SB-0309, As Passed Senate, November 30, 2006

 

 

 

 

 

 

 

 

 

 

 

SUBSTITUTE FOR

 

SENATE BILL NO. 309

 

 

 

 

 

 

 

 

 

 

     A bill to amend 2004 PA 452, entitled

 

"Identity theft protection act,"

 

by amending the title and section 3 (MCL 445.63) and by adding

 

sections 12, 12a, and 12b.

 

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

 

TITLE

 

     An act to prohibit certain acts and practices concerning

 

identity theft; to require notification of a security breach of a

 

database that contains certain personal information; to provide for

 

the powers and duties of certain state and local governmental

 

officers and entities; to prescribe penalties and provide remedies;

 

and to repeal acts and parts of acts.

 

     Sec. 3. As used in this act:

 

     (a) "Agency" means a department, board, commission, office,

 

agency, authority, or other unit of state government of this state.


 

The term includes an institution of higher education of this state.

 

     (b) "Breach of the security of a database" or "security

 

breach" means the unauthorized access and acquisition of data that

 

compromises the security or confidentiality of personal information

 

maintained by a person or agency as part of a database of personal

 

information regarding multiple individuals. These terms do not

 

include unauthorized access to data by an employee or other

 

individual if the access meets all of the following:

 

     (i) The employee or other individual acted in good faith in

 

accessing the data.

 

     (ii) The access was related to the activities of the agency or

 

person.

 

     (iii) The employee or other individual did not misuse any

 

personal information or disclose any personal information to an

 

unauthorized person.

 

     (c)  (a)  "Child or spousal support" means support for a child

 

or spouse, paid or provided pursuant to state or federal law under

 

a court order or judgment. Support includes, but is not limited to,

 

any of the following:

 

     (i) Expenses for day-to-day care.

 

     (ii) Medical, dental, or other health care.

 

     (iii) Child care expenses.

 

     (iv) Educational expenses.

 

     (v) Expenses in connection with pregnancy or confinement under

 

the paternity act, 1956 PA 205, MCL 722.711 to 722.730.

 

     (vi) Repayment of genetic testing expenses, under the paternity

 

act, 1956 PA 205, MCL 722.711 to 722.730.


 

     (vii) A surcharge as provided by section 3a of the support and

 

parenting time enforcement act, 1982 PA 295, MCL 552.603a.

 

     (d)  (b)  "Credit card" means that term as defined in section

 

157m of the Michigan penal code, 1931 PA 328, MCL 750.157m.

 

     (e) "Data" means computerized personal information.

 

     (f)  (c)  "Depository institution" means a state or nationally

 

chartered bank or a state or federally chartered savings and loan

 

association, savings bank, or credit union.

 

     (g) "Encrypted" means transformation of data through the use

 

of an algorithmic process into a form in which there is a low

 

probability of assigning meaning without use of a confidential

 

process or key, or securing information by another method that

 

renders the data elements unreadable or unusable.

 

     (h)  (d)  "Financial institution" means a depository

 

institution, an affiliate of a depository institution, a licensee

 

under the consumer financial services act, 1988 PA 161, MCL

 

487.2051 to 487.2072, 1984 PA 379, MCL 493.101 to 493.114, the

 

motor vehicle sales finance act, 1950 (Ex Sess) PA 27, MCL 492.101

 

to 492.141, the secondary mortgage loan act, 1981 PA 125, MCL

 

493.51 to 493.81, the mortgage brokers, lenders, and servicers

 

licensing act, 1987 PA 173, MCL 445.1651 to 445.1684, or the

 

regulatory loan act, 1939 PA 21, MCL 493.1 to 493.24, a seller

 

under the home improvement finance act, 1965 PA 332, MCL 445.1101

 

to 445.1431, or the retail installment sales act, 1966 PA 224, MCL

 

445.851 to 445.873, or a person subject to subtitle A of title V of

 

the Gramm-Leach-Bliley act, 15 USC 6801 to 6809.

 

     (i)  (e)  "Financial transaction device" means that term as


 

defined in section 157m of the Michigan penal code, 1931 PA 328,

 

MCL 750.157m.

 

     (j)  (f)  "Identity theft" means engaging in an act or conduct

 

prohibited in section 5(1).

