Retailers must notify after security breach

Businesses, individuals and state agencies will soon be required by state law to notify each Michigan resident whose personal information (including a credit card account number) may have been compromised in the event of a data security breach. The law, an amendment to the Identity Theft Protection Act of 2004, goes into effect July 2, 2007.

An important exception, won by MRA and other business groups, provides that notification is not required when it is determined that “the security breach has not or is not likely to cause substantial loss or injury, or result in identity theft.”

“This law is one more reason among many to be absolutely sure your business systems are not storing data that could be hacked by identity thieves. The data you keep must be properly secured,” said Eric Rule, director of governmental affairs at MRA.

A data security breach is defined in the law as “the unauthorized access and acquisition of computerized personal information that compromises the security or confidentiality of personal information maintained by an entity as part of a database of personal information.” The law does not apply to unauthorized access by an employee or other individual if: “the person had acted in good faith in accessing the data; the access related to the activities of the business; and the employee or other individual did not misuse or disclose any of the information to an unauthorized person or business.”

The notification must be made “without reasonable delay,” a standard commonly used in state and federal law. The law also specifies several methods for notification, including mail, telephone or e-mail, but restrictions apply to when and how each method can be used. Alternate means of notification are available if the cost of complying would exceed $250,000 or if more than 500,000 people would need to be notified.

The law sets a fine of $250 for each failure to notify (that is, for each Michigan resident whose information was compromised), capped at $750,000. The penalties do not affect the rights of individuals to sue for civil damages resulting from a violation of those provisions or any other state or federal law. False notification of a security breach—for example, through an e-mail or an advertisement—is also penalized in this law. Such false notification is a tactic for luring customers into providing personal data to unauthorized individuals posing as representatives of a legitimate business.