Michigan employers will have a new set of responsibilities when the state’s new security-breach notification law takes effect on July 2.
Under the law, which amends Michigan’s Identity Theft Protection Act, owners and licensers of databases are required to notify Michigan residents whose personal information has been accessed by an unauthorized person. Failure to provide timely notice will subject employers to both fines and civil lawsuits.
To comply, it’s important to understand what “database,” “personal information” and “breach” mean.
While the law does not specifically define “database,” the generally accepted definition is a collection of data arranged for ease and speed of retrieval, usually by a computer. For example, employee payroll records and computerized personnel, medical and workers’ compensation files are all considered databases.
The law defines “personal information” as a first name or first initial and last name of a Michigan resident linked to one or more of the following:
- Social Security number.
- Driver’s license number or state personal identification card number.
- Demand deposit or other financial account numbers, credit card or debit card numbers, in combination with any required security code, access code or password that would permit access to any of the resident’s financial accounts.
“Breach” means the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information. Breach does not include the unauthorized access or use by an employee or other individual so long as:
- The employee or other individual acted in good faith in accessing the data.
- Access was related to the activities of the business or person.
- The employee or individual did not misuse any personal information or disclose any personal information to an unauthorized person.
When must you notify residents?
An employer must provide notice without unreasonable delay to individuals whose personal information is at risk, unless the employer determines that the security breach has not caused, and is not likely to cause, substantial loss or injury to a Michigan resident or result in identity theft.
Types of notice permitted
According to the new law, Michigan residents may be notified by mail, telephone or e-mail. Written notice can be sent to the individual’s postal address. The employer can telephone, as long as the recipient has expressly consented to be contacted by phone and a person, not a recorded message, delivers the notice.
E-mail notification is acceptable, as long as one of these stipulations can be met:
- The resident has consented to receive electronic notice.
- The person or agency has an existing business relationship with the individual that includes periodic e-mail communications, and believes it has the individual’s current e-mail address.
- The person or agency conducts business primarily through Internet account transactions or on the Internet.
If contact through any of those methods would cost more than $250,000 or if the breach affects more than 500,000 Michigan residents, the employer may opt for lower-cost methods such as bulk electronic mailings, posting information in a notice on a Web site or notifying major statewide media and providing a phone number or Web address where residents can get assistance and information.
What the notice must entail
Notice must describe the security breach, the type of personal information at risk and what the employer has done to protect the data from further breaches. Notice also must include a telephone number for assistance and a reminder about the importance of vigilance in protecting against identity theft.
Penalties for violating the law
The attorney general or a prosecuting attorney may bring an action to recover a civil fine of $250 for each failure to provide timely notice of a breach, subject to a $750,000 cap for multiple breaches resulting from a single incident. Michigan residents also can bring their own lawsuits for damages resulting from the failure to provide notice.
Anyone who fraudulently provides notice of a security breach when one has not actually occurred is guilty of a misdemeanor, punishable by imprisonment for not more than 30 days, a fine of not more than $250 per violation, or both.
" This information is proudly provided by Business Management Daily.com: http://www.businessmanagementdaily.com/2797/security-breach-notification-onus-falls-on-michigan-employers "