 

     (k)  (g)  "Law enforcement agency" means that term as defined

 

in section 2804 of the public health code, 1978 PA 368, MCL

 

333.2804.

 

     (l)  (h)  "Local registrar" means that term as defined in

 

section 2804 of the public health code, 1978 PA 368, MCL 333.2804.

 

     (m)  (i)  "Medical records or information" includes, but is

 

not limited to, medical and mental health histories, reports,

 

summaries, diagnoses and prognoses, treatment and medication

 

information, notes, entries, and x-rays and other imaging records.

 

     (n)  (j)  "Person" means an individual, partnership,

 

corporation, limited liability company, association, or other legal

 

entity.

 

     (o)  (k)  "Personal identifying information" means a name,

 

number, or other information that is used for the purpose of

 

identifying a specific person or providing access to a person's

 

financial accounts, including, but not limited to, a person's name,

 

address, telephone number, driver license or state personal

 

identification card number, social security number, place of

 

employment, employee identification number, employer or taxpayer

 

identification number, government passport number, health insurance

 

identification number, mother's maiden name, demand deposit account

 

number, savings account number, financial transaction device

 

account number or the person's account password, stock or other


 

security certificate or account number, credit card number, vital

 

record, or medical records or information.

 

     (p) "Personal information" means the first name or first

 

initial and last name linked to 1 or more of the following data

 

elements of a resident of this state:

 

     (i) Social security number.

 

     (ii) Driver license number or state personal identification

 

card number.

 

     (iii) Demand deposit or other financial account number, or

 

credit card or debit card number, in combination with any required

 

security code, access code, or password that would permit access to

 

any of the resident's financial accounts.

 

     (q) "Public utility" means that term as defined in section 1

 

of 1972 PA 299, MCL 460.111.

 

     (r) "Redact" means to alter or truncate data so that no more

 

than the last 4 sequential digits of a social security number,

 

driver license number, state personal identification card number,

 

or account number is accessible as part of personal information.

 

     (s)  (l)  "State registrar" means that term as defined in

 

section 2805 of the public health code, 1978 PA 368, MCL 333.2805.

 

     (t)  (m)  "Trade or commerce" means that term as defined in

 

section 2 of the Michigan consumer protection act, 1971 PA 331, MCL

 

445.902.

 

     (u)  (n)  "Vital record" means that term as defined in section

 

2805 of the public health code, 1978 PA 368, MCL 333.2805.

 

     Sec. 12. (1) Unless the person or agency determines that the

 

security breach has not or is not likely to cause substantial loss


 

or injury to, or result in identity theft with respect to, 1 or

 

more residents of this state, a person or agency that owns or

 

licenses data that are included in a database that discovers a

 

security breach, or receives notice of a security breach under

 

subsection (2), shall provide a notice of the security breach to

 

each resident of this state who meets 1 or more of the following:

 

     (a) That resident's personal information was accessed and

 

acquired by an unauthorized person. As used in this subdivision,

 

personal information includes encrypted or redacted personal

 

information.

 

     (b) That resident's personal information was accessed and

 

acquired in encrypted form by a person with unauthorized access to

 

the encryption key.

 

     (2) Unless the person or agency determines that the security

 

breach has not or is not likely to cause substantial loss or injury

 

to, or result in identity theft with respect to, 1 or more

 

residents of this state, a person or agency that maintains a

 

database that includes data that the person or agency does not own

 

or license that discovers a breach of the security of the database

 

shall provide a notice to the owner or licensor of the information

 

of the security breach.

 

     (3) In determining whether a security breach is not likely to

 

cause substantial loss or injury to, or result in identity theft

 

with respect to, 1 or more residents of this state under subsection

 

(1) or (2), a person or agency shall act with the care an

 

ordinarily prudent person or agency in like position would exercise

 

under similar circumstances.


 

     (4) A person or agency shall provide any notice required under

 

this section without unreasonable delay. A person or agency may

 

delay providing notice without violating this subsection if either

 

of the following is met:

 

     (a) A delay is necessary in order for the person or agency to

 

take any measures necessary to determine the scope of the security

 

breach and restore the reasonable integrity of the database.

 

However, the agency or person shall provide the notice required

 

under this subsection without unreasonable delay after the person

 

or agency completes the measures necessary to determine the scope

 

of the security breach and restore the reasonable integrity of the

 

database.

