SENATE BILL No. 1022

 

 

January 22, 2008, Introduced by Senator RICHARDVILLE and referred to the Committee on Banking and Financial Institutions.

 

 

 

     A bill to amend 2004 PA 452, entitled

 

"Identity theft protection act,"

 

by amending sections 11 and 12 (MCL 445.71 and 445.72), section 12

 

as added by 2006 PA 566.

 

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

 

     Sec. 11. (1) A person shall not do any of the following in the

 

conduct of trade or commerce:

 

     (a) Deny credit or public utility service to or reduce the

 

credit limit of a consumer solely because the consumer was a victim

 

of identity theft, if the person had prior knowledge that the

 

consumer was a victim of identity theft. A consumer is presumed to

 

be a victim of identity theft for the purposes of this subdivision


 

if he or she provides both of the following to the person:

 

     (i) A copy of a police report evidencing the claim of the

 

victim of identity theft.

 

     (ii) Either a properly completed copy of a standardized

 

affidavit of identity theft developed and made available by the

 

federal trade commission pursuant to 15 USC 1681g or an affidavit

 

of fact that is acceptable to the person for that purpose.

 

     (b) Solicit to extend credit to a consumer who does not have

 

an existing line of credit, or has not had or applied for a line of

 

credit within the preceding year, through the use of an unsolicited

 

check that includes personal identifying information other than the

 

recipient's name, address, and a partial, encoded, or truncated

 

personal identifying number. In addition to any other penalty or

 

remedy under this act or the Michigan consumer protection act, 1976

 

PA 331, MCL 445.901 to 445.922, a credit card issuer, financial

 

institution, or other lender that violates this subdivision, and

 

not the consumer, is liable for the amount of the instrument if the

 

instrument is used by an unauthorized user and for any fees

 

assessed to the consumer if the instrument is dishonored.

 

     (c) Solicit to extend credit to a consumer who does not have a

 

current credit card, or has not had or applied for a credit card

 

within the preceding year, through the use of an unsolicited credit

 

card sent to the consumer. In addition to any other penalty or

 

remedy under this act or the Michigan consumer protection act, 1976

 

PA 331, MCL 445.901 to 445.922, a credit card issuer, financial

 

institution, or other lender that violates this subdivision, and

 

not the consumer, is liable for any charges if the credit card is


 

used by an unauthorized user and for any interest or finance

 

charges assessed to the consumer.

 

     (d) Extend credit to a consumer without exercising reasonable

 

procedures to verify the identity of that consumer. Compliance with

 

regulations issued for depository institutions, and to be issued

 

for other financial institutions, by the United States department

 

of treasury under section 326 of the USA patriot act of 2001, 31

 

USC 5318, is considered compliance with this subdivision. This

 

subdivision does not apply to a purchase of a credit obligation in

 

an acquisition, merger, purchase of assets, or assumption of

 

liabilities or any change to or review of an existing credit

 

account.

 

     (e) If the person collects personal identifying information in

 

the regular course of business and stores that information in a

 

computerized database, failing or neglecting to store that

 

information in the database in an encrypted form, in conformity

 

with current industry-standard encryption methods and capabilities.

 

     (2) A person who knowingly or intentionally violates

 

subsection (1) is guilty of a misdemeanor punishable by

 

imprisonment for not more than 30 days or a fine of not more than

 

$1,000.00, or both. This subsection does not affect the

 

availability of any civil remedy for a violation of this act, the

 

Michigan consumer protection act, 1976 PA 331, MCL 445.901 to

 

445.922, or any other state or federal law.

 

     Sec. 12. (1) Unless the person or agency determines that the

 

security breach has not or is not likely to cause substantial loss

 

or injury to, or result in identity theft with respect to, 1 or


 

more residents of this state, a person or agency that owns or

 

licenses data that are included in a database that discovers a

 

security breach, or receives notice of a security breach under

 

subsection (2), shall provide a notice of the security breach to

 

each resident of this state who meets 1 or more of the following:

 

     (a) That resident's unencrypted and unredacted personal

 

information was accessed and acquired by an unauthorized person.

 

     (b) That resident's personal information was accessed and

 

acquired in encrypted form by a person with unauthorized access to

 

the encryption key.

 

     (2) Unless the person or agency determines that the security

 

breach has not or is not likely to cause substantial loss or injury

 

to, or result in identity theft with respect to, 1 or more

 

residents of this state, a person or agency that maintains a

 

database that includes data that the person or agency does not own

 

or license that discovers a breach of the security of the database

 

shall provide a notice to the owner or licensor of the information

 

of the security breach.

