Michigan Compiled Laws §445.61 et seq

Enacted:  12.28.2004

Type of Data Covered: Computerized or electronic data. 

Is Breach Defined?

  • Breach is defined in §445.63(b) below:

  • (b)  “Breach of the security of a database” or “security breach” means the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals. These terms do not include unauthorized access to data by an employee or other individual if the access meets all of the following:

    • (i)  The employee or other individual acted in good faith in accessing the data.

    • (ii)  The access was related to the activities of the agency or person.

    • (iii)  The employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.

When is notice required?

Notice is required for all affected residents unless there is no likelihood of harm. §445.72 details the requirements; key provisions are summarized below:

  • §445.72(4): Notice is given without delay, unless delay is necessary for law enforcement reasons or to determine scope and restore integrity.

  • §445.72(5): Written, electronic, telephonic, and substitute notice are permitted.

  • §445.72(6): The content of the notice has minimum requirements but businesses can include more information as necessary.

  • §445.72(8): Consumer reporting agencies must be notified if over 1,000 residents are affected.

What are the penalties for non-compliance?

Violations have their own sections of the law, §445.72(12)-(15), which read as follows: 

  • (12)  A person that provides notice of a security breach in the manner described in this section when a security breach has not occurred, with the intent to defraud, is guilty of a misdemeanor punishable as follows:

    • (a)  Except as otherwise provided under subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $250.00 for each violation, or both.

    • (b)  For a second violation, by imprisonment for not more than 93 days or a fine of not more than $500.00 for each violation, or both.

    • (c)  For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $750.00 for each violation, or both.

  • (13)  Subject to subsection (14), a person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section.

  • (14)  The aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00.

  • (15)  Subsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law.
