MI SB0360

Requires persons and agencies that own, possess, collect, or access personal information to implement and maintain reasonable security procedures, including designating a security coordinator, identifying risks, and contractually requiring service providers to follow cybersecurity frameworks like NIST 2.0

Expands the definition of "personal information" to include medical history, health insurance identifiers, usernames/passwords for online accounts, genetic information, and biometric data such as fingerprints and iris images

Mandates that entities discovering a security breach notify affected Michigan residents within 45 days and notify the attorney general if 100 or more residents are affected, with specific required content including breach description and remediation steps

Requires entities to offer at least 24 months of free identity theft prevention and mitigation services when Social Security numbers or taxpayer identification numbers are compromised in a breach

Grants the attorney general expanded enforcement powers including authority to issue investigative demands, accept assurances of discontinuance, and seek civil fines up to $750,000 for failure to provide required breach notifications