New Data Breach Bill Moves Amid Latest Ransomware Attack
March 19, 2019
Consumers would have to be notified within 45 days if their “sensitive personally identifying information” was stolen in a data breach, under two bills that moved out of the House Financial Services Committee Wednesday morning.
Meanwhile, letters continue to go out from one recent example of a data breach, a ransomware incident that locked up servers and workstations back on Sept. 23 at Wolverine Solutions Group (WSG). A letter an impacted consumer received that notified him of the incident arrived on March 1, 159 days after the incident.
Bill sponsor Rep. Diana Farrington (R-Utica) said she is not happy with the speed of notification in that incident.
“Six months is a little excessive,” she said.
According to a press release issued by Attorney General Dana Nessel’s office Monday, it is unclear if any personal information was actually acquired in the breach, but up to 600,000 Michiganders’ records might have been exposed.
Information that might have been exposed includes names, addresses, dates of birth, Social Security numbers, insurance contract information, phone numbers and medical information for customers of Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health, North Ottawa Community Health System, and the Sparrow Health System.
According to the March 1 letter, WSG notified Sparrow of the incident Dec. 10. And on Feb. 7, the letter states, WSG identified the consumers’ information in the computer system, so the notification was sent.
An article in the Detroit Free Press quotes WSG President Darryl English as saying the company sent letters to Blue Cross customers in late December and that the full impact of the breach will not be known until April. English did not return a call from MIRS Wednesday.
Business groups — including the Michigan Chamber of Commerce, the Michigan Retailers Association and the National Federation of Independent Businesses — oppose the bills, saying they’d prefer additional time, as they did last year when similar legislation was pending.
“This is a consumer protection. It is your data and my data,” Farrington said. “If it is your information out there, I think you have a right to know, sooner than 90 days. You are talking about three months for somebody’s information to be out there without their knowledge.”
HB 4186 and HB 4187 are reintroductions of bills that passed the House in 103-6 votes last session, but the package stalled in the Senate.
Farrington explained the Senate made several changes that companies were asking for, and she “decided to not run the bill any further.”
Among the changes made by the Senate was to extend the time period for non-credit card information. Businesses and agencies that use “a credit card payment processor or a credit card payment gateway” would have had to notify in 45 days, but those without credit card processors or gateways would have been given 75 days.
Farrington said she prefers the 45-day period because that is the standard set by 13 other states that have passed legislation for notification.
Farrington’s bills would cover Social Security numbers, driver license numbers, state personal identification card numbers, passport numbers, and other sensitive information. The law would require businesses and government agencies that hold such information in their computer systems to take reasonable security measures to protect it.
The 45-day time period would begin running once a security breach is detected, Farrington explained. The law would require notification which would give the date or dates of the breach, a description of what information might have been acquired, what the business or agency is doing to restore security, and a description of steps consumers can take to protect against identity theft.
The Michigan Bankers Association (MBA) is on board with the proposal. Bankers often learn a breach has occurred before official notification goes out.
“Yes, we can send them a new card. Yes, we can close existing accounts and open new accounts, but until we have been notified, we cannot fully explain why we are taking these actions. Our hands are tied,” MBA Policy Director David Worthams said in written testimony submitted to the committee. “When merchants notify financial institutions in a timely manner, we are more quickly able to react to potentially fraudulent activity as a result of a data breach. Our experience has shown, however, that merchants are reluctant to share this information.”
Nessel spokesperson Kelly Rossman-McKinney said the Attorney General’s office itself wasn’t notified of the WSG data breach and learned of the incident through the Free Press article on March 7. She said that points to the need for the Attorney General’s office to also be notified when such data breaches occur.