Bill Text: MI SB0888 | 2023-2024 | 102nd Legislature | Introduced


Bill Title: Consumer protection: identity theft; identity theft protection act; modify. Amends secs. 3, 12 & 12b of 2004 PA 452 (MCL 445.63 et seq.); adds secs. 11a, 11b, 20, 20a, 20b & 20c & repeals secs. 15 & 17 of 2004 PA 452 (MCL 445.75 & 445.77).

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced) 2024-05-30 - Referred To Committee On Finance, Insurance, And Consumer Protection

SENATE BILL NO. 888

May 30, 2024, Introduced by Senator BAYER and referred to the Committee on Finance, Insurance, and Consumer Protection.

A bill to amend 2004 PA 452, entitled

"Identity theft protection act,"

by amending sections 3, 12, and 12b (MCL 445.63, 445.72, and 445.72b), section 3 as amended by 2010 PA 318 and sections 12 and 12b as amended by 2010 PA 315, and by adding sections 11a, 11b, 20, 20a, 20b, and 20c; and to repeal acts and parts of acts.

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

Sec. 3. As used in this act:

(a) "Agency" means a department, board, commission, office, agency, authority, or other unit of state government of this state. The term Agency includes an institution of higher education of this state. The term Agency does not include a circuit, probate, district, or municipal court.

(b) "Breach of the security of a database" or "security breach" means the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals. These terms do not include unauthorized access to data by an employee or other individual if the access meets all of the following:

(i) The employee or other individual acted in good faith in accessing the data.

(ii) The access was related to the activities of the agency or person.

(iii) The employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.

(b) (c) "Child or spousal support" means support for a child or spouse, paid or provided pursuant to in accordance with state or federal law under a court order or judgment. Support includes, but is not limited to, any of the following:

(i) Expenses for day-to-day care.

(ii) Medical, dental, or other health care.

(iii) Child care expenses.

(iv) Educational expenses.

(v) Expenses in connection with pregnancy or confinement under the paternity act, 1956 PA 205, MCL 722.711 to 722.730.

(vi) Repayment of genetic testing expenses , under the paternity act, 1956 PA 205, MCL 722.711 to 722.730.

(vii) A surcharge as provided by section 3a of the support and parenting time enforcement act, 1982 PA 295, MCL 552.603a.

(c) (d) "Credit card" means that term as defined in section 157m of the Michigan penal code, 1931 PA 328, MCL 750.157m.

(d) (e) "Data" means computerized personal information or personal information contained in any other medium.

(e) (f) "Depository institution" means a state or nationally chartered bank or a state or federally chartered savings and loan association, savings bank, or credit union.

(f) (g) "Encrypted" means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing information by another method that renders the data elements unreadable or unusable.

(g) (h) "False pretenses" includes, but is not limited to, a false, misleading, or fraudulent representation, writing, communication, statement, or message, communicated by any means to another person, that the maker of the representation, writing, communication, statement, or message knows or should have known is false or fraudulent. The false pretense may be a representation regarding a past or existing fact or circumstance or a representation regarding the intention to perform a future event or to have a future event performed.

(h) (i) "Financial institution" means a any of the following:

(i) A depository institution. , an

(ii) An affiliate of a depository institution. , a

(iii) A licensee under any of the following:

(A) The consumer financial services act, 1988 PA 161, MCL 487.2051 to 487.2072. ,

(B) 1984 PA 379, MCL 493.101 to 493.114. , the

(C) The motor vehicle sales finance act, 1950 (Ex Sess) PA 27, MCL 492.101 to 492.141. , the

(D) The secondary mortgage loan act, 1981 PA 125, MCL 493.51 to 493.81. , the

(E) The mortgage brokers, lenders, and servicers licensing act, 1987 PA 173, MCL 445.1651 to 445.1684. , or the

(F) The regulatory loan act, 1939 PA 21, MCL 493.1 to 493.24. , a

(iv) A seller under either of the following:

(A) The home improvement finance act, 1965 PA 332, MCL 445.1101 to 445.1431. , or the

(B) The retail installment sales act, 1966 PA 224, MCL 445.851 to 445.873. , or a

(v) A person subject to subtitle A of title V of the Gramm-Leach-Bliley act, 15 USC 6801 to 6809.

