Michigan’s laws have a wide-ranging definition of what is considered personal identifying information relating to financial accounts, which includes biometric data, account numbers and passwords.

Organizations must have in place measures to destroy or arrange for the destruction of consumer’s personal identifying records so that the records are made unreadable or indecipherable.

Breach reporting for cases involving 1,000 or more residents of Michigan must be made without unreasonable delay to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.

There are specific requirements for consumer notification. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Vendors must notify Organizations without delay after the discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification. Vendors who are “an individual, partnership, corporation, limited liability company, association, or other legal entity” and “maintains a database that includes personal information” must have measures in place for the destruction of records containing personal information.

Michigan passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Effective January 20, 2021, licensees must comply with the breach notification requirements, including Commissioner notification within 10 business days.

Failure to provide any notice of a security breach as required may result in a civil fine of up to $250 for each failure to provide notice (with the collective liability for civil fines that arise from the same security breach up to $750,000). The Attorney General or a prosecuting attorney may bring an action to recover a civil fine. Violations of data disposal requirements have a misdemeanor penalty punishable by a fine of up to $250 for each violation.