|Identity Theft Protection Act|
|CITATION||Michigan Compiled Laws: § 445.72|
Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of this state, a person or agency that owns or licenses data that are included in a database that discovers a security breach, or receives notice of a security breach shall provide a notice of the security breach to each resident of this state who meets one or more of the following:
The law covers ‘Personal Information’ which is defined as the first name or first initial and last name linked to one or more of the following data elements of a resident of this state:
|INDUSTRY||A person or agency that licenses data that are included in a database that contains a Michigan resident’s personal information.|
A person that provides notice of a security breach in the manner described in this section when a security breach has not occurred, with the intent to defraud, is guilty of a misdemeanor punishable by imprisonment for not more than 30 days or a fine of not more than two hundred fifty dollars ($250) for each violation, or both.
A person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than two hundred fifty dollars ($250) for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section.
The aggregate liability of a person cannot exceed seven hundred fifty thousand dollars ($750,000) for each security breach.