DATA BREACH NOTIFICATION ACT
H.B. 4186 (S-1) & 4187 (S-1): SUMMARY OF BILL REPORTED FROM COMMITTEE

House Bill 4186 (Substitute S-1 as reported)

House Bill 4187 (Substitute S-1 as reported)

Sponsor:  Representative Diana Farrington

House Committee:  Financial Services
                  Ways and Means

Senate Committee:  Regulatory Reform

House Bill 4187 (S-1) would enact the "Data Breach Notification Act" to do the following:


 --    Require business entities to implement and maintain reasonable security measures designed to protect sensitive personally identifying information against a breach of security.

 --    Require a covered entity or third-party agent to consider specified circumstances in developing its reasonable security measures.

 --    Require a covered entity to conduct a good-faith and prompt investigation if it determined that a breach of security had or could have occurred.

 --    Require a covered entity to provide notice of a breach to each Michigan resident whose sensitive personally identifiable information was acquired in the breach and require the notice to be sent within 45 days after the covered entity completed the measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database.

 --    Prescribe the information a notice would have to include, including the date or estimated date of the breach, a description of the sensitive personally identifying information that was acquired, and a general description of steps a resident could take to protect himself or herself from identity theft.

 --    Allow a covered entity to provide a substitute notice instead of a direct notice under certain circumstances.

 --    Require a third-party agent that experienced a breach of security to notify a covered entity of the breach.

 --    Subject State agencies to the notice requirements proposed in the Act.

 --    Prescribe penalties for violating the Act. 

 --    Specify that certain entities would be exempt from the Act.


House Bill 4186 (S-1) would amend the Identity Theft Protection Act to specify that Sections 12 and 12a of the Act would not apply to a covered entity, as that term is defined in the Data Breach Notification Act. (Section 12 prescribes certain notice requirements regarding a security breach. Section 12a governs the destruction of data containing personal information.)


The bills are tie-barred. Each bill would take effect on January 20, 2022.


MCL 445.64

Legislative Analyst:  Stephen Jackson

House Bill 4186 (S-1) would have no fiscal impact on State or local government.


House Bill 4187 (S-1) would have an indeterminate fiscal impact on State government, local units of government, and nonpublic entities. The required notifications could have a fiscal impact on entities that do not have related procedures in place; however, the proposed requirements also could lead to cost savings if breaches were identified and addressed sooner. The amount of cost or savings is indeterminate and would depend on the actual number and size of the breaches of security.


The bill also provides for civil fines for violations of the proposed notification requirements. Revenue from civil fines is deposited into the State Justice System Fund. The Fund supports justice-related activities across State government in the Departments of Corrections, Health and Human Services, State Police, and Treasury. The Fund also supports justice-related issues in the Legislative Retirement System and the Judiciary.


Date Completed:  12-4-20

Fiscal Analyst:  Joe Carrasco
                 Elizabeth Raczkowski

This analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent.