SB-0223, As Passed Senate, November 10, 2010

SUBSTITUTE FOR

SENATE BILL NO. 223

A bill to amend 2004 PA 452, entitled

"Identity theft protection act,"

by amending sections 9, 11, 12, and 12b (MCL 445.69, 445.71,

445.72, and 445.72b), sections 12 and 12b as added by 2006 PA 566,

and by adding sections 19, 19a, 19b, and 19c.

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

Sec. 9. (1) Subject to subsection (6), a person who violates

section 5 or 7 is guilty of a felony punishable as follows:

(a) Except as otherwise provided in subdivisions (b) and (c),

by imprisonment for not more than 5 years or a fine of not more

than $25,000.00, or both.

(b) If the violation is a second violation of section 5 or 7,

by imprisonment for not more than 10 years or a fine of not more

than $50,000.00, or both.

section 5 or 7, by imprisonment for not more than 15 years or a

fine of not more than $75,000.00, or both.

(2) Sections 5 and 7 apply whether an individual who is a

victim or intended victim of a violation of 1 of those sections is

alive or deceased at the time of the violation.

(3) This section does not prohibit a person from being charged

with, convicted of, or sentenced for any other violation of law

committed by that person using information obtained in violation of

this section or any other violation of law committed by that person

while violating or attempting to violate this section.

(4) The court may order that a term of imprisonment imposed

under this section be served consecutively to any term of

imprisonment imposed for a conviction of any other violation of law

committed by that person using the information obtained in

violation of this section or any other violation of law committed

by that person while violating or attempting to violate this

section.

(5) A person may assert as a defense in a civil action or as

an affirmative defense in a criminal prosecution for a violation of

section 5 or 7, and has the burden of proof on that defense by a

preponderance of the evidence, that the person lawfully

transferred, obtained, or attempted to obtain personal identifying

information of another person for the purpose of detecting,

preventing, or deterring identity theft or another crime or the

funding of a criminal activity.

(6) Subsection (1) does not apply to a violation of a statute

or rule administered by a regulatory board, commission, or officer

acting under authority of this state or the United States that

confers primary jurisdiction on that regulatory board, commission,

or officer to authorize, prohibit, or regulate the transactions and

conduct of that person, including, but not limited to, a state or

federal statute or rule governing a financial institution and the

insurance code of 1956, 1956 PA 218, MCL 500.100 to 500.8302, if

the act is committed by a person subject to and regulated by that

statute or rule, or by another person who has contracted with that

person to use personal identifying information.

Sec. 11. (1) A person shall not do any of the following in the

conduct of trade or commerce:

(a) Deny credit or public utility service to or reduce the

credit limit of a consumer solely because the consumer was a victim

of identity theft, if the person had prior knowledge that the

consumer was a victim of identity theft. A consumer is presumed to

be a victim of identity theft for the purposes of this subdivision

if he or she provides both of the following to the person:

(i) A copy of a police report evidencing the claim of the

victim of identity theft.

(ii) Either a properly completed copy of a standardized

affidavit of identity theft developed and made available by the

federal trade commission ~~pursuant to~~ under 15 USC 1681g or an

affidavit of fact that is acceptable to the person for that

purpose.

(b) Solicit to extend credit to a consumer who does not have

an existing line of credit, or has not had or applied for a line of

credit within the preceding year, through the use of an unsolicited

check that includes personal identifying information other than the

recipient's name, address, and a partial, encoded, or truncated

personal identifying number. In addition to any other penalty or

remedy under this act or the Michigan consumer protection act, 1976

PA 331, MCL 445.901 to 445.922, a credit card issuer, financial

institution, or other lender that violates this subdivision, and

not the consumer, is liable for the amount of the instrument if the

instrument is used by an unauthorized user and for any fees

assessed to the consumer if the instrument is dishonored.

current credit card, or has not had or applied for a credit card

within the preceding year, through the use of an unsolicited credit

card sent to the consumer. In addition to any other penalty or

remedy under this act or the Michigan consumer protection act, 1976

PA 331, MCL 445.901 to 445.922, a credit card issuer, financial

institution, or other lender that violates this subdivision, and

not the consumer, is liable for any charges if the credit card is

used by an unauthorized user and for any interest or finance

charges assessed to the consumer.

