- 9 pharmacy groups warn revised ACIP charter could delay vaccine access: 6 notes
- Private equity’s legal playbook for physician practices
- The outpatient orthopedic model built around doing less
- Where ASCs can find cost savings after the easy wins are gone
- NYU Langone grows South Florida presence with 2 practices
- The hidden cost of the GLP-1 boom: 5 notes
- ‘Hospitals without an outpatient footprint will struggle’: Health systems race to build ASC networks
- ‘Hospitals without an outpatient footprint will struggle’: Health systems race to build ASC networks
- Montefiore leader joins Northwell hospital as CNO, VP of patient care services
- Bad debt, charity care surge continues to squeeze hospitals
- 3 cardiology societies urge CMS to update TAVR coverage rules: 5 priorities
- UCSF nurses, physicians protest ED ‘boarding crisis’
- Inova’s next clinical chief keeps a fish pillow in her office
- Missouri outlaws insurance time limits on anesthesia: 5 things to know
- Texas hospital temporarily closes due to flooding
- Trump’s CDC Nominee Praises Vaccines, Without Vowing Independence From Kennedy
- Why ASCs should be watching the Medicare Advantage exodus
- The health systems still juggling more than one EHR
- LightForce Orthodontics appoints new CEO
- 39 behavioral health executive moves to know
- Good news for anesthesia
- MAX Surgical Specialty Management selects Sensei Cloud as enterprise practice management system
- Why some ASCs ‘are going to be left out’ of healthcare’s next era
- Median pay for anesthesiologists reaches $391K: Breakdown by state
- Is dental school becoming unattainable? 6 dentists weigh in
- Peak Dental Services becomes 1st DSO to deploy clinician well-being framework
- Aspen Dental continues expansion with South Carolina practice
- Texas safety net behavioral health provider projects $15M shortfall
- 4 dental deals totaling $308M
- Huahai poaches quality chief from Hengrui amid FDA manufacturing citations
- 24 new behavioral health study findings to know
- Maryhaven CEO steps down amid financial concerns
- Thriveworks launches insight dashboard for referring providers
- GE HealthCare, Catholic Health strike 10-year, $500M technology partnership
- FDA Clears First Cholesterol Pill To Rival Costly Injections
- Virginia woman convicted of practicing dentistry without a license
- What’s driving Arizona’s drug death surge? 6 things to know
- Statement on Regulation E-Delivery
- Paper Taper: Statement on Proposed Regulation E-Delivery
- Statement on Proposed Regulation E-Delivery
- One Of The Largest Epidural Studies Ever Delivers Reassuring News For Parents
- Bipartisan Senate bill seeks to build vigilance around foreign companies making drugs in US
- Coalition for Health AI launches implementation initiative for public health agencies
- Vanda shifts Nereus marketing into high gear with Schumacher IndyCar sponsorship
- Could A Vaccine Prevent Pancreatic Cancer In Those At High Risk?
- Heatwaves During Pregnancy Could Affect Baby's Brain Development, Study Suggests
- Brain 'Microstimulation' Works Long-Term To Restore Sense Of Touch After Spinal Cord Injury
- Otters, bears and Pharma Lions: inside Gilead’s bronze-winning Cannes spot
- 'Night Owls' At Risk Of Wider Waistlines, Unhealthy Hearts
- Facing Funding Losses, States Call Out Big Businesses With Employees On Medicaid
- Listen to the Latest ‘KFF Health News Minute’
- A Sales Tax on Doctor Visits and Medicine? In Missouri, Some Worry
- Readers Share Personal Insights on Deadly Denials and Pregnancy Centers
- Merck scores at FDA as Lipfendra becomes world's first oral PCSK9 treatment
- UnitedHealth Group to maintain 'restless' even after topping investor's Q2 expectations, CEO says
- 6 weeks into California’s psychiatric staffing mandate: What hospital leaders should know
- The best opportunities to expand behavioral healthcare access
- PsychPlus acquires Koa Health to scale mental health platform
- Median pay for general dentists in each state
- Dr. Renato Silva appointed dean of UTHealth Houston School of Dentistry
- Senate HELP committee grills CDC nominee Erica Schwartz on vaccine policy, resistance to political interference
- 2 states join in expanding psychologist prescribing authority
- Ohio behavioral health clinic owners indicted in $9.3M Medicaid fraud case
- Guardian Dentistry Partners acquires Select Dental Management, adds 38 locations
- Bipartisan House bill tying doc pay to inflation earns resounding applause from providers
- West Tennessee Healthcare expands critical care support through eICU Program in partnership with Philips and hellocare.ai
- Sanofi opens new chapters in Pfizer, Moderna mRNA patent litigation sagas
- Novo gains head start on Lilly with European Commission approval of Wegovy pill
- Merck touts Keytruda front-line win in endometrial cancer subtype, marking a PD-1 first
- Wildfire Smoke Puts Millions At Risk Across Midwest, Northeast
- Lark Health, Samsung team up on AI-powered health coach for U.S. seniors
- 340B drug purchases hit at least $100B in 2025, administrator reports
- Buzzy Veradermics shows its oral minoxidil can tackle female pattern hair loss, too
- No patent protection for Stelara? No problem for J&J as Tremfya fills the void
- Amazon Pharmacy partners with eNavvi to provide real-time medication pricing, delivery info to providers
- Are Microplastics Linked To Higher Heart Attack Risk?
