WeVote

Bill

Bill

SB 888

Relating to testing for individuals in drug treatment

2025 Regular Session Introduced by Tom Takubo and 1 co-sponsor

Expands protected personal info (medical, biometric, govt IDs, credentials), requires safeguards, tightens breach notices, and lets AG enforce penalties against data collectors.

To Health and Human Resources
0
WeVote Research Nonpartisan
Bill Summary · SB 888

SB 888 — Summary (Identity Theft Protection Act amendments)

Status: Referred to Committee on Government Operations (introduced Jan. 23, 2025)
Subject: Consumer protection — identity theft; modify Identity Theft Protection Act (2004 PA 452; MCL 445.63 et seq.)
Bill changes: Amend secs. 3, 12 & 12b; add secs. 11a, 11b, 20, 20a, 20b & 20c; repeal secs. 15 & 17.

Main purpose

Update and strengthen Michigan’s Identity Theft Protection Act by (1) expanding what counts as protected personal information, (2) requiring entities (private and state) that possess or access residents’ personal information to implement reasonable security procedures, (3) tightening breach-notification rules, and (4) giving the Attorney General enforcement tools and civil penalties for noncompliance.

Key provisions

Definitions and scope
- Expands “data” to include personal information in any medium (not only computerized).
- Broadens “personal information” beyond name + SSN/driver’s license/account numbers to expressly include: passport or other government ID numbers; medical records/medical information; health insurance or subscriber IDs; usernames or email together with passwords/security Q&As that permit account access; genetic information and biometric identifiers (fingerprint, voice print, retina/iris, etc.).
- Exclusions: information lawfully made public; properly truncated/encrypted/secured data that is rendered unusable — except when the encryption key/credential is known to have been compromised.

Reasonable security procedures (applies to persons and agencies that own, possess, collect, or access personal information)
- Must implement and maintain reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access or disclosure.
- Required elements include: designation of a security coordinator; identification of internal/external risks; implementation of safeguards proportionate to risks; regular assessments/testing of safeguards; contract provisions and oversight when third parties access data; secure disposal of personal information; employee training; incident response planning.
- The bill provides that reasonable conformity with an industry-recognized cybersecurity framework may satisfy requirements in specified circumstances.

Breach notification
- Entities that discover or receive notice of a security breach affecting a database must notify affected residents.
- If a breach affects more than 100 state residents, the entity must also notify the Attorney General.
- Notices must include specified information about the breach, consumer protections available, and actions taken to remediate or mitigate harm.

Enforcement, remedies and penalties
- Empowers the Attorney General to investigate alleged violations, seek assurances of discontinuance, issue written demands, and bring civil actions.
- Civil fines are established for violations (committee documents cite a range up to $750,000; some revenue earmarking described — e.g., $10 of fines to the State Justice System Fund and general fine revenue supporting local libraries — as part of fiscal analysis).
- Tie-bar: related bills (SBs 889–892) update statutory references in other acts to reflect these changes.

Who is affected

  • Private businesses (including financial institutions and service providers), third‑party data hosts/contractors, and state agencies (including institutions of higher education) that collect, store, transmit, or otherwise access Michigan residents’ personal information.
  • Consumers/residents benefit from broadened definitions of protected data and stronger breach-notification and remediation requirements.
  • State agencies may incur additional compliance costs (assessments, security upgrades, notification processes).

Procedural / timeline notes

  • The bill text adds several new sections and repeals others in the existing Identity Theft Protection Act; it was reported with a committee substitute (S‑1) in committee analyses and reports.
  • Introduced and referred to committee; subsequent procedural history (committee reports) indicates the bill was considered and amended in committee and that enforcement and fiscal impact were analyzed. No final effective date is specified in the provided materials.

Potential impact

  • Strengthens legal obligations and accountability for data holders, narrows gaps in protection for sensitive categories (medical, biometric, genetic, authentication credentials).
  • Likely increases compliance costs for some businesses and state agencies, but provides clearer standards and enforcement mechanisms aimed at reducing identity theft risks for residents.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.