Whether you're a small business owner, a manager at a large corporation, or a solo contractor, you are responsible for protecting your customers' information.
Michigan, like most other states, has an identity theft protection law that requires anyone who keeps personal information to protect it, and to properly notify the people affected if their information is exposed in a security breach.
You need to talk to an attorney first
You don't want to be figuring out what to do after a security breach has already happened. It's too easy to miss something or make a mistake under pressure. Come up with a plan ahead of time. An attorney experienced in this field can make sure you're ready when something goes wrong: what to protect, how to protect it, and what has to be done if it is exposed.
What kind of information do you need to worry about? Anything that can connect a person to a bank account or credit card, or be used to impersonate them: names, bank account numbers, credit card numbers, PINs and passwords, Social Security numbers, driver license numbers, even mothers' maiden names.
How do you know you're protecting the right stuff?
You want an attorney who understands the law AND the technology and security systems involved. The right attorney can help you find better systems and create safer procedures for keeping your customers' information safe.
What is a security breach? Any time an unauthorized person obtains personal information, you have a security breach. Encryption only protects you if the key stays out of reach: if the information was encrypted but the person who took it also has the password or key to unlock it, it is still a breach.
Leaving a laptop on a bus, or an ex-employee downloading files from company email or backups, are obvious security breaches. But even throwing out printouts with names and account numbers could be a breach if there's reason to think someone may be going through the trash. (And believe me, that happens regularly.) Proper destruction of customer information, paper and electronic, is also a requirement.
How do you know when you've had a security breach?
Nobody is going to tell you when they take your customers' information without permission. The right attorney can show you not just which information you need to protect, but also what to look for so you know when you've had a security breach.
Notifying your Customers
The law has detailed rules about who must be notified, when you must notify them, how the notice is delivered, and what it must contain. The loss of even one person's information triggers this law. The rules for proper notice are too complex to lay out completely in a blog post. There are rules for providing the notice by postal mail, email, telephone, website posting, or news media, and different rules depending on your industry, for example for financial or medical businesses.
There are specific requirements about what the notice must say. Depending on the size of the breach, you may also be required to notify the consumer credit reporting agencies.
This is not to be taken lightly. Failing to give proper notice can make you liable for civil fines up to $750,000 from the state, in addition to possible lawsuits by angry customers.
How Can I Help?
My years of experience in computer software, security, and small business mean that I can help you understand the law AND prepare your business for the possibility of a security breach, including what to do to keep your customers' information safe.
This isn't something you can ignore. You shouldn't do it only because the law requires it, but also because failing to protect your customers' privacy and finances is simply bad business.