Michigan Data Breach Notification Laws: Reporting Rules & Timelines (2026)

When a Michigan business discovers that hackers accessed its customer database, the clock starts ticking. The Identity Theft Protection Act sets out exactly what must happen next, who must be told, and what the consequences are for staying silent. Whether you are a business owner trying to comply or a resident who received a breach notice, understanding these rules is essential.
This guide covers Michigan's current data breach notification requirements under MCL 445.72, the penalties for noncompliance, safe harbor provisions, and pending legislation that could significantly tighten the rules. For broader context on privacy protections in the state, see the parent guide to [Michigan Data Privacy Laws](/us-laws/data-privacy-laws/michigan-data-privacy-laws).
What Law Governs Data Breach Notification in Michigan
Michigan's data breach notification obligations come from the Identity Theft Protection Act, enacted as Act 452 of 2004 and effective since March 1, 2005. The breach notification provisions are found primarily in MCL 445.72, with key definitions in MCL 445.63.
The law applies to any person or agency that owns or licenses data included in a database containing personal information of Michigan residents. "Person" is defined broadly to include individuals, partnerships, corporations, limited liability companies, associations, and other legal entities. "Agency" covers state government departments, boards, commissions, and public universities.

What Triggers a Notification Obligation
A breach notification is required when a "security breach" occurs, which MCL 445.63 defines as the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained in a database. Both elements matter: the statute speaks of access and acquisition together, not mere access.
Personal Information That Triggers Notification
The law protects a Michigan resident's first name or first initial combined with last name, linked to one or more of the following unencrypted data elements:
- Social Security number
- Driver's license number or state personal identification card number
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the account
If a breach involves only a name without any of these linked data elements, notification is not required under this statute.
When Notification Is Not Required
An entity can skip notification if it determines that the breach "has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to" Michigan residents. The entity must exercise the care that "an ordinarily prudent person or agency in like position would exercise under similar circumstances" when making this determination.

The Encryption Safe Harbor
Michigan provides a clear encryption safe harbor. If the compromised data was encrypted or redacted, and the encryption key was not also accessed or acquired, no notification is required.
Under MCL 445.63, "encrypted" means data transformed through an algorithmic process into a form with a low probability of assigning meaning without a confidential process or key. "Redacted" means altering data so that no more than four digits of a driver's license, state ID, or account number are accessible, or no more than five digits of a Social Security number.
However, if an unauthorized person gains access to both the encrypted data and the encryption key, the safe harbor does not apply, and notification is required.
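To make the trigger test and the encryption and redaction definitions above concrete, here is an added Python triage helper (my own illustration, not code from the statute, the legislature, or any official source). The `Element` fields, element names, digit limits as mapped from the quoted definition, and the sample rows are all assumptions; the rows are constructed and do not come from any real breach.

```python
from dataclasses import dataclass

# Maximum digits that may remain readable for a value to count as "redacted"
# under the MCL 445.63 definition quoted above (element names are assumed).
REDACTION_LIMITS = {"ssn": 5, "drivers_license": 4, "state_id": 4, "account": 4}

@dataclass
class Element:
    kind: str               # key of REDACTION_LIMITS
    stored_value: str       # value as it sat in the compromised database
    encrypted: bool = False
    key_compromised: bool = False
    # An account number only counts when paired with a code or password that
    # permits access; this flag models that pairing (assumed field).
    access_code_included: bool = True

def exposed_digits(value: str) -> int:
    """Digits still readable in a masked value: 'XXX-XX-6789' -> 4."""
    return sum(ch.isdigit() for ch in value)

def is_redacted(kind: str, value: str) -> bool:
    return exposed_digits(value) <= REDACTION_LIMITS[kind]

def element_triggers(e: Element) -> bool:
    """True if this element, as compromised, is an unprotected trigger."""
    if e.kind == "account" and not e.access_code_included:
        return False
    if e.encrypted and not e.key_compromised:
        return False  # encryption safe harbor: key was not also taken
    return not is_redacted(e.kind, e.stored_value)

def record_triggers_notice(has_name: bool, elements: list) -> bool:
    """Name (first name or initial + last name) plus >= 1 unprotected element."""
    return has_name and any(element_triggers(e) for e in elements)

# Constructed sample rows (has_name, elements), not from any real incident.
SAMPLE_RECORDS = [
    (True,  [Element("ssn", "123-45-6789")]),                         # plaintext SSN
    (True,  [Element("ssn", "XXX-XX-6789")]),                         # redacted: 4 digits
    (True,  [Element("drivers_license", "X123456", encrypted=True)]), # key not taken
    (True,  [Element("drivers_license", "S123456789", encrypted=True,
                     key_compromised=True)]),                          # key also taken
    (False, [Element("ssn", "987-65-4321")]),                         # no name linked
    (True,  [Element("account", "4111111111111111",
                     access_code_included=False)]),                    # number only
]

def triage(records) -> dict:
    """Count triggering residents; more than 1,000 also means CRA notice."""
    n = sum(record_triggers_notice(name, els) for name, els in records)
    return {"affected_residents": n, "notify_residents": n > 0,
            "notify_consumer_reporting_agencies": n > 1000}
```

The helper only applies the elements-based test; the separate "not likely to cause substantial loss or injury" determination and the good-faith employee exception still need a human judgment call.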
The Good-Faith Employee Exception
Not every unauthorized access counts as a breach. Under MCL 445.63, a security breach does not include access by an employee or other individual when all three conditions are met:
- The employee acted in good faith
- The access was related to the activities of the agency or person
- The employee did not misuse or disclose any personal information to an unauthorized person
This exception recognizes that employees sometimes access records outside their normal scope while performing legitimate work functions. As long as the access was well-intentioned, job-related, and no information was misused or shared, it falls outside the breach definition.
Notification Timeline and Methods
How Quickly Must Notice Be Sent
Michigan requires notification "without unreasonable delay." Unlike many newer state laws, Michigan does not currently set a specific number of days. The law does allow two exceptions to the timing requirement:
- Scope determination. A delay is permitted if necessary to determine the scope of the breach and restore the integrity of the database.
- Law enforcement request. Notice may be delayed at the request of a law enforcement agency investigating the breach.
Acceptable Notification Methods
MCL 445.72 allows several methods:
- Written notice by postal mail to the affected resident's last known address
- Electronic notice if the resident previously consented to electronic communications or has an existing business relationship with the entity
- Telephone notice via a live representative, with a follow-up written notice
- Substitute notice when the cost of direct notification exceeds $250,000, the affected population exceeds 500,000 residents, or the entity lacks sufficient contact information. Substitute notice requires all three: email notification (when addresses are available), conspicuous posting on the entity's website, and notification to major statewide media.
What the Notice Must Include
Michigan law requires breach notifications to contain:
- A description of the security breach in general terms
- The type of personal information compromised
- What remedial measures the entity has taken to prevent further breaches
- A telephone number where affected individuals can get more information
- A reminder to remain vigilant for signs of fraud and identity theft
Consumer Reporting Agency Notification
For breaches affecting more than 1,000 Michigan residents, the entity must also notify each nationwide consumer reporting agency without unreasonable delay. The notice must include the number of affected residents and the timing of the notification to those residents.
Third-Party Data Holders
An entity that maintains a database containing personal information that it does not own or license must notify the owner or licensor of the data after discovering a breach. The data owner then assumes responsibility for notifying affected individuals.
This provision is particularly relevant for cloud service providers, data processors, and IT vendors that store personal information on behalf of other businesses.

Penalties and Enforcement
Civil Fines
Under MCL 445.72, a person that knowingly fails to provide required breach notification may face civil fines of up to $250 per failure to notify. The aggregate liability from a single breach event is capped at $750,000.
The Michigan Attorney General or a county prosecuting attorney may bring an action to recover these civil fines.
Criminal Penalties
Filing a fraudulent or false breach notification with intent to defraud is a misdemeanor under the Identity Theft Protection Act:
- First offense: Up to 93 days imprisonment or a fine up to $250 per violation, or both
- Second offense: Up to 93 days imprisonment or a fine up to $500 per violation, or both
- Third or subsequent offense: Up to 93 days imprisonment or a fine up to $750 per violation, or both
No Private Right of Action
Michigan's breach notification statute does not create a private right of action. Individual consumers cannot sue a company directly for failing to provide breach notification. However, the statute explicitly states that it does not eliminate other remedies available under existing law. Affected individuals may still pursue claims under common law theories such as negligence if they can demonstrate actual damages.
Violations as Unfair Trade Practices
Breach notification failures can also be pursued as unfair or deceptive trade practices under the Michigan Consumer Protection Act (MCL 445.903), giving the Attorney General additional enforcement authority beyond the Identity Theft Protection Act penalties.
Data Destruction Requirements
Michigan also imposes obligations for securely disposing of personal information. Under MCL 445.72a, any entity that maintains a database of personal information must destroy that data when it is removed from the database, unless retention serves another lawful purpose.
"Destroy" means shredding, erasing, or otherwise modifying the data to make it unreadable or indecipherable. Violations of the destruction requirement carry misdemeanor penalties of up to $250 per violation.
Compliance Safe Harbors
Michigan recognizes two important compliance safe harbors:
- Financial institutions that comply with Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information are deemed in compliance with Michigan's notification requirements.
- HIPAA-covered entities that comply with federal health data breach notification rules under the HITECH Act satisfy Michigan's requirements.

Pending Legislation: SB 360 Would Overhaul Michigan Breach Rules
Senate Bill 360, part of a five-bill package (SB 360-364), passed the Michigan Senate on August 26, 2025, by a vote of 19-15. It has been referred to the House Committee on Government Operations. If enacted, it would represent the most significant update to Michigan's breach notification framework since the original 2004 law.
45-Day Notification Deadline
SB 360 would replace the current "without unreasonable delay" standard with a firm requirement to notify affected individuals no later than 45 days after the entity determines a breach occurred.
Attorney General Notification
Breaches affecting 100 or more Michigan residents would require written notice to the Attorney General no later than the date notice is provided to individuals. Current law does not require AG notification.
Expanded Personal Information Definition
The bill would add biometric data (fingerprints, voiceprints, retina or iris images, and genetic information used for identity authentication) to the categories of personal information that trigger notification obligations.
Mandatory Identity Theft Services
When a breach involves Social Security numbers or taxpayer identification numbers, the entity would be required to offer identity theft prevention and mitigation services at no cost for at least 24 months.
Cybersecurity Program Requirements
A new Section 11a would require entities handling personal information to implement and maintain reasonable security procedures, including:
- Appointing a security coordinator
- Identifying and assessing reasonably foreseeable risks
- Implementing safeguards aligned with the NIST Cybersecurity Framework 2.0 or equivalent industry standards
- Contractually requiring service providers to maintain similar safeguards
Enhanced Penalties
SB 360 would add civil fines of up to $2,000 for failing to maintain required security procedures or failing to investigate a potential breach, in addition to the existing $250-per-notification-failure penalties.
As of March 2026, SB 360 remains pending in the House Committee on Government Operations. A previous version of the bill (SB 888 in the 2023-2024 session) passed the Senate but stalled in the House.
Employer Obligations After a Breach
Michigan does not have a separate employer-specific breach notification statute. However, employers that maintain databases of employee personal information (Social Security numbers, direct deposit details, driver's license numbers) are subject to the same notification requirements under MCL 445.72 as any other data holder.
Employers should take these steps after discovering a breach affecting employee data:
- Assess the scope of the breach and what personal information was accessed
- Determine notification obligations based on whether the data was encrypted and whether harm is likely
- Notify affected employees without unreasonable delay using one of the approved methods
- Report to consumer reporting agencies if more than 1,000 employees are affected
- Document the investigation and remedial actions taken
- Review and strengthen security measures to prevent future incidents
More Michigan Laws
- Michigan Data Privacy Laws
- Michigan Recording Laws
- Michigan Whistleblower Laws
This article provides general legal information about Michigan data breach notification laws. It is not legal advice. Data breach notification requirements are subject to change through legislation and regulatory guidance. Consult a qualified Michigan attorney for advice about your specific situation.
Sources and References
- Identity Theft Protection Act (Act 452 of 2004), legislature.mi.gov
- MCL 445.72 - Security Breach Notification Requirements, legislature.mi.gov
- MCL 445.63 - Identity Theft Protection Act Definitions, legislature.mi.gov
- MCL 445.72a - Data Destruction Requirements, legislature.mi.gov
- Michigan Consumer Protection Act (MCL 445.903), legislature.mi.gov
- Senate Bill 360 of 2025 - Identity Theft Protection Act Amendments, legislature.mi.gov
- SB 360 Engrossed Bill Text, legislature.mi.gov
- Michigan Attorney General - Consumer Protection, michigan.gov
- NIST Cybersecurity Framework 2.0, nist.gov
- Federal Interagency Guidance on Response Programs, federalregister.gov