Reporting and Notification Rules Regarding Data Breaches in Michigan

Stew Nelson Senior Risk Advisor

Remember, I am not a lawyer, but for those of you who have a hard time reading regulations, here is a summary of the Identity Theft Protection Act, Act 452 of 2004. This act covers notification of state residents that they are the victims of an unauthorized access of a database containing their personally identifiable information or personal health information.

Who has to notify affected individuals? Unless you can determine that a security breach has not caused, and is not likely to cause, injury to one or more Michigan residents, you must notify the affected parties.

How will I know if my data breach is likely to cause injury? Given the high percentage of people who end up involved in identity fraud after a breach, you probably have to assume that your breach is likely to cause injury unless your data is encrypted.

How long do I have to comply with Michigan’s notification requirements? You are expected to provide notification without unreasonable delay. The law specifically allows a delay in order to determine the size of the security breach and also to restore the integrity of your network. You also can delay if a law enforcement agency informs you that notification will impede a criminal or civil investigation or jeopardize homeland security.

What constitutes notification? Basically, you’ll be required to provide written notice to an affected individual at their postal address. Email can be used if the affected individual has given you permission to do so, or if you primarily conduct your business on the Internet. Prudent business practice would suggest that notification be sent by registered mail so that you have a record that the individual was notified and the date they received that notification.

What if I have 25,000 people I must notify and the cost of a registered letter is $10? If the cost of the notification is estimated to exceed $250,000, or you must notify more than 500,000 people, then substitute notification rules apply. Substitute notification can be done by email, by conspicuously posting it on your website, or by notifying statewide media.

What if I only store their name and password? You are required to notify if you store the first name, middle initial, and last name linked to one or more of the following data elements: Social Security number; driver’s license number or state personal identification card number; demand deposit or other financial account number; or credit or debit card number in combination with any security code, access code, or password that would permit access to any of the resident’s financial accounts.