SENATE BILL No. 1458

September 19, 2006, Introduced by Senators JACOBS, SCOTT, CHERRY, WHITMER, BRATER, CLARK-COLEMAN and SCHAUER and referred to the Committee on Judiciary.

     A bill to require certain notices regarding unauthorized access to personal identifying information; to establish procedures for notice; and to provide remedies and civil sanctions.

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

 

     Sec. 1. This act shall be known and may be cited as the "information privacy protection act".

     Sec. 2. The legislature finds all of the following:

     (a) The privacy and financial security of individuals is increasingly at risk due to the ever more widespread collection of personal information by both the private and public sectors.

     (b) Credit card transactions, magazine subscriptions, telephone numbers, real estate records, motor vehicle registrations, consumer surveys, warranty registrations, credit reports, and websites are all sources of personal information and form the source material for identity thieves.

     (c) Identity theft is 1 of the fastest growing crimes committed in the United States and this state.

     (d) Criminals who steal personal information such as social security numbers use the information to open credit card accounts, write bad checks, buy cars, and commit other financial crimes with other people's identities.

     (e) Identity theft is costly to the marketplace and to consumers.

     (f) Residents of this state are entitled to notice of unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of their private personal information.

 

     Sec. 3. As used in this act:

     (a) "Data" includes any of the following:

     (i) Computerized data.

     (ii) Noncomputerized data that is maintained or stored on paper, microfilm, or other form of record-keeping or storage medium.

     (b) "Major credit reporting agency" means a consumer reporting agency that compiles and maintains files on a nationwide basis as defined in 15 USC 1681a(p).

     (c) "Person" means an individual, partnership, limited liability company, association, corporation, public or nonpublic elementary or secondary school, trade school, vocational school, community or junior college, college, university, state or local governmental agency or department, or other legal entity.

     (d) "Personal identifying information" means that term as defined in section 3 of the identity theft protection act, 2004 PA 452, MCL 445.63.

     (e) "Security breach" means an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of the personal identifying information of 1 or more individuals maintained by a person. The term includes an unauthorized acquisition of encrypted records or data containing personal identifying information if the encryption key is also acquired. The term also includes the unauthorized photocopying or facsimile or other paper-based transmission of documents containing personal identifying information. The term does not include good-faith acquisition of personal identifying information by an employee or agent of the person related to the legitimate activities of the person if the personal identifying information is not used or subject to further unauthorized disclosure.

 

     Sec. 4. (1) A person that owns, uses, or maintains data that includes personal identifying information concerning a resident of this state shall provide notice of a security breach to that resident under this section after the person is notified of the security breach, discovers the security breach, or discovers evidence from which a reasonable person would conclude that a security breach has occurred.

     (2) A notice provided under this section shall include both of the following:

     (a) To the extent possible, a description of the categories of personal identifying information that was, or is reasonably believed to have been, acquired by an unauthorized person.

     (b) A toll-free telephone number or website that the recipient of the notice may use to contact the person or an agent of the person and from which the recipient may learn all of the following:

     (i) The types of information the person maintained or stored about the recipient or about individuals in general.

     (ii) Whether or not the person maintained or stored information about the recipient.

     (iii) The toll-free contact telephone numbers and addresses for the major credit reporting agencies.

     (3) If a person discovers circumstances that require the person to provide notice under this section to more than 500 individuals at 1 time, the person shall also notify all of the major credit reporting agencies within 48 hours.

     (4) A person shall provide any notice required under this section in the most expedient time possible and without unreasonable delay, unless 1 or both of the following apply:

     (a) Delay is necessary to determine the scope of the security breach and restore the reasonable integrity of the data system.

     (b) A law enforcement agency determines that providing notice will impede a criminal investigation. However, the person shall provide the notice after the law enforcement agency determines that disclosure will not compromise the investigation.

     (5) A person shall provide notice required under this section by any of the following methods:

     (a) Written notice sent by first-class mail, address correction requested.

     (b) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 101 of title I of the electronic signatures in global and national commerce act, 15 USC 7001.

     (c) Substitute notice, if the person demonstrates that the cost of providing notice under subdivision (a) or (b) will exceed $250,000.00, that the person has to provide notice to more than 500,000 individuals, or that the person does not have sufficient contact information for the individuals or licensees it is required to notify under that subsection. A person provides substitute notice under this subdivision by doing all of the following:

     (i) Providing notice by e-mail to those individuals for whom the agency or person has e-mail addresses.

     (ii) If the person maintains a website, conspicuously posting the notice on that website.

     (iii) Notifying major statewide media. A notification under this subparagraph shall include the toll-free telephone number or website described in subsection (2)(b).

     (iv) If the person maintains, as part of an information security policy for the treatment of personal identifying information, its own notification procedures for security breaches that are consistent with the time requirements of this section, notifying the individuals in accordance with those procedures.

 

     Sec. 5. (1) An individual injured by a violation of section 4 may bring a civil action against the person that violated section 4 and recover his or her actual damages or $500.00, whichever is greater.

     (2) The attorney general or a county prosecuting attorney may bring an action against a person that violated section 4 and recover a civil fine in 1 of the following amounts, whichever is less:

     (a) An amount equal to $500.00 for each violation of section 4 by the person.

     (b) An amount equal to $250,000.00 for each day that a violation occurs.

     (3) If the attorney general or an individual, class of individuals, or county prosecuting attorney prevails in an action described in this section, the court shall award that prevailing party actual costs and reasonable attorney fees in connection with the action.

     (4) An individual described in subsection (1) or the attorney general may bring a class action on behalf of individuals whose personal identifying information was the subject of a security breach.

 

     Sec. 6. (1) A notifying person may bring an action against any person who unlawfully obtains or benefits from personal identifying information obtained from data maintained or stored by the notifying person.

     (2) The court may award a notifying person that prevails in an action described in this section damages that include, but are not limited to, the reasonable costs of providing notice, reasonable attorney fees and actual costs in connection with the action, and punitive damages if the court finds them appropriate.

     (3) As used in this section:

     (a) "Costs of providing notice" includes, but is not limited to, the costs of labor, materials, and postage and any other costs reasonably related to providing a notice under this act.

     (b) "Notifying person" means a person that is required to provide notice under this act.

 

     Sec. 7. (1) The rights, liabilities, and remedies created by this act are in addition to any others provided by law.

     (2) A waiver of any right to receive notice under this act is contrary to public policy and is void and unenforceable.

     Enacting section 1. This act takes effect January 1, 2007.