DBN Statutes – Michigan

Data Breach Notification Statutes – Michigan

Last Updated: 02/28/2024

  • Applicable Statute: Mich. Comp. Laws §§ 445.61, 445.63, 444.64, 445.72
  • Attorney General Notice Required: No.
  • Consumer Notice Requirements:
    • Timing: Must be made without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the database.
    • Method:
      • Written notice sent to the recipient at the recipient’s postal address in the records of the Entity;
      • Telephonic notice given by an individual who represents the Entity if (i) the notice is not given in whole or in part by use of a recorded message, (ii) the recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the Entity also provides notice pursuant to the above methods if the notice by telephone does not result in a live conversation between the individual representing the Entity and the recipient within 3 business days after the initial attempt to provide telephonic notice; or
      • Written notice sent electronically to the recipient if (i) the recipient has expressly consented to receive electronic notice, (ii) the Entity has an existing business relationship with the recipient that includes periodic email communications and based on those communications the Entity reasonably believes that it has the recipient’s current email address, or (iii) the Entity conducts its business primarily through Internet account transactions or on the Internet.
    • Content: The security breach notification must be written in a clear and conspicuous manner and include:
      • A description of the breach in general terms;
      • The of types of personal information accessed;
      • A description of what the entity has done to protect against further breaches;
      • A telephone number where a recipient may obtain additional information;
      • A reminder to stay vigilant and watch for fraud and identity theft.
  • Consumer Reporting Agency Obligations: If more than 1,000 residents must be notified, must notify each nationwide consumer reporting agency of the breach without unreasonable delay. The notification must include the number of residents who received notices and the timing of those notices.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is;" no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in a several such states and visitors of this website are put on notice that neither Klinedinst PC, nor its attorneys, are or will provide legal advice for states where its attorneys are not licensed.

Data Breach Notification Statutes

Practice Attorneys


Related Practice Areas



Subscribe to Privacy and Data Security Newsletter

* indicates required