Your IT technician has just informed you that your business has suffered a data security breach. Now what should you do?
Content Provided by Defeat The Breach Member
Fraser Trebilcock P.C.
Click here for Part 1 of this series.
Step 4: You have notified affected customers and vendors of the data breach. Do you have to meet any additional notice requirements?
After you have provided notice to individual recipients, you must also notify consumer reporting agencies of the breach without unreasonable delay. The notice you provide to consumer reporting agencies (such as Experian, Equifax or TransUnion), which are defined in 15 USC §1681a(p), must include the number of notices that you have provided to residents of Michigan as well as the timing of those notices.
In some circumstances you may have a federal exemption from the state requirement to notify consumer reporting agencies of the data breach. Notification to consumer reporting agencies may not be required if:
1) the breach affected 1,000 or fewer residents of Michigan, or
2) your business is a financial institution subject to identified sections of federal law.
Those sections, 15 USC 1601 to 1609, are parts of the Gramm Leach-Bliley Act governing treatment of nonpublic personal consumer information by financial institutions. The complexities of this exclusion are outside the scope of this article. In all circumstances, seek legal counsel if you believe you may be exempt from this reporting requirement due to technical exception provided under federal law.
Additional limited exceptions to the notification requirements through compliance with federal regulations.
The Act carves out additional limited exceptions to the notification requirements for certain businesses complying with specific federal regulations. For example, a financial institution with notification procedures in place that are subject to inter-agency guidance prescribed by the federal reserve system and other federal bank and thrift regulatory agencies is considered to be in compliance with the Act. Similarly, a business that is subject to, and complies with, the Health Insurance and Portability Act of 1996 (HIPAA) and its attendant regulations is considered to be in compliance with the Act. As noted under the federal exemptions referenced in Step 4 above, the applicability of such exemptions can be highly detailed and technical. It is therefor best left to qualified legal counsel.
Penalties for failing to provide notification of a data security breach.
If you do not provide the notification required by the Act, the Attorney General or a county prosecuting attorney may seek a civil fine of not more than $250.00 for each failure to provide notice. The aggregate liability for multiple violations of the statute cannot exceed $750,000.00 for the same security breach.
Michigan's Identity Theft Protection Act is complex and the failure to comply with the statute's notification requirements can be significant.
This article is the fourth and final part of a brief summary of state law. Additional federal or common law principles may also apply, given the circumstances. Readers should not rely on this generalized, introductory article as it is not legal advice. Anyone affected by the law should seek competent counsel regarding the law. This content Provided by Defeat The Breach Member Fraser Trebilcock P.C.