March 17, 2005, Introduced by Reps. Spade, Vagnozzi, Polidori, Tobocman, Bieda, Anderson, Gleason, Miller, Plakas, Kolb, Accavitti, Brown, Angerer and Lemmons, III and referred to the Committee on Judiciary.
A bill to amend 2004 PA 452, entitled
"Identity theft protection act,"
by amending section 11 (MCL 445.71) and by adding section 12.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 11. (1) A person shall not do any of the following in the
conduct of trade or commerce:
(a) Deny credit or public utility service to or reduce the
credit limit of a consumer solely because the consumer was a victim
of identity theft, if the person had prior knowledge that the
consumer was a victim of identity theft. A consumer is presumed to
be a victim of identity theft for the purposes of this subdivision
if he or she provides both of the following to the person:
(i) A copy of a police report evidencing the claim of the
victim of identity theft.
(ii) Either a properly completed copy of a standardized
affidavit of identity theft developed and made available by the
federal trade commission pursuant to 15 USC 1681g or an affidavit
of fact that is acceptable to the person for that purpose.
(b) Solicit to extend credit to a consumer who does not have
an existing line of credit, or has not had or applied for a line of
credit within the preceding year, through the use of an unsolicited
check that includes personal identifying information other than the
recipient's name, address, and a partial, encoded, or truncated
personal identifying number. In addition to any other penalty or
remedy under this act or the Michigan consumer protection act, 1976
PA 331, MCL 445.901 to 445.922, a credit card issuer, financial
institution, or other lender that violates this subdivision, and
not the consumer, is liable for the amount of the instrument if the
instrument is used by an unauthorized user and for any fees
assessed to the consumer if the instrument is dishonored.
(c) Solicit to extend credit to a consumer who does not have a
current credit card, or has not had or applied for a credit card
within the preceding year, through the use of an unsolicited credit
card sent to the consumer. In addition to any other penalty or
remedy under this act or the Michigan consumer protection act, 1976
PA 331, MCL 445.901 to 445.922, a credit card issuer, financial
institution, or other lender that violates this subdivision, and
not the consumer, is liable for any charges if the credit card is
used by an unauthorized user and for any interest or finance
charges assessed to the consumer.
(d) Extend credit to a consumer without exercising reasonable
procedures to verify the identity of that consumer. Compliance with
regulations issued for depository institutions, and to be issued
for other financial institutions, by the United States department
of treasury under section 326 of the USA patriot act of 2001, 31
USC 5318, is considered compliance with this subdivision. This
subdivision does not apply to a purchase of a credit obligation in
an acquisition, merger, purchase of assets, or assumption of
liabilities or any change to or review of an existing credit
account.
(e) Fail to provide notice required under section 12.
(2) A person who knowingly or intentionally violates
subsection (1) is guilty of a misdemeanor punishable by
imprisonment for not more than 30 days or a fine of not more than
$1,000.00, or both. This subsection does not affect the
availability of any civil remedy for a violation of this act, the
Michigan consumer protection act, 1976 PA 331, MCL 445.901 to
445.922, or any other state or federal law.
Sec. 12. (1) An agency of this state that owns or licenses
computerized data that include personal identifying information
shall provide notice of any breach of the security of the system
following discovery or notification of the breach in the security
of the data to any resident of this state whose unencrypted
personal identifying information is acquired by an unauthorized
person or if the agency reasonably believes that an unauthorized
person has acquired that information. The agency shall provide
notice in the most expedient time possible and without unreasonable
delay, unless 1 or both of the following apply:
(a) A law enforcement agency determines that providing notice
will impede a criminal investigation. However, the agency shall
provide notice after the law enforcement agency determines that
disclosure will not compromise the investigation.
(b) Delay is necessary to determine the scope of the breach
and restore the reasonable integrity of the data system.
(2) An agency that maintains computerized data that include
personal identifying information that the agency does not own shall
provide notice to the owner or licensee of the information of any
breach of the security of the data immediately following discovery,
if the personal identifying information is acquired by an
unauthorized person or if the agency reasonably believes that an
unauthorized person has acquired that information.
(3) A person doing business in this state that owns or
licenses computerized data that include personal identifying
information shall provide notice of any breach of the security of
the system following discovery or notification of the breach in the
security of the data to any resident of this state whose
unencrypted personal identifying information is acquired by an
unauthorized person or if the person reasonably believes that an
unauthorized person has acquired that information. The person shall
provide notice in the most expedient time possible and without
unreasonable delay, unless 1 or both of the following apply:
(a) A law enforcement agency determines that providing notice
will impede a criminal investigation. However, the person shall
provide notice after the law enforcement agency determines that
disclosure will not compromise the investigation.
(b) Delay is necessary to determine the scope of the breach
and restore the reasonable integrity of the data system.
(4) A person doing business in this state that maintains
computerized data that include personal identifying information
that the person does not own shall provide notice to the owner or
licensee of the information of any breach of the security of the
data immediately following discovery, if the personal identifying
information is acquired by an unauthorized person or if the person
reasonably believes that an unauthorized person has acquired that
information.
(5) An agency or person doing business in this state may
provide notice under this section by any of the following methods:
(a) Written notice.
(b) Electronic notice, if the notice provided is consistent
with the provisions regarding electronic records and signatures set
forth in section 101 of title I of the electronic signatures in
global and national commerce act, 15 USC 7001.
(c) Substitute notice, if the agency or person demonstrates
that the cost of providing notice will exceed $250,000.00, that the
agency or person has to provide notice to more than 500,000
individuals, owners, or licensees described in subsection (1), (2),
(3), or (4), as applicable, or that the agency or person does not
have sufficient contact information for the individuals, owners, or
licensees it is required to notify under that subsection. An agency
or person provides substitute notice under this subdivision by
doing all of the following:
(i) Providing notice by electronic mail to those individuals,
owners, or licensees for whom the agency or person has electronic
mail addresses.
(ii) If the agency or person maintains a website, conspicuously
posting the notice on that website.
(iii) Notifying major statewide media.
(iv) If the agency or person maintains its own notification
procedures for security breaches as part of an information security
policy for the treatment of personal identifying information that
are consistent with the time requirements of this section,
notifying the individuals, owners, or licensees in accordance with
those procedures.
(6) A person injured by a violation of this section may bring
a civil action in a court of competent jurisdiction to recover
actual damages and reasonable attorney fees or seek injunctive or
any other relief available at law or in equity.
(7) As used in this section:
(a) "Agency" means a department, board, commission, office,
agency, authority, or other unit of state government. The term
includes a state institution of higher education.
(b) "Breach of the security of the system" means unauthorized
acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal identifying information
maintained by an agency or a person doing business in this state.
The term does not include good faith acquisition of personal
identifying information by an employee or agent of the agency or
person related to the activities of the agency or person if the
personal identifying information is not used or subject to further
unauthorized disclosure.