January 21, 2016, Introduced by Reps. Runestad, Moss, Lucido, Singh and Derek Miller and referred to the Committee on Financial Services.
A bill to amend 1999 PA 276, entitled
"Banking code of 1999,"
(MCL 487.11101 to 487.15105) by adding sections 3914, 3915, and
3916.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 3914. (1) A bank shall use reasonable care to secure an
individual's nonpublic personal financial information from
unauthorized access.
(2) Unless the disclosure is required by law, a bank shall not
disclose an individual's nonpublic personal financial information
to a person without the prior and specific informed consent, in
writing, of the individual, and the individual may withdraw his or
her consent at any time.
(3) If an individual has consented to the disclosure of
nonpublic personal financial information to a person under
subsection (2), the bank shall disclose nonpublic personal
financial information only if the person agrees to protect and use
the disclosed information only in the manner authorized by the bank
under section 3915. This subsection does not apply to a disclosure
made to the department of insurance and financial services, the
director of that department, another governmental agency or entity,
or a court.
(4) If an individual authorizes the release of nonpublic
personal financial information under subsection (2) to a specific
person, a bank shall disclose the information to that person only
if the person agrees not to release the information to another
person without another prior and specific informed consent from the
individual, in writing, authorizing the additional release.
(5) This section does not preclude the release of information
pertaining to an individual to that individual by telephone if the
identity of the individual is verified.
(6) A bank shall not refuse to extend or continue credit to,
refuse to open or continue an account for, terminate or refuse to
create a customer or depositor relationship with, refuse to provide
any benefits to which customers or depositors are entitled to, or
otherwise unfairly retaliate or discriminate against an individual
because that individual refuses or fails to consent to disclosure
of his or her nonpublic personal financial information under
subsection (2).
(7) As used in this section and section 3915:
(a) "Nonpublic personal financial information" means
personally identifiable financial information and any list,
description, or other grouping of consumers and publicly available
information pertaining to them that is derived using any personally
identifiable financial information that is not publicly available.
Nonpublic personal financial information does not include any of
the following:
(i) Financial information otherwise protected by state or
federal law.
(ii) Publicly available information.
(iii) Any list, description, or other grouping of consumers
and publicly available information pertaining to them that is
derived without using any personally identifiable financial
information that is not publicly available.
(b) "Personally identifiable financial information" means any
of the following:
(i) Information a consumer provides to a bank to obtain a
financial product or service from the bank.
(ii) Information about a consumer resulting from any
transaction involving a financial product or service between a bank
and a consumer.
(iii) Information a bank otherwise obtains about a consumer in
connection with providing a financial product or service to that
consumer.
(c) "Publicly available information" means any information
that a bank has a reasonable basis to believe is lawfully made
available to the general public from federal, state, or local
government records by wide distribution by the media or by
disclosures to the general public that are required to be made by
federal, state, or local law. A bank has a reasonable basis to
believe that information is lawfully made available to the general
public if both of the following apply:
(i) The bank has taken steps to determine that the information
is of the type that is available to the general public.
(ii) If an individual can direct that the information not be
made available to the general public, the bank's consumer has not
directed that the information not be made available to the general
public.
Sec. 3915. A bank shall establish and make public a policy
regarding the protection of privacy and the confidentiality of
nonpublic personal financial information. The policy shall do at
least all of the following:
(a) Provide for the bank's implementation of the requirements
of this act and other applicable laws respecting collection,
security, use, release of, and access to nonpublic personal
financial information.
(b) Identify the routine uses of nonpublic personal financial
information by the bank; prescribe the means by which individuals
will be notified regarding those uses; and provide for notification
regarding the actual release of nonpublic personal financial
information that may be identified with, or that may concern, an
individual, upon specific request by that individual. As used in
this subdivision, "routine use" means the ordinary use or release
of nonpublic personal financial information compatible with the
purpose for which the information was collected.
(c) Assure that no person has access to nonpublic personal
financial information except on the basis of a need to know.
(d) Establish the contractual or other conditions under which
the bank may release nonpublic personal financial information.
(e) Provide that enrollment applications and claim forms
developed by the bank shall contain an individual's consent to the
release of data and information that is limited to the data and
information necessary for the proper review and payment of claims,
and shall reasonably notify individuals of their rights under the
bank's policy and applicable law.
Sec. 3916. Sections 3914 and 3915 do not limit access to
records or enlarge or diminish the investigative and examination
powers of governmental agencies as provided for by law.
Enacting section 1. This amendatory act takes effect 90 days
after the date it is enacted into law.