US Michigan
Consideration of an Enhanced Data Breach Notification Act
House Bills 4186 and 4187 look to enhance the notification requirements regarding data breaches. While it does not seem to take up the issue of consumer data privacy per se, it does define sensitive personally identifying information:
“Sensitive personally identifying information” would mean a username or electronic mail(e-mail)address, in combination with a password, security question and answer, or similar information, that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information. The term also would mean a State resident’s first name or first initial, and last name, in combination with one or more of the following data elements that relate to that resident:
- A nontruncated Social Security number.
- A nontruncated driver license number, enhanced driver license number, State personal identification (ID)card number, enhanced State personal ID card number, passport number, military ID number, or other unique ID number issued on a government document that is used to verify the identity of a specific individual.
- A financial account number, including, but not limited to, a bank account number, credit union account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, PIN, or similar security information, that is necessary to access the financial account or to conduct a transaction that will result in a credit or debit to the financial account.
- A State resident’s medical or mental history, treatment, or diagnosis issued by a health care professional.–A State resident’s health insurance policy number or subscriber ID number and any unique identifier used by a health insurer to identify the State resident.