(i) (j) "Financial transaction device" means that term as defined in section 157m of the Michigan penal code, 1931 PA 328, MCL 750.157m.

(j) (k) "Identity theft" means engaging in an act or conduct prohibited in section 5(1).

(k) (l) "Interactive computer service" means an information service or system that enables computer access by multiple users to a computer server, including, but not limited to, a service or system that provides access to the internet or to software services available on a server.

(l) (m) "Law enforcement agency" means that term as defined in section 2804 of the public health code, 1978 PA 368, MCL 333.2804.

(m) (n) "Local registrar" means that term as defined in section 2804 of the public health code, 1978 PA 368, MCL 333.2804.

(n) (o) "Medical records or information" includes, but is not limited to, medical and mental health histories, reports, summaries, diagnoses and prognoses, treatment and medication information, notes, entries, and x-rays X-rays and other imaging records.

(o) (p) "Person" means an individual, partnership, corporation, limited liability company, association, or other legal entity.

(p) (q) "Personal identifying information" means a name, number, or other information that is used for the purpose of identifying a specific person or providing access to a person's financial accounts, including, but not limited to, a person's name, address, telephone number, driver license or state personal identification card number, social security Social Security number, place of employment, employee identification number, employer or taxpayer identification number, government passport number, health insurance identification number, mother's maiden name, demand deposit account number, savings account number, financial transaction device account number or the person's account password, any other account password in combination with sufficient information to identify and access the account, automated or electronic signature, biometrics, stock or other security certificate or account number, credit card number, vital record, or medical records or information.

(q) (r) "Personal information", except as otherwise provided in subdivision (r), means the first name or first initial and last name linked to 1 or more of the following data elements of a resident of this state:

(i) A Social security Security number.

(ii) Driver A driver license number, or state personal identification card number, passport number, or other unique identification number issued on a government document that is used to verify the identity of an individual.

(iii) Demand A demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident's financial accounts.

(iv) Any medical records or information.

(v) A health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify an individual.

(vi) A username or email address, in combination with a password or security question and answer, that would permit access to an online account that is reasonably likely to contain or is used to obtain personal identifying information.

(vii) Any genetic information or biometric information that is used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina, or iris image.

(r) Personal information does not include either of the following:

(i) Any information about an individual that has been lawfully made public by a federal, state, or local government record or widely distributed media.

(ii) Any information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data or device containing the information, unless the person or agency knows or reasonably believes that the encryption key or security credential that could render the personal information readable or usable has been accessed or acquired with the information.

(s) "Public utility" means that term as defined in section 1 of 1972 PA 299, MCL 460.111.

(t) "Redact" means to alter or truncate data so that no more than 4 sequential digits of a driver license number, state personal identification card number, or account number, or no more than 5 sequential digits of a social security Social Security number, are accessible as part of personal information.

(u) "Security breach" means the unauthorized access to or unauthorized acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency. Security breach does not include unauthorized access to data by an employee or other individual if the access meets all of the following:

(i) The employee or other individual acted in good faith in accessing the data.

(ii) The access was related to the activities of the agency or person.

(iii) The employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.

(v) (u) "State registrar" means that term as defined in section 2805 of the public health code, 1978 PA 368, MCL 333.2805.

(w) "Third-party agent" means either of the following:

(i) A person that maintains a database that includes personal information that the person does not own or license.

(ii) A person that is otherwise permitted to access personal information owned or licensed by another person or agency in connection with providing services under an agreement with the other person or agency.

