Identity Theft Protection Act: Rules for Employers Concerning Information Security Breaches
More frequently than we would like, situations arise in which personal information of individuals may be compromised. In addition to "hacking" and obvious identity theft, examples may include the stolen company laptop or smart-phone, the lost thumb drive, and the infamous inadvertent "reply all" or forward of confidential e-mail. While many employers are well-familiar with Michigan's social security number privacy provisions, Michigan law provides protection to an even broader array of personal information maintained in the course of business. Michigan employers need to be familiar with Michigan's Identity Theft Protection Act (ITPA) in responding to situations involving the unintended disclosure of such personal information.
ITPA generally prohibits individuals and other legal entities from obtaining, or attempting to obtain, the personal identifying information of another, with the intent to violate the law or sell it to someone else who will use it for such illegal purposes. Importantly for Michigan businesses, ITPA also imposes requirements upon entities, including employers, which own or maintain databases of "personal information" concerning Michigan residents. Such rules require notification to individuals in the event of "security breaches," and proper destruction of personal information when it is no longer needed. ITPA's information security requirements are the focus of this article.
Who is Covered by the Security Breach Notification Provisions?
Individuals and businesses that own or license computerized "personal information" concerning one or more residents of Michigan must comply with ITPA's security breach notification rules. Any covered entity with a database that includes personal information of multiple individuals must comply with ITPA's rules for the destruction of such data.
What is "Personal Information"?
"Personal information" includes a Michigan resident's first name or first initial and last name, linked to any of the following:
- social security number;
- driver license or state identification card number; or
- demand deposit or other financial account number, or credit card or debit card number, in combination with any password or security code that would permit access to a person's financial accounts.
Most employers maintain electronic databases containing at least some of the above information for purposes of personnel administration.
What is a Breach Triggering Notice Requirements?
A "security breach" is the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained in a database. Unless the entity determines that a security breach "has not or is not likely to cause substantial loss or injury to one or more residents of the state," the entity must notify each Michigan resident whose personal information was improperly accessed.
Important for employers, ITPA provides an exception for unauthorized access by an employee, or other individual, if certain criteria are met. "Security breach" does not include unauthorized access to data by an employee or other individual where:
- the employee or other individual acted in good faith in accessing the data;
- the access was related to the activities of the agency or person; and
- the employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.
What Time, Form, and Manner of Notice Are Required?
ITPA provides only that notice must be given "without unreasonable delay." ITPA specifically contemplates that some reasonable delay may be necessary in order to determine the scope of the breach and to restore the reasonable integrity of the database, or where a law enforcement agency advises that providing notice will impede an investigation or jeopardize national security.
In terms of content, the notice must:
- describe the security breach;
- specify the type of personal information subject to the unauthorized access or use;
- indicate the steps taken to protect data from further breaches;
- include a telephone number for more information; and
- remind recipients of the need to remain vigilant for incidents of fraud and identity theft.
The notice must generally be in writing. Exceptions allowing electronic, telephonic, or public notice apply in limited circumstances. When a breach affects more than 1000 residents, the entity generally must also report the breach to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
What are ITPA's Data Destruction Rules?
ITPA requires any covered entity to destroy personal information when it is removed from the database and is not being retained elsewhere for another purpose permitted under state or federal law. "Destruction" means shredding, erasing, or otherwise modifying the data so they cannot be read, deciphered, or reconstructed through generally available means.
What Are Best Practices For Me As An Employer?
Employers should implement appropriate policies to protect the security of personal information. Rules concerning how and where personal information can be maintained, how it is discarded, and who can access such information will help minimize the likelihood of security breaches. It is a good idea to minimize the amount and/or type of personal information maintained to that which is necessary for personnel administration. Encryption of data, and the implementation of passwords on portable electronic equipment such as smart phones and computers are advisable steps. Employers should also consider what types of information should be permitted to be maintained on transportable equipment, such as laptop hard drives, portable hard drives, and the like.
In the event of any unintended disclosure, even where it is not clear that a notification would be legally required, employers should consider whether voluntary notification is prudent. Voluntary notification may be advisable, for example, where no clear risk of substantial injury exists, but where the disclosure was nonetheless outside the intended channels of communication. Done properly, voluntary notification sends the message that the entity takes protection of personal information seriously.
Employers should be aware that other laws, such as the Health Insurance Portability and Accountability Act, Michigan's Social Security Number Privacy Act, the identity theft protection laws of other states, and other federal laws also protect the security of various kinds of personal information. In each situation, it is important to work appropriately with legal counsel to ensure that all relevant laws are considered in developing an appropriate response.
If you have any questions concerning identity theft protection issues in your workplace, please contact Stephanie Setterington or another member of Varnum's Labor and Employment Relations group.