(d) Extend credit to a consumer without exercising reasonable

procedures to verify the identity of that consumer. Compliance with

regulations issued for depository institutions, and to be issued

for other financial institutions, by the United States department

of treasury under section 326 of the USA patriot act of 2001, 31

USC 5318, is considered compliance with this subdivision. This

subdivision does not apply to a purchase of a credit obligation in

an acquisition, merger, purchase of assets, or assumption of

liabilities or any change to or review of an existing credit

account.

(2) A person who knowingly or intentionally violates

subsection (1) is guilty of a misdemeanor punishable as follows:

(a) Except as otherwise provided in subdivisions (b) and (c),

by imprisonment for not more than 30 93 days or a fine of not more

than $1,000.00, or both. ~~This subsection~~

(b) For a second violation, by imprisonment for not more than

93 days or a fine of not more than $2,000.00, or both.

not more than 93 days or a fine of not more than $3,000.00, or

both.

(3) Subsection (2) does not ~~affect the availability of~~

prohibit a person from being liable for any civil remedy for a

violation of this act, the Michigan consumer protection act, 1976

PA 331, MCL 445.901 to 445.922, or any other state or federal law.

Sec. 12. (1) Unless the person or agency determines that the

security breach has not or is not likely to cause substantial loss

or injury to, or result in identity theft with respect to, 1 or

more residents of this state, a person or agency that owns or

licenses data that are included in a database that discovers a

security breach, or receives notice of a security breach under

subsection (2), shall provide a notice of the security breach to

each resident of this state who meets 1 or more of the following:

(a) That resident's unencrypted and unredacted personal

information was accessed and acquired by an unauthorized person.

(b) That resident's personal information was accessed and

acquired in encrypted form by a person with unauthorized access to

the encryption key.

(2) Unless the person or agency determines that the security

breach has not or is not likely to cause substantial loss or injury

to, or result in identity theft with respect to, 1 or more

residents of this state, a person or agency that maintains a

database that includes data that the person or agency does not own

or license that discovers a breach of the security of the database

shall provide a notice to the owner or licensor of the information

of the security breach.

(3) In determining whether a security breach is not likely to

cause substantial loss or injury to, or result in identity theft

with respect to, 1 or more residents of this state under subsection

(1) or (2), a person or agency shall act with the care an

ordinarily prudent person or agency in like position would exercise

under similar circumstances.

(4) A person or agency shall provide any notice required under

this section without unreasonable delay. A person or agency may

delay providing notice without violating this subsection if either

of the following is met:

(a) A delay is necessary in order for the person or agency to

take any measures necessary to determine the scope of the security

breach and restore the reasonable integrity of the database.

However, the agency or person shall provide the notice required

under this subsection without unreasonable delay after the person

or agency completes the measures necessary to determine the scope

of the security breach and restore the reasonable integrity of the

database.

(b) A law enforcement agency determines and advises the agency

or person that providing a notice will impede a criminal or civil

investigation or jeopardize homeland or national security. However,

the agency or person shall provide the notice required under this

section without unreasonable delay after the law enforcement agency

determines that providing the notice will no longer impede the

investigation or jeopardize homeland or national security.

(5) Except as provided in subsection (11), an agency or person

shall provide any notice required under this section by providing 1

or more of the following to the recipient:

(a) Written notice sent to the recipient at the recipient's

postal address in the records of the agency or person.

(b) Written notice sent electronically to the recipient if any

of the following are met:

(i) The recipient has expressly consented to receive electronic

notice.