(x) (v) "Trade or commerce" means that term as defined in section 2 of the Michigan consumer protection act, 1971 1976 PA 331, MCL 445.902.

(y) (w) "Vital record" means that term as defined in section 2805 of the public health code, 1978 PA 368, MCL 333.2805.

(z) (x) "Webpage" means a location that has a uniform resource locator or URL with respect to the world wide web or another location that can be accessed on the internet.

Sec. 11a. (1) A person or an agency that owns, possesses, collects, or accesses personal information shall implement and maintain reasonable security procedures to protect and safeguard personal information from unlawful use or disclosure.

(2) The security procedures described in subsection (1) must do all of the following:

(a) Identify at least 1 owner, manager, or employee that will coordinate the person's or agency's security procedures.

(b) Identify internal and external risks for security breaches.

(c) Include appropriate safeguards for personal information that are designed to address the risks identified in subdivision (b).

(d) Provide for assessments of the effectiveness of the safeguards described in subdivision (c).

(e) Contractually require each service provider of the person or agency to maintain appropriate safeguards for personal information.

(f) Evaluate and adjust security procedures to account for changes in circumstances affecting the security of personal information.

(3) The reasonableness of the security procedures described in subsection (1) must be determined considering all of the following:

(a) The size of the person or agency.

(b) The amount of personal information that is owned, possessed, collected, or accessed by the person or agency.

(c) The type of activities for which the personal information is owned, possessed, collected, or accessed by the person or agency.

(d) The cost to implement and maintain the security procedures compared to the person's or agency's resources.

Sec. 11b. (1) If a person or an agency determines that a security breach has or may have occurred, the person or agency shall conduct a good-faith and prompt investigation that includes doing all of the following:

(a) Assessing the nature and scope of the security breach.

(b) Identifying the personal information that was involved in the security breach and the identity of the individuals whose personal information was involved in the security breach.

(c) Determining whether the personal information identified under subdivision (b) has been accessed or acquired or is reasonably believed to have been accessed or acquired by an unauthorized person.

(d) Identifying and implementing measures to restore the security and confidentiality of any system compromised in the security breach.

(2) All of the following indicate that personal information has been accessed or acquired by an unauthorized person under subsection (1)(c):

(a) The personal information is or could be in the physical possession and control of an unauthorized person, including, but not limited to, under circumstances where a computer or other device containing personal information is reported lost or stolen.

(b) The personal information has been downloaded or copied by an unauthorized person.

(c) The personal information was used in an unlawful manner by an unauthorized person, including, but not limited to, circumstances under which a fraudulent account is opened using the personal information or a report of identity theft.

(d) The personal information is publicly displayed.

Sec. 12. (1) If, on or after the effective date of the amendatory act that amended this subsection, a third-party agent discovers a security breach that involves data that is owned or licensed by another person or agency, the third-party agent shall, immediately after the discovery, provide a notice of the security breach to the person or agency, and shall provide any other information that is necessary for the person or agency to comply with the notice requirements under subsections (2) and (3).

(2) (1) Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, Subject to subsections (5) to (9), a person or an agency that owns or licenses data that are is included in a database that discovers a security breach on or after the effective date of the amendatory act that amended subsection (1), or receives notice of a security breach under subsection (2), (1) on or after the effective date of the amendatory act that amended subsection (1), shall provide a notice of the security breach to each resident of this state who meets 1 or more of the following criteria, if the person or agency knows, should know, or should have known that the security breach has or could result in identity theft or fraud affecting the resident:

(a) That The resident's unencrypted and unredacted personal information was or may have been accessed and or acquired by an unauthorized person.

(b) That The resident's personal information was or may have been accessed and or acquired in encrypted form by a person with unauthorized access to the encryption key.

(2) Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that maintains a database that includes data that the person or agency does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach.

(3) In determining whether a security breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state under subsection (1) or (2), a person or agency shall act with the care an ordinarily prudent person or agency in like position would exercise under similar circumstances.

