What to do if you're a victim of data breach


Mark Hynes


If your business has been the victim of a data security breach, you will need to follow the breach notification requirements in Michigan's Identity Theft Protection Act. You should consider these steps: 

Step. 1: Determine what harm may result from the breach.

You must provide notice of the breach of personal information to each affected Michigan resident, unless you establish the breach is not likely to cause substantial loss of injury or result in identify theft to one or more Michigan residents. 

Personal information means the first initial or name and last name of a Michigan resident linked to a Social Security number, driver's license or state identification card number, or bank account or credit card number. 

You should immediately begin a thorough, reasonable investigation into the security breach before concluding that harm is unlikely.

Step 2: How should you notify your customers or contacts?

The form of notification you will use is determined by the relationship with your customers and vendors.  

Written notification may be sent to the recipient's postal address on file. Email notice may be used if the recipient expressly consented to electronic notice, you conduct business primarily through the Internet, or your existing relationship with the recipient includes email and you reasonably believe you have the recipient's current email address. 

Phone notification and substitute notice are appropriate only in limited circumstances. 

Step 3: What information should the notification contain?

All notifications must: 1) be written in a clear, conspicuous manner; 2) generally describe the breach; 3) describe the personal information affected; 4) generally describe actions taken to protect data from further breaches; 5) include a telephone number where additional information or assistance may be obtained; and 6) remind notice recipients to remain vigilant for incidents of identity theft and fraud. 

Step 4: Are there additional notification requirements?

Consumer reporting agencies must be notified of the number and timing of notices provided to Michigan residents unless the breach affected 1,000 or fewer Michigan residents, or your business is a financial institution subject to the Gramm-Leach-Bliley Act.  

Penalties for failing to provide notification.

Failure to provide the required notification could result in a fine of up to $250 for each failure to provide notice, up to a total of $750,000 for the same security breach. 


The author is an attorney with Fraser Trebilcock. He can be reached at mhynes@fraserlawfirm.com or (517) 377-0874.