- FTC Scrutinizes Children’s Privacy Issues Involving Education Technology
- Utah Becomes the Fourth State to Enact a Comprehensive Privacy Law
- Courts Requiring General and Professional Liabilities Policies to Respond to Cyberattacks
- The US and EU Announce a New Trans-Atlantic Data Privacy Framework
- BIPA Claims Following the McDonald Decision
- NY Attorney General Offers Guidance on Dealing with Credential Stuffing
- “Silent Cyber” Continues to Make Noise in State Appellate Courts
- The FBI Warns M&A Participants on the Increasing Ransomware Threat
- FTC Updates Safeguards Rule for Non-Banking Financial Institutions
- The DOJ’s Civil Cyber-Fraud Initiative
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
A bipartisan bill was introduced on October 5, 2021, in the Michigan Senate to amend the Michigan Identity Theft Protection Act (the “Act”). The bill, linked below, would create an affirmative defense to tort claims arising out of a security breach.
In order to avail itself of the affirmative defense, an entity must have “established, maintained, and reasonably complied with a written cybersecurity program.” The program must be based on an industry recognized security framework, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, PCI-DSS, and others. In addition, the program must be designed to protect the personal information and personally identifying information (defined differently under Michigan law) held by the entity, including against anticipated threats and unauthorized access. To determine the appropriateness of the security program and whether it meets the design criteria, the bill creates a test to take into account the size, nature, and resources available to the entity, and the sensitivity of the information available to it, among other factors. In creating the affirmative defense, the bill makes clear that it is not creating a private right of action for alleged breaches of the Act.
In short, the bill would incentivize businesses to implement – and comply with – a security program that is both recognized in the industry and appropriate for the particular type of data that business uses. For those businesses that followed this path, the protection of a new affirmative defense would be available should they be sued for a tort claim under Michigan law.
For further information, please contact Michael P. Hindelang.
The bill text can be found here.
Mike Hindelang is an experienced commercial litigator whose practice has two major components. Mike has significant experience litigating high value cases, especially those with a financial or securities law component. This ...