Survey Answer:

• Any individual, partnership, corporation, limited liability company, association, or other legal entity, or any department, board, commission, office, agency, authority, or other unit of state government of MI (collectively, Entity) that owns or licenses data including PI of a MI resident.
o The provisions governing maintenance of PI are applicable to any Entity maintaining information on MI residents, whether or not organized or licensed under the laws of MI.
• The unauthorized access and acquisition of data that compromises the security or confidentiality of PI maintained by an Entity as part of a database of PI regarding multiple individuals.
o A good-faith but unauthorized acquisition of PI by an employee or other individual, where the access was related to the activities of the Entity, is not a breach of security unless the PI is misused or disclosed to an unauthorized person. In making this determination, an Entity shall act with the care an ordinarily prudent Entity in a like position would exercise under similar circumstances.
• An Entity to which the statute applies shall provide notice of the breach to each resident of MI if (i) the resident’s unencrypted and unredacted PI was accessed and acquired by an unauthorized person or (ii) the resident’s PI was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key.
o Notification is not required if the Entity determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of MI. This section does not apply to the access or acquisition by a person or agency of federal, state, or local government records or documents lawfully made available to the general public.
• If an Entity notifies 1,000 or more MI residents, the Entity shall, after notifying those residents, notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the security breach without unreasonable delay. A notification under this subsection shall include the number and timing of notices that the person or agency provided to residents of this state. This subsection does not apply if the person or agency is subject to Title V of the Gramm-Leach-Bliley Act.
• An Entity that maintains a database that includes data that the Entity does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach, unless the Entity determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of MI.
• The notification shall be given without unreasonable delay following discovery of the breach, consistent with measures necessary to determine the scope of the breach of the security of a system or restore the integrity of the system.
• Definition of Personal Information: The first name or first initial and last name linked to one or more of the following data elements of a resident of MI:
o Social Security number;
o Driver’s license number or state personal identification card number; or
o Demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident’s financial accounts.

Provided By:
Fred Bellamy: Ryley Carlock & Applewhite