(ii) The person or agency has an existing business relationship

with the recipient that includes periodic electronic mail

communications and based on those communications the person or

agency reasonably believes that it has the recipient's current

electronic mail address.

(iii) The person or agency conducts its business primarily

through internet account transactions or on the internet.

notice given by telephone by an individual who represents the

person or agency if all of the following are met:

(i) The notice is not given in whole or in part by use of a

recorded message.

(ii) The recipient has expressly consented to receive notice by

telephone, or if the recipient has not expressly consented to

receive notice by telephone, the person or agency also provides

notice under subdivision (a) or (b) if the notice by telephone does

not result in a live conversation between the individual

representing the person or agency and the recipient within 3

business days after the initial attempt to provide telephonic

notice.

(d) Substitute notice, if the person or agency demonstrates

that the cost of providing notice under subdivision (a), (b), or

provide notice to more than 500,000 residents of this state. A

person or agency provides substitute notice under this subdivision

by doing all of the following:

(i) If the person or agency has electronic mail addresses for

any of the residents of this state who are entitled to receive the

notice, providing electronic notice to those residents.

(ii) If the person or agency maintains a website, conspicuously

posting the notice on that website.

(iii) Notifying major statewide media. A notification under this

subparagraph shall include a telephone number or a website address

that a person may use to obtain additional assistance and

information.

(6) A notice under this section shall ~~meet~~ do all of the

following:

(a) For a notice provided under subsection (5)(a) or (b), be

written in a clear and conspicuous manner and contain the content

required under subdivisions (c) to (g).

(b) For a notice provided under subsection (5)(c), clearly

communicate the content required under subdivisions (c) to (g) to

the recipient of the telephone call.

(d) Describe the type of personal information that is the

subject of the unauthorized access or use.

(e) If applicable, generally describe what the agency or

person providing the notice has done to protect data from further

security breaches.

(f) Include a telephone number where a notice recipient may

obtain assistance or additional information.

(g) Remind notice recipients of the need to remain vigilant

for incidents of fraud and identity theft.

(7) A person or agency may provide any notice required under

this section pursuant to an agreement between that person or agency

and another person or agency, if the notice provided pursuant to

the agreement does not conflict with any provision of this section.

(8) Except as provided in this subsection, after a person or

agency provides a notice under this section, the person or agency

shall notify each consumer reporting agency that compiles and

maintains files on consumers on a nationwide basis, as defined in

15 USC 1681a(p), of the security breach without unreasonable delay.

A notification under this subsection shall include the number of

notices that the person or agency provided to residents of this

state and the timing of those notices. This subsection does not

apply if either of the following is met:

(a) The person or agency is required under this section to

provide notice of a security breach to 1,000 or fewer residents of

this state.

(b) The person or agency is subject to ~~title V of the Gramm-~~

~~Leach-Bliley act,~~ 15 USC 6801 to 6809.

(9) A financial institution that is subject to, and has

notification procedures in place that are subject to examination by

the financial institution's appropriate regulator for compliance

with, the interagency guidance on response programs for

unauthorized access to customer information and customer notice

prescribed by the board of governors of the federal reserve system

and the other federal bank and thrift regulatory agencies, or

similar guidance prescribed and adopted by the national credit

union administration, and its affiliates, is considered to be in

compliance with this section.

(10) A person or agency that is subject to and complies with

the health insurance portability and accountability act of 1996,

Public Law 104-191, and with regulations promulgated under that

act, 45 CFR parts 160 and 164, for the prevention of unauthorized

access to customer information and customer notice is considered to

be in compliance with this section.

(11) A public utility that sends monthly billing or account

statements to the postal address of its customers may provide

notice of a security breach to its customers in the manner

described in subsection (5), or alternatively by providing all of

the following:

(a) As applicable, notice as described in subsection (5)(b).

(b) Notification to the media reasonably calculated to inform

the customers of the public utility of the security breach.

on the website of the public utility.

