim of the victim of identity theft.

 

     (ii) Either a properly completed copy of a standardized affidavit of identity theft developed and made available by the federal trade commission pursuant to 15 USC 1681g or an affidavit of fact that is acceptable to the person for that purpose.

 

     (b) Solicit to extend credit to a consumer who does not have an existing line of credit, or has not had or applied for a line of credit within the preceding year, through the use of an unsolicited check that includes personal identifying information other than the recipient's name, address, and a partial, encoded, or truncated personal identifying number. In addition to any other penalty or remedy under this act or the Michigan consumer protection act, 1976 PA 331, MCL 445.901 to 445.922, a credit card issuer, financial institution, or other lender that violates this subdivision, and not the consumer, is liable for the amount of the instrument if the instrument is used by an unauthorized user and for any fees assessed to the consumer if the instrument is dishonored.

 

     (c) Solicit to extend credit to a consumer who does not have a current credit card, or has not had or applied for a credit card within the preceding year, through the use of an unsolicited credit card sent to the consumer. In addition to any other penalty or remedy under this act or the Michigan consumer protection act, 1976 PA 331, MCL 445.901 to 445.922, a credit card issuer, financial institution, or other lender that violates this subdivision, and not the consumer, is liable for any charges if the credit card is used by an unauthorized user and for any interest or finance charges assessed to the consumer.


 

     (d) Extend credit to a consumer without exercising reasonable procedures to verify the identity of that consumer. Compliance with regulations issued for depository institutions, and to be issued for other financial institutions, by the United States department of treasury under section 326 of the USA patriot act of 2001, 31 USC 5318, is considered compliance with this subdivision. This subdivision does not apply to a purchase of a credit obligation in an acquisition, merger, purchase of assets, or assumption of liabilities or any change to or review of an existing credit account.

 

     (e) Fail to provide notice required under section 12.

 

     (2) A person who knowingly or intentionally violates subsection (1) is guilty of a misdemeanor punishable by imprisonment for not more than 30 days or a fine of not more than $1,000.00, or both. This subsection does not affect the availability of any civil remedy for a violation of this act, the Michigan consumer protection act, 1976 PA 331, MCL 445.901 to 445.922, or any other state or federal law.

 

     Sec. 12. (1) An agency of this state that owns or licenses computerized data that include personal identifying information shall provide notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal identifying information is acquired by an unauthorized person or if the agency reasonably believes that an unauthorized person has acquired that information. The agency shall provide notice in the most expedient time possible and without unreasonable delay, unless 1 or both of the following apply:

 

     (a) A law enforcement agency determines that providing notice will impede a criminal investigation. However, the agency shall provide notice after the law enforcement agency determines that disclosure will not compromise the investigation.

 

     (b) Delay is necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

 

     (2) An agency that maintains computerized data that include personal identifying information that the agency does not own shall provide notice to the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal identifying information is acquired by an unauthorized person or if the agency reasonably believes that an unauthorized person has acquired that information.

 

     (3) A person doing business in this state that owns or licenses computerized data that include personal identifying information shall provide notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal identifying information is acquired by an unauthorized person or if the person reasonably believes that an unauthorized person has acquired that information. The person shall provide notice in the most expedient time possible and without unreasonable delay, unless 1 or both of the following apply:

 

     (a) A law enforcement agency determines that providing notice will impede a criminal investigation. However, the person shall provide notice after the law enforcement agency determines that disclosure will not compromise the investigation.

 

     (b) Delay is necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

 

     (4) A person doing business in this state that maintains computerized data that include personal identifying information that the person does not own shall provide notice to the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal identifying information is acquired by an unauthorized person or if the person reasonably believes that an unauthorized person has acquired that information.

 

     (5) An agency or person doing business in this state may provide notice under this section by any of the following methods:

 

     (a) Written notice.

 

     (b) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 101 of title I of the electronic signatures in global and national commerce act, 15 USC 7001.

 

     (c) Substitute notice, if the agency or person demonstrates that the cost of providing notice will exceed $250,000.00, that the agency or person has to provide notice to more than 500,000 individuals, owners, or licensees described in subsection (1), (2), (3), or (4), as applicable, or that the agency or person does not have sufficient contact information for the individuals, owners, or licensees it is required to notify under that subsection. An agency or person provides substitute notice under this subdivision by doing all of the following:


 

     (i) Providing notice by electronic mail to those individuals, owners, or licensees for whom the agency or person has electronic mail addresses.

 

     (ii) If the agency or person maintains a website, conspicuously posting the notice on that website.

 

     (iii) Notifying major statewide media.

 

     (iv) If the agency or person maintains its own notification procedures for security breaches as part of an information security policy for the treatment of personal identifying information that are consistent with the time requirements of this section, notifying the individuals, owners, or licensees in accordance with those procedures.

 

     (6) A person injured by a violation of this section may bring a civil action in a court of competent jurisdiction to recover actual damages and reasonable attorney fees or seek injunctive or any other relief available at law or in equity.

 

     (7) As used in this section:

 

     (a) "Agency" means a department, board, commission, office, agency, authority, or other unit of state government. The term includes a state institution of higher education.

 

     (b) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal identifying information maintained by an agency or a person doing business in this state. The term does not include good faith acquisition of personal identifying information by an employee or agent of the agency or person related to the activities of the agency or person if the personal identifying information is not used or subject to further unauthorized disclosure.