MICHIGAN
FINES & PENALTIES
Violations
$250 per failed notice
BREACH NOTIFICATION
Mandated Timeframe
Without unreasonable delay
BREACH REPORTING
Breach reporting for cases involving 1,000 or more residents of Michigan must be made without unreasonable delay to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
CONSUMER NOTIFICATION
Breach reporting for cases involving 1,000 or more residents of Michigan must be made without unreasonable delay to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
DEFINITION OF ``PERSONAL INFORMATION``
Michigan’s laws have a wide-ranging definition of what is considered personal identifying information relating to financial accounts, which includes biometric data, account numbers and passwords.
FINES & PENALTIES
Failure to provide any notice of a security breach as required may result in a civil fine of up to $250 for each failure to provide notice (with the collective liability for civil fines that arise from the same security breach up to $750,000). The Attorney General or a prosecuting attorney may bring an action to recover a civil fine. Violations of data disposal requirements have a misdemeanor penalty punishable by a fine of up to $250 for each violation.
INDUSTRY SPECIFIC LAWS
Michigan passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Effective January 20, 2021, licensees must comply with the breach notification requirements, including Commissioner notification within 10 business days.
PRIVACY PROGRAM
Organizations must have in place measures to destroy or arrange for the destruction of consumer’s personal identifying records so that the records are made unreadable or indecipherable.
VENDOR/3RD PARTIES
Vendors must notify Organizations without delay after the discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification. Vendors who are “an individual, partnership, corporation, limited liability company, association, or other legal entity” and “maintains a database that includes personal information” must have measures in place for the destruction of records containing personal information.