(3) Subject to subsection (8), if a person or an agency is required to provide notice under subsection (2) to 100 or more residents of this state, the person or agency must also provide written notice of the security breach to the attorney general not later than 45 days after the discovery of the security breach or receipt of notice under subsection (1).

(4) The written notice described in subsection (3) must include all of the following:

(a) A synopsis of the events surrounding the security breach.

(b) The approximate number of residents of this state that the person or agency is required to notify under subsection (2).

(c) A description of the timing, distribution, and content of the notice required under subsection (2).

(d) The steps taken to investigate the security breach.

(e) The steps taken to prevent a similar security breach.

(f) A description of any services related to the security breach that the person or agency is offering under subsection (7)(h) and a description of the information being provided under subsection (7)(i) and (j).

(g) A description of how a resident of this state may obtain additional information about the security breach from the person or agency.

(5) (4) A Except as otherwise provided in this subsection, a person or an agency shall provide any a notice required under this section subsection (2) without unreasonable delay, . A but not later than 45 days after the discovery of the breach. The person or agency may delay providing notice without violating this subsection if either of the following is met:

(a) A delay is necessary in order for the person or agency to take any measures necessary to determine discover the scope of the security breach and or restore the reasonable integrity of the database. Computer system. However, the agency or person shall provide the notice required under this subsection without unreasonable delay must be provided as soon as possible after the person or agency completes the measures necessary to determine discovery of the scope of the security breach and restore or the restoration of the reasonable integrity of the database. Computer system.

(b) A law enforcement agency determines and advises the agency or person that providing a notice requests to delay disclosure because the disclosure will impede a criminal or civil investigation or jeopardize homeland or national security. However, the agency or person shall provide the notice required under this section without unreasonable delay subsection must be provided as soon as possible after the law enforcement agency determines that providing the notice will no longer impede the investigation or jeopardize homeland or national security.

(6) (5) Except as provided in subsection (11), an agency or (12), a person or an agency shall provide any a notice required under this section subsection (2) by providing 1 or more of the following to the recipient:

(a) Written notice sent to the recipient at the recipient's postal address in the records of the agency or person.

(b) Written notice sent electronically to the recipient if any of the following are met:

(i) The recipient has expressly consented to receive electronic notice.

(ii) The person or agency has an existing business relationship with the recipient that includes periodic electronic mail email communications and based on those communications the person or agency reasonably believes that it the person or agency has the recipient's current electronic mail email address.

(iii) The person or agency conducts its business primarily through internet account transactions or on the internet.

(c) If not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the person or agency if all of the following are met:

(i) The notice is not given in whole or in part by use of a recorded message.

(ii) The recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the person or agency also provides notice under subdivision (a) or (b) if the notice by telephone does not result in a live conversation between the individual representing the person or agency and the recipient within not later than 3 business days after the initial attempt to provide telephonic notice.

(d) Substitute notice, if the person or agency demonstrates that the cost of providing notice under subdivision (a), (b), or (c) will exceed $250,000.00 or that the person or agency has to provide notice to more than 500,000 residents of this state. A person or agency provides substitute notice under this subdivision by doing all of the following:

(i) If the person or agency has electronic mail email addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents.

(ii) If the person or agency maintains a website, conspicuously posting the notice on that website.

(iii) Notifying major statewide media. A notification under this subparagraph shall must include a telephone number or a website address that a person may use to obtain additional assistance and information.

(7) (6) A notice under this section shall do subsection (2) must meet all of the following requirements, as applicable:

(a) For a notice provided under as described in subsection (5)(a) (6)(a) or (b), it must be written in a clear and conspicuous manner and contain the content required under subdivisions (c) to (g), and (h), (i), and (j), if applicable.

(b) For a notice provided under as described in subsection (5)(c), (6)(c), it must clearly communicate the content required under subdivisions (c) to (g), and (h), (i), and (j), if applicable, to the recipient of the telephone call.

