Can I avoid having a data breach response plan in Michigan? What are the requirements?
Data Breach Response Plan Requirements in Michigan
No, you cannot avoid having a data breach response plan in Michigan. Michigan law requires that a person or agency that owns or licenses data included in a database, upon discovering a security breach or receiving notice of one, provide a notice of the security breach to each resident of Michigan who meets certain criteria [1.1]. Additionally, each licensee shall develop, implement, and maintain a comprehensive written information security program, based on the licensee’s risk assessment, that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [3.1].
Requirements for a Data Breach Response Plan in Michigan
The requirements for a data breach response plan in Michigan include providing a notice of the security breach to each resident of Michigan who meets certain criteria, as well as developing, implementing, and maintaining a comprehensive written information security program based on the licensee’s risk assessment [1.1][3.1]. The information security program must contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system, and must be designed to protect against any threats or hazards to the security or integrity of nonpublic information and the information system [3.1].
Reporting Requirements for Cybersecurity Incidents
Electric utilities or cooperatives in Michigan are required to provide a written or oral annual report to designated members of the commission staff regarding the electric utility’s or cooperative’s cybersecurity program and related risk planning [2.1]. The report must contain an overview of the program describing the electric utility’s or cooperative’s approach to cybersecurity awareness and protection, a description of cybersecurity awareness training efforts for the electric utility’s or cooperative’s staff members, specialized cybersecurity training for cybersecurity personnel, and participation by the electric utility’s or cooperative’s cybersecurity staff in emergency preparedness exercises in the previous calendar year [2.1]. Additionally, electric utilities or cooperatives must orally report the confirmation of a cybersecurity incident to a designated member of the commission staff and to the Michigan intelligence operations center, unless prohibited by law or court order or instructed otherwise by official law enforcement personnel [2.1].
Comprehensive Written Information Security Program Requirements
Michigan law requires each licensee to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [3.1]. The information security program must be based on the licensee’s risk assessment and designed to protect against any threats or hazards to the security or integrity of nonpublic information and the information system [3.1]. The licensee’s board of directors must approve the information security program, and the licensee must designate one or more employees to coordinate the program [3.1]. The information security program must also include an incident response plan that is designed to promptly respond to, and recover from, any security breach [3.1].
Conclusion
In summary, it is not possible to avoid having a data breach response plan in Michigan. The requirements for a data breach response plan include providing a notice of the security breach to each resident of Michigan who meets certain criteria, as well as developing, implementing, and maintaining a comprehensive written information security program based on the licensee’s risk assessment. The information security program must contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system, and must be designed to protect against any threats or hazards to the security or integrity of nonpublic information and the information system. Electric utilities or cooperatives in Michigan are also required to provide an annual report on their cybersecurity program and related risk planning, and to orally report the confirmation of a cybersecurity incident to designated members of the commission staff and the Michigan intelligence operations center [1.1][2.1][3.1].
Source(s):
- [1.1] Notice of security breach; requirements.
- [2.1] Security reporting.
- [3.1] Comprehensive written information security program; requirements; duties of licensee and board of directors; third-party service provider; incident response plan; certification of compliance.
Jurisdiction
Michigan