(d) Written notice sent in conjunction with the monthly

billing or account statement to the customer at the customer's

postal address in the records of the public utility.

(12) A person that provides notice of a security breach in the

manner described in this section when a security breach has not

occurred, with the intent to defraud, is guilty of a misdemeanor

punishable as follows:

(a) Except as otherwise provided under subdivisions (b) and

(c), by imprisonment for not more than 30 93 days or a fine of not

more than $250.00 for each violation, or both.

(b) For a second violation, by imprisonment for not more than

93 days or a fine of not more than $500.00 for each violation, or

both.

not more than 93 days or a fine of not more than $750.00 for each

violation, or both.

(13) Subject to subsection (14), a person that knowingly fails

to provide any notice of a security breach required under this

section may be ordered to pay a civil fine of not more than $250.00

for each failure to provide notice. The attorney general or a

prosecuting attorney may bring an action to recover a civil fine

under this section.

(14) The aggregate liability of a person for civil fines under

subsection (13) for multiple violations of subsection (13) that

arise from the same security breach shall not exceed $750,000.00.

(15) Subsections (12) and (13) do not affect the availability

of any civil remedy for a violation of state or federal law.

(16) This section applies to the discovery or notification of

a breach of the security of a database that occurs on or ~~after the~~

~~effective date of the amendatory act that added this section~~ July

2, 2006.

(17) This section does not apply to the access or acquisition

by a person or agency of federal, state, or local government

records or documents lawfully made available to the general public.

(18) This section deals with subject matter that is of

statewide concern, and any charter, ordinance, resolution,

regulation, rule, or other action by a municipal corporation or

other political subdivision of this state to regulate, directly or

indirectly, any matter expressly set forth in this section is

preempted.

Sec. 12b. (1) A person shall not distribute an advertisement

or make any other solicitation that misrepresents to the recipient

that a security breach has occurred that may affect the recipient.

(2) A person shall not distribute an advertisement or make any

other solicitation that is substantially similar to a notice

required under section 12(5) or by federal law, if the form of that

notice is prescribed by state or federal law, rule, or regulation.

(3) A person who knowingly or intentionally violates this

section is guilty of a misdemeanor punishable as follows:

(a) Except as otherwise provided in subdivisions (b) and (c),

by imprisonment for not more than 30 93 days or a fine of not more

than $1,000.00 for each violation, or both. ~~This subsection~~

(b) For a second violation, by imprisonment for not more than

93 days or a fine of not more than $2,000.00 for each violation, or

both.

not more than 93 days or a fine of not more than $3,000.00 for each

violation, or both.

(4) Subsection (3) does not affect the availability of any

civil remedy for a violation of this section or any other state or

federal law.

Sec. 19. (1) Except as provided in subsection (2), the

following property is subject to forfeiture:

(a) Any personal or real property that has been used,

possessed, or acquired in violation of this act.

(b) Except as provided in subparagraphs (i) to (iii), a

conveyance, including an aircraft, vehicle, or vessel, used or

intended for use to transport, or in any manner to facilitate the

transportation of, for the purpose of sale or receipt, property

described in subdivision (a):

(i) A conveyance used by a person as a common carrier in the

Senate Bill No. 223 as amended November 9, 2010

transaction of business as a common carrier is not subject to

forfeiture unless it is determined that the owner or other person

in charge of the conveyance is a consenting party or privy to a

violation of this act.

(ii) A conveyance is not subject to forfeiture by reason of any

act or omission established by the owner of that conveyance to have

been committed or omitted without the owner's knowledge or consent.

(iii) A forfeiture of a conveyance encumbered by a bona fide

security interest is subject to the interest of the secured party

who neither had knowledge of nor consented to the act or omission.

research products and materials, including microfilm, digital

media, tapes, and data, used or intended for use in violation of

this act.

