Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Michigan: Bill to amend Identity Theft Protection Act introduced
Senate Bill ('SB') 0672 for a bill to amend Public Act 452 of 2004 for the Identity Theft Protection Act, was introduced, on 5 October 2021, in the Michigan State Senate. In particular, SB 0672 seeks to introduce certain affirmative defences via information security programs. In addition, SB 0672 notes that a covered entity is entitled to an affirmative defence to any tort cause of action that alleges that the covered entity's failure to implement reasonable information security controls resulted in a security breach if the covered entity demonstrates all of the following:
- the covered entity established, maintained, and reasonably complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and personal identifying information that reasonably conforms to the current version of an industry-recognised cybersecurity framework or standard; and
- the covered entity's cybersecurity program is designed to do all of the following:
- protect the security and confidentiality of personal information and personal identifying information;
- protect against anticipated threats or hazards to the security or integrity of personal information and personal identifying information; and
- protect against unauthorised access to and acquisition of personal information and personal identifying information that is likely to result in a material risk of identity theft to the individual to whom the personal information and personal identifying information relate.
Moreover, SB 0672 outlines that a cybersecurity program is appropriate if it is based on all of the following factors:
- the size and complexity of the covered entity;
- the nature and scope of the activities of the covered entity;
- the sensitivity of the information to be protected;
- the cost and availability of tools to improve information security and reduce vulnerabilities; and
- the resources available to the covered entity.
Furthermore, SB 0672 highlights that it does not provide a private right of action, including a class action, with respect to any act or practice under the Identity Theft Protection Act.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
