The Matrix

In order to avail itself of the affirmative defense, an entity must have “established, maintained, and reasonably complied with a written cybersecurity program.”  The program must be based on an industry recognized security framework, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, PCI-DSS, and others.  In addition, the program must be designed to protect the personal information and personally identifying information (defined differently under Michigan law) held by the entity, including against anticipated threats and unauthorized access.  To determine the appropriateness of the security program and whether it meets the design criteria, the bill creates a test to take into account the size, nature, and resources available to the entity, and the sensitivity of the information available to it, among other factors.  In creating the affirmative defense, the bill makes clear that it is not creating a private right of action for alleged breaches of the Act.

In short, the bill would incentivize businesses to implement – and comply with – a security program that is both recognized in the industry and appropriate for the particular type of data that business uses.  For those businesses that followed this path, the protection of a new affirmative defense would be available should they be sued for a tort claim under Michigan law. 

For further information, please contact Michael P. Hindelang.

The bill text can be found here.