MI SB0717

Establishes the "Information Security Program Standards Act" requiring persons that own, license, store, or maintain personal information about Michigan residents to develop, implement, and maintain a comprehensive written information security program consistent with industry best practices such as ISO 27000.

Defines "personal information" as first name or initial and last name linked to social security number, driver license number, state ID card number, or financial account numbers with security codes that would permit account access.

Requires comprehensive security programs to include administrative, technical, and physical safeguards covering employee training, risk assessment, security policies, third-party service provider management, access controls, encryption, intrusion detection systems, and incident response documentation.

Grants civil immunity from damages resulting from unauthorized access or data breaches to any person who develops, implements, maintains, and monitors a comprehensive written information security program meeting the act's standards.

Mandates annual review of security measures and updates whenever material changes in business practices occur that may affect the security or integrity of records containing personal information.