SB-0149, As Passed Senate, April 23, 2009

SENATE BILL No. 149

January 29, 2009, Introduced by Senators PATTERSON, CROPSEY, JELINEK, KUIPERS, GARCIA, KAHN, HARDIMAN and RICHARDVILLE and referred to the Committee on Judiciary.

     A bill to amend 2004 PA 452, entitled

"Identity theft protection act,"

by amending sections 3, 7, and 9 (MCL 445.63, 445.67, and 445.69),

section 3 as amended by 2006 PA 566, and by adding section 7a.

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

     Sec. 3. As used in this act:

     (a) "Agency" means a department, board, commission, office,

agency, authority, or other unit of state government of this state.

The term includes an institution of higher education of this state.

The term does not include a circuit, probate, district, or

municipal court.

     (b) "Breach of the security of a database" or "security

breach" means the unauthorized access and acquisition of data that

compromises the security or confidentiality of personal information

maintained by a person or agency as part of a database of personal

information regarding multiple individuals. These terms do not

include unauthorized access to data by an employee or other

individual if the access meets all of the following:

     (i) The employee or other individual acted in good faith in

accessing the data.

     (ii) The access was related to the activities of the agency or

person.

     (iii) The employee or other individual did not misuse any

personal information or disclose any personal information to an

unauthorized person.

     (c) "Child or spousal support" means support for a child or

spouse, paid or provided pursuant to state or federal law under a

court order or judgment. Support includes, but is not limited to,

any of the following:

     (i) Expenses for day-to-day care.

     (ii) Medical, dental, or other health care.

     (iii) Child care expenses.

     (iv) Educational expenses.

     (v) Expenses in connection with pregnancy or confinement under

the paternity act, 1956 PA 205, MCL 722.711 to 722.730.

     (vi) Repayment of genetic testing expenses, under the paternity

act, 1956 PA 205, MCL 722.711 to 722.730.

     (vii) A surcharge as provided by section 3a of the support and

parenting time enforcement act, 1982 PA 295, MCL 552.603a.

     (d) "Credit card" means that term as defined in section 157m

of the Michigan penal code, 1931 PA 328, MCL 750.157m.

Senate Bill No. 149 as amended April 22, 2009

     (e) "Data" means computerized personal information.

     (f) "Depository institution" means a state or nationally

chartered bank or a state or federally chartered savings and loan

association, savings bank, or credit union.

     (g) "Encrypted" means transformation of data through the use

of an algorithmic process into a form in which there is a low

probability of assigning meaning without use of a confidential

process or key, or securing information by another method that

renders the data elements unreadable or unusable.

     (h) "False pretenses" <<includes, but is not limited to, a false,

misleading, or fraudulent representation, writing, communication,

statement, or message, communicated by any means to another person, that the maker of the representation, writing, communication, statement, or message knows or should have known is false or fraudulent. The false pretense may be a representation regarding a past or existing fact or circumstance or a representation regarding the intention to perform a future event or to have a future event performed.>>

     (i) (h) "Financial institution" means a depository

institution, an affiliate of a depository institution, a licensee

under the consumer financial services act, 1988 PA 161, MCL

487.2051 to 487.2072, 1984 PA 379, MCL 493.101 to 493.114, the

motor vehicle sales finance act, 1950 (Ex Sess) PA 27, MCL 492.101

to 492.141, the secondary mortgage loan act, 1981 PA 125, MCL

493.51 to 493.81, the mortgage brokers, lenders, and servicers

licensing act, 1987 PA 173, MCL 445.1651 to 445.1684, or the

regulatory loan act, 1939 PA 21, MCL 493.1 to 493.24, a seller

under the home improvement finance act, 1965 PA 332, MCL 445.1101

to 445.1431, or the retail installment sales act, 1966 PA 224, MCL

445.851 to 445.873, or a person subject to subtitle A of title V of

the Gramm-Leach-Bliley act, 15 USC 6801 to 6809.

     (j) (i) "Financial transaction device" means that term as

defined in section 157m of the Michigan penal code, 1931 PA 328,

MCL 750.157m.

     (k) (j) "Identity theft" means engaging in an act or conduct

prohibited in section 5(1).

