| Type of Data Covered | Deadline for Notification | Government Notice |
| --- | --- | --- |
| Electronic. | Without unreasonable delay. | No. |
| Requirement | Summary |
| --- | --- |
| Subject Entities | Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Insurance companies are regulated by a separate statute; see "Notification Requirements for Insurers" below. |
| Definition of Personal Information | First name or first initial and last name, in combination with one or more of the following data elements: |
| Definition of Breach | Unauthorized access and acquisition of computerized data that is part of a database that includes the personal information of multiple individuals, which compromises the security or confidentiality of personal information maintained as part of a database of personal information regarding multiple individuals, excluding certain good-faith acquisitions. |
| Type of Data Covered | Electronic. |
| Encryption Safe Harbor | The statute does not apply to encrypted or redacted information, provided that the encryption key was not also acquired. |
| Risk of Harm Analysis | Notification is not required if the entity determines that the breach has not caused, and is not likely to cause, substantial loss, injury, or identity theft to one or more Michigan residents. |
| Consumer Notice Requirements | Timing: Notice must be made without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the database. Content: The security breach notification must be written in a clear and conspicuous manner and include: Method: Written notice; email if the resident has expressly consented, has a business relationship with the entity that includes email communications, or the entity conducts its business primarily through Internet transactions; or telephonic notice if the resident has expressly consented and the notice is not left on voicemail. Substitute notice is available in certain circumstances. |
| Substitute Notice Requirements | Substitute notice may be provided if the cost of providing notice would exceed $250,000, the affected class of residents to be notified exceeds 500,000, or the entity does not have sufficient contact information. Substitute notice must include all of the following: |
| Delayed Notice Requirements | Notification may be delayed if law enforcement determines that notice will impede a criminal or civil investigation or jeopardize homeland or national security. |
| Third Party Notice Requirements | An entity that maintains personal information on behalf of another entity must notify that other entity of the breach, unless it determines that the breach is not likely to cause substantial loss or injury to, or result in the identity theft of, residents. |
| Consumer Reporting Agency Obligations | If more than 1,000 residents must be notified, the entity must notify each nationwide consumer reporting agency of the breach without unreasonable delay. The notification must include the number of residents who received notices and the timing of those notices. |
| Potential Penalties | Violations may result in civil or criminal penalties or other remedies. |
| Notification Requirements for Government Agencies | Please see the statute for specific requirements and/or penalties for applicable government agencies. |
| Notification Requirements for Insurers | Entities subject to, or regulated under, Michigan's insurance code are exempt from the state's data breach notification statute and are instead governed by Mich. Comp. Laws §§ 500.550 – 500.563. That statute includes a requirement for a comprehensive information security plan, annual certification by the Department of Insurance and Financial Services, and notice to the Director of the Department in the event of a breach. |
Last updated: January 2024