(c) Describe It must describe the security breach in general terms.

(d) Describe It must describe the type of personal information that is the subject of the unauthorized access or use.

(e) If applicable, it must generally describe what the agency or person providing the notice has done to protect data from further security breaches.

(f) Include It must include a telephone number where a notice recipient may obtain assistance or additional information.

(g) Remind It must remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.

(h) If the Social Security number or tax payer identification number of a resident was accessed or acquired, or is reasonably believed to have been accessed or acquired, in the security breach, it must offer appropriate identity theft prevention services and, if applicable, identity theft mitigation services, which must be provided at no charge to the resident for not less than 24 months.

(i) It must provide any information that is necessary for a resident described in subdivision (h) to enroll in the identity theft prevention services and identity theft mitigations services, as applicable.

(j) It must provide information on how a resident described in subdivision (h) can place a credit freeze on the resident's credit file.

(8) (7) A person or agency third-party agent may provide any notice required under this section pursuant to subsection (2), (3), or (9) in accordance with an agreement between that the third-party agent and a person or agency, and another person or agency, if the notice provided pursuant to under the agreement does not conflict with any provision of this section.

(9) (8) Except as provided in this subsection, and subject to subsection (8), after a person or an agency provides a notice under this section, subsection (2), the person or agency shall notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the security breach without unreasonable delay. A notification under this subsection shall must include the number of notices that the person or agency provided to residents of this state under subsection (2) and the timing of those notices. This subsection does not apply if either of the following is met:

(a) The person or agency is required under this section subsection (2) to provide notice of a security breach to 1,000 or fewer residents of this state.

(b) The person or agency is subject to 15 USC 6801 to 6809.

(10) (9) A financial institution that is subject to, and has notification procedures in place that are subject to examination by the financial institution's appropriate regulator for compliance with, the interagency guidance on response programs for unauthorized access to customer information and customer notice prescribed by the board of governors of the federal reserve system Board of Governors of the Federal Reserve System and the other federal bank and thrift regulatory agencies, or similar guidance prescribed and adopted by the national credit union administration, National Credit Union Administration, and its affiliates, is considered to be in compliance with this section.

(11) (10) A person or an agency that is subject to and complies with the health insurance portability and accountability act of 1996, Public Law 104-191, and with regulations promulgated under that act, 45 CFR parts 160 and 164, for the prevention of unauthorized access to customer information and customer notice is considered to be in compliance with this section.

(12) (11) A public utility that sends monthly billing or account statements to the postal address of its the public utility's customers may provide notice of a security breach to its customers in the manner described in subsection (5), (6), or alternatively by providing all of the following:

(a) As applicable, notice as described in subsection (5)(b).(6)(b).

(b) Notification to the media reasonably calculated to inform the customers of the public utility of the security breach.

(c) Conspicuous posting of the notice of the security breach on the website of the public utility.

(d) Written notice sent in conjunction with the monthly billing or account statement to the customer at the customer's postal address in the records of the public utility.

(13) (12) A person that provides notice of a security breach in the manner described in this section when a security breach has not occurred, with the intent to defraud, is guilty of a misdemeanor punishable as follows:

(a) Except as otherwise provided under subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $250.00 for each violation, or both.

(b) For a second violation, by imprisonment for not more than 93 days or a fine of not more than $500.00 for each violation, or both.

(c) For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $750.00 for each violation, or both.

(13) Subject to subsection (14), a person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section.

(14) The aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00.

(14) (15) Subsections (12) and (13) do Subsection (13) does not affect the availability of any civil remedy for a violation of state or federal law.

(16) This section applies to the discovery or notification of a breach of the security of a database that occurs on or after July 2, 2006.

(15) (17) This section does not apply to the access or acquisition by a person or an agency of federal, state, or local government records or documents lawfully made available to the general public.