 

     (3) In determining whether a security breach is not likely to

 

cause substantial loss or injury to, or result in identity theft

 

with respect to, 1 or more residents of this state under subsection

 

(1) or (2), a person or agency shall act with the care an

 

ordinarily prudent person or agency in like position would exercise

 

under similar circumstances.

 

     (4) A person or agency shall provide any notice required under

 

this section without unreasonable delay. A person or agency may

 

delay providing notice without violating this subsection if either


 

of the following is met:

 

     (a) A delay is necessary in order for the person or agency to

 

take any measures necessary to determine the scope of the security

 

breach and restore the reasonable integrity of the database.

 

However, the agency or person shall provide the notice required

 

under this subsection without unreasonable delay after the person

 

or agency completes the measures necessary to determine the scope

 

of the security breach and restore the reasonable integrity of the

 

database.

 

     (b) A law enforcement agency determines and advises the agency

 

or person that providing a notice will impede a criminal or civil

 

investigation or jeopardize homeland or national security. However,

 

the agency or person shall provide the notice required under this

 

section without unreasonable delay after the law enforcement agency

 

determines that providing the notice will no longer impede the

 

investigation or jeopardize homeland or national security.

 

     (5) Except as provided in subsection (11), an agency or person

 

shall provide any notice required under this section by providing 1

 

or more of the following to the recipient:

 

     (a) Written notice sent to the recipient at the recipient's

 

postal address in the records of the agency or person.

 

     (b) Written notice sent electronically to the recipient if any

 

of the following are met:

 

     (i) The recipient has expressly consented to receive electronic

 

notice.

 

     (ii) The person or agency has an existing business relationship

 

with the recipient that includes periodic electronic mail


 

communications and based on those communications the person or

 

agency reasonably believes that it has the recipient's current

 

electronic mail address.

 

     (iii) The person or agency conducts its business primarily

 

through internet account transactions or on the internet.

 

     (c) If not otherwise prohibited by state or federal law,

 

notice given by telephone by an individual who represents the

 

person or agency if all of the following are met:

 

     (i) The notice is not given in whole or in part by use of a

 

recorded message.

 

     (ii) The recipient has expressly consented to receive notice by

 

telephone, or if the recipient has not expressly consented to

 

receive notice by telephone, the person or agency also provides

 

notice under subdivision (a) or (b) if the notice by telephone does

 

not result in a live conversation between the individual

 

representing the person or agency and the recipient within 3

 

business days after the initial attempt to provide telephonic

 

notice.

 

     (d) Substitute notice, if the person or agency demonstrates

 

that the cost of providing notice under subdivision (a), (b), or

 

(c) will exceed $250,000.00 or that the person or agency has to

 

provide notice to more than 500,000 residents of this state. A

 

person or agency provides substitute notice under this subdivision

 

by doing all of the following:

 

     (i) If the person or agency has electronic mail addresses for

 

any of the residents of this state who are entitled to receive the

 

notice, providing electronic notice to those residents.


 

     (ii) If the person or agency maintains a website, conspicuously

 

posting the notice on that website.

 

     (iii) Notifying major statewide media. A notification under this

 

subparagraph shall include a telephone number or a website address

 

that a person may use to obtain additional assistance and

 

information.

 

     (6) A notice under this section shall meet all of the

 

following:

 

     (a) For a notice provided under subsection (5)(a) or (b), be

 

written in a clear and conspicuous manner and contain the content

 

required under subdivisions (c) to (g).

 

     (b) For a notice provided under subsection (5)(c), clearly

 

communicate the content required under subdivisions (c) to (g) to

 

the recipient of the telephone call.

 

     (c) Describe the security breach in general terms.

 

     (d) Describe the type of personal information that is the

 

subject of the unauthorized access or use.

 

     (e) If applicable, generally describe what the agency or

 

person providing the notice has done to protect data from further

 

security breaches.

 

     (f) Include a telephone number where a notice recipient may

 

obtain assistance or additional information.

 

     (g) Remind notice recipients of the need to remain vigilant

 

for incidents of fraud and identity theft.

 

     (7) A person or agency may provide any notice required under

 

this section pursuant to an agreement between that person or agency

 

and another person or agency, if the notice provided pursuant to


 

the agreement does not conflict with any provision of this section.

