Bill Text: MI HB4187 | 2019-2020 | 100th Legislature | Introduced


Bill Title: Trade; data security; data breach notification act; enact. Creates new act. TIE BAR WITH: HB 4186'19

Spectrum: Partisan Bill (Republican 1-0)

Status: (Introduced) 2019-12-10 - Referred To Second Reading [HB4187 Detail]

Download: Michigan-2019-HB4187-Introduced.html

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

HOUSE BILL No. 4187

 

 

February 14, 2019, Introduced by Rep. Farrington and referred to the Committee on Financial Services.

 

     A bill to require certain entities to provide notice to

 

certain persons in the event of a breach of security that results

 

in the unauthorized acquisition of sensitive personally identifying

 

information; to provide for the powers and duties of certain state

 

governmental officers and entities; and to prescribe penalties and

 

provide remedies.

 

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

 

     Sec. 1. This act shall be known and may be cited as the "data

 

breach notification act".

 

     Sec. 3. As used in this act:

 

     (a) "Breach of security" or "breach" means the unauthorized

 

acquisition of sensitive personally identifying information in

 

electronic form, if that acquisition is reasonably likely to cause

 

substantial risk of identity theft or fraud to the state residents

 


to whom the information relates. Acquisition that occurs over a

 

period of time that is committed by the same entity constitutes 1

 

breach. The term does not include any of the following:

 

     (i) A good-faith acquisition of sensitive personally

 

identifying information by an employee or agent of a covered

 

entity, unless the information is used for a purpose unrelated to

 

the business of the covered entity or is subject to further

 

unauthorized use.

 

     (ii) A release of a public record that is not otherwise

 

subject to confidentiality or nondisclosure requirements.

 

     (iii) An acquisition or release of data in connection with a

 

lawful investigative, protective, or intelligence activity of a law

 

enforcement or intelligence agency of this state or a political

 

subdivision of this state.

 

     (b) "Covered entity" means an individual or a sole

 

proprietorship, partnership, government entity, corporation,

 

limited liability company, nonprofit, trust, estate, cooperative

 

association, or other business entity, that has more than 50

 

employees and owns or licenses sensitive personally identifying

 

information. The term also includes a state agency.

 

     (c) "Data in electronic form" means any data that is stored

 

electronically or digitally on any computer system or other

 

database, including, but not limited to, recordable tapes and other

 

mass storage devices.

 

     (d) Except as provided in subdivision (e), "sensitive

 

personally identifying information" means a state resident's first

 

name or first initial and last name in combination with 1 or more


of the following data elements that relate to that state resident:

 

     (i) A nontruncated Social Security number.

 

     (ii) A nontruncated driver license number, state personal

 

identification card number, passport number, military

 

identification number, or other unique identification number issued

 

on a government document that is used to verify the identity of a

 

specific individual.

 

     (iii) A financial account number, including, but not limited

 

to, a bank account number, credit card number, or debit card

 

number, in combination with any security code, access code,

 

password, expiration date, or PIN, that is necessary to access the

 

financial account or to conduct a transaction that will result in a

 

credit or debit to the financial account.

 

     (iv) A state resident's medical or mental history, treatment,

 

or diagnosis issued by a health care professional.

 

     (v) A state resident's health insurance policy number or

 

subscriber identification number and any unique identifier used by

 

a health insurer to identify the state resident.

 

     (vi) A username or electronic mail address, in combination

 

with a password or security question and answer, that would permit

 

access to an online account affiliated with the covered entity that

 

is reasonably likely to contain or is used to obtain sensitive

 

personally identifying information.

 

     (e) "Sensitive personally identifying information" does not

 

include any of the following:

 

     (i) Information about a state resident that has been lawfully

 

made public by a federal, state, or local government record or a


widely distributed media.

 

     (ii) Information that is truncated, encrypted, secured, or

 

modified by any other method or technology that removes elements

 

that personally identify a state resident or that otherwise renders

 

the information unusable, including encryption of the data or

 

device containing the sensitive personally identifying information,

 

unless the covered entity knows or reasonably believes that the

 

encryption key or security credential that could render the

 

personally identifying information readable or usable has been

 

breached together with the information.

 

     (f) "State agency" means an agency, board, bureau, commission,

 

department, division, or office of this state that owns, acquires,

 

maintains, stores, or uses data in electronic form that contains

 

sensitive personally identifiable information.

 

     (g) "State resident" means an individual who is a resident of

 

this state.

 

     (h) "Third-party agent" means an entity that maintains,

 

processes, or is otherwise permitted to access, sensitive

 

personally identifying information in connection with providing

 

services to a covered entity under an agreement with the covered

 

entity.

