Bill Text: MI SB0633 | 2017-2018 | 99th Legislature | Introduced
Bill Title: Trade; data security; personal identifying information; require encryption of certain computerized data and provide remedy to depository institutions for security breaches. Amends secs. 11 & 12 of 2004 PA 452 (MCL 445.71 & 445.72). TIE BAR WITH: SB 0632'17
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2017-10-17 - Referred To Committee On Banking And Financial Institutions [SB0633 Detail]
Download: Michigan-2017-SB0633-Introduced.html
SENATE BILL No. 633
October 17, 2017, Introduced by Senator BOOHER and referred to the Committee on Banking and Financial Institutions.
A bill to amend 2004 PA 452, entitled
"Identity theft protection act,"
by amending sections 11 and 12 (MCL 445.71 and 445.72), as amended
by 2010 PA 315.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 11. (1) A person shall not do any of the following in the
conduct of trade or commerce:
(a) Deny credit or public utility service to or reduce the
credit limit of a consumer solely because the consumer was a victim
of identity theft, if the person had prior knowledge that the
consumer was a victim of identity theft. A consumer is presumed to
be a victim of identity theft for the purposes of this subdivision
if he or she provides both of the following to the person:
(i) A copy of a police report evidencing the claim of the
victim of identity theft.
(ii) Either a properly completed copy of a standardized
affidavit of identity theft developed and made available by the
federal
trade commission Federal
Trade Commission under 15 USC
1681g or an affidavit of fact that is acceptable to the person for
that purpose.
(b) Solicit to extend credit to a consumer who does not have
an existing line of credit, or has not had or applied for a line of
credit within the preceding year, through the use of an unsolicited
check that includes personal identifying information other than the
recipient's name, address, and a partial, encoded, or truncated
personal identifying number. In addition to any other penalty or
remedy under this act or the Michigan consumer protection act, 1976
PA 331, MCL 445.901 to 445.922, a credit card issuer, financial
institution, or other lender that violates this subdivision, and
not the consumer, is liable for the amount of the instrument if the
instrument is used by an unauthorized user and for any fees
assessed to the consumer if the instrument is dishonored.
(c) Solicit to extend credit to a consumer who does not have a
current credit card, or has not had or applied for a credit card
within the preceding year, through the use of an unsolicited credit
card sent to the consumer. In addition to any other penalty or
remedy under this act or the Michigan consumer protection act, 1976
PA 331, MCL 445.901 to 445.922, a credit card issuer, financial
institution, or other lender that violates this subdivision, and
not the consumer, is liable for any charges if the credit card is
used by an unauthorized user and for any interest or finance
charges assessed to the consumer.
(d) Extend credit to a consumer without exercising reasonable
procedures to verify the identity of that consumer. Compliance with
regulations issued for depository institutions, and to be issued
for
other financial institutions, by the United States department
of
treasury Department of
Treasury under section 326 of the USA
patriot act of 2001, 31 USC 5318, is considered compliance with
this subdivision. This subdivision does not apply to a purchase of
a credit obligation in an acquisition, merger, purchase of assets,
or assumption of liabilities or any change to or review of an
existing credit account.
(e) If the person collects personal identifying information in
the regular course of business and stores that information in a
computerized database, fail or neglect to store that information in
the database in an encrypted form.
(2) A person who knowingly or intentionally violates
subsection (1) is guilty of a misdemeanor punishable as follows:
(a) Except as otherwise provided in subdivisions (b) and (c),
by imprisonment for not more than 93 days or a fine of not more
than $1,000.00, or both.
(b) For a second violation, by imprisonment for not more than
93 days or a fine of not more than $2,000.00, or both.
(c) For a third or subsequent violation, by imprisonment for
not more than 93 days or a fine of not more than $3,000.00, or
both.
(3) Subsection (2) does not prohibit a person from being
liable for any civil remedy for a violation of this act, the
Michigan consumer protection act, 1976 PA 331, MCL 445.901 to
445.922, or any other state or federal law.
Sec.
12. (1) Unless the person or agency determines that the
security
breach has not or is not likely to cause substantial loss
or
injury to, or result in identity theft with respect to, 1 or
more
residents of this state, a A person or agency that owns or
licenses data that are included in a database that discovers a
security breach, or receives notice of a security breach under
subsection (2), shall provide a notice of the security breach to
all of the following:
(a) Each financial institution that issued a credit card or
debit card that is compromised by the breach.
(b) Unless the person or agency determines that the security
breach has not or is not likely to cause substantial loss or injury
to, or result in identity theft with respect to, 1 or more
residents of this state, to each resident of this state who meets 1
or more of the following:
(i) (a)
That resident's unencrypted and
unredacted personal
information was accessed and acquired by an unauthorized person.
