Michigan Privacy Laws

Breach Notification
  Mandated timeframe: without unreasonable delay

Fines & Penalties
  Violations: $250 per failed notice

[Regulation levels chart: categories Breach Reporting, Consumer Notifications, Vendor Management, Vendor Contract Required; level scale Minimal, Basic, Comprehensive, Extensive]
LAWS RELATED TO PERSONAL INFORMATION

Regulated Breach Reporting
  • Breach Reporting Requirements
  • Consumer Notification Requirements
  • Vendor Notification of Breach

Vendor Requirements
  • Vendor Specific Obligations
  • Vendor Mandated Contracts

Privacy Program Requirements
  • Protection/Security
  • Employee Training
  • Vendor Protection/Security Program
  • Personal Information Protection
  • Data Disposal of Personal Information

Quick Facts

Michigan Privacy Law Information

  • Definition of Personal Information

    Michigan’s laws have a wide-ranging definition of what is considered personal identifying information relating to financial accounts, which includes biometric data, account numbers and passwords.

  • Privacy Program

    Organizations must have measures in place to destroy, or arrange for the destruction of, consumers’ personal identifying records so that the records are made unreadable or indecipherable.

  • Breach Reporting

    Breach reporting for cases involving 1,000 or more residents of Michigan must be made without unreasonable delay to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.

  • Consumer Notification

    There are specific requirements for consumer notification. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

  • Vendor/Third Parties

    Vendors must notify organizations without delay after the discovery of a breach or suspected breach. The organization is responsible for completing any required regulatory reporting and consumer notification. Vendors that fall within the statutory definition (“an individual, partnership, corporation, limited liability company, association, or other legal entity” that “maintains a database that includes personal information”) must have measures in place for the destruction of records containing personal information.

  • Industry Specific Laws

    Michigan passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Effective January 20, 2021, licensees must comply with the breach notification requirements, including Commissioner notification within 10 business days.

  • Fines & Penalties

    Failure to provide any notice of a security breach as required may result in a civil fine of up to $250 for each failure to provide notice, with collective liability for civil fines arising from the same security breach capped at $750,000. The Attorney General or a prosecuting attorney may bring an action to recover a civil fine. Violations of the data disposal requirements are a misdemeanor punishable by a fine of up to $250 for each violation.

Michigan Statutes and Laws

MICH. COMP. LAWS § 380.1136: Protection of pupil privacy

MICH. COMP. LAWS § 445.72: Notice of security breach; requirements

MICH. COMP. LAWS § 445.72A: Destruction of data containing personal information required

MICH. COMP. LAWS § 445.83: Prohibited use of social security number of employee, student, or other individual

MICH. COMP. LAWS §§ 500.501 – 500.547: Insurance Code: Privacy of financial information

MICH. COMP. LAWS §§ 500.550 – 500.565: Insurance Code: Data security

MICH. COMP. LAWS CH. 445, ACT 452: Identity theft protection act