2019 House Bill 4187

Expand data breach response requirements

Introduced in the House

Feb. 14, 2019

Introduced by Rep. Diana Farrington (R-30)

To establish detailed rules for personal information data breaches that create a substantial risk of identity theft or fraud, including notice requirements, reporting requirements, guidelines and more for businesses, associations and state agencies. Among other things the bill would distinguish between breaches that permit an outsider to gain access to an online account, versus breaches that expose sensitive personally identifying information. The bill authorizes $5,000-per-day civil penalties for noncompliance, up to a maximum of $250,000.

Referred to the Committee on Financial Services

March 13, 2019

Reported without amendment

Refer to the committee on Ways and means.

Referred to the Committee on Ways and Means

Dec. 10, 2019

Reported without amendment

Without amendment and with the recommendation that the bill pass.

Sept. 2, 2020

Passed in the House 97 to 12 (details)

Received in the Senate

Sept. 9, 2020

Referred to the Committee on Regulatory Reform

Dec. 3, 2020

Reported without amendment

With the recommendation that the substitute (S-1) be adopted and that the bill then pass.

Dec. 10, 2020

Passed in the Senate 38 to 0 (details)

To establish detailed rules for personal information data breaches that create a substantial risk of identity theft or fraud, including notice requirements, reporting requirements, guidelines and more for businesses, associations and state agencies. Among other things the bill would distinguish between breaches that permit an outsider to gain access to an online account, versus breaches that expose sensitive personally identifying information. The bill authorizes $5,000-per-day civil penalties for noncompliance, up to a maximum of $750,000.

Received in the House

Dec. 16, 2020

Passed in the House 93 to 15 (details)

To concur with the Senate-passed version of the bill.

Vetoed by Gov. Gretchen Whitmer

Dec. 30, 2020