December 4, 2007, Introduced by Senators PATTERSON, JELINEK, RICHARDVILLE, ANDERSON, OLSHOVE, ALLEN, BASHAM, BIRKHOLZ and HARDIMAN and referred to the Committee on Judiciary.
A bill to amend 2004 PA 452, entitled
"Identity theft protection act,"
by amending sections 3 and 7 (MCL 445.63 and 445.67), section 3 as
amended by 2006 PA 566, and by adding section 7a.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 3. As used in this act:
(a) "Agency" means a department, board, commission, office,
agency, authority, or other unit of state government of this state.
The term includes an institution of higher education of this state.
The term does not include a circuit, probate, district, or
municipal court.
(b) "Breach of the security of a database" or "security
breach" means the unauthorized access and acquisition of data that
compromises the security or confidentiality of personal information
maintained by a person or agency as part of a database of personal
information regarding multiple individuals. These terms do not
include unauthorized access to data by an employee or other
individual if the access meets all of the following:
(i) The employee or other individual acted in good faith in
accessing the data.
(ii) The access was related to the activities of the agency or
person.
(iii) The employee or other individual did not misuse any
personal information or disclose any personal information to an
unauthorized person.
(c) "Child or spousal support" means support for a child or
spouse, paid or provided pursuant to state or federal law under a
court order or judgment. Support includes, but is not limited to,
any of the following:
(i) Expenses for day-to-day care.
(ii) Medical, dental, or other health care.
(iii) Child care expenses.
(iv) Educational expenses.
(v) Expenses in connection with pregnancy or confinement under
the paternity act, 1956 PA 205, MCL 722.711 to 722.730.
(vi) Repayment of genetic testing expenses, under the paternity
act, 1956 PA 205, MCL 722.711 to 722.730.
(vii) A surcharge as provided by section 3a of the support and
parenting time enforcement act, 1982 PA 295, MCL 552.603a.
(d) "Credit card" means that term as defined in section 157m
of the Michigan penal code, 1931 PA 328, MCL 750.157m.
(e) "Data" means computerized personal information.
(f) "Depository institution" means a state or nationally
chartered bank or a state or federally chartered savings and loan
association, savings bank, or credit union.
(g) "Encrypted" means transformation of data through the use
of an algorithmic process into a form in which there is a low
probability of assigning meaning without use of a confidential
process or key, or securing information by another method that
renders the data elements unreadable or unusable.
(h) "False pretenses" means the representation of a fact or
circumstance which is not true and is calculated to mislead.
(i) (h)
"Financial institution"
means a depository
institution, an affiliate of a depository institution, a licensee
under the consumer financial services act, 1988 PA 161, MCL
487.2051 to 487.2072, 1984 PA 379, MCL 493.101 to 493.114, the
motor vehicle sales finance act, 1950 (Ex Sess) PA 27, MCL 492.101
to 492.141, the secondary mortgage loan act, 1981 PA 125, MCL
493.51 to 493.81, the mortgage brokers, lenders, and servicers
licensing act, 1987 PA 173, MCL 445.1651 to 445.1684, or the
regulatory loan act, 1939 PA 21, MCL 493.1 to 493.24, a seller
under the home improvement finance act, 1965 PA 332, MCL 445.1101
to 445.1431, or the retail installment sales act, 1966 PA 224, MCL
445.851 to 445.873, or a person subject to subtitle A of title V of
the Gramm-Leach-Bliley act, 15 USC 6801 to 6809.
(j) (i)
"Financial transaction
device" means that term as
defined in section 157m of the Michigan penal code, 1931 PA 328,
MCL 750.157m.
(k) (j)
"Identity theft" means
engaging in an act or conduct
prohibited in section 5(1).
(l) "Interactive computer service" means an information service
or system that enables computer access by multiple users to a
computer server, including, but not limited to, a service or system
that provides access to the internet or to software services
available on a server.
(m) (k)
"Law enforcement agency"
means that term as defined in
section 2804 of the public health code, 1978 PA 368, MCL 333.2804.
(n) (l) "Local
registrar" means that term as defined in section
2804 of the public health code, 1978 PA 368, MCL 333.2804.
(o) (m)
"Medical records or
information" includes, but is not
limited to, medical and mental health histories, reports,
summaries, diagnoses and prognoses, treatment and medication
information, notes, entries, and x-rays and other imaging records.
(p) (n)
"Person" means an
individual, partnership,
corporation, limited liability company, association, or other legal
entity.