 

     (b) A law enforcement agency determines and advises the agency

 

or person that providing a notice will impede a criminal or civil

 

investigation or jeopardize homeland or national security. However,

 

the agency or person shall provide the notice required under this

 

section without unreasonable delay after the law enforcement agency

 

determines that providing the notice will no longer impede the

 

investigation or jeopardize homeland or national security.

 

     (5) Except as provided in subsection (11), an agency or person

 

shall provide any notice required under this section by providing 1

 

or more of the following to the recipient:

 

     (a) Written notice sent to the recipient at the recipient's

 

postal address in the records of the agency or person.

 

     (b) Written notice sent electronically to the recipient if any

 

of the following are met:

 

     (i) The recipient has expressly consented to receive electronic


 

notice.

 

     (ii) The person or agency has an existing business relationship

 

with the recipient that includes periodic electronic mail

 

communications and based on those communications the person or

 

agency reasonably believes that it has the recipient's current

 

electronic mail address.

 

     (iii) The person or agency conducts its business primarily

 

through internet account transactions or on the internet.

 

     (c) If not otherwise prohibited by state or federal law,

 

notice given by telephone by an individual who represents the

 

person or agency if all of the following are met:

 

     (i) The notice is not given in whole or in part by use of a

 

recorded message.

 

     (ii) The recipient has expressly consented to receive notice by

 

telephone, or if the recipient has not expressly consented to

 

receive notice by telephone, the person or agency also provides

 

notice under subdivision (a) or (b) if the notice by telephone does

 

not result in a live conversation between the individual

 

representing the person or agency and the recipient within 3

 

business days after the initial attempt to provide telephonic

 

notice.

 

     (d) Substitute notice, if the person or agency demonstrates

 

that the cost of providing notice under subdivision (a), (b), or

 

(c) will exceed $250,000.00 or that the person or agency has to

 

provide notice to more than 500,000 residents of this state. A

 

person or agency provides substitute notice under this subdivision

 

by doing all of the following:


 

     (i) If the person or agency has electronic mail addresses for

 

any of the residents of this state who are entitled to receive the

 

notice, providing electronic notice to those residents.

 

     (ii) If the person or agency maintains a website, conspicuously

 

posting the notice on that website.

 

     (iii) Notifying major statewide media. A notification under this

 

subparagraph shall include a telephone number or a website address

 

that a person may use to obtain additional assistance and

 

information.

 

     (6) A notice under this section shall meet all of the

 

following:

 

     (a) For a notice provided under subsection (5)(a) or (b), be

 

written in a clear and conspicuous manner and contain the content

 

required under subdivisions (c) to (g).

 

     (b) For a notice provided under subsection (5)(c), clearly

 

communicate the content required under subdivisions (c) to (g) to

 

the recipient of the telephone call.

 

     (c) Describe the security breach in general terms.

 

     (d) Describe the type of personal information that is the

 

subject of the unauthorized access or use.

 

     (e) If applicable, generally describe what the agency or

 

person providing the notice has done to protect data from further

 

security breaches.

 

     (f) Include a telephone number where a notice recipient may

 

obtain assistance or additional information.

 

     (g) Remind notice recipients of the need to remain vigilant

 

for incidents of fraud and identity theft.


 

     (7) A person or agency may provide any notice required under

 

this section pursuant to an agreement between that person or agency

 

and another person or agency, if the notice provided pursuant to

 

the agreement does not conflict with any provision of this section.

 

     (8) Except as provided in this subsection, after a person or

 

agency provides a notice under this section, the person or agency

 

shall notify each consumer reporting agency that compiles and

 

maintains files on consumers on a nationwide basis, as defined in

 

15 USC 1681a(p), of the security breach without unreasonable delay.

 

A notification under this subsection shall include the number,

 

timing, distribution, and contents of the notices to be provided by

 

the agency or person. This subsection does not apply if either of

 

the following is met:

 

     (a) The person or agency is required under this section to

 

provide notice of a security breach to 1,000 or fewer residents of

 

this state.

 

     (b) The person or agency is subject to title V of the Gramm-

 

Leach-Bliley act, 15 USC 6801 to 6809.