(16) (18) This section deals with subject matter that is of statewide concern, and any charter, ordinance, resolution, regulation, rule, or other action by a municipal corporation or other political subdivision of this state to regulate, directly or indirectly, any matter expressly set forth in this section is preempted.

(17) For purposes of this section, residency must be determined by the principal mailing address of an individual, as determined by a record of the person or agency.

Sec. 12b. (1) A person shall not distribute an advertisement or make any other solicitation that misrepresents to the recipient that a security breach has occurred that may affect the recipient.

(2) A person shall not distribute an advertisement or make any other solicitation that is substantially similar to a notice required under section 12(5) 12(2), or by federal law, if the form of that notice is prescribed by state or federal law, rule, or regulation.

(3) A person who knowingly or intentionally violates this section is guilty of a misdemeanor punishable as follows:

(a) Except as otherwise provided in subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $1,000.00 for each violation, or both.

(b) For a second violation, by imprisonment for not more than 93 days or a fine of not more than $2,000.00 for each violation, or both.

(c) For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $3,000.00 for each violation, or both.

(4) Subsection (3) does not affect the availability of any civil remedy for a violation of this section or any other state or federal law.

Sec. 20. (1) If the attorney general has authority to institute a civil action or proceeding under this act, the attorney general may accept an assurance of discontinuance of a method, act, or practice that is alleged to be unlawful from the person or agency that is alleged to have engaged, be engaging, or be about to engage in the method, act, or practice.

(2) An assurance of discontinuance under subsection (1) does not constitute an admission of guilt and may not be introduced in any other proceeding.

(3) An assurance of discontinuance under subsection (1) may include a stipulation for any of the following:

(a) The voluntary payment by the person for the costs of investigation and reasonable attorney fees.

(b) An amount to be held in escrow pending the outcome of an action.

(c) An amount for restitution to any aggrieved person.

(4) An assurance of discontinuance under subsection (1) must be in writing and may be filed with the circuit court of Ingham County, and the clerk of the court shall maintain a record of the filings.

(5) Unless rescinded by the parties or voided by a court for good cause, the assurance of discontinuance under subsection (1) may be enforced in the circuit court by the parties to the assurance of discontinuance.

(6) The assurance of discontinuance under subsection (1) may be modified by the parties by a written agreement signed by all parties or by a court for good cause.

Sec. 20a. (1) If the attorney general has reasonable cause to believe that a person or an agency has information or is in possession, custody, or control of any document or object that is relevant to an investigation of a violation of this act, the attorney general may, before bringing any action under this act, serve the person with a written demand to do 1 or more of the following:

(a) Appear and be examined under oath.

(b) Answer interrogatories.

(c) Produce the document or object for inspection and copying.

(2) A demand must contain all of the following:

(a) A description of the conduct constituting the violation of this act being investigated by the attorney general.

(b) A summary of subsections (3) and (4).

(c) If the demand requires the appearance of the person, the demand must also include all of the following:

(i) A reasonable time and place for the appearance.

(ii) A notice that the person may file an objection to or reason for not complying with the demand with the attorney general on or before the time described in subparagraph (i).

(d) If the demand requires written interrogatories, the demand must also include all of the following:

(i) A copy of the written interrogatories.

(ii) A reasonable time within which the person must answer the written interrogatories.

(iii) A notice that the person may file an objection to or reason for not complying with the demand with the attorney general on or before the time described in subparagraph (ii).

(e) If the demand requires the production of a document or object, the demand must also include all of the following:

(i) A description of the document or object with sufficient definiteness to permit the document or object to be fairly identified by the person.

(ii) A reasonable time and place for production of the document or object.

(iii) A notice that the person may file an objection to or reason for not complying with the demand with the attorney general on or before the time described in subparagraph (ii).

(iv) The name of the person that will be the custodian of the document or object.

(3) At any time before the return date or not later than 10 days after receiving the demand, whichever is earlier, a person subject to the demand may petition the circuit court of Ingham County for a protective order to do any of the following:

(a) Extend the return date for a reasonable time.

