March 16, 2005, Introduced by Senators JOHNSON, HARDIMAN, PATTERSON, TOY, CROPSEY, STAMAS and VAN WOERKOM and referred to the Committee on Judiciary.
A bill to amend 2004 PA 452, entitled
"Identity theft protection act,"
by amending section 11 (MCL 445.71) and by adding section 12.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 11. (1) A person shall not do any of the following in the
conduct of trade or commerce:
(a) Deny credit or public utility service to or reduce the
credit limit of a consumer solely because the consumer was a victim
of identity theft, if the person had prior knowledge that the
consumer was a victim of identity theft. A consumer is presumed to
be a victim of identity theft for the purposes of this subdivision
if he or she provides both of the following to the person:
(i) A copy of a police report evidencing the claim of the
victim of identity theft.
(ii) Either a properly completed copy of a standardized
affidavit of identity theft developed and made available by the
federal trade commission pursuant to 15 USC 1681g or an affidavit
of fact that is acceptable to the person for that purpose.
(b) Solicit to extend credit to a consumer who does not have
an existing line of credit, or has not had or applied for a line of
credit within the preceding year, through the use of an unsolicited
check that includes personal identifying information other than the
recipient's name, address, and a partial, encoded, or truncated
personal identifying number. In addition to any other penalty or
remedy under this act or the Michigan consumer protection act, 1976
PA 331, MCL 445.901 to 445.922, a credit card issuer, financial
institution, or other lender that violates this subdivision, and
not the consumer, is liable for the amount of the instrument if the
instrument is used by an unauthorized user and for any fees
assessed to the consumer if the instrument is dishonored.
(c) Solicit to extend credit to a consumer who does not have a
current credit card, or has not had or applied for a credit card
within the preceding year, through the use of an unsolicited credit
card sent to the consumer. In addition to any other penalty or
remedy under this act or the Michigan consumer protection act, 1976
PA 331, MCL 445.901 to 445.922, a credit card issuer, financial
institution, or other lender that violates this subdivision, and
not the consumer, is liable for any charges if the credit card is
used by an unauthorized user and for any interest or finance
charges assessed to the consumer.
(d) Extend credit to a consumer without exercising reasonable
procedures to verify the identity of that consumer. Compliance with
regulations issued for depository institutions, and to be issued
for other financial institutions, by the United States department
of treasury under section 326 of the USA patriot act of 2001, 31
USC 5318, is considered compliance with this subdivision. This
subdivision does not apply to a purchase of a credit obligation in
an acquisition, merger, purchase of assets, or assumption of
liabilities or any change to or review of an existing credit
account.
(e) Fail to provide notice to a person in violation of section
12.
(2) A person who knowingly or intentionally violates
subsection (1) is guilty of a misdemeanor punishable by
imprisonment for not more than 30 days or a fine of not more than
$1,000.00, or both. This subsection does not affect the
availability of any civil remedy for a violation of this act, the
Michigan consumer protection act, 1976 PA 331, MCL 445.901 to
445.922, or any other state or federal law.
Sec. 12. (1) An agency of this state that owns or licenses
computerized data that include personal identifying information
shall provide notice of any breach of the security of the system
following discovery or notification of the breach in the security
of the data to a resident of this state whose unencrypted personal
identifying information is acquired by an unauthorized person or if
the agency reasonably believes that an unauthorized person has
acquired that information. The agency shall provide notice in the
most expedient time possible and without unreasonable delay.
(2) An agency that maintains computerized data that include
personal identifying information that the agency does not own shall
provide notice to the owner or licensee of the information of any
breach of the security of the data immediately following discovery,
if the personal identifying information is acquired by an
unauthorized person or if the agency reasonably believes that an
unauthorized person has acquired that information.
(3) A person doing business in this state that owns or
licenses computerized data that include personal identifying
information shall provide notice of any breach of the security of
the system following discovery or notification of the breach in the
security of the data to a resident of this state whose unencrypted
personal identifying information is acquired by an unauthorized
person or if the person reasonably believes that an unauthorized
person has acquired that information. The person shall provide
notice in the most expedient time possible and without unreasonable
delay, unless delay is necessary to determine the scope of the
breach and restore the reasonable integrity of the data system.
(4) A person doing business in this state that maintains
computerized data that include personal identifying information
that the person does not own shall provide notice to the owner or
licensee of the information of any breach of the security of the
data immediately following discovery, if the personal identifying
information is acquired by an unauthorized person or if the person
reasonably believes that an unauthorized person has acquired that
information.
(5) An agency or person doing business in this state may
provide notice under this section by 1 of the following methods:
(a) Written notice.
(b) Electronic notice, if the notice provided is consistent
with the provisions regarding electronic records and signatures set
forth in section 101 of title I of the electronic signatures in
global and national commerce act, 15 USC 7001, and the agency or
person does not have sufficient contact information for the
individuals, owners, or licensees it is required to notify under
that subsection to provide each of them with written notice.
(6) An agency or a person doing business in this state that is
required to provide notice to a person under this section shall
notify the department of attorney general, the computer crimes
section of the department of state police, and any local law
enforcement agency with jurisdiction in the city, village, or
township where the agency or person is located.
(7) A person injured by a violation of this section may bring
a civil action in a court of competent jurisdiction to recover
actual damages and reasonable attorney fees or seek injunctive or
any other relief available at law or in equity.
(8) As used in this section:
(a) "Agency" means a department, board, commission, office,
agency, authority, or other unit of state government. The term
includes a state institution of higher education.
(b) "Breach of the security of the system" means unauthorized
acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal identifying information
maintained by an agency or a person doing business in this state.
The term does not include good faith acquisition of personal
identifying information by an employee or agent of the agency or
person related to the activities of the agency or person if the
personal identifying information is not used or subject to further
unauthorized disclosure.