(ii) (b)
That resident's personal
information was accessed and
acquired in encrypted form by a person with unauthorized access to
the encryption key.
(2) Unless the person or agency determines that the security
breach has not or is not likely to cause substantial loss or injury
to, or result in identity theft with respect to, 1 or more
residents of this state, a person or agency that maintains a
database that includes data that the person or agency does not own
or license that discovers a breach of the security of the database
shall provide a notice to the owner or licensor of the information
of the security breach.
(3) In determining whether a security breach is not likely to
cause substantial loss or injury to, or result in identity theft
with respect to, 1 or more residents of this state under subsection
(1) or (2), a person or agency shall act with the care an
ordinarily prudent person or agency in like position would exercise
under similar circumstances.
(4) A person or agency that is required to give notice of a
security breach under subsection (1) to a financial institution
described in subsection (1)(a) shall provide that notice within 3
business days after the date the person or agency discovers the
security breach. A person or agency shall provide any other notice
required under this section without unreasonable delay. A person or
agency may delay providing notice without violating this subsection
if either of the following is met:
(a) A delay is necessary in order for the person or agency to
take any measures necessary to determine the scope of the security
breach and restore the reasonable integrity of the database.
However, the agency or person shall provide the notice required
under this subsection without unreasonable delay after the person
or agency completes the measures necessary to determine the scope
of the security breach and restore the reasonable integrity of the
database.
(b) A law enforcement agency determines and advises the agency
or person that providing a notice will impede a criminal or civil
investigation or jeopardize homeland or national security. However,
the agency or person shall provide the notice required under this
section without unreasonable delay after the law enforcement agency
determines that providing the notice will no longer impede the
investigation or jeopardize homeland or national security.
(5) Except as provided in subsection (11), an agency or person
shall provide any notice required under this section by providing 1
or more of the following to the recipient:
(a) Written notice sent to the recipient at the recipient's
postal address in the records of the agency or person.
(b) Written notice sent electronically to the recipient if any
of the following are met:
(i) The recipient has expressly consented to receive
electronic notice.
(ii) The person or agency has an existing business
relationship with the recipient that includes periodic electronic
mail communications and based on those communications the person or
agency reasonably believes that it has the recipient's current
electronic mail address.
(iii) The person or agency conducts its business primarily
through internet account transactions or on the internet.
(c) If not otherwise prohibited by state or federal law,
notice given by telephone by an individual who represents the
person or agency if all of the following are met:
(i) The notice is not given in whole or in part by use of a
recorded message.
(ii) The recipient has expressly consented to receive notice
by telephone, or if the recipient has not expressly consented to
receive notice by telephone, the person or agency also provides
notice under subdivision (a) or (b) if the notice by telephone does
not result in a live conversation between the individual
representing the person or agency and the recipient within 3
business days after the initial attempt to provide telephonic
notice.
(d) Substitute notice, if the person or agency demonstrates
that the cost of providing notice under subdivision (a), (b), or
(c) will exceed $250,000.00 or that the person or agency has to
provide notice to more than 500,000 residents of this state. A
person or agency provides substitute notice under this subdivision
by doing all of the following:
(i) If the person or agency has electronic mail addresses for
any of the residents of this state who are entitled to receive the
notice, providing electronic notice to those residents.
(ii) If the person or agency maintains a website,
conspicuously posting the notice on that website.
(iii) Notifying major statewide media. A notification under
this subparagraph shall include a telephone number or a website
address that a person may use to obtain additional assistance and
information.
(6) A notice under this section shall do all of the following:
(a) For a notice provided under subsection (5)(a) or (b), be
written in a clear and conspicuous manner and contain the content
required
under subdivisions (c) to (g).(j).
(b) For a notice provided under subsection (5)(c), clearly
communicate
the content required under subdivisions (c) to (g) (j)
to the recipient of the telephone call.
(c) If the information is possible to determine at the time
the notice is provided, include 1 of the following, as applicable:
(i) The date of the breach.
(ii) The estimated date of the breach.
(iii) The date range within which the breach occurred.
(d) Include the date of the notice.
(e) State whether notification was delayed as a result of an
investigation by a law enforcement agency, if that information is
possible to determine at the time the notice is provided.
(f) (c)
Describe the security breach in
general terms.
(g) (d)
Describe the type of personal
information that is the
subject of the unauthorized access or use.
(h) (e)
If applicable, generally describe
what the agency or
person providing the notice has done to protect data from further
security breaches.
(i) (f)
Include a telephone number where a
notice recipient
may obtain assistance or additional information.
(j) (g)
Remind notice recipients of the
need to remain
vigilant for incidents of fraud and identity theft.
(k) If the person or agency providing the notification was the
source of the breach, and the person or agency is providing the
notice to a resident of this state under subsection (1) or (2),
include an offer to provide appropriate identity theft prevention
and mitigation services, if any, at no cost to the affected
resident for at least 12 months, and include all information
necessary for the resident to accept the offer.