(b) Modify the demand.

(c) Set aside the demand.

(4) If a person files a petition under subsection (3), the person must give the attorney general not less than 10 days' notice of any hearing on the petition and the attorney general must be given an opportunity to respond to the petition.

(5) If a person does not secure a protective order under subsection (3) and the person does not comply with the demand by the return date, the attorney general, with notice to the person, may apply to a court for an order compelling the person's compliance with the demand.

(6) If the court contemplating the order under subsection (5) finds that there is reasonable cause to believe that this act is being, has been, or is about to be violated, that the person subject to the demand is the person that is committing, has committed, or is about to commit the violation or is the person that possesses information, document, or object that is relevant to the investigation by the attorney general, that the person has left the state or is about to leave the state, and that the order is necessary for the enforcement of this act, the court may do either or both of the following:

(a) Require the person to comply with the demand.

(b) Forbid the removal, concealment, withholding, destruction, mutilation, falsification, or alteration of any document or object that is in the possession, custody, or control of the person.

(7) A person subject to a demand or court order under this section, that with the intent to avoid, evade, or prevent compliance with the demand or order, in whole or in part, removes, conceals, withholds, destroys, mutilates, falsifies, or by any other means alters any document or object in the possession, custody, or control of the person may be ordered to pay a civil fine of not more than $25,000.00.

(8) Except as otherwise provided in subsection (9), any testimony, answer, document, or object received by the attorney general in accordance with a demand or order under this section is confidential and not subject to disclosure until the time that an enforcement action is brought by the attorney general under this act.

(9) The attorney general may disclose any testimony, answer, document, or object described in subsection (8) if confidentiality is waived by both of the following:

(a) The person subject to the demand.

(b) The person being investigated by the attorney general.

(10) As used in this section:

(a) "Demand" means a demand under subsection (1).

(b) "Return date" means the date specified in subsection (2)(c)(ii), (d)(iii), or (e)(iii).

Sec. 20b. (1) A person or agency to whom a written demand is served under section 20a shall comply with the terms of the demand unless otherwise provided by the order of the circuit court.

(2) A person that does any of the following may be ordered to pay a civil fine of not more than $25,000.00:

(a) Knowingly and without good cause fails to appear when served with a demand.

(b) Knowingly avoids, evades, or prevents compliance, in whole or in part, with an investigation, including, without limitation, the removal from any place, concealment, destruction, mutilation, alteration, or falsification of documentary material in the possession, custody, or control of a person subject to the demand.

(c) Knowingly conceals relevant information.

(3) The attorney general may file a petition in the circuit court of the county in which the person is established or conducts business or, if the person is not established in this state, in the circuit court of Ingham County for an order to enforce compliance with this section. A violation of a final order entered under this section must be punished as civil contempt.

Sec. 20c. (1) If the attorney general has reasonable cause to believe that a person or an agency has violated this act, the attorney general may bring a civil action seeking 1 or more of the following, as applicable, together with reasonable attorney fees and costs of investigation and litigation:

(a) Injunctive relief.

(b) If the person or an agency knowingly fails to implement and maintain reasonable security procedures under section 11a, a civil fine of not more than $2,000.00.

(c) If the person or an agency knowingly fails to investigate a security breach under section 11b, a civil fine of not more than $2,000.00.

(d) If the person or an agency knowingly fails to provide a notice of a security breach required under section 12, a civil fine of not more than $250.00 for each failure to provide the notice, except that the aggregate liability under this subdivision for multiple violations that arise from the same security breach may not exceed $750,000.00.

(2) On the petition of the attorney general, the circuit court may enjoin a person from doing business in this state if the person persistently and knowingly evades or prevents compliance with an injunction issued under this act.

Enacting section 1. Sections 15 and 17 of the identity theft protection act, 2004 PA 452, MCL 445.75 and 445.77, are repealed.