     (l) "Interactive computer service" means an information service

or system that enables computer access by multiple users to a

computer server, including, but not limited to, a service or system

that provides access to the internet or to software services

available on a server.

     (m) (k) "Law enforcement agency" means that term as defined in

section 2804 of the public health code, 1978 PA 368, MCL 333.2804.

     (n) (l) "Local registrar" means that term as defined in section

2804 of the public health code, 1978 PA 368, MCL 333.2804.

     (o) (m) "Medical records or information" includes, but is not

limited to, medical and mental health histories, reports,

summaries, diagnoses and prognoses, treatment and medication

information, notes, entries, and x-rays and other imaging records.

     (p) (n) "Person" means an individual, partnership,

corporation, limited liability company, association, or other legal

entity.

     (q) (o) "Personal identifying information" means a name,

number, or other information that is used for the purpose of

identifying a specific person or providing access to a person's

financial accounts, including, but not limited to, a person's name,

address, telephone number, driver license or state personal

identification card number, social security number, place of

employment, employee identification number, employer or taxpayer

identification number, government passport number, health insurance

identification number, mother's maiden name, demand deposit account

number, savings account number, financial transaction device

account number or the person's account password, any other account

password in combination with sufficient information to identify and

access the account, automated or electronic signature, biometrics,

stock or other security certificate or account number, credit card

number, vital record, or medical records or information.

     (r) (p) "Personal information" means the first name or first

initial and last name linked to 1 or more of the following data

elements of a resident of this state:

     (i) Social security number.

     (ii) Driver license number or state personal identification

card number.

     (iii) Demand deposit or other financial account number, or

credit card or debit card number, in combination with any required

security code, access code, or password that would permit access to

any of the resident's financial accounts.

     (s) (q) "Public utility" means that term as defined in section

1 of 1972 PA 299, MCL 460.111.

     (t) (r) "Redact" means to alter or truncate data so that no

more than 4 sequential digits of a driver license number, state

personal identification card number, or account number, or no more

than 5 sequential digits of a social security number, are

accessible as part of personal information.

     (u) (s) "State registrar" means that term as defined in

section 2805 of the public health code, 1978 PA 368, MCL 333.2805.

     (v) (t) "Trade or commerce" means that term as defined in

section 2 of the Michigan consumer protection act, 1971 PA 331, MCL

445.902.

     (w) (u) "Vital record" means that term as defined in section

2805 of the public health code, 1978 PA 368, MCL 333.2805.

     (x) "Webpage" means a location that has a uniform resource

locator or URL with respect to the world wide web or another

location that can be accessed on the internet.

     Sec. 7. A person shall not do any of the following:

     (a) Make any electronic mail or other communication under

false pretenses purporting to be by or on behalf of a business,

without the authority or approval of the business, and use that

electronic mail or other communication to induce, request, or

solicit any individual to provide personal identifying information

with the intent to use that information to commit identity theft or

another crime.

     (b) Create or operate a webpage that represents itself as

belonging to or being associated with a business, without the

authority or approval of that business, and induces, requests, or

solicits any user of the internet to provide personal identifying

information with the intent to use that information to commit

identity theft or another crime.

     (c) Alter a setting on a user's computer or similar device or

software program through which the user may access the internet and

cause any user of the internet to view a communication that

represents itself as belonging to or being associated with a

business, which message has been created or is operated without the

authority or approval of that business, and induces, requests, or

solicits any user of the internet to provide personal identifying

information with the intent to use that information to commit

identity theft or another crime.

     (d) (a) Obtain or possess, or attempt to obtain or possess,

personal identifying information of another person with the intent

to use that information to commit identity theft or another crime.

     (e) (b) Sell or transfer, or attempt to sell or transfer,

personal identifying information of another person if the person

knows or has reason to know that the specific intended recipient

will use, attempt to use, or further transfer the information to

another person for the purpose of committing identity theft or

another crime.

     (f) (c) Falsify a police report of identity theft, or

knowingly create, possess, or use a false police report of identity

theft.

     Sec. 7a. (1) A person shall not do any of the following:

     (a) Make any electronic mail or other communication under

false pretenses purporting to be by or on behalf of a business,

without the authority or approval of the business, and use that

electronic mail or other communication to induce, request, or

solicit any individual to provide personal identifying information.