- Impulsivity In Third Grade Could Point To Future Struggles
- AI Can Create 'Ghosts' Of Lost Loved Ones, But Would You Want To Meet Them?
- Blood Test May Predict Alzheimer's Risk Up To 10 Years Before Symptoms Begin
- Kelun scores sac-TMT win in first-line NSCLC population missing from Merck’s massive phase 3 program
- OpenAI’s health AI chief: ‘Bet on the models getting better’
- Knee Pain? Ragged Cartilage? Research Suggests Surgery's Not The Best Answer
- THC/CBD Combo Might Ease Agitation In Late-Stage Dementia
- Facing Funding Losses, States Call Out Big Businesses With Employees on Medicaid
- Full-body scan startup Neko Health scores $700M to break into the U.S. market
- Elevance Health leaves D.C. Medicaid market, mulls future exits
- Sanofi teams up with Special Olympics Unified Football World, raises respiratory health awareness
- Insilico signs on with CDMO Bora in $2.5B AI drug discovery deal
- CMS proposes major Medicare reforms to shift physician pay, phase out MIPS and expand ACO participation
- Judi Health rebrands PBM arm as Judi Rx, unveils Judi Care unit
- With FDA approval for its breast cancer blockbuster hopeful, Celcuity could ‘belong in the hands’ of a Big Pharma
- Anthropic bets bigger on healthcare with Optum tie-up, UST integration
- FTC, CVS unveil settlement in ongoing insulin pricing case
- HHS promises its final rule barring pediatric gender care providers from Medicare is still coming
- Director's Note on What to Expect at the 2026 Partnerships with Sites Summit
- AMA interoperability initiative brings structured clinical terminology to CPT codes
- Lettuce Suspected In Growing Multistate Cyclospora Outbreak
- Startup Sonata launches preventive healthcare membership, linking clinical decisions with AI
- Why Are Family Doctors Leaving The Workforce? Retirement, Burnout Creating A U.S. Primary Care 'Brain Drain'
- HCA Healthcare now expects ACA exchange impacts to exceed $1B in 2026
- Huyabio scores with Opdivo combo in 'milestone' skin cancer trial
- Unruly Patients Are Stressing ER Staff, Undermining Care
- Pain Patients Should Taper Opioids At Their Own Pace, Study Suggests
- Heatwaves Raise Hospital Admissions For Mental Health Woes
- U.S. Gun Suicides Hit Record High, Even As Firearm Deaths Decline Overall
- AstraZeneca pays up to $1.5B for EGFR lung cancer drug Zegfrovy from its spinoff Dizal
- Worried About Your Aging Parents? Welcome To The Caregiving Club
- Lawmakers Look To Make Abortion Shield Laws Less Dependent on Who’s Governor
- Knee Pain? Ragged Cartilage? Research Suggests Surgery’s Not the Best Answer
- Real Chemistry builds body of AI healthcare commercialization tools with Anatomi launch
- Inside agency view: Havas SO on authenticity, connection and pushing back against the ‘sea of sameness’
- Cellares' recent automated cell therapy wins have 'opened the biotech floodgates'
- Insulet, Calm join forces for diabetes care offerings with ‘Mind in Range’ wellness tools
- Remarks before the American-Hellenic Chamber of Commerce
- What Is An Aortic Dissection? The Condition That Killed Sen. Lindsey Graham
- Weight-Loss Drugs Help, But Exercise Is Still The Key To A Healthier Heart
- FDA's latest onshoring move homes in on streamlined facility registration, foreign plant scrutiny
- GSK to seek FDA approval for Jemperli in small but high-profile cancer use after phase 2 win
- Smartphones Can Increase Seniors' Risk Of Depression
- Pro Soccer Players Show Signs Of Shrinking Brains
- Adderall Misuse Falls Sharply Among Young Adults, Study Finds
- New KFF Poll Reveals Who Is Most Likely To Endorse Vaccine Myths
- A New Option For Long-Term Care Costs
- As GOP Cries Fraud, Newsom Backs Medicaid Spending on Housing and Food
- Lupin recalls more than 2.5M prescription eye drop bottles, citing possible contamination
