Can I skip having an information security program in place in Michigan? What are the requirements?
Based on the documents provided, it is not possible to skip having an information security program in place in Michigan. Michigan law requires each licensee to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information [1.1][1.2][3.1][5.1][5.2]. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities [1.1][1.2][5.1][5.2]. The information security program must be designed to protect the security and confidentiality of nonpublic information and the security of the information system, protect against any threats or hazards to the security or integrity of nonpublic information and the information system, protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any customer [1.2][5.1][5.2]. The licensee must also maintain policies and procedures for the secure disposal on a periodic basis of any nonpublic information that is no longer necessary for business operations or for other legitimate business purposes [5.1][5.2].
Additionally, Michigan law requires that a registrant, applicant, or affiliate or contractor described in section 2(m)(vi)(B) shall conduct a background check of each employee or independent contractor of the registrant, applicant, affiliate, or contractor who, in the normal course of his or her employment or engagement, enters a customer’s premises to sell, lease, rent, maintain, repair, install, or otherwise provide a security alarm system at a protected premises [3.1]. The background check required under this subsection shall include the taking of fingerprints of the employee or independent contractor and submission of those fingerprints to the department of state police or the federal bureau of investigation for the purpose of a criminal history record search [3.1].
Therefore, it is mandatory for licensees to have an information security program in place in Michigan, and failure to comply with these requirements may result in penalties and legal consequences.
Source(s):
- [1.1] Information security program
- [1.2] Objectives of information security program
- [3.1] Registration statement; affidavit; contents; background check of each employee or independent contractor; employment prohibited; conditions.
- [5.1] Comprehensive written information security program; requirements; duties of licensee and board of directors; third-party service provider; incident response plan; certification of compliance.
- [5.2] Comprehensive written information security program; requirements; duties of licensee and board of directors; third-party service provider; incident response plan; certification of compliance.
Jurisdiction: Michigan