Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Michigan: Bill to amend Identity Theft Protection Act introduced

Senate Bill ('SB') 0672 for a bill to amend Public Act 452 of 2004 for the Identity Theft Protection Act, was introduced, on 5 October 2021, in the Michigan State Senate. In particular, SB 0672 seeks to introduce certain affirmative defences via information security programs. In addition, SB 0672 notes that a covered entity is entitled to an affirmative defence to any tort cause of action that alleges that the covered entity's failure to implement reasonable information security controls resulted in a security breach if the covered entity demonstrates all of the following:

  • the covered entity established, maintained, and reasonably complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and personal identifying information that reasonably conforms to the current version of an industry-recognised cybersecurity framework or standard; and
  • the covered entity's cybersecurity program is designed to do all of the following:
    • protect the security and confidentiality of personal information and personal identifying information;
    • protect against anticipated threats or hazards to the  security or integrity of personal information and personal identifying information; and
    • protect against unauthorised access to and acquisition of personal information and personal identifying information that is likely to result in a material risk of identity theft to the individual to whom the personal information and personal identifying information relate.

Moreover, SB 0672 outlines that a cybersecurity program is appropriate if it is based on all of the following factors:

  • the size and complexity of the covered entity;
  • the nature and scope of the activities of the covered entity;
  • the sensitivity of the information to be protected;
  • the cost and availability of tools to improve information security and reduce vulnerabilities; and
  • the resources available to the covered entity.

Furthermore, SB 0672 highlights that it does not provide a private right of action, including a class action, with respect to any act or practice under the Identity Theft Protection Act.

You can read SB 0672 here and track its progress here.