In December, tens of millions of Target customers were affected by one of the largest reported data breaches in history. Nearly four months later, the retailer continues to feel the effects, stemming in part from a loss of consumer confidence. If you operate a business in Michigan, it is important to understand exactly what steps must be taken should you too become the victim of a data breach.
In July 2007, Michigan joined a number of other states by enacting legislation requiring persons (defined as any individual, partnership, corporation, limited liability company, association or other legal entity) to issue notification to individuals whose “personal identifying information” may have been compromised by a data breach.
Most commonly referred to as the Data Breach Notification Act, this legislation identifies the types of information afforded protection under the act as well as the steps a person must take should a data breach occur.
The measure broadly defines personal identifying information as a name, number, or other information that is used for the purpose of identifying a specific person or providing access to a person’s financial accounts. Information of this type includes, but is not limited to, a person’s name, telephone number, social security number, tax identification number, and/or place of employment.
In the event of a data breach, the person is obligated to provide notice of the breach to each Michigan resident whose personal identifying information was accessed and acquired by an unauthorized person, as well as to each resident whose personal identifying information was accessed in encrypted form by someone who also had unauthorized access to the encryption key. In other words, encryption does not excuse notification if the attacker obtained the key along with the data.
Such notice is only required, however, if the person determines that the data breach has caused, or is likely to cause, substantial loss or injury to, or identity theft with respect to, one or more Michigan residents. Generally, notice must be provided in writing, but it may also be issued electronically or by telephone, provided certain criteria are met.
The act provides one limited exception to the foregoing requirements: where the person can demonstrate that the individual accessed the data in good faith, that the access was related to the activities of the entity, and that the individual did not misuse or further disclose any personal identifying information, no notice is required.
A violation of the act is punishable by a fine of $250 for each failure to provide notice, with aggregate liability for multiple violations arising from the same security breach capped at $750,000.