 

     (8) Except as provided in this subsection, after a person or

 

agency provides a notice under this section, the person or agency

 

shall notify each consumer reporting agency that compiles and

 

maintains files on consumers on a nationwide basis, as defined in

 

15 USC 1681a(p), of the security breach without unreasonable delay.

 

A notification under this subsection shall include the number of

 

notices that the person or agency provided to residents of this

 

state and the timing of those notices. This subsection does not

 

apply if either of the following is met:

 

     (a) The person or agency is required under this section to

 

provide notice of a security breach to 1,000 or fewer residents of

 

this state.

 

     (b) The person or agency is subject to title V of the Gramm-

 

Leach-Bliley act, 15 USC 6801 to 6809.

 

     (9) A financial institution that is subject to, and has

 

notification procedures in place that are subject to examination by

 

the financial institution's appropriate regulator for compliance

 

with, the interagency guidance on response programs for

 

unauthorized access to customer information and customer notice

 

prescribed by the board of governors of the federal reserve system

 

and the other federal bank and thrift regulatory agencies, or

 

similar guidance prescribed and adopted by the national credit

 

union administration, and its affiliates, is considered to be in

 

compliance with this section.

 

     (10) A person or agency that is subject to and complies with

 

the health insurance portability and accountability act of 1996,


 

Public Law 104-191, and with regulations promulgated under that

 

act, 45 CFR parts 160 and 164, for the prevention of unauthorized

 

access to customer information and customer notice is considered to

 

be in compliance with this section.

 

     (11) A public utility that sends monthly billing or account

 

statements to the postal address of its customers may provide

 

notice of a security breach to its customers in the manner

 

described in subsection (5), or alternatively by providing all of

 

the following:

 

     (a) As applicable, notice as described in subsection (5)(b).

 

     (b) Notification to the media reasonably calculated to inform

 

the customers of the public utility of the security breach.

 

     (c) Conspicuous posting of the notice of the security breach

 

on the website of the public utility.

 

     (d) Written notice sent in conjunction with the monthly

 

billing or account statement to the customer at the customer's

 

postal address in the records of the public utility.

 

     (12) A person that provides notice of a security breach in the

 

manner described in this section when a security breach has not

 

occurred, with the intent to defraud, is guilty of a misdemeanor

 

punishable by imprisonment for not more than 30 days or a fine of

 

not more than $250.00 for each violation, or both.

 

     (13) Subject to subsection (14), a person that knowingly fails

 

to provide any notice of a security breach required under this

 

section may be ordered to pay a civil fine of not more than $250.00

 

for each failure to provide notice. The attorney general or a

 

prosecuting attorney may bring an action to recover a civil fine


 

under this section.

 

     (14) The aggregate liability of a person for civil fines under

 

subsection (13) for multiple violations of subsection (13) that

 

arise from the same security breach shall not exceed $750,000.00.

 

     (15) Subsections (12) and (13) do not affect the availability

 

of any civil remedy for a violation of state or federal law.

 

     (16) If a person maintains a computerized database that

 

includes personal identifying information about a depository

 

institution's customers, and a security breach of the computerized

 

database occurs, the depository institution may bring a civil

 

action against that person for any actual damages to the depository

 

institution, including, but not limited to, the depository

 

institution's costs incurred in connection with any of the

 

following:

 

     (a) The cancellation or reissuance of any credit or debit

 

cards affected by the security breach.

 

     (b) Closing any deposit, transaction, share draft, or other

 

accounts affected by the security breach and any action to stop

 

payments or block transactions with respect to the accounts.

 

     (c) Opening or reopening any deposit, transaction, share

 

draft, or other accounts affected by the security breach.

 

     (d) Any refund or credit made to a credit or debit cardholder

 

to cover the cost of any unauthorized transaction relating to the

 

security breach.

 

     (e) Notifying any customers of the depository institution

 

affected by the security breach.    

 

     (17) (16) This section applies to the discovery or


 

notification of a breach of the security of a database that occurs

 

on or after the effective date of the amendatory act that added

 

this section July 2, 2007.

 

     (18) (17) This section does not apply to the access or

 

acquisition by a person or agency of federal, state, or local

 

government records or documents lawfully made available to the

 

general public.

 

     (19) (18) This section deals with subject matter that is of

 

statewide concern, and any charter, ordinance, resolution,

 

regulation, rule, or other action by a municipal corporation or

 

other political subdivision of this state to regulate, directly or

 

indirectly, any matter expressly set forth in this section is

 

preempted.