(d) Any money, negotiable instruments, securities, or any

other thing of value that is found in close proximity to any

property that is subject to forfeiture under subdivision (a), (b),

or (c) is presumed to be subject to forfeiture. This presumption

may be rebutted by clear and convincing evidence.

<<(2) Property used to commit a violation of this act is not

subject to forfeiture unless the owner of the property actively

participates in or consents to the violation of this act.

(3) Property of any of the following providers is not subject to

forfeiture under this act unless it is determined that the provider is a

consenting party or privy to a violation of this act:

(a) A telecommunication provider.

(b) An internet service provider.

(d) An Interactive computer service provider.>>

Sec. 19a. Property that is subject to forfeiture under this

act may be seized upon process issued by the circuit court having

jurisdiction over the property. Seizure without process may be made

under any of the following circumstances:

(a) The property is seized incident to a lawful arrest,

pursuant to a search warrant, or pursuant to an inspection under an

administrative inspection warrant.

(b) The property is the subject of a prior judgment in favor

of this state in an injunction or forfeiture proceeding under this

act.

directly or indirectly dangerous to health or safety.

(d) There is probable cause to believe that the property was

used or is intended to be used in violation of this act.

(e) There is probable cause to believe that the property is

the proceeds from activity in violation of this act.

Sec. 19b. (1) If property is seized pursuant to section 19a,

forfeiture proceedings shall be instituted promptly. If the

property is seized without process as provided under section 19a

and the total value of the property seized does not exceed

$50,000.00, the following procedure shall be used:

(a) The local unit of government that seized the property or,

if the property was seized by the state, the state shall notify the

owner of the property that the property has been seized and that

the local unit of government or, if applicable, the state intends

to forfeit and dispose of the property by delivering a written

notice to the owner of the property or by sending the notice to the

owner by certified mail. If the name and address of the owner are

not reasonably ascertainable or delivery of the notice cannot be

reasonably accomplished, the notice shall be published in a

newspaper of general circulation in the county in which the

property was seized, for 10 successive publishing days.

(b) Unless all criminal proceedings involving or relating to

the property have been completed, the seizing agency shall

immediately notify the prosecuting attorney for the county in which

the property was seized or, if the attorney general is actively

handling a case involving or relating to the property, the attorney

general of the seizure of the property and the intention to forfeit

and dispose of the property.

subject of a notice under subdivision (a) may, within 20 days after

receipt of the notice or of the date of the first publication of

the notice, file a written claim signed by the claimant with the

local unit of government or the state expressing his or her

interest in the property. The person filing the claim shall give a

bond to the local unit of government or the state in the amount of

10% of the value of the claimed property, but not less than $250.00

or greater than $5,000.00, with sureties approved by the local unit

of government or the state containing the condition that if the

property is ordered forfeited by the court the obligor shall pay

all costs and expenses of the forfeiture proceedings. The local

unit of government or, if applicable, the state shall transmit the

claim and bond with a list and description of the property seized

to the attorney general, the prosecuting attorney for the county,

or the city or township attorney for the local unit of government

in which the seizure was made. The attorney general, the

prosecuting attorney, or the city or township attorney shall

promptly institute forfeiture proceedings after the expiration of

the 20-day period. However, unless all criminal proceedings

involving or relating to the property have been completed, a city

or township attorney shall not institute forfeiture proceedings

without the consent of the prosecuting attorney or, if the attorney

general is actively handling a case involving or relating to the

property, the attorney general.

(d) If no claim is filed or bond given within the 20-day

period as described in subdivision (c), the local unit of

government or the state shall declare the property forfeited and

shall dispose of the property as provided under section 19c.

However, unless all criminal proceedings involving or relating to

the property have been completed, the local unit of government or

the state shall not dispose of the property under this subdivision

without the written consent of the prosecuting attorney or, if the

attorney general is actively handling a case involving or relating

to the property, the attorney general.

