Introduced by Sen. Shirley Johnson (R) on March 16, 2005, to require a state agency or a private company that maintains computerized data with personalized information on individuals to notify those individuals if a breach of security allows unencrypted personal identifying information to be acquired by an unauthorized person. Also, to require the notification of law enforcement agencies and the state Attorney General. A person damaged by an unauthorized release could sue for actual damages and costs. The bill was introduced following news stories about hackers obtaining personal data on 145,000 persons from the ChoicePoint database company. ChoicePoint voluntarily performed the actions that would be required by the bill.
Referred to the Senate Judiciary Committee on March 16, 2005.
Reported in the Senate on November 30, 2006, with the recommendation that the substitute (S-5) be adopted and that the bill then pass.
Substitute offered in the Senate on November 30, 2006, to replace the previous version of the bill with one that refines and specifies procedures that would be required in various kinds of security breaches. Among other changes it requires the notification of credit reporting agencies if a breach could lead to cases of identity theft, and revises penalties. The substitute passed in the Senate by voice vote on November 30, 2006.
Passed in the Senate (36 to 0) on November 30, 2006, to require a state agency or a private company that maintains computerized data with personalized information on individuals to notify those individuals if a breach of security allows unencrypted personal identifying information to be acquired by an unauthorized person. The bill specifies allowable formats for the notices and the information to be included in the notice. Also, to require the notification of credit reporting agencies of a security breach that could lead to identity theft. Failure to comply with the notification requirements would be punishable by civil fines of $1,000 for each individual affected by a security breach, up to a maximum of $2.5 million.
Received in the House on November 30, 2006.
Referred to the House Banking and Financial Services Committee on November 30, 2006.
Reported in the House on December 5, 2006, with the recommendation that the substitute (H-3) be adopted and that the bill then pass.
Substitute offered in the House on December 13, 2006, to replace the previous version of the bill with one that lowers the proposed penalty for each failure to notify an individual to $250, up to an aggregate maximum of $750,000, and makes other minor revisions. The substitute passed in the House by voice vote on December 13, 2006.
Amendment offered by Rep. David Robertson (R) on December 13, 2006, to exempt courts from the entities covered by the bill. The amendment passed in the House by voice vote on December 13, 2006.
Amendment offered by Rep. David Robertson (R) on December 13, 2006, to revise details of the definition of "redacted" as it applies to personally identifying numbers (such as the last four digits of a person's social security number). The bill does not apply the same requirements to breaches of redacted information. The amendment passed in the House by voice vote on December 13, 2006.
Passed in the House (107 to 0) on December 14, 2006, to require a state agency or a private company that maintains computerized data with personalized information on individuals to notify those individuals if a breach of security allows unencrypted personal identifying information to be acquired by an unauthorized person. The bill specifies allowable formats for the notices and the information to be included in the notice. Also, to require the notification of credit reporting agencies of a security breach that could lead to identity theft. Failure to comply with the notification requirements would be punishable by civil fines of $250 for each individual affected by a security breach, up to a maximum of $750,000.
Received in the Senate on December 14, 2006, to concur with the House-passed version of the bill. Passed in the Senate (36 to 0) on December 14, 2006.
Signed by Gov. Jennifer Granholm on December 30, 2006.
2) Does this Include FOC? [by Anonymous Citizen on December 3, 2006] Great Bill--thanks for passing!
However, does this include MICES via Friends of the Courts information? Michael Cox better be prepared for many lawsuits. Please start passing laws to abolish FOCs power—it’s getting out of hand. If not-- the state of Michigan will have MANY valid lawsuits—give it time, and your State will be bankrupted. Being too greedy always backfires. Thanks again!
3) protect private information [by yorkark on December 3, 2006] It appears that this legislation is a step in the right direction. Some employers, I believe, do not take their data security seriously. They get inadequate and inexpensive systems that do not have the kind of security necessary.
Thank you for taking these steps. If it is going to cost them if the info gets out, they may take the necessary step to make sure that it is secure.