Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- $250 per failed notice

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • There are specific requirements for consumer notification.
  • Breach reporting for cases involving 1,000 or more residents of Michigan must be made without unreasonable delay to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
  • Michigan’s laws have a wide-ranging definition of what is considered personal identifying information relating to financial accounts, which includes biometric data, account numbers and passwords.
  • Vendors must notify Organizations without delay after discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations must have measures in place to destroy, or arrange for the destruction of, consumers’ personal identifying records so that the records are made unreadable or indecipherable.
  • Vendors who are “an individual, partnership, corporation, limited liability company, association, or other legal entity” and “maintains a database that includes personal information” must have measures in place for the destruction of records containing personal information.
  • Failure to provide any notice of a security breach as required may result in a civil fine of up to $250 for each failure to provide notice (with the collective liability for civil fines that arise from the same security breach up to $750,000). The Attorney General or a prosecuting attorney may bring an action to recover a civil fine.
  • Violations of data disposal requirements have a misdemeanor penalty punishable by a fine up to $250 for each violation.
  • Sector-specific laws (health, education) provide additional requirements for data protection, security and vendor management.
  • Michigan passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until January 20, 2021 to comply with the breach notification requirements, until January 20, 2022 to comply with the information security requirements, and until January 20, 2023 to comply with the vendor management requirements.
Statutes and Laws
  • Mich. Comp. Laws Ch. 445, Act 452 Identity Theft Protection Act

    • § 445.63 Definitions
    • § 445.72 Notice of Security Breach; Requirements
    • § 445.72a Destruction of data containing personal information required
    • § 445.83 Prohibited use of social security number of employee, student, or other individual

  • Mich. Comp. Laws §§ 333.26261 – 333.26271 Medical Records Access Act

  • Mich. Comp. Laws § 380.1136 Protection of pupil privacy

  • Mich. Comp. Laws §§ 500.501 – 500.547 Insurance Code; Privacy of Financial Information

  • Mich. Comp. Laws §§ 500.550 – 500.565 Insurance Code; Data Security [Effective 1/20/2021]