(q) (o)
"Personal identifying
information" means a name,
number, or other information that is used for the purpose of
identifying a specific person or providing access to a person's
financial accounts, including, but not limited to, a person's name,
address, telephone number, driver license or state personal
identification card number, social security number, place of
employment, employee identification number, employer or taxpayer
identification number, government passport number, health insurance
identification number, mother's maiden name, demand deposit account
number, savings account number, financial transaction device
account number or the person's account password, stock or other
security certificate or account number, credit card number, vital
record, or medical records or information.
(r) (p)
"Personal information"
means the first name or first
initial and last name linked to 1 or more of the following data
elements of a resident of this state:
(i) Social security number.
(ii) Driver license number or state personal identification
card number.
(iii) Demand deposit or other financial account number, or
credit card or debit card number, in combination with any required
security code, access code, or password that would permit access to
any of the resident's financial accounts.
(s) (q)
"Public utility" means
that term as defined in section
1 of 1972 PA 299, MCL 460.111.
(t) (r)
"Redact" means to alter
or truncate data so that no
more than 4 sequential digits of a driver license number, state
personal identification card number, or account number, or no more
than 5 sequential digits of a social security number, are
accessible as part of personal information.
(u) (s)
"State registrar" means
that term as defined in
section 2805 of the public health code, 1978 PA 368, MCL 333.2805.
(v) (t)
"Trade or commerce" means
that term as defined in
section 2 of the Michigan consumer protection act, 1971 PA 331, MCL
445.902.
(w) (u)
"Vital record" means that
term as defined in section
2805 of the public health code, 1978 PA 368, MCL 333.2805.
(x) "Webpage" means a location that has a single uniform
resource locator or URL with respect to the world wide web or
another location that can be accessed on the internet.
Sec. 7. A person shall not do any of the following:
(a) Make any communication under false pretenses purporting to
be by or on behalf of a business, without the authority or approval
of the business, and use that communication to induce, request, or
solicit any individual to provide personal identifying information
with the intent to use that information to commit identity theft or
another crime.
(b) Create or operate a webpage that represents itself as
belonging to or being associated with a business, without the
authority or approval of that business, and induces, requests, or
solicits any user of the internet to provide personal identifying
information with the intent to use that information to commit
identity theft or another crime.
(c) Alter a setting on a user's computer or similar device or
software program through which the user may search the internet and
cause any user of the internet to view a communication that
represents itself as belonging to or being associated with a
business, which message has been created or is operated without the
authority or approval of that business, and induces, requests, or
solicits any user of the internet to provide personal identifying
information with the intent to use that information to commit
identity theft or another crime.
(d) (a)
Obtain or possess, or attempt to
obtain or possess,
personal identifying information of another person with the intent
to use that information to commit identity theft or another crime.
(e) (b)
Sell or transfer, or attempt to
sell or transfer,
personal identifying information of another person if the person
knows or has reason to know that the specific intended recipient
will use, attempt to use, or further transfer the information to
another person for the purpose of committing identity theft or
another crime.
(f) (c)
Falsify a police report of identity
theft, or
knowingly create, possess, or use a false police report of identity
theft.
Sec. 7a. (1) An interactive computer service provider shall
not be held liable under any provision of the laws of this state
for removing or disabling access to an internet domain name
controlled or operated by the registrar or by the provider, or to
content that resides on an internet website or other online
location controlled or operated by the provider, that the provider
believes in good faith is used to engage in a violation of this
act. This act does not apply to a telecommunications provider's or
internet service provider's good faith transmission or routing of,
or intermediate temporary storing or caching of, personal
identifying information.
(2) The attorney general, or an interactive computer service
provider or individual harmed by a violation of section 7(a), (b),
or (c), may bring a civil action against a person who has violated
that section.
(3) In each action brought under this section, the prevailing
party may be awarded reasonable attorney fees if the action is
found by the court to be frivolous.
(4) A person bringing an action under this section may recover
1 of the following:
(a) Actual damages, including reasonable attorney fees.
(b) In lieu of actual damages, the lesser of the following:
(i) $5,000.00 per violation.
(ii) $250,000.00 for each day that a violation occurs.
(5) If the attorney general has reason to believe that a
person has violated section 7(a), (b), or (c), the attorney general
may investigate the business transactions of that person. The
attorney general may require that person to appear, at a reasonable
time and place, to give information under oath and to produce such
documents and evidence necessary to determine whether the person is
in compliance with the requirements of that section.
(6) Any damages collected by the attorney general under this
section shall be credited to the attorney general for the costs of
investigating, enforcing, and defending this act.