Identity Theft Notice Requirements
Effective July 2, 2007, Michigan law requires specific notices to be sent if personal information is compromised by a security breach.
Identity Theft Protection Act, Public Act 452 of 2004, MCL 445.61, et seq. (as amended by PA 566 of 2006, effective July 2, 2007)
"Personal information" means the first name or first initial and last name of a Michigan resident linked to one or more of the following:
A "security breach" is any unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a township as part of a database of personal information regarding multiple individuals.
It is not a security breach if all of the following apply: 1) the person acted in good faith in accessing the data, 2) the access was related to the activities of the agency or person, AND 3) the person did not misuse any personal information or disclose any personal information to an unauthorized person.
If a township that "owns or licenses data" (computerized personal information) in a database discovers a security breach, or receives notice of a security breach involving that data, the township must provide a notice of the security breach to certain Michigan residents, unless it determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents.
If a township is required to give notice, then notice must be given to any Michigan resident 1) whose unencrypted and unredacted [unedited] personal information was accessed and acquired by an unauthorized person, or 2) whose personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key.
If a township maintains a database that includes data that the township does not own or license, and the township discovers a breach of the security of the database, then the township must provide a notice of the security breach to the owner or licensor of the information, unless it determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents.
In determining whether a security breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents, a township must act with the care an ordinarily prudent agency in like position would exercise under similar circumstances.
Notice must be given without unreasonable delay. Notice may be delayed only 1) when it is necessary for the township to take any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database, or 2) if a law enforcement agency determines and advises the township that providing a notice will impede a criminal or civil investigation or jeopardize homeland or national security.
A township must provide notice by:
(a) Written notice sent to the recipient at the recipient's postal address in the records of the agency or person, or
(b) Written notice sent electronically to the recipient if any of the following are met:
(i) The recipient has expressly consented to receive electronic notice.
(ii) The township has an existing business relationship with the recipient that includes periodic electronic mail communications and based on those communications the person or agency reasonably believes that it has the recipient's current electronic mail address.
(iii) The person or agency conducts its business primarily through internet account transactions or on the internet.
(c) If not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the person or agency if all of the following are met:
(i) The notice is not given in whole or in part by use of a recorded message.
(ii) The recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the person or agency also provides notice under subdivision (a) or (b) if the notice by telephone does not result in a live conversation between the individual representing the person or agency and the recipient within 3 business days after the initial attempt to provide telephonic notice.
(d) Substitute notice, if the township demonstrates that the cost of providing notice under subdivision (a), (b), or (c) will exceed $250,000.00 or that the township has to provide notice to more than 500,000 residents of this state. A township provides substitute notice under this subdivision by doing all of the following:
(i) If the person or agency has electronic mail addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents.
(ii) If the person or agency maintains a website, conspicuously posting the notice on that website.
(iii) Notifying major statewide media. A notification under this subparagraph shall include a telephone number or a website address that a person may use to obtain additional assistance and information.
Notice must clearly communicate and describe:
A township that is subject to and complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, and with regulations promulgated under that act, 45 CFR parts 160 and 164, for the prevention of unauthorized access to customer information and customer notice is considered to be in compliance with the requirement to notify residents of security breaches.
A public utility that sends monthly billing or account statements to the postal address of its customers may provide notice of a security breach to its customers in the manner described above, or alternatively by providing all of the following:
(a) As applicable, notice as described in subsection (5)(b).
(b) Notification to the media reasonably calculated to inform the customers of the public utility of the security breach.
(c) Conspicuous posting of the notice of the security breach on the website of the public utility.
(d) Written notice sent in conjunction with the monthly billing or account statement to the customer at the customer's postal address in the records of the public utility.
A person who knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section.
If a township provides a notice under this section, the township must also notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the security breach without unreasonable delay. This notice must include the number of notices that the township provided to residents of this state and the timing of those notices. This requirement does not apply if either of the following is met:
(a) The township is required under this section to provide notice of a security breach to 1,000 or fewer residents of this state, or
(b) The township is subject to title V of the Gramm-Leach-Bliley act, 15 USC 6801 to 6809.
Copyright © 2009, Michigan Townships Association