Senate Bill No. 633 Summary

• Requires persons collecting personal identifying information in regular business to store that information in encrypted form in computerized databases.

• Prohibits denying credit or reducing credit limits to identity theft victims solely based on victim status if the creditor had prior knowledge; victims must provide a police report and either an FTC-standardized affidavit or acceptable affidavit to establish presumption of identity theft.

• Mandates notification to financial institutions within 3 business days of discovering a security breach affecting credit or debit cards, and to affected Michigan residents without unreasonable delay unless breach is unlikely to cause substantial loss or identity theft.

• Specifies notification methods including written mail, email, telephone, or substitute notice (website posting and media notification) if costs exceed $250,000 or affecting more than 500,000 residents; requires notice content to include breach date, personal information types affected, and identity theft prevention services at no cost for 12 months.

• Establishes criminal penalties for violations (up to 93 days imprisonment or $1,000-$3,000 fines depending on offense count) and allows depository institutions to sue for actual damages from security breaches, including card reissuance and fraud prevention costs; takes effect 90 days after enactment contingent on Senate Bill 632 becoming law.