Michigan requirements for data breaches
December 12, 2016
By Anthony Kaylin, courtesy of SBAM Approved Partner ASE
With Yahoo having up to 500 million users’ emails compromised, employee data breached from the Federal Government multiple times, and other personal information data breaches, Michigan employers need to take greater action than ever before to protect their data. If your Michigan organization experiences a breach, the Michigan Identity Theft Protection Act of 2004 (Act 452 of 2004) covers the requirements for organizations. Since HR departments handle and store sensitive personal data, they need to have good knowledge of this law.
This law covers any person or legal entity that owns or licenses personal information that is included in a database. Third party licensees must notify the owner or licensor of the information of a security breach unless it’s determined that the breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to one or more Michigan residents.
The law defines “Security Breach” as an unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a covered entity as part of a database of personal information regarding multiple individuals. So what happens if a breach occurs? Under the law, the organization should provide written, electronic or telephonic notice to the victims without unreasonable delay. Notification may be delayed if a law enforcement agency determines that notification will impede a criminal or civil investigation or jeopardize homeland or national security.
If a security breach occurs, the statute requires that notice must be provided by one of the following methods:
(a) Written notice sent to the recipient’s postal address in the records of the agency or person
(b) Written notice sent electronically to the recipient if any of the following are met:
(i) The recipient has expressly consented to receive electronic notice.
(ii) The person or agency has an existing business relationship with the recipient that includes periodic electronic mail communications, and the person or agency reasonably believes that it has the recipient’s current electronic mail address.
(iii) The person or agency conducts its business primarily through internet account transactions.
(c) Telephone notice if not otherwise prohibited by state or federal law
(d) Electronic notice if the person or agency demonstrates that the cost of providing notice under subdivision (a), (b), or (c) will exceed $250,000 or that the person or agency has to provide notice to more than 500,000 residents of this state. A person or agency can provide substitute notice under this subdivision by doing all of the following:
(i) If the person or agency has electronic mail addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents.
(ii) If the person or agency maintains a website, conspicuously posting the notice on that website.
(iii) Notifying major statewide media. A notification under this subparagraph shall include a telephone number or a website address that a person may use to obtain additional assistance and information.
The content of the notice must be written in a clear and conspicuous manner. It has to describe the security breach in general terms and identify the type of personal information that was the subject of the unauthorized access or use. If applicable, the notice must describe what the agency or person has done to protect data from further security breaches and include a telephone number where a notice recipient may obtain assistance or additional information. Finally, it must remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.
There is a safe harbor provision under the law that states that notice is not required and the statute is not applicable if the personal data that was lost, stolen or accessed is encrypted or redacted, and the encryption key was not compromised. “Encrypted” means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing information by another method that renders the data elements unreadable or unusable. “Redact” means to alter or truncate data so that no more than four sequential digits of a driver license number, state personal identification card number, or account number, or no more than five sequential digits of a social security number, are accessible as part of personal information.
There are civil and criminal penalties that can be imposed if the organization does not follow the requirements of the statute. An informal study by ASE has identified that a number of HR personnel from recruitment to compensation do not have their computers encrypted. That is a must as well as ensuring that the VPN is also encrypted and secure. If an organization doesn’t have cybersecurity policies, that has to be a priority and followed religiously.