 

     (9) A financial institution that is subject to, and has

 

notification procedures in place that are subject to examination by

 

the financial institution's appropriate federal regulator for

 

compliance with, the interagency guidance on response programs for

 

unauthorized access to customer information and customer notice

 

prescribed by the board of governors of the federal reserve system

 

and the other federal bank, thrift, and credit union regulatory

 

agencies, and its affiliates, are considered to be in compliance

 

with this section.


 

     (10) A person or agency that is subject to and complies with

 

the health insurance portability and accountability act of 1996,

 

Public Law 104-191, and with regulations promulgated under that

 

act, 45 CFR parts 160 and 164, for the prevention of unauthorized

 

access to customer information and customer notice is considered to

 

be in compliance with this section.

 

     (11) A public utility that sends monthly billing or account

 

statements to the postal address of its customers may provide

 

notice of a security breach to its customers in the manner

 

described in subsection (5), or alternatively by providing all of

 

the following:

 

     (a) As applicable, notice as described in subsection (5)(b).

 

     (b) Notification to the media reasonably calculated to inform

 

the customers of the public utility of the security breach.

 

     (c) Conspicuous posting of the notice of the security breach

 

on the website of the public utility.

 

     (d) Written notice sent in conjunction with the monthly

 

billing or account statement to the customer at the customer's

 

postal address in the records of the public utility.

 

     (12) A person that provides notice of a security breach in the

 

manner described in this section when a security breach has not

 

occurred, with the intent to defraud, is guilty of a misdemeanor

 

punishable by imprisonment for not more than 30 days or a fine of

 

not more than $1,000.00, or both.

 

     (13) Subject to subsection (14), a person that fails to

 

provide any notice of a security breach required under this section

 

may be ordered to pay a civil fine of not more than $1,000.00 for


 

each failure to provide notice. The attorney general or a

 

prosecuting attorney may bring an action to recover a civil fine

 

under this section.

 

     (14) The aggregate liability of a person for civil fines under

 

subsection (13) for multiple violations of subsection (13) that

 

arise from the same security breach shall not exceed $2,500,000.00.

 

     (15) Subsections (12) and (13) do not affect the availability

 

of any civil remedy for a violation of this section or any other

 

state or federal law.

 

     (16) This section applies to the discovery or notification of

 

a breach of the security of a database that occurs on or after the

 

effective date of the amendatory act that added this section.

 

     (17) This section deals with subject matter that is of

 

statewide concern, and any charter, ordinance, resolution,

 

regulation, rule, or other action by a municipal corporation or

 

other political subdivision of this state to regulate, directly or

 

indirectly, any matter expressly set forth in this section is

 

preempted.

 

     Sec. 12a. (1) A person or agency that maintains a database

 

that includes personal information regarding multiple individuals

 

shall destroy any data that contain personal information concerning

 

an individual when that data is removed from the database and the

 

person or agency is not retaining the data elsewhere for another

 

purpose not prohibited by state or federal law. This subsection

 

does not prohibit a person or agency from retaining data that

 

contain personal information for purposes of an investigation,

 

audit, or internal review.


 

     (2) A person who knowingly or intentionally violates this

 

section is guilty of a misdemeanor punishable by imprisonment for

 

not more than 30 days or a fine of not more than $1,000.00 for each

 

violation, or both. This subsection does not affect the

 

availability of any civil remedy for a violation of this section or

 

any other state or federal law.

 

     (3) As used in this section, "destroy" means to destroy or

 

arrange for the destruction of data by shredding, erasing, or

 

otherwise modifying the data so that they cannot be read,

 

deciphered, or reconstructed through generally available means.

 

     Sec. 12b. (1) A person shall not distribute an advertisement

 

or make any other solicitation that misrepresents to the recipient

 

that a security breach has occurred that may affect the recipient.

 

     (2) A person shall not distribute an advertisement or make any

 

other solicitation that is substantially similar to a notice

 

required under section 12(5) or by federal law, if the form of that

 

notice is prescribed by state or federal law, rule, or regulation.

 

     (3) A person who knowingly or intentionally violates this

 

section is guilty of a misdemeanor punishable by imprisonment for

 

not more than 30 days or a fine of not more than $1,000.00 for each

 

violation, or both. This subsection does not affect the

 

availability of any civil remedy for a violation of this section or

 

any other state or federal law.

 

     Enacting section 1. This amendatory act takes effect 180 days

 

after the date it is enacted.