The Identity Theft Protection Act would cover several areas, including notifying those whose personal information has been compromised in a breach, along with providing powers and duties to certain state and local government entities to address these issues.
It would also outline potential penalties, remedies, affirmative defenses and efforts to prevent cyber attacks.
“It’s simple, we were working with the legislative director at the time, and both read an article reviewing what states are doing regarding cyber technology and security,” said bill sponsor Sen. Wayne Schmidt. “Michigan has been ranked on the lower end of the scale regarding these issues, so we decided maybe it’s time we do something about it.”
If passed, the bill would encourage covered entities to establish, maintain and comply with a written cybersecurity program containing administrative, technical and physical safeguards to protect personal information.
“Designing something that protects identities for businesses is a bigger part of it all,” he added. “They are encouraged to use best practices and to put out well-written cyber programs.”
However, enforcing these practices would be a voluntary effort, Schmidt clarified, noting that the bill prescribes potential penalties but does not specifically enforce any.
For example, he said, if a business gets taken to court, it would be that much harder to prove they did anything wrong if they followed all the guidelines outlined in the bill.
“The goal is to stay ahead of the bad guy and encourage businesses to follow these guidelines, which I think this bill does,” he said.
But what about consumers? The answer might be that everyone benefits from better cybersecurity practices, said Lee Tien, senior staff attorney and Adams Chair for Internet Rights with the Electronic Frontier Foundation, but if that’s the case, why not require businesses to do things?
“Let’s imagine I’m a consumer, or I’m a class of people who have been injured by a data breach. What the bill seems to be saying is, you have an affirmative defense, right? You’re not liable for that if you can show you had a security program,” Tien said
As for businesses adopting these voluntary guidelines, he explained, “it’s not really obvious to me how it even creates an incentive to bring in these programs in the first place.”
“To me, it’s one of those things where it’s in the shape of a bill that looks like it’s not bad,” he added, “but when you stare at it like this, it doesn’t make any sense.”
As for next steps, the bill has been sent to the state’s Senate Energy and Technology Committee to be reviewed and discussed.