 

     Sec. 5. (1) Each covered entity and third-party agent shall

 

implement and maintain reasonable security measures designed to

 

protect sensitive personally identifying information against a

 

breach of security.

 

     (2) For purposes of subsection (1), a covered entity shall

 

consider all of the following in developing its reasonable security


measures:

 

     (a) The size of the covered entity.

 

     (b) The amount of sensitive personally identifying information

 

that is owned or licensed by the covered entity and the type of

 

activities for which the sensitive personally identifying

 

information is accessed, acquired, or maintained by or on behalf of

 

the covered entity.

 

     (c) The covered entity's cost to implement and maintain the

 

security measures to protect against a breach of security relative

 

to its resources.

 

     (3) As used in this section, "reasonable security measures"

 

means security measures that are reasonable for a covered entity to

 

implement and maintain, including consideration of all of the

 

following:

 

     (a) Designation of an employee or employees to coordinate the

 

covered entity's security measures to protect against a breach of

 

security. An owner or manager may designate himself or herself for

 

purposes of this subdivision.

 

     (b) Identification of internal and external risks of a breach

 

of security.

 

     (c) Adoption of appropriate information safeguards that are

 

designed to address identified risks of a breach of security and

 

assess the effectiveness of those safeguards.

 

     (d) Retention of service providers, if any, that are

 

contractually required to maintain appropriate safeguards for

 

sensitive personally identifying information.

 

     (e) Evaluation and adjustment of security measures to account


for changes in circumstances affecting the security of sensitive

 

personally identifying information.

 

     Sec. 7. (1) If a covered entity determines that a breach of

 

security has or may have occurred, the covered entity shall conduct

 

a good-faith and prompt investigation that includes all of the

 

following:

 

     (a) An assessment of the nature and scope of the breach.

 

     (b) Identification of any sensitive personally identifying

 

information that was involved in the breach and the identity of any

 

state residents to whom that information relates.

 

     (c) A determination of whether the sensitive personally

 

identifying information has been acquired or is reasonably believed

 

to have been acquired by an unauthorized person.

 

     (d) Identification and implementation of measures to restore

 

the security and confidentiality of the systems, if any,

 

compromised in the breach.

 

     (2) In determining whether sensitive personally identifying

 

information has been acquired by an unauthorized person without

 

valid authorization, the following factors may be considered:

 

     (a) Indications that the information is in the physical

 

possession and control of an unauthorized person, such as a lost or

 

stolen computer or other device containing information.

 

     (b) Indications that the information has been downloaded or

 

copied by an unauthorized person.

 

     (c) Indications that the information was used in an unlawful

 

manner by an unauthorized person, such as fraudulent accounts

 

opened or instances of identity theft reported.


     (d) Whether the information was publicly displayed.

 

     Sec. 9. (1) If a covered entity that owns or licenses

 

sensitive personally identifiable information determines under

 

section 7 that a breach has occurred, the covered entity must

 

provide notice of the breach to each state resident whose sensitive

 

personally identifiable information was acquired in the breach.

 

     (2) A covered entity shall provide notice under subsection (1)

 

to state residents described in subsection (1) as expeditiously as

 

possible and without unreasonable delay, taking into account the

 

time necessary to allow the covered entity to conduct an

 

investigation and determine the scope of the breach under section

 

7. Except as provided in subsection (3), the covered entity shall

 

provide notice within 45 days of the covered entity's determination

 

that a breach has occurred.

 

     (3) If a federal or state law enforcement agency determines

 

that notice to state residents required under this section would

 

interfere with a criminal investigation or national security, and

 

delivers a request to the covered entity for a delay, a covered

 

entity shall delay providing the notice for a period that the law

 

enforcement agency determines is necessary. If the law enforcement

 

agency determines that an additional delay is necessary, the law

 

enforcement agency shall deliver a written request to the covered

 

entity for an additional delay, and the covered entity shall delay

 

providing the notice to the date specified in the law enforcement

 

agency's written request, or extend the delay set forth in the

 

original request for the additional period set forth in the written

 

request.


     (4) Except as provided in subsection (5), a covered entity

 

shall provide notice to a state resident under this section in

 

compliance with 1 of the following, as applicable:

 

     (a) In the case of a breach of security that involves a

 

username or password, in combination with any password or security

 

question and answer that would permit access to an online account,

 

and no other sensitive personally identifying information is

 

involved, the covered entity may comply with this section by

 

providing the notification in electronic or other form that directs

 

the state resident whose sensitive personally identifying

 

information has been breached to promptly change his or her

 

password and security question or answer, as applicable, or to take

 

other appropriate steps to protect the online account with the

 

covered entity and all other accounts for which the state resident

 

whose sensitive personally identifying information has been

 

breached uses the same username or electronic mail address and

 

password or security question or answer.

