Legislation that state lawmakers in Lansing are considering would raise requirements for how businesses must handle a data breach.
The bills would define the sensitive personal information covered and who is responsible for reporting a data breach, and establish processes and timelines for investigating, responding to and publicly reporting an incident. The law would cover entities with 50 or more employees.
The main sponsor of the two-bill package, state Rep. Diana Farrington, a Republican from Utica, notes that Michigan’s existing data breach law lacks a specific timeframe for notifying residents who’ve had their information compromised. Nor does it have any requirements to notify the state when a large-scale data breach occurs, she said.
“Consumers have a right to know when their personal information has been stolen and this legislation intends to make sure they are notified in a timely manner,” Farrington said in a statement following a recent unanimous vote in the House Financial Services Committee, which she chairs, to send the bills on for further consideration.
“This legislation is about one thing — the Michigan consumer and keeping their money safe and secure so that wrongdoers do not hold an advantage,” Farrington said.
The bills, backed by banks and credit unions, now sit in the new House Ways and Means Committee, where business advocates hope to gain support for amendments that would give flexibility in reporting a data breach, particularly for small businesses.
A coalition of business groups agrees that cybersecurity and data breaches are a growing issue, but views requirements in the bills as “untenable mandates.” A “few minor yet critical changes” could alter the coalition’s stance toward the bills, according to a memo submitted to the House Financial Services Committee.
One concern is that mandates in the bills could disproportionately affect small businesses that lack the resources of larger companies.
“We’re at this place where we recognize as a business community that this is a real issue. This is a serious problem when it comes to data,” said Alexa Kramer, public policy coordinator for the Grand Rapids Area Chamber of Commerce.
“So we see this bill as a great place to begin the conversation,” Kramer said. “We’re certainly grateful that this issue is getting attention and are willing to work with the legislature to find a real solution that would keep in mind those smaller businesses.”
The Grand Rapids Chamber is part of a coalition opposing the legislation as written. Other members include the Michigan Chamber of Commerce, Michigan Manufacturers Association, Michigan Retailers Association, Midwest Independent Retailers Association, the state office of the National Federation of Independent Businesses, Detroit Regional Chamber, Michigan Restaurant & Lodging Association, and General Motors.
‘LIMIT THE DAMAGE’
Among the requirements, the bills would require businesses and organizations to notify affected state residents within 45 days of determining that a breach occurred, except in instances in which a state or federal law enforcement agency concludes notification would interfere with a criminal investigation or national security. Notification under those circumstances would have to wait until the law enforcement agency deems it necessary.
A business or organization could provide a substitute notice if direct notification is infeasible because of excessive cost or if it lacks contact information for people whose information was breached. In those cases, a notice conspicuously displayed on a website for 30 days and placed in print and broadcast media in urban and rural areas would suffice.
In instances when a breach involves more than 750 residents, businesses and organizations also would have to notify the Michigan Department of Technology, Management and Budget within 45 days of determining it occurred. The written notice to the state would have to include a summary of events, an estimated number of residents affected, services offered to those affected, and how somebody could obtain more information.
The bills have the backing of advocates for banks and credit unions.
In written testimony to the House Financial Services Committee in February, David Worthams of the Michigan Bankers Association noted that banks need notification as quickly as possible when, for example, a business experiences a breach involving customers’ credit card data.
“We all have a shared responsibility to protect the integrity of the payment system and by working together we can prevent or at least limit the damage caused by data breaches,” said Worthams, the MBA’s policy director.
“When merchants notify financial institutions in a timely manner, we are more quickly able to react to potentially fraudulent activity as a result of a data breach,” he said. “Our experience has shown, however, that merchants are reluctant to share that information.”
The MBA was joined in support of the legislation by the Community Bankers of Michigan and the Michigan Credit Union League.
‘SOME REAL CONCERNS’
The business coalition that objects to the bills wants to make requirements for investigating a suspected data breach “less prescriptive to allow greater flexibility for those smaller businesses that might not have the capacity to do everything laid out in the bills but are still able to put forth a good faith investigation,” said Kramer of the Grand Rapids Chamber.
The coalition also suggested amendments to the bills that would allow for additional notification periods based on whether a business uses a so-called “gateway” to transmit data to a credit card processor and require a third party that incurs a data breach to handle notifications when applicable. The group also suggested allowing a substitute notification either online or through the news media when a breach affects 500,000 residents or more, and prohibiting local cybersecurity ordinances.
Amy Drumm, vice president of government affairs at the Michigan Retailers Association, said that each data breach incident “is going to be a little different” and needs to be handled differently.
For example, small businesses may not store data from credit card transactions processed by a third party and may not know who was affected, Drumm said. Likewise, customer loyalty programs often are operated by third parties, she said.
Under current drafts of the legislation, those third parties, even if they experienced the data breach, would “have no responsibility,” Drumm said.
“All they have to do is tell the business that they work with that they had a breach. It’s on the business to then notify their customers, incur the cost of that, do the investigation, all those pieces,” she said. “We have some real concerns about the fact that there isn’t flexibility to address who’s really been breached and having the entity be the one that takes on that responsibility.”
A January report by the nonprofit Identity Theft Resource Center noted that subcontractor and third-party breaches “became a more common occurrence” in 2018, accounting for 102 of the total 1,244 breaches reported in the U.S. Third-party and subcontractor breaches also exposed four times as many records in 2018 as in 2017.
SEEKING MIDDLE GROUND
The coalition of business interests worked with lawmakers in the prior legislative session on similar bills and reached a compromise with the Credit Union League and Michigan Bankers Association. The bills died at the end of the 2018 legislative session.
Drumm believes the coalition can again “find a reasonable middle ground” on the bills.
In his testimony in February to the House committee, the MBA’s Worthams said the data breach bills “continue the conversation on the best ways to inform the public, law enforcement and financial institutions” when an incident occurs. The MBA is open to “good faith discussions with Michigan retailers and with other concerned parties about their concerns and how we can find a balance that will increase our common customers’ trust in all our institutions,” he said.
In crafting the legislation, lawmakers need to take into consideration that businesses experiencing a data breach are victims of a crime and “not punish the victim,” Drumm said. The current legislation “doesn’t do anything to prevent data breaches or go after the hackers or criminals who’ve been causing the breaches and stealing your information,” and “only add further burden to the victim,” Drumm said.
“In most instances, it is the fact that (businesses) have been the victim of a criminal attack, essentially, versus some wrongdoing on their part,” Drumm said. “Typically these are incidents where the business that has been breached is a victim and they are the ones that are now being forced to pay more, and go above and beyond, and take the reputational hit because someone has hacked into their system or stolen their data.”
Since data breaches often occur across state lines, the Michigan Retailers Association prefers to see the issue be addressed at the federal level by Congress with a law “that’s clear for all businesses regardless of where they’re operating and so we don’t have these state versions for members who operate in more than one state,” Drumm said.