SENATE BILL NO. 653

November 13, 2019, Introduced by Senators MCBROOM, THEIS, MACDONALD and SANTANA and referred to the Committee on Insurance and Banking.

"Identity theft protection act,"

by amending section 3 (MCL 445.63), as amended by 2010 PA 318.

the people of the state of michigan enact:

Sec. 3. As used in this act:

(a) "Agency" means a department, board, bureau, commission, office, agency, authority, or other unit of state government of this state. The term includes an institution of higher education of this state. The term does not include a circuit, probate, district, or municipal court.

(b) "Breach of the security of a database" or "security breach" means the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals. These terms do not include unauthorized access to data by an employee or other individual if the access meets all of the following:

(i) The employee or other individual acted in good faith in accessing the data.

(ii) The access was related to the activities of the agency or person.

(iii) The employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.

(d) (c) "Child or spousal support" means support for a child or spouse, paid or provided pursuant to state or federal law under a court order or judgment. Support includes, but is not limited to, any of the following:

(i) Expenses for day-to-day care.

(ii) Medical, dental, or other health care.

(iii) Child care expenses.

(iv) Educational expenses.

(v) Expenses in connection with pregnancy or confinement under the paternity act, 1956 PA 205, MCL 722.711 to 722.730.

(vi) Repayment of genetic testing expenses, under the paternity act, 1956 PA 205, MCL 722.711 to 722.730.

(vii) A surcharge as provided by section 3a of the support and parenting time enforcement act, 1982 PA 295, MCL 552.603a.

(e) (d) "Credit card" means that term as defined in section 157m of the Michigan penal code, 1931 PA 328, MCL 750.157m.

(f) (e) "Data" means computerized personal information.

(g) (f) "Depository institution" means a state or nationally chartered bank or a state or federally chartered savings and loan association, savings bank, or credit union.

(h) (g) "Encrypted" means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing information by another method that renders the data elements unreadable or unusable.

(i) (h) "False pretenses" includes, but is not limited to, a false, misleading, or fraudulent representation, writing, communication, statement, or message, communicated by any means to another person, that the maker of the representation, writing, communication, statement, or message knows or should have known is false or fraudulent. The false pretense may be a representation regarding a past or existing fact or circumstance or a representation regarding the intention to perform a future event or to have a future event performed.

(j) (i) "Financial institution" means a depository institution, an affiliate of a depository institution, a licensee under the consumer financial services act, 1988 PA 161, MCL 487.2051 to 487.2072, 1984 PA 379, MCL 493.101 to 493.114, the motor vehicle sales finance act, 1950 (Ex Sess) PA 27, MCL 492.101 to 492.141, the secondary mortgage loan act, 1981 PA 125, MCL 493.51 to 493.81, the mortgage brokers, lenders, and servicers licensing act, 1987 PA 173, MCL 445.1651 to 445.1684, or the regulatory loan act, 1939 PA 21, MCL 493.1 to 493.24, a seller under the home improvement finance act, 1965 PA 332, MCL 445.1101 to 445.1431, or the retail installment sales act, 1966 PA 224, MCL 445.851 to 445.873, or a person subject to subtitle A of title V of the Gramm-Leach-Bliley act, 15 USC 6801 to 6809.

(k) (j) "Financial transaction device" means that term as defined in section 157m of the Michigan penal code, 1931 PA 328, MCL 750.157m.

(l) (k) "Identity theft" means engaging in an act or conduct prohibited in section 5(1).

(m) (l) "Interactive computer service" means an information service or system that enables computer access by multiple users to a computer server, including, but not limited to, a service or system that provides access to the internet or to software services available on a server.

(n) (m) "Law enforcement agency" means that term as defined in section 2804 of the public health code, 1978 PA 368, MCL 333.2804.

(o) (n) "Local registrar" means that term as defined in section 2804 of the public health code, 1978 PA 368, MCL 333.2804.

(p) (o) "Medical records or information" includes, but is not limited to, medical and mental health histories, reports, summaries, diagnoses and prognoses, treatment and medication information, notes, entries, and x-rays and other imaging records.

(q) (p) "Person" means an individual, partnership, corporation, limited liability company, association, or other legal entity.

(r) (q) "Personal identifying information" means a name, number, or other information that is used for the purpose of identifying a specific person or providing access to a person's financial accounts, including, but not limited to, a person's name, address, telephone number, driver license or state personal identification card number, social security enhanced driver license number or enhanced state personal identification card number, Social Security number, place of employment, employee identification number, employer or taxpayer identification number, government passport number, military identification number, health insurance identification number, mother's maiden name, demand deposit account number, savings account number, financial transaction device account number or the person's account password, any other account password in combination with sufficient information to identify and access the account, automated or electronic signature, biometrics, stock or other security certificate or account number, credit card number, vital record, or medical records or information.

(s) (r) "Personal information" means the first name or first initial and last name, or a username or electronic mail address, of a resident of this state that is linked to 1 or more of the following: data elements of a resident of this state:

(i) Social security A nontruncated Social Security number.

(ii) Driver An unredacted driver license number or state personal identification card number, enhanced driver license number or enhanced state personal identification card number, passport number, military identification number, or other unique identification number issued on a government document that is used to verify the identity of a specific individual.

(iii) Demand deposit or other financial account number, or credit card or debit card number, that in combination with any required security code, access code, or password, that would permit security question and answer, or other method permits access to any of the resident's financial accounts.

(iv) Any required security code, access code, password, security question and answer, or other method, that with the resident's name information, username, or electronic email address, permits access to a financial account of the resident, or to an online account affiliated with a person that has a confirmed or suspected breach of a database that is likely to contain personal identifying information of the resident.

(v) A health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the resident.

(t) (s) "Public utility" means that term as defined in section 1 of 1972 PA 299, MCL 460.111.

(u) (t) "Redact" means to alter or truncate data so that no more than 4 sequential digits of a driver license number, state personal identification card number, or a unique identification number on a government document described in subdivision (s)(ii), no more than 4 sequential digits of an account number, or no more than 5 sequential digits of a social security Social Security number , are accessible as part of personal information.

(v) (u) "State registrar" means that term as defined in section 2805 of the public health code, 1978 PA 368, MCL 333.2805.

(w) "Third-party agent" means a legal entity that maintains, processes, holds, or is otherwise permitted to access personal information in connection with providing services to another person under an agreement with that person.

(x) (v) "Trade or commerce" means that term as defined in section 2 of the Michigan consumer protection act, 1971 1976 PA 331, MCL 445.902.

(y) (w) "Vital record" means that term as defined in section 2805 of the public health code, 1978 PA 368, MCL 333.2805.

(z) (x) "Webpage" means a location that has a uniform resource locator or URL with respect to the world wide web or another location that can be accessed on the internet.

Enacting section 1. This amendatory act takes effect 90 days after the date it is enacted into law.

Enacting section 2. This amendatory act does not take effect unless all of the following bills of the 100th Legislature are enacted into law:

(a) Senate Bill No. 654.

(b) Senate Bill No. 652.