+1 State Expands Data Breach Notification Statutes

The State: Michigan HB 4186 (2020 | MI)

What new information will trigger a notification if hackers get access to it?

• A state resident’s first name or first initial and last name in combination with one or more of the following data elements that relate to the resident:

• A nontruncated  Social  Security  number,  driver  license  number,  state  personal identification  card  number,  passport  number,  military  identification  number,  or other unique identification number issued on a government document.
• A financial account number.
• A  medical  or  mental  history,  treatment,  or  diagnosis  issued  by  a  health  care professional.
• A  health  insurance  policy  number  or  subscriber  identification  number  and  any unique identifier used by a health insurer.
• A username or email address, in combination with a password or a security question and answer, that would allow access to an online account that is likely to have or is used to obtain sensitive personally identifying information.

Notification timeline: Not more than 45 days from determining that a breach has occurred 

Potential fines: $2,000 for each violation or not more than $5,000 per day for each consecutive day up to a total of $250,000