SENATE BILL No. 309

 

 

March 16, 2005, Introduced by Senators JOHNSON, HARDIMAN, PATTERSON, TOY, CROPSEY, STAMAS and VAN WOERKOM and referred to the Committee on Judiciary.

 

 

 

 

     A bill to amend 2004 PA 452, entitled

 

"Identity theft protection act,"

 

by amending section 11 (MCL 445.71) and by adding section 12.

 

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

 

     Sec. 11. (1) A person shall not do any of the following in the

 

conduct of trade or commerce:

 

     (a) Deny credit or public utility service to or reduce the

 

credit limit of a consumer solely because the consumer was a victim

 

of identity theft, if the person had prior knowledge that the

 

consumer was a victim of identity theft. A consumer is presumed to

 

be a victim of identity theft for the purposes of this subdivision

 

if he or she provides both of the following to the person:

 

     (i) A copy of a police report evidencing the claim of the

 

victim of identity theft.


 

     (ii) Either a properly completed copy of a standardized

 

affidavit of identity theft developed and made available by the

 

federal trade commission pursuant to 15 USC 1681g or an affidavit

 

of fact that is acceptable to the person for that purpose.

 

     (b) Solicit to extend credit to a consumer who does not have

 

an existing line of credit, or has not had or applied for a line of

 

credit within the preceding year, through the use of an unsolicited

 

check that includes personal identifying information other than the

 

recipient's name, address, and a partial, encoded, or truncated

 

personal identifying number. In addition to any other penalty or

 

remedy under this act or the Michigan consumer protection act, 1976

 

PA 331, MCL 445.901 to 445.922, a credit card issuer, financial

 

institution, or other lender that violates this subdivision, and

 

not the consumer, is liable for the amount of the instrument if the

 

instrument is used by an unauthorized user and for any fees

 

assessed to the consumer if the instrument is dishonored.

 

     (c) Solicit to extend credit to a consumer who does not have a

 

current credit card, or has not had or applied for a credit card

 

within the preceding year, through the use of an unsolicited credit

 

card sent to the consumer. In addition to any other penalty or

 

remedy under this act or the Michigan consumer protection act, 1976

 

PA 331, MCL 445.901 to 445.922, a credit card issuer, financial

 

institution, or other lender that violates this subdivision, and

 

not the consumer, is liable for any charges if the credit card is

 

used by an unauthorized user and for any interest or finance

 

charges assessed to the consumer.

 

     (d) Extend credit to a consumer without exercising reasonable


 

procedures to verify the identity of that consumer. Compliance with

 

regulations issued for depository institutions, and to be issued

 

for other financial institutions, by the United States department

 

of treasury under section 326 of the USA patriot act of 2001, 31

 

USC 5318, is considered compliance with this subdivision. This

 

subdivision does not apply to a purchase of a credit obligation in

 

an acquisition, merger, purchase of assets, or assumption of

 

liabilities or any change to or review of an existing credit

 

account.

 

     (e) Fail to provide notice to a person in violation of section

 

12.

 

     (2) A person who knowingly or intentionally violates

 

subsection (1) is guilty of a misdemeanor punishable by

 

imprisonment for not more than 30 days or a fine of not more than

 

$1,000.00, or both. This subsection does not affect the

 

availability of any civil remedy for a violation of this act, the

 

Michigan consumer protection act, 1976 PA 331, MCL 445.901 to

 

445.922, or any other state or federal law.

 

     Sec. 12. (1) An agency of this state that owns or licenses

 

computerized data that include personal identifying information

 

shall provide notice of any breach of the security of the system

 

following discovery or notification of the breach in the security

 

of the data to a resident of this state whose unencrypted personal

 

identifying information is acquired by an unauthorized person or if

 

the agency reasonably believes that an unauthorized person has

 

acquired that information. The agency shall provide notice in the

 

most expedient time possible and without unreasonable delay.


 

     (2) An agency that maintains computerized data that include

 

personal identifying information that the agency does not own shall

 

provide notice to the owner or licensee of the information of any

 

breach of the security of the data immediately following discovery,

 

if the personal identifying information is acquired by an

 

unauthorized person or if the agency reasonably believes that an

 

unauthorized person has acquired that information.

 

     (3) A person doing business in this state that owns or

 

licenses computerized data that include personal identifying

 

information shall provide notice of any breach of the security of

 

the system following discovery or notification of the breach in the

 

security of the data to a resident of this state whose unencrypted

 

personal identifying information is acquired by an unauthorized

 

person or if the person reasonably believes that an unauthorized

 

person has acquired that information. The person shall provide

 

notice in the most expedient time possible and without unreasonable

 

delay, unless delay is necessary to determine the scope of the

 

breach and restore the reasonable integrity of the data system.

 

     (4) A person doing business in this state that maintains

 

computerized data that include personal identifying information

 

that the person does not own shall provide notice to the owner or

 

licensee of the information of any breach of the security of the

 

data immediately following discovery, if the personal identifying

 

information is acquired by an unauthorized person or if the person

 

reasonably believes that an unauthorized person has acquired that

 

information.

 

     (5) An agency or person doing business in this state may


 

provide notice under this section by 1 of the following methods:

 

     (a) Written notice.

 

     (b) Electronic notice, if the notice provided is consistent

 

with the provisions regarding electronic records and signatures set

 

forth in section 101 of title I of the electronic signatures in

 

global and national commerce act, 15 USC 7001, and the agency or

 

person does not have sufficient contact information for the

 

individuals, owners, or licensees it is required to notify under

 

that subsection to provide each of them with written notice.

 

     (6) An agency or a person doing business in this state that is

 

required to provide notice to a person under this section shall

 

notify the department of attorney general, the computer crimes

 

section of the department of state police, and any local law

 

enforcement agency with jurisdiction in the city, village, or

 

township where the agency or person is located.

 

     (7) A person injured by a violation of this section may bring

 

a civil action in a court of competent jurisdiction to recover

 

actual damages and reasonable attorney fees or seek injunctive or

 

any other relief available at law or in equity.

 

     (8) As used in this section:

 

     (a) "Agency" means a department, board, commission, office,

 

agency, authority, or other unit of state government. The term

 

includes a state institution of higher education.

 

     (b) "Breach of the security of the system" means unauthorized

 

acquisition of computerized data that compromises the security,

 

confidentiality, or integrity of personal identifying information

 

maintained by an agency or a person doing business in this state.


 

The term does not include good faith acquisition of personal

 

identifying information by an employee or agent of the agency or

 

person related to the activities of the agency or person if the

 

personal identifying information is not used or subject to further

 

unauthorized disclosure.