(7) A person or agency may provide any notice required under
this
section pursuant to under an agreement between that person or
agency and another person or agency, if the notice provided
pursuant
to under the agreement does not conflict with any
provision
of this section.
(8) Except as provided in this subsection, after a person or
agency provides a notice under this section, the person or agency
shall notify each consumer reporting agency that compiles and
maintains files on consumers on a nationwide basis, as defined in
15 USC 1681a(p), of the security breach without unreasonable delay.
A notification under this subsection shall include the number of
notices that the person or agency provided to residents of this
state and the timing of those notices. This subsection does not
apply if either of the following is met:
(a) The person or agency is required under this section to
provide notice of a security breach to 1,000 or fewer residents of
this state.
(b) The person or agency is subject to 15 USC 6801 to 6809.
(9) A financial institution that is subject to, and has
notification procedures in place that are subject to examination by
the financial institution's appropriate regulator for compliance
with, the interagency guidance on response programs for
unauthorized access to customer information and customer notice
prescribed
by the board of governors of the federal reserve system
Board of Governors of the Federal Reserve System and the other
federal bank and thrift regulatory agencies, or similar guidance
prescribed
and adopted by the national credit union administration,
National Credit Union Administration and its affiliates, is
considered to be in compliance with this section.
(10) A person or agency that is subject to and complies with
the health insurance portability and accountability act of 1996,
Public Law 104-191, and with regulations promulgated under that
act, 45 CFR parts 160 and 164, for the prevention of unauthorized
access to customer information and customer notice is considered to
be in compliance with this section.
(11) A public utility that sends monthly billing or account
statements to the postal address of its customers may provide
notice of a security breach to its customers in the manner
described in subsection (5), or alternatively by providing all of
the following:
(a) As applicable, notice as described in subsection (5)(b).
(b) Notification to the media reasonably calculated to inform
the customers of the public utility of the security breach.
(c) Conspicuous posting of the notice of the security breach
on the website of the public utility.
(d) Written notice sent in conjunction with the monthly
billing or account statement to the customer at the customer's
postal address in the records of the public utility.
(12) A person that provides notice of a security breach in the
manner described in this section when a security breach has not
occurred, with the intent to defraud, is guilty of a misdemeanor
punishable as follows:
(a) Except as otherwise provided under subdivisions (b) and
(c), by imprisonment for not more than 93 days or a fine of not
more than $250.00 for each violation, or both.
(b) For a second violation, by imprisonment for not more than
93 days or a fine of not more than $500.00 for each violation, or
both.
(c) For a third or subsequent violation, by imprisonment for
not more than 93 days or a fine of not more than $750.00 for each
violation, or both.
(13) Subject to subsection (14), a person that knowingly fails
to provide any notice of a security breach required under this
section may be ordered to pay a civil fine of not more than $250.00
for each failure to provide notice. The attorney general or a
prosecuting attorney may bring an action to recover a civil fine
under this section.
(14) The aggregate liability of a person for civil fines under
subsection (13) for multiple violations of subsection (13) that
arise from the same security breach shall not exceed $750,000.00.
(15) Subsections (12) and (13) do not affect the availability
of any civil remedy for a violation of state or federal law.
(16) If a person maintains a computerized database that
includes personal identifying information about a depository
institution's customers, and a security breach of the computerized
database occurs, the depository institution may bring a civil
action against that person for any actual damages to the depository
institution, including, but not limited to, the depository
institution's costs incurred in connection with any of the
following:
(a) The cancellation or reissuance of any credit or debit
cards affected by the security breach.
(b) Closing any deposit, transaction, share draft, or other
accounts affected by the security breach and any action to stop
payments or block transactions with respect to the accounts.
(c) Opening or reopening any deposit, transaction, share
draft, or other accounts affected by the security breach.
(d) Any refund or credit made to a credit or debit cardholder
to cover the cost of any unauthorized transaction relating to the
security breach.
(e) Notifying any customers of the depository institution
affected by the security breach.
(17)
(16) This section applies to the discovery or
notification of a breach of the security of a database that occurs
on or after July 2, 2006.
(18) (17)
This section does not apply to the
access or
acquisition by a person or agency of federal, state, or local
government records or documents lawfully made available to the
general public.
(19) (18)
This section deals with subject
matter that is of
statewide concern, and any charter, ordinance, resolution,
regulation, rule, or other action by a municipal corporation or
other political subdivision of this state to regulate, directly or
indirectly, any matter expressly set forth in this section is
preempted.
Enacting section 1. This amendatory act takes effect 90 days
after the date it is enacted into law.
Enacting section 2. This amendatory act does not take effect
unless Senate Bill No. 632
of the 99th Legislature is enacted into law.