- Journalists Discuss Raw-Milk Marketing, Extreme Heat, Opioid Settlement Spending
- Katie Couric's Memory Loss Scare Puts Rare Brain Condition In Spotlight
- Mild COVID Can Lead To Long-Term Hidden Eye Problems
- LGBTQ+ People Less Likely To Be Screened For Some Common Cancers
- Smartphone App Uses Voice To Predict Asthma, COPD Flare-Ups
- Seniors Know How Sharp They Are At Any Given Time, Study Finds
- Patients Face A Thicket of Red Tape Trying To Maintain Consistent Health Coverage
- AI Can Detect Previously Invisible MS Scars In The Brain
- A New Option for Long-Term Care Costs
- Remarks at the Society for Corporate Governance Conference
- GLP-1 Use Hits Record High As Medicare Opens Access To Weight-Loss Drugs
- Foundation Fights Medical Errors That Claim 200,000 U.S. Lives A Year
- New, Highly Accurate Brush Test Can Detect Mouth Cancer Within An Hour
- Innovative Hip Replacement Cuts Post-Surgery Risk Of Dislocation By 70%
- Global Study Finds Kids Worldwide Skipping Fruits And Vegetables
- Zimmer Biomet to Hire 500 in India as New Bengaluru Technology Centre Drives AI and MedTech Innovation
- Zimmer Biomet to Hire 500 in India as New Bengaluru Technology Centre Drives AI and MedTech Innovation
- AdaptHealth Investigates Data Breach After Social Engineering Attack, Possible Link to ShinyHunters Emerges
- AdaptHealth Investigates Data Breach After Social Engineering Attack, Possible Link to ShinyHunters Emerges
- Statement on the 2026 Regulatory Agenda
- Applying Agentic AI to Healthcare Delivery: The Key to True Transformation
- Applying Agentic AI to Healthcare Delivery: The Key to True Transformation
- From Compliance to Clinical Action: Fixing the Broken Loop in Post-Market Surveillance
- From Compliance to Clinical Action: Fixing the Broken Loop in Post-Market Surveillance
- SCAN Health Plan, Alignment Healthcare sue to challenge CMS' MA star ratings recalculations
Michigan healthcare freedom community forum
The Michigan Senate Committee on Finance, Insurance, and Consumer Protection consists of:
Mary Cavanagh (D), Chair
Jeff Irwin (D), Majority Vice Chair
Sean McCann (D)
Rosemary Bayer (D)
Darrin Camilleri (D)
Mark E. Huizenga (R), Minority Vice Chair
Lana Theis (R)
Kevin Daley (R)
Meeting dates, documents, subscription and contact information are found at the committee home page.
Some early agendas from this year, with italics applied to items with no clear healthcare impact.
Tuesday, May 20, 2025 9:45 a.m.AGENDA
SB 134
Sen. Singh
Consumer protection: other; amendments to the Michigan consumer protection act; provide for.And any other business properly before the committee.
The first bill in the series is linked to that bill page; there, use the previous/next bill function to find the other bills.
Wednesday, June 11, 2025 12:30 p.m.
AGENDA
SB 158
Sen. Cavanagh
Consumer protection: other; certain uses of automated programs to purchase event tickets online; prohibit.SB 159
Sen. Damoose
Consumer protection: other; attorney general investigations of the event online ticket sales act; provide for, and prescribe fines and remedies.SB 359
Sen. Bayer
Consumer protection: privacy; personal data privacy act; create.SB 360
Sen. Bayer
Consumer protection: identity theft; identity theft protection act; modify.SB 361
Sen. McBroom
Consumer protection: identity theft; references to identity theft protection act in deferred presentment service transactions act; revise.SB 362
Sen. Damoose
Consumer protection: identity theft; references to identity theft protection act in Michigan penal code; revise.SB 363
Sen. Shink
Consumer protection: identity theft; references to identity theft protection act in 1846 RS 1; update.SB 364
Sen. Cavanagh
Consumer protection: identity theft; references to identity theft protection act in code of criminal procedure; update.And any other business properly before the committee.
