HB-6406, As Passed House, December 6, 2018
SUBSTITUTE FOR
HOUSE BILL NO. 6406
A bill to amend 2004 PA 452, entitled
"Identity theft protection act,"
by amending the title and section 3 (MCL 445.63), the title as
amended by 2006 PA 566 and section 3 as amended by 2010 PA 318, and
by adding section 4; and to repeal acts and parts of acts.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
TITLE
An act to prohibit certain acts and practices concerning
identity
theft; to require notification of a security breach of a
database
that contains certain personal information; to provide for
the powers and duties of certain state and local governmental
officers and entities; to prescribe penalties and provide remedies;
and to repeal acts and parts of acts.
Sec. 3. As used in this act:
(a)
"Agency" means a department, board, commission, office,
agency,
authority, or other unit of state government of this state.
The
term includes an institution of higher education of this state.
The
term does not include a circuit, probate, district, or
municipal
court.
(b)
"Breach of the security of a database" or "security
breach"
means the unauthorized access and acquisition of data that
compromises
the security or confidentiality of personal information
maintained
by a person or agency as part of a database of personal
information
regarding multiple individuals. These terms do not
include
unauthorized access to data by an employee or other
individual
if the access meets all of the following:
(i) The employee or other individual acted in good
faith in
accessing
the data.
(ii) The access was related to the activities of the
agency or
person.
(iii) The employee or other individual did not misuse
any
personal
information or disclose any personal information to an
unauthorized
person.
(a) (c)
"Child or spousal
support" means support for a child
or spouse, paid or provided pursuant to state or federal law under
a court order or judgment. Support includes, but is not limited to,
any of the following:
(i) Expenses for day-to-day care.
(ii) Medical, dental, or other health care.
(iii) Child care expenses.
(iv) Educational expenses.
(v) Expenses in connection with pregnancy or confinement under
the paternity act, 1956 PA 205, MCL 722.711 to 722.730.
(vi) Repayment of genetic testing expenses, under the
paternity act, 1956 PA 205, MCL 722.711 to 722.730.
(vii) A surcharge as provided by section 3a of the support and
parenting time enforcement act, 1982 PA 295, MCL 552.603a.
(b) (d)
"Credit card" means that
term as defined in section
157m of the Michigan penal code, 1931 PA 328, MCL 750.157m.
(e)
"Data" means computerized personal information.
(c) (f)
"Depository institution"
means a state or nationally
chartered bank or a state or federally chartered savings and loan
association, savings bank, or credit union.
(g)
"Encrypted" means transformation of data through the use
of
an algorithmic process into a form in which there is a low
probability
of assigning meaning without use of a confidential
process
or key, or securing information by another method that
renders
the data elements unreadable or unusable.
(d) (h)
"False pretenses"
includes, but is not limited to, a
false, misleading, or fraudulent representation, writing,
communication, statement, or message, communicated by any means to
another person, that the maker of the representation, writing,
communication, statement, or message knows or should have known is
false or fraudulent. The false pretense may be a representation
regarding a past or existing fact or circumstance or a
representation regarding the intention to perform a future event or
to have a future event performed.
(e) (i)
"Financial institution" means
a depository
institution, an affiliate of a depository institution, a licensee
under the consumer financial services act, 1988 PA 161, MCL
487.2051 to 487.2072, 1984 PA 379, MCL 493.101 to 493.114, the
motor vehicle sales finance act, 1950 (Ex Sess) PA 27, MCL 492.101
to 492.141, the secondary mortgage loan act, 1981 PA 125, MCL
493.51 to 493.81, the mortgage brokers, lenders, and servicers
licensing act, 1987 PA 173, MCL 445.1651 to 445.1684, or the
regulatory loan act, 1939 PA 21, MCL 493.1 to 493.24, a seller
under the home improvement finance act, 1965 PA 332, MCL 445.1101
to 445.1431, or the retail installment sales act, 1966 PA 224, MCL
445.851 to 445.873, or a person subject to subtitle A of title V of
the Gramm-Leach-Bliley act, 15 USC 6801 to 6809.
(f) (j)
"Financial transaction
device" means that term as
defined in section 157m of the Michigan penal code, 1931 PA 328,
MCL 750.157m.
(g) (k)
"Identity theft" means
engaging in an act or conduct
prohibited in section 5(1).
(h) (l) "Interactive
computer service" means an information
service or system that enables computer access by multiple users to
a computer server, including, but not limited to, a service or
system that provides access to the internet or to software services
available on a server.
(i) (m)
"Law enforcement agency"
means that term as defined in
section 2804 of the public health code, 1978 PA 368, MCL 333.2804.
(j) (n)
"Local registrar" means
that term as defined in
section 2804 of the public health code, 1978 PA 368, MCL 333.2804.
(k) (o)
"Medical records or
information" includes, but is not
limited to, medical and mental health histories, reports,
summaries, diagnoses and prognoses, treatment and medication
information,
notes, entries, and x-rays X-rays
and other imaging
records.
(l) (p)
"Person" means an
individual, partnership,
corporation, limited liability company, association, or other legal
entity.
(m) (q)
"Personal identifying
information" means a name,
number, or other information that is used for the purpose of
identifying a specific person or providing access to a person's
financial accounts, including, but not limited to, a person's name,
address, telephone number, driver license or state personal
identification
card number, social security Social
Security number,
place of employment, employee identification number, employer or
taxpayer identification number, government passport number, health
insurance identification number, mother's maiden name, demand
deposit account number, savings account number, financial
transaction device account number or the person's account password,
any other account password in combination with sufficient
information to identify and access the account, automated or
electronic signature, biometrics, stock or other security
certificate or account number, credit card number, vital record, or
medical records or information.
(r)
"Personal information" means the first name or first
initial
and last name linked to 1 or more of the following data
elements
of a resident of this state:
(i) Social security number.
(ii) Driver license number or state personal
identification
card
number.
(iii) Demand deposit or other financial account number,
or
credit
card or debit card number, in combination with any required
security
code, access code, or password that would permit access to
any
of the resident's financial accounts.
(n) (s)
"Public utility" means
that term as defined in section
1 of 1972 PA 299, MCL 460.111.
(t)
"Redact" means to alter or truncate data so that no more
than
4 sequential digits of a driver license number, state personal
identification
card number, or account number, or no more than 5
sequential
digits of a social security number, are accessible as
part
of personal information.
(o) (u)
"State registrar" means
that term as defined in
section 2805 of the public health code, 1978 PA 368, MCL 333.2805.
(p) (v)
"Trade or commerce" means
that term as defined in
section
2 of the Michigan consumer protection act, 1971 1976 PA
331, MCL 445.902.
(q) (w)
"Vital record" means that
term as defined in section
2805 of the public health code, 1978 PA 368, MCL 333.2805.
(x)
"Webpage" means a location that has a uniform resource
locator
or URL with respect to the world wide web or another
location
that can be accessed on the internet.
Sec. 4. An entity that is subject to or regulated under the
insurance code of 1956, 1956 PA 218, MCL 500.100 to 500.8302, is
exempt from this act.
Enacting section 1. Sections 12, 12a, and 12b of the identity
theft protection act, 2004 PA 452, MCL 445.72, 445.72a, and
445.72b, are repealed.
Enacting section 2. This amendatory act takes effect 90 days
after the date it is enacted into law.
Enacting section 3. This amendatory act does not take effect
unless House Bill No. 6405 of the 99th Legislature is enacted into
law.