 

     (b) In the case of a breach that involves sensitive personally

 

identifying information for login credentials of an electronic mail

 

account furnished by the covered entity, the covered entity shall

 

not comply with this section by providing the notification to that

 

electronic mail address, but may, instead, comply with this section

 

by providing notice by another method described in subdivision (a)

 

or (c), or by providing clear and conspicuous notice delivered to

 

the state resident online if the resident is connected to the

 

online account from an internet protocol address or online location

 

from which the covered entity knows the state resident customarily


accesses the account.

 

     (c) Except as provided in subdivision (a) or (b), the covered

 

entity shall comply with this section by providing a notice, in

 

writing, sent to the mailing address of the state resident in the

 

records of the covered entity, or by electronic mail notice sent to

 

the electronic mail address of the state resident in the records of

 

the covered entity. The notice shall include, at a minimum, all of

 

the following:

 

     (i) The date, estimated date, or estimated date range of the

 

breach.

 

     (ii) A description of the sensitive personally identifying

 

information that was acquired by an unauthorized person as part of

 

the breach.

 

     (iii) A general description of the actions taken by the

 

covered entity to restore the security and confidentiality of the

 

personal information involved in the breach.

 

     (iv) A general description of steps a state resident can take

 

to protect himself or herself from identity theft, if the breach

 

creates a risk of identity theft.

 

     (v) Contact information that the state resident can use to

 

contact the covered entity to inquire about the breach.

 

     (5) A covered entity that is required to provide notice to any

 

state resident under this section may provide substitute notice in

 

lieu of direct notice, if direct notice is not feasible because of

 

any of the following:

 

     (a) Excessive cost to the covered entity of providing direct

 

notification relative to the resources of the covered entity. For


purposes of this subdivision, the cost of direct notification to

 

state residents is considered excessive if it exceeds $250,000.00.

 

     (b) Lack of sufficient contact information for the state

 

resident who the covered entity is required to notify.

 

     (6) For purposes of subsection (5), substitute notice must

 

include both of the following:

 

     (a) If the covered entity maintains an internet website, a

 

conspicuous notice posted on the website for a period of at least

 

30 days.

 

     (b) Notice in print and in broadcast media, including major

 

media in urban and rural areas where the state residents who the

 

covered entity is required to notify reside.

 

     (7) If a covered entity determines that notice is not required

 

under this section, the entity shall document the determination in

 

writing and maintain records concerning the determination for at

 

least 5 years.

 

     Sec. 11. (1) If the number of state residents who a covered

 

entity is required to notify under section 9 exceeds 750, the

 

entity shall provide written notice of the breach to the department

 

of technology, management, and budget as expeditiously as possible

 

and without unreasonable delay. Except as provided in section 9(3),

 

the covered entity shall provide the notice within 45 days of the

 

covered entity's determination that a breach has occurred.

 

     (2) Written notice to the department of technology,

 

management, and budget under subsection (1) must include all of the

 

following:

 

     (a) A synopsis of the events surrounding the breach at the


time that notice is provided.

 

     (b) The approximate number of state residents the covered

 

entity is required to notify.

 

     (c) Any services related to the breach the covered entity is

 

offering or is scheduled to offer without charge to state

 

residents, and instructions on how to use the services.

 

     (d) How a state resident may obtain additional information

 

about the breach from the covered entity.

 

     (3) A covered entity may provide the department of technology,

 

management, and budget with supplemental or updated information

 

regarding a breach at any time.

 

     (4) Information marked as confidential that is obtained by the

 

department of technology, management, and budget under this section

 

is not subject to the freedom of information act, 1976 PA 442, MCL

 

15.231 to 15.246.

 

     Sec. 13. If a covered entity discovers circumstances that

 

require that it provide notice under section 9 to more than 1,000

 

state residents at a single time, the entity shall also notify,

 

without unreasonable delay, each consumer reporting agency that

 

compiles and maintains files on consumers on a nationwide basis, as

 

defined in 15 USC 1681a(p), of the timing, distribution, and

 

content of the notices.

 

     Sec. 15. (1) If a third-party agent experiences a breach of

 

security in the system maintained by the agent, the agent shall

 

notify the covered entity of the breach of security as quickly as

 

practicable.

 

     (2) After receiving notice from a third-party agent under


subsection (1), a covered entity shall provide notices required

 

under sections 9 and 11. A third-party agent, in cooperation with a

 

covered entity, shall provide information in the possession of the

 

third-party agent so that the covered entity can comply with its

 

notice requirements.

