Relating to testing for individuals in drug treatment
Expands protected personal info (medical, biometric, govt IDs, credentials), requires safeguards, tightens breach notices, and lets AG enforce penalties against data collectors.
Expands protected personal info (medical, biometric, govt IDs, credentials), requires safeguards, tightens breach notices, and lets AG enforce penalties against data collectors.
Status: Referred to Committee on Government Operations (introduced Jan. 23, 2025)
Subject: Consumer protection — identity theft; modify Identity Theft Protection Act (2004 PA 452; MCL 445.63 et seq.)
Bill changes: Amend secs. 3, 12 & 12b; add secs. 11a, 11b, 20, 20a, 20b & 20c; repeal secs. 15 & 17.
Update and strengthen Michigan’s Identity Theft Protection Act by (1) expanding what counts as protected personal information, (2) requiring entities (private and state) that possess or access residents’ personal information to implement reasonable security procedures, (3) tightening breach-notification rules, and (4) giving the Attorney General enforcement tools and civil penalties for noncompliance.
Definitions and scope
- Expands “data” to include personal information in any medium (not only computerized).
- Broadens “personal information” beyond name + SSN/driver’s license/account numbers to expressly include: passport or other government ID numbers; medical records/medical information; health insurance or subscriber IDs; usernames or email together with passwords/security Q&As that permit account access; genetic information and biometric identifiers (fingerprint, voice print, retina/iris, etc.).
- Exclusions: information lawfully made public; properly truncated/encrypted/secured data that is rendered unusable — except when the encryption key/credential is known to have been compromised.
Reasonable security procedures (applies to persons and agencies that own, possess, collect, or access personal information)
- Must implement and maintain reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access or disclosure.
- Required elements include: designation of a security coordinator; identification of internal/external risks; implementation of safeguards proportionate to risks; regular assessments/testing of safeguards; contract provisions and oversight when third parties access data; secure disposal of personal information; employee training; incident response planning.
- The bill provides that reasonable conformity with an industry-recognized cybersecurity framework may satisfy requirements in specified circumstances.
Breach notification
- Entities that discover or receive notice of a security breach affecting a database must notify affected residents.
- If a breach affects more than 100 state residents, the entity must also notify the Attorney General.
- Notices must include specified information about the breach, consumer protections available, and actions taken to remediate or mitigate harm.
Enforcement, remedies and penalties
- Empowers the Attorney General to investigate alleged violations, seek assurances of discontinuance, issue written demands, and bring civil actions.
- Civil fines are established for violations (committee documents cite a range up to $750,000; some revenue earmarking described — e.g., $10 of fines to the State Justice System Fund and general fine revenue supporting local libraries — as part of fiscal analysis).
- Tie-bar: related bills (SBs 889–892) update statutory references in other acts to reflect these changes.
Compiled from official sources — confirm details with the bill’s official record.
Sign in to ask a question.