     (b) Create or operate a webpage that represents itself as

belonging to or being associated with a business, without the

authority or approval of that business, and induces, requests, or

solicits any user of the internet to provide personal identifying

information.

     (c) Alter a setting on a user's computer or similar device or

software program through which the user may access the internet and

cause any user of the internet to view a communication that

represents itself as belonging to or being associated with a

business, which message has been created or is operated without the

authority or approval of that business, and induces, requests, or

solicits any user of the internet to provide personal identifying

information.

     (2) An interactive computer service provider shall not be held

liable under any provision of the laws of this state for removing

or disabling access to an internet domain name controlled or

operated by the registrar or by the provider, or to content that

resides on an internet website or other online location controlled

or operated by the provider, that the provider believes in good

faith is used to engage in a violation of this act. This act does

not apply to a telecommunications provider's or internet service

provider's good faith transmission or routing of, or intermediate

temporary storing or caching of, personal identifying information.

     (3) The attorney general, or an interactive computer service

provider harmed by a violation of subsection (1), may bring a civil

action against a person who has violated that subsection.

     (4) Subsection (1) does not apply to the following:

     (a) A law enforcement officer while that officer is engaged in

the performance of his or her official duties.

     (b) Any other individual authorized to conduct lawful

investigations while that individual is engaged in a lawful

investigation.

     (5) A person bringing an action under this section may recover

1 of the following:

     (a) Actual damages, including reasonable attorney fees.

     (b) In lieu of actual damages, reasonable attorney fees plus

the lesser of the following:

     (i) $5,000.00 per violation.

     (ii) $250,000.00 for each day that a violation occurs.

     (6) If the attorney general has reason to believe that a

person has violated section 7(a), (b), or (c) or this section, the

attorney general may investigate the business transactions of that

person. The attorney general may require that person to appear, at

a reasonable time and place, to give information under oath and to

produce any documents and evidence necessary to determine whether

the person is in compliance with the requirements of that section.

     (7) Any damages collected by the attorney general under this

section shall be credited to the attorney general for the costs of

investigating, enforcing, and defending this act.

     Sec. 9. (1) Subject to subsection (6) (7), a person who

violates section 5 or 7 is guilty of a felony punishable by

imprisonment for not more than 5 years or a fine of not more than

$25,000.00, or both.

     (2) Subject to subsection (7), a person who violates section 7

is guilty of a felony punishable by imprisonment for not less than

1 year or more than 10 years or a fine of not less than $5,000.00

or more than $500,000.00, or both.

     (3) (2) Sections 5 and 7 apply whether an individual who is a

victim or intended victim of a violation of 1 of those sections is

alive or deceased at the time of the violation.

     (4) (3) This section does not prohibit a person from being

charged with, convicted of, or sentenced for any other violation of

law committed by that person using information obtained in

violation of this section or any other violation of law committed

by that person while violating or attempting to violate this

section.

     (5) (4) The court may order that a term of imprisonment

imposed under this section be served consecutively to any term of

imprisonment imposed for a conviction of any other violation of law

committed by that person using the information obtained in

violation of this section or any other violation of law committed

by that person while violating or attempting to violate this

section.

     (6) (5) A person may assert as a defense in a civil action or

as an affirmative defense in a criminal prosecution for a violation

of section 5 or 7, and has the burden of proof on that defense by a

preponderance of the evidence, that the person lawfully

transferred, obtained, or attempted to obtain personal identifying

information of another person for the purpose of detecting,

preventing, or deterring identity theft or another crime or the

funding of a criminal activity.

     (7) (6) Subsection (1) or (2) does not apply to a violation of

a statute or rule administered by a regulatory board, commission,

or officer acting under authority of this state or the United

States that confers primary jurisdiction on that regulatory board,

commission, or officer to authorize, prohibit, or regulate the

transactions and conduct of that person, including, but not limited

to, a state or federal statute or rule governing a financial

institution and the insurance code of 1956, 1956 PA 218, MCL

500.100 to 500.8302, if the act is committed by a person subject to

and regulated by that statute or rule, or by another person who has

contracted with that person to use personal identifying

information.

     Enacting section 1. This amendatory act takes effect 90 days

after the date it is enacted into law.