 

     (3) A covered entity may enter into a contractual agreement

 

with a third-party agent under which the third-party agent agrees

 

to handle notifications required under this act.

 

     Sec. 17. (1) Subject to subsection (2), a person that

 

knowingly violates or has violated a notification requirement under

 

this act may be ordered to pay a civil fine of not more than

 

$2,000.00 for each violation, or not more than $5,000.00 per day

 

for each consecutive day that the covered entity fails to take

 

reasonable action to comply with the notice requirements of this

 

act.

 

     (2) A person's aggregate liability for civil fines under

 

subsection (1) for multiple violations related to the same security

 

breach shall not exceed $250,000.00.

 

     (3) The attorney general has exclusive authority to bring an

 

action to recover a civil fine under this section.

 

     (4) It is not a violation of this act to refrain from

 

providing any notice required under this act if a court of

 

competent jurisdiction has directed otherwise.

 

     (5) To the extent that notification is required under this act

 

as the result of a breach experienced by a third-party agent, a

 

failure to inform the covered entity of the breach is a violation

 

of this act by the third-party agent and the agent is subject to


the remedies and penalties described in this section.

 

     (6) The remedies under this section are independent and

 

cumulative. The availability of a remedy under this section does

 

not affect any right or cause of action a person may have at common

 

law, by statute, or otherwise.

 

     (7) This act shall not be construed to provide a basis for a

 

private right of action.

 

     Sec. 19. (1) State agencies are subject to the notice

 

requirements of this act. A state agency that acquires and

 

maintains sensitive personally identifying information from a state

 

government employer, and that is required to provide notice to any

 

state resident under this act, must also notify the employing state

 

agency of any state residents to whom the information relates.

 

     (2) A claim or civil action for a violation of this act by a

 

state agency is subject to 1964 PA 170, MCL 691.1401 to 691.1419.

 

     (3) By February 1 of each year, the department of technology,

 

management, and budget shall submit a report to the governor, the

 

senate majority leader, and the speaker of the house of

 

representatives that describes the nature of any reported breaches

 

of security by state agencies or third-party agents of state

 

agencies in the preceding calendar year along with recommendations

 

for security improvements. The report shall identify any state

 

agency that has violated any of the applicable requirements in this

 

act in the preceding calendar year.

 

     Sec. 21. A covered entity or third-party agent shall take

 

reasonable measures to dispose, or arrange for the disposal, of

 

records that contain sensitive personally identifying information


within its custody or control when retention of the records is no

 

longer required under applicable law, regulations, or business

 

needs. Disposal shall include shredding, erasing, or otherwise

 

modifying the sensitive personally identifying information in the

 

records to make it unreadable or undecipherable through any

 

reasonable means consistent with industry standards.

 

     Sec. 23. (1) An entity that is subject to or regulated under

 

federal laws, rules, regulations, procedures, or guidance on data

 

breach notification established or enforced by the federal

 

government is exempt from this act as long as the entity does all

 

of the following:

 

     (a) Maintains procedures under those laws, rules, regulations,

 

procedures, or guidance.

 

     (b) Provides notice to consumers under those laws, rules,

 

regulations, procedures, or guidance.

 

     (c) Timely provides a copy of the notice to the department of

 

technology, management, and budget when the number of state

 

residents the entity notified exceeds 750.

 

     (2) Except as provided in subsection (3), an entity that is

 

subject to or regulated under state laws, rules, regulations,

 

procedures, or guidance on data breach notification that are

 

established or enforced by state government, and are at least as

 

thorough as the notice requirements provided by this act, is exempt

 

from this act so long as the entity does all of the following:

 

     (a) Maintains procedures under those laws, rules, regulations,

 

procedures, or guidance.

 

     (b) Provides notice to customers under the notice requirements


of those laws, rules, regulations, procedures, or guidance.

 

     (c) Timely provides a copy of the notice to the department of

 

technology, management, and budget when the number of state

 

residents the entity notified exceeds 750.

 

     (3) An entity that is subject to or regulated under the

 

insurance code of 1956, 1956 PA 218, MCL 500.100 to 500.8302, is

 

exempt from this act.

 

     (4) An entity that owns, is owned by, or is under common

 

ownership with an entity described in subsection (1), (2), or (3)

 

and that maintains the same cybersecurity procedures as that other

 

entity is exempt from this act.

 

     Enacting section 1. This act takes effect January 20, 2020.

 

     Enacting section 2. This act does not take effect unless

 

Senate Bill No.____ or House Bill No. 4186 (request no. 00206'19 a)

 

of the 100th Legislature is enacted into law.

feedback