All bills of interest are reintroduced from the 2023-24 session.
Written at the time, and still relevant to the Personal Data Privacy Act debate, Mackinac Center for Public Policy's longform exploration of the issue.
Clipped here for length.
https://www.mackinac.org/blog/2024/michigans-data-privacy-proposal-is-filled-with-problems
Michigan’s data privacy proposal is filled with problems
Federal privacy bill would eliminate need for state action
By Dr. Ted Bolema | May 22, 2024
It is important for people who engage online to have confidence that their personal data will be handled with care. When personal and financial data is misused or hacked, consumers can suffer significant harms. Criminals can use personal data to commit fraud, such as identify theft. Private data can be sold to advertisers or other parties without users’ consent. Data breaches can also limit free expression if they enable governments or online platforms to monitor and censor people’s activities and speech on the internet.
In response to growing concerns about data privacy, many states, including Michigan, are considering or have enacted new data privacy laws. Several Michigan lawmakers introduced the Personal Data Privacy Act in November 2023. Lawmakers in other states have passed similar bills with bipartisan support.
While these state privacy laws address legitimate concerns about consumers’ data, they raise several serious issues. When each state has its own privacy law, that creates a patchwork of inconsistent and sometimes conflicting standards, which is problematic for companies operating across state lines. They must incur significant legal expenses to comply with these laws, which do little to help consumers but may expose companies to expensive class action lawsuits. Some of the laws undermine people’s data privacy rights by giving governments easier access to some personal data without first obtaining a warrant.
The proposed Michigan Personal Data Privacy Act, unfortunately, suffers from all these concerns.
<clip>
Recent state-level data privacy laws
As people become more dependent on the internet for purchases, other financial transactions, and sharing personal data with medical professionals, the importance of data privacy has increased. Websites, apps and social media companies collect and store increasing amounts of personal data about users, which they use to provide better services. But some apps, websites and platforms may be overly aggressive in collecting data or may not safeguard it as much as consumers expect.
The current wave of legislative activity started with the California Consumer Privacy Act of 2018, which was amended in 2020 when California voters approved Proposition 24. Fifteen other states have enacted new data privacy laws since 2018.
These state data privacy laws fall into two broad categories: comprehensive and targeted. Comprehensive laws cover all varieties of private data and apply broadly to nearly all companies, although exemptions for some small businesses are common. Targeted laws address specific types of data privacy concerns. Some targeted data privacy laws limit the collection and retention of biometric data, such as fingerprints or retinal measurements. Others create protections specifically for children or apply only to certain industries. The proposed Michigan data privacy law and the proposed federal law are both comprehensive.
Legislative responses to data privacy concerns are not new. Anyone who has visited a doctor’s office is familiar with the Health Insurance Portability and Accountability Act of 1996, or HIPAA, which governs how medical professionals handle personal health care data. In 2012 Michigan passed the Internet Privacy Protection Act, which prohibits employees or job applicants from having to give employers access to their personal social media, email, or other internet accounts. The law also applies to educational institutions. Michigan also has the Identify Theft Protection Act, passed in 2004, that requires companies to notify their customers of data breaches without unreasonable delay.
The more recent state data privacy laws create various requirements of companies and other entities using online personal data. They must tell consumers what personal data is collected and give them a certain level of control over their own data, such as the right to tell companies not to sell it. These proposals tend to attract bipartisan support, as their protections are usually perceived as being politically popular.
Problems with state privacy laws
While state data privacy laws intend to address consumers' legitimate concerns about keeping their private data protected, they raise several serious concerns.
A patchwork of requirements
Each state privacy law is unique. Having 16 new data privacy laws since 2018 makes it difficult to understand consumers’ rights. It also creates huge compliance costs for companies as they try to keep up with new legal requirements. Even more states are considering new data privacy bills in their current legislative sessions, which would increase these problems.
Costly risk assessments mandates
Most comprehensive state privacy laws, including Michigan’s proposed Personal Data Privacy Act, create specific risk assessment requirements that are often costly to produce. These risk assessments do little to protect consumers, however.
