
New Michigan Bill Would Protect Personal Data

by Chris Brook on Wednesday December 8, 2021


While not sweeping, new legislation recently introduced in Michigan would push businesses to establish and maintain a written cybersecurity program to protect personal information.

Michigan politicians are trying to have the state join the raft of states attempting to pass new data protection legislation to safeguard citizens' personal information.

Senate Bill No. 672, introduced by Senator Wayne Schmidt (and sponsored by Senators Adam Hollier, Kenneth Horn, Marshall Bullock, and Curtis VanderWall) earlier this fall, would encourage organizations to establish, maintain, and comply with a written cybersecurity program.

As part of the legislation, the program would have to contain “administrative, technical, and physical safeguards for the protection of personal information and personal identifying information” that reasonably conforms to the current version of an industry-recognized cybersecurity framework or a combination of those frameworks.

The legislation cites frameworks like the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure, FISMA, HIPAA, and PCI-DSS, to name a few.

The legislation would technically amend the 2004 Identity Theft Protection Act, designed to prohibit identity theft and require notification of a security breach. Largely absent from the bill has been defense: any means to address best practices for mitigating identity theft and security breaches in the first place.

The goal of having a cybersecurity program in place is to safeguard data. The bill's amendment outlines the following stipulations:

  • Protect the security and confidentiality of personal information and personal identifying information.
  • Protect against anticipated threats or hazards to the security or integrity of personal information and personal identifying information.
  • Protect against unauthorized access to and acquisition of personal information and personal identifying information that is likely to result in a material risk of identity theft to the individual to whom the personal information and personal identifying information relate.

While it's unclear whether there will be any immediate movement on the bill - Governor Gretchen Whitmer vetoed similar legislation, the Data Breach Notification Act, earlier this year - Michigan's legislature tracker points out it's been referred to the Committee on Energy and Technology for further review.

The Data Breach Notification Act, for those curious, would have required organizations with more than 50 employees to adopt data security measures, look into data breaches, and provide notice within 45 days. It also would have compelled organizations to implement reasonable data security policies.

While encouraging, even if Schmidt's amendment does move forward, it doesn't necessarily mean that those who fail to comply will be held accountable. As the Senator recently told Government Technology, enforcing these practices will be a voluntary effort.

“Designing something that protects identities for businesses is a bigger part of it all,” he told the publication, “they are encouraged to use best practices and to put out well-written cyber programs. The goal is to stay ahead of the bad guy and encourage businesses to follow these guidelines, which I think this bill does.”

Tags:  Government
