If you are a business and discover that your computers or other records have been compromised in a security breach, you may have some responsibilities under Michigan’s Identity Theft Protection Act. This law requires that notices be sent to customers if any of their sensitive data (such as Social Security numbers, bank account information or credit card numbers) may have been disclosed.
Even though it can be embarrassing to a business to announce to customers that its computers were hacked, it will be more embarrassing (and very costly) if a hacker uses the information obtained and no notice was ever given.
These notices must be sent without “unreasonable delay” after the breach is discovered. The contents of the notices vary depending on what information was obtained, the type of business and how many customers had data that was compromised. The attorney general or a prosecuting attorney can impose large civil fines for failure to comply with these notice requirements.
In addition, if the data included medical information, HIPAA imposes separate compliance requirements, and if the information involved credit card or debit card numbers, your agreement with the card issuer may require notices beyond those required by the Identity Theft Protection Act.