Identity theft reportedly costs consumers and businesses billions of dollars each year. As this problem continues to receive more attention, businesses are being asked to do more to safeguard sensitive information they have about their customers and their employees. Michigan now joins the majority of states with a new law that may require notification in the event of a security breach.
On January 3, 2007, Governor Granholm signed into law an identity theft notification law that amends the Michigan Identity Theft Protection Act. This new law applies to sensitive information routinely found in employment records and imposes a notification obligation in the event of a security breach, unless the employer determines that "the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft" to Michigan residents. While we often think of electronic records when we hear the words "security breach," this law applies whether the records are in electronic or paper form.
If you discover a security incident, this law requires you to take reasonable steps to investigate whether the security incident resulted in unauthorized access and acquisition of "personal information," which is defined as a first name or initial and last name linked to a social security number, driver's license or state I.D. number, or a financial account number or code providing access to a financial account. Unless you reasonably conclude that the breach has not or is not likely to cause substantial loss or injury to Michigan residents, you will generally have an obligation to provide written notice to those individuals whose information was involved.
The law does not provide a specific deadline for providing notice, but instead requires that it be sent without unreasonable delay (with limited exceptions for the time it takes to determine the scope of the breach or when delay is necessary for certain law enforcement purposes). Among other things, the required notice must describe the security breach, the type of information involved, steps taken to prevent further security breaches, a contact number for additional information, and a reminder to remain vigilant for incidents of fraud and identity theft. If you fail to provide notice, the new law provides for a civil fine of up to $250 for each notification letter that was not sent, not to exceed $750,000 for any one security breach.
This new law has an important carve-out for an employer's health plan records that are subject to HIPAA, but the exception only applies if the employer is complying with the HIPAA privacy and security rules. And though the HIPAA privacy and security rules do not expressly require notification in the event of a security breach, notification may be necessary in order to minimize harm. Thus, if your health plan files have experienced a breach involving social security numbers or other information that could be used for identity theft, the mitigation requirements of HIPAA may require you to notify your employees so that they can take steps to protect themselves.
If you have any questions about this new law, please contact Norbert F. Kugele at 616.752.2186, or any other member of the Employee Benefits or Labor and Employment Practice Groups.