2024 Senate Bill 888

AI Analysis – Experimental

Senate Bill No. 888 aims to amend and expand the Identity Theft Protection Act (2004 PA 452). The bill proposes changes to sections 3, 12, and 12b, and introduces new sections 11a, 11b, 20, 20a, 20b, and 20c, while repealing certain acts and parts of acts. It clarifies and broadens key definitions related to identity theft protection, including terms like "agency," "encrypted," "financial institution," "identity theft," "personal identifying information," and "public utility," among others.

The bill mandates that entities handling personal information implement reasonable security procedures to prevent unlawful use or disclosure. These procedures must be appropriate to the entity's size, the nature and amount of personal information handled, and the entity's resources. In case of a security breach, entities are required to conduct prompt investigations, notify affected individuals and the attorney general if over 100 residents are affected, and take steps to restore security. The bill specifies how notices to affected individuals should be delivered and what information they must contain, including details of the breach and advice on how to protect oneself from identity theft.

Financial institutions and entities compliant with federal regulations like HIPAA are deemed in compliance with this bill's requirements. The bill also sets forth specific notification methods for public utilities and establishes penalties for misrepresenting security breaches or failing to comply with the bill's provisions. Civil actions for injunctive relief and fines can be brought against entities that do not implement required security procedures, investigate breaches, or provide necessary notices.