Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: No
Scope of this Summary:
Notification requirements applicable to individuals or entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if entity determines that the breach has not and is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents.
Breach Defined
Unauthorized access and acquisition that compromises the security or confidentiality of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted so long as encryption key was not accessed or acquired.
Form of Covered Information
Electronic Only
Covered Info
An individual's first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Driver's license number or identification card number.
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Consumer Notice Timing
Must be made without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Consumer Notice Method
Written notice to the most recent available address the person or business has in its records. Electronic notice, if the person's primary method of communication with the individual is by electronic means, or if the notice provided is consistent with the provisions regarding electronic records and signatures in United States Code, title 15, section 7001. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Michigan statute does not specify notice content requirements.
Delayed Notice
Notification may be delayed if law enforcement determines that notification will impede a criminal or civil investigation or jeopardize national or homeland security and if a delay is necessary to determine the scope of the breach and restore the reasonable integrity of the database.
Government Notice
The Michigan breach notification statute does not require notice to any government or regulatory agencies.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, after notifying those residents the covered entity must, without unreasonable delay, notify all major Consumer Reporting Agencies of the timing and number of resident notices.
Exceptions for Other Laws
Financial institutions that are subject to and in compliance with applicable interagency regulatory guidance provided at 70 Fed. Reg. 15,736 (March 29, 2005) or entities covered by and in compliance with the Health Information Portability and Accountability Act of 1996 (HIPAA).
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it of a breach unless you determine that the breach has not and is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents.
Private Right of Action
Michigan's general breach notification statute does not include a private right of action but explicitly notes that it does not eliminate other remedies available by law (MCL 445.72(15)).
Potential Penalties
Violations may result in civil penalties.