IDENTITY THEFT PROTECTION; MODIFY S.B. 888 (S-1) & 889 - 892:
SUMMARY OF BILL
REPORTED FROM COMMITTEE
Senate Bill 888 (Substitute S-1 as reported)
Senate Bills 889 through 892 (as reported without amendment)
Sponsor: Senator Rosemary Bayer
Committee: Finance, Insurance, and Consumer Protection
CONTENT
Senate Bill 888 (S-1) would require private and State entities that had access to State residents' personal information to maintain security procedures for the protection of that information. These procedures would include the assignment of a security coordinator and the implementation of appropriate safeguards to protect the information, among other things. An entity that reasonably conformed to an industry recognized cybersecurity framework would meet the bill's requirements if specific circumstances applied. In the case of a security breach, the bill would require an entity to notify affected residents and provide specific information concerning consumer protections and actions taken to rectify the breach. If a breach affected more than 100 residents, the entity would have to notify the Attorney General. The bill would prescribe civil fines for failing to comply with the bill's requirements. Senate Bills 889 through 892 would modify Michigan Compiled Laws (MCL) references in various acts in accordance with Senate Bill 888 (S-1)'s proposed changes.
BRIEF RATIONALE
According to testimony, the number of identity thefts has risen sharply. Scammers can steal money by targeting the personal data collected for Social Security, Medicare, and unemployment benefits without the people referenced in that data ever knowing. Some have argued that entities that collect data should be held accountable when they do not do enough to keep personal data safe and that they should be required to notify consumers if their personal data is leaked.
MCL 445.75 et al. (S.B. 888) Legislative Analyst: Nathan Leaman
487.2142 (S.B. 889); 750.159g (S.B. 890)
8.9 (S.B. 891); 762.10c (S.B. 892)
FISCAL IMPACT
Senate Bill 888 (S-1) could have a positive fiscal impact on the State and local units of government. The bill would impose civil fines ranging from a low of $250 up to a maximum fine of $750,000. Revenue collected from civil fines is used to support local libraries. Additionally, $10 of the civil fine would be deposited into the State Justice System Fund. This Fund supports justice-related activities across State government in the Departments of Corrections, Health and Human Services, State Police, and Treasury. The Fund also supports justice-related issues in the Legislative Retirement System and the Judiciary. The amount of revenue to the State or for libraries is indeterminate and dependent on the number of violations and fines imposed.
The bills would enhance notice requirements for private and public entities, including State departments and educational institutions, whenever a data breach was discovered. Depending on the size of the data breach and how many residents were affected, these notice requirements could have a significant, thought indeterminate, fiscal impact on State agencies.
The bills also would enhance security procedures for State agencies that housed or accessed personal information. Per the language of the bill, these security enhancements could vary based on the amount of personal information used or stored by a particular State agency. State departments and education institutions could have increased costs to meet these requirements, but those costs are indeterminate.
The bills would empower the Attorney General to investigate and prosecute data breach violations and provide for voluntary payments to offset the costs of investigation and attorney fees. While this would offset many costs, it is possible the Attorney General would require additional appropriations and full-time equivalents to pursue data breach violations, depending on the volume of investigations and prosecutions sought.
Date Completed: 12-13-24 Fiscal Analyst: Joe Carrasco, Jr.
Michael Siracuse
This analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent.