Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
  • $250 per failed notice

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • There are specific requirements for consumer notification.
  • Breach reporting for cases involving 1,000 or more residents of Michigan must be made without unreasonable delay to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
  • Michigan’s laws have a wide-ranging definition of what is considered personal identifying information relating to financial accounts, which includes biometric data, account numbers and passwords.
  • If a vendor is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Businesses must have in place measures to destroy, or arrange for the destruction of, consumers’ personal identifying records so that the records are made unreadable or indecipherable.
  • Failure to provide any notice of a security breach as required may result in a civil fine of up to $250 for each failure to provide notice, with the collective liability for civil fines arising from the same security breach capped at $750,000. The Attorney General or a prosecuting attorney may bring an action to recover a civil fine.
  • Education-sector vendors must be under contract and abide by contractual requirements for the protection of educational records, including a provision for penalties for noncompliance.
  • Sector-specific laws (health, education) provide for an individual’s right to access their personal information.
  • Michigan passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until January 20, 2021 to comply with the breach notification requirements, until January 20, 2022 to comply with the information security requirements, and until January 20, 2023 to comply with the vendor management requirements.
Statutes and Laws
  • Mich. Comp. Laws Ch. 445, Act 452 Identity Theft Protection Act
    • § 445.63 Definitions
    • § 445.72 Notice of Security Breach; Requirements
    • § 445.72a Destruction of data containing personal information required
    • § 445.83 Prohibited use of social security number of employee, student, or other individual
  • Mich. Comp. Laws §§ 333.26261 – 333.26271 Medical Records Access Act
  • Mich. Comp. Laws § 380.1136 Protection of pupil privacy
  • Mich. Comp. Laws §§ 500.501 – 500.547 Insurance Code; Privacy of Financial Information
  • Mich. Comp. Laws §§ 500.550 – 500.565 Insurance Code; Data Security [Effective 1/20/2021]