(2) Property taken or detained under this act is not subject

to an action to recover personal property, but is considered to be

in the custody of the seizing agency subject only to this section

or an order and judgment of the court having jurisdiction over the

forfeiture proceedings. When property is seized under this act, the

seizing agency may do any of the following:

(a) Place the property under seal.

(b) Remove the property to a place designated by the court.

and remove it to an appropriate location for disposition in

accordance with law.

(d) Deposit money seized under this act into an interest-

bearing account in a financial institution. As used in this

subdivision, "financial institution" means a state or nationally

chartered bank or a state or federally chartered savings and loan

association, savings bank, or credit union whose deposits are

insured by an agency of the United States government and that

maintains a principal office or branch office located in this state

under the laws of this state or the United States.

(3) Title to real property forfeited under this act shall be

determined by a court of competent jurisdiction. A forfeiture of

real property encumbered by a bona fide security interest is

subject to the interest of the secured party who neither had

knowledge of nor consented to the act or omission.

(4) An attorney for a person who is charged with a crime

involving or related to the money seized under this act has 60 days

within which to examine that money. This 60-day period begins to

run after notice is given under subsection (1)(a) but before the

money is deposited into a financial institution under subsection

(2)(d). If the attorney general, prosecuting attorney, or city or

township attorney fails to sustain his or her burden of proof in

forfeiture proceedings under this act, the court shall order the

return of the money, including any interest earned on money

deposited into a financial institution under subsection (2)(d).

Sec. 19c. (1) When property is forfeited under this act, the

local unit of government that seized the property may do any of the

following or, if the property is seized by or in the custody of the

state, the state may do any of the following:

(a) Retain it for official use.

(b) Sell that which is not required to be destroyed by law and

which is not harmful to the public. The proceeds and any money,

negotiable instruments, securities, or any other thing of value as

described in section 19(d) that are forfeited under this act shall

be deposited with the treasurer of the entity having budgetary

authority over the seizing agency and applied as follows:

(i) For the payment of proper expenses of the proceedings for

forfeiture and sale, including expenses incurred during the seizure

process, maintenance of custody, advertising, and court costs,

except as otherwise provided in subsection (3).

(ii) The balance remaining after the payment of expenses shall

be distributed by the court having jurisdiction over the forfeiture

proceedings to the treasurer of the entity having budgetary

authority over the seizing agency. If more than 1 agency was

substantially involved in effecting the forfeiture, the court

having jurisdiction over the forfeiture proceeding shall equitably

distribute the money among the treasurers of the entities having

budgetary authority over the seizing agencies. The money received

by a seizing agency under this subparagraph and all interest and

other earnings on money received by the seizing agency under this

subparagraph shall be used to enhance law enforcement efforts as

appropriated by the entity having budgetary authority over the

seizing agency. A distribution made under this subparagraph shall

serve as a supplement to, and not a replacement for, the funds

budgeted on the date that the amendatory act that added this

section takes effect for law enforcement efforts pertaining to this

act.

and remove it for disposition in accordance with law.

(2) In the course of selling real property under subsection

(1)(b), the court that has entered an order of forfeiture may, on

motion of the agency to whom the property has been forfeited,

appoint a receiver to dispose of the real property forfeited. The

receiver shall be entitled to reasonable compensation. The receiver

shall have authority to do all of the following:

(a) List the forfeited real property for sale.

(b) Make whatever arrangements are necessary for the

maintenance and preservation of the forfeited real property.

(d) Execute instruments transferring title to the forfeited

real property.

(3) If a court enters an order of forfeiture, the court may

order a person who claimed an interest in the forfeited property

under section 19b(1)(c) to pay the expenses of the proceedings of

forfeiture to the entity having budgetary authority over the

seizing agency.

Enacting section 1. This amendatory act does not take effect

unless all of the following bills of the 95th Legislature are

enacted into law:

(a) Senate Bill No. 224.

(b) Senate Bill No. 225.