April 26, 2005, Introduced by Senators CHERRY, JACOBS, BASHAM, PRUSI, THOMAS, OLSHOVE, BERNERO, SCOTT, LELAND, EMERSON, SCHAUER, CLARK-COLEMAN, BRATER, BARCIA and CLARKE and referred to the Committee on Banking and Financial Institutions.
A bill to amend 1980 PA 307, entitled
"Savings and loan act of 1980,"
(MCL 491.102 to 491.1202) by adding sections 1136, 1137, and 1138.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1136. (1) An association shall use reasonable care to
secure nonpublic personal financial information from unauthorized
access.
(2) An association shall not disclose nonpublic personal
financial information to a person without the prior and specific
informed consent, in writing, of the individual to whom the
nonpublic personal financial information pertains. This subsection
does not apply if the disclosure is required by law.
(3) An association shall disclose nonpublic personal financial
information to which subsection (2) does not apply only if the
person to whom the disclosure is made agrees to protect and use the
disclosed information only in the manner authorized by the
association under section 1137. This subsection does not apply to a
disclosure made to the supervisor, another governmental agency or
entity, or a court.
(4) If an individual authorizes the release of nonpublic
personal financial information under subsection (2) to a specific
person, an association shall disclose the information to that
person only if the person agrees not to release the information to
another person without another prior and specific informed consent
from the individual, in writing, authorizing the additional
release.
(5) This section does not preclude the release of information
pertaining to an individual to that individual by telephone if the
identity of the individual is verified.
(6) As used in this section and section 1137:
(a) "Nonpublic personal financial information" means
personally identifiable financial information and any list,
description, or other grouping of consumers and publicly available
information pertaining to them that is derived using any personally
identifiable financial information that is not publicly available.
Nonpublic personal financial information does not include any of
the following:
(i) Financial information otherwise protected by state or
federal law.
(ii) Publicly available information.
(iii) Any list, description, or other grouping of consumers and
publicly available information pertaining to them that is derived
without using any personally identifiable financial information
that is not publicly available.
(b) "Personally identifiable financial information" means any
of the following:
(i) Information a consumer provides to an association to obtain
a financial product or service from the association.
(ii) Information about a consumer resulting from any
transaction involving a financial product or service between an
association and a consumer.
(iii) Information an association otherwise obtains about a
consumer in connection with providing a financial product or
service to that consumer.
(c) "Publicly available information" means any information
that an association has a reasonable basis to believe is lawfully
made available to the general public from federal, state, or local
government records by wide distribution by the media or by
disclosures to the general public that are required to be made by
federal, state, or local law. An association has a reasonable basis
to believe that information is lawfully made available to the
general public if both of the following apply:
(i) The association has taken steps to determine that the
information is of the type that is available to the general public.
(ii) If an individual can direct that the information not be
made available to the general public, that the association's
consumer has not directed that the information not be made
available to the general public.
Sec. 1137. An association shall establish and make public a
policy regarding the protection of privacy and the confidentiality
of nonpublic personal financial information. The policy shall do at
least all of the following:
(a) Provide for the association's implementation of the
requirements of this act and other applicable laws respecting
collection, security, use, release of, and access to nonpublic
personal financial information.
(b) Identify the routine uses of nonpublic personal financial
information by the association; prescribe the means by which
individuals will be notified regarding those uses; and provide for
notification regarding the actual release of nonpublic personal
financial information that may be identified with, or that may
concern, an individual, upon specific request by that individual.
As used in this subdivision, "routine use" means the ordinary use
or release of nonpublic personal financial information compatible
with the purpose for which the information was collected.
(c) Assure that no person has access to nonpublic personal
financial information except on the basis of a need to know.
(d) Establish the contractual or other conditions under which
the association may release nonpublic personal financial
information.
(e) Provide that enrollment applications and claim forms
developed by the association shall contain an individual's consent
to the release of data and information that is limited to the data
and information necessary for the proper review and payment of
claims, and shall reasonably notify individuals of their rights
under the association's policy and applicable law.
Sec. 1138. Sections 1136 and 1137 do not limit access to
records or enlarge or diminish the investigative and examination
powers of governmental agencies as provided for by law.