Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws:
- $250 per failed notice

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting for cases involving 1,000 or more consumers must be made without unreasonable delay to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
  • There are specific requirements for consumer notification.
  • Failure to provide any notice of a security breach as required may result in a civil fine of up to $250 for each failure to provide notice (the aggregate liability of a person for civil fines that arise from the same security breach shall not exceed $750,000). The Attorney General or a prosecuting attorney may bring an action to recover a civil fine.
  • There is a separate data disposal law; a violation could be a misdemeanor punishable by a fine of up to $250 for each violation.
  • Michigan’s laws have a wide-ranging definition of what is considered personal identifying information relating to financial accounts, which includes biometric data, account numbers and passwords, etc.
  • Additional requirements may apply to those entities in the insurance industry.
  • Heightened protection and handling requirements apply to social security numbers.
  • If a vendor is breached, the vendor must report it to the data owner. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • Mich. Comp. Laws §§ 500.501 – 500.547 Privacy of Financial Information
  • Mich. Comp. Laws Ch. 445, Act 452 Identity Theft Protection Act
    • § 445.63 Definitions
    • § 445.72 Notice of Security Breach; Requirements
    • § 445.72a Destruction of data containing personal information required
    • § 445.83 Prohibited use of social security number of employee, student, or other individual