If the goal is to protect consumers’ privacy, laws should encourage companies to comply with the best practices established by the National Institute of Standards and Technology, writes Logan Kolas of the Buckeye Institute. Companies could then meet their legal obligations to protect consumer data by demonstrating adherence to the latest industry standards for the use of private data. This is preferable to making them carry out costly risk assessments.
Frivolous lawsuits
When states mandate risk assessments and create overly specific compliance requirements, they expose businesses to frivolous lawsuits. Some state privacy statutes, and the proposed Michigan law, create a private right of action by which individuals may sue without having to prove they were injured by the use of their private data. These laws invite class action lawsuits that may win millions of dollars for plaintiffs’ attorneys but only nominal awards for individuals.
This concern is grounded in experience from the 1991 Telephone Consumer Protection Act. This federal law was supposed to limit the number of automated marketing calls made to cellphone numbers. While it may have limited some robocalls to cellphones, it led to a wave of class action lawsuits. The average attorneys' fee in these lawsuits was $2.4 million per case, while the individual consumers in the class received an average of just $4.12.
Dangerous government exemptions
State data privacy laws typically exempt government entities, because they are subject to the Freedom of Information Act and other public transparency laws. Theoretically, people or companies could request private data kept by governments through these public transparency tools, which would defeat the purpose of data protection laws. Further, allowing people to demand that governments delete the personal data they store might interfere with police investigations, government regulatory activities and other government functions.
This problem is further complicated by the existence of government entities that directly compete with private businesses. Examples include government-run cable and internet systems, electric utilities, trash collection departments and universities. Allowing these entities broad exemptions from data privacy laws gives them an unfair advantage over the private businesses they compete with, harming consumers by reducing market competition.
Giving governments access to private data
Some state data privacy laws, including the proposed Michigan law, allow government agencies to collect personal data from companies without a warrant. This is permitted to ensure compliance with mandated risk assessments and other provisions in the statute. Ironically, these laws may undermine the very data privacy rights they claim to protect by giving governments easier access to personal data. This problem might be addressed by explicitly prohibiting government agencies from collecting consumer and personal data from companies without a warrant.
<clip>
Michigan lawmakers should wait before moving forward with the current data privacy proposal in Lansing. If Congress passes the American Privacy Rights Act, there will be no reason for the state to pass a similar law, especially given these concerns.
Fisher-Phillips offers perspective on SB 359 and 360 from the world of international workplace law.
Health-related text bolded by me. Clipped for length.
Eyes on Michigan: What Businesses Need to Know About Pending Consumer Privacy and Identity Theft Legislation
Insights | 9.09.25
Michigan lawmakers are considering sweeping updates to the state’s identity theft protection law while also debating whether Michigan will become one of nearly half the states that have passed a consumer privacy law. Fisher Phillips is closely monitoring both SB 359 and SB 360 to prepare businesses for changes that may be on the horizon on both fronts. This Insight explores the current state of Michigan law, the proposed changes being debated, and some steps your business can take to prepare for new potential obligations.
Overview of Senate Bill 359: The Personal Data Privacy Act
The Personal Data Privacy Act, introduced in June 2025, would create Michigan’s first comprehensive consumer privacy framework. We outline the key provisions below.
Applicability Thresholds
Entities covered would be those that conduct business in Michigan or produce products or services that are targeted to residents of Michigan and, during the calendar year, either control or process personal data from over 100,000 consumers or control or process personal data of 25,000 or more consumers and derive any revenue from the sale of personal data. There are also a number of exemptions.
Consumer Rights
If enacted, the law would grant residents new rights to access, correct, delete, and obtain copies of their data. It would also create new rights related to opting out of processing for targeted advertising, the sale of personal data, and profiling.
Notice Requirements
If enacted, the law would require entities subject to the law to provide a notice to consumers explaining the categories of data they collect, the third parties with whom they sell or chare the data, the purpose for collecting the data, and a description of their rights and how to exercise them.
Data Protection Impact Assessment
Controllers would need to conduct and document a data protection impact assessment (DIPA) for certain processing activities involving personal data including:
Processing of personal data for targeted advertising
Sale of personal data
Processing of personal data for the purposes of profiling if the profiling has certain risks
Processing of sensitive data
Any processing activities that involve personal data that present a heightened risk of harm to consumers
The Michigan Attorney General would be able to request a copy of the DIPA, but it would remain confidential and exempt from public requests under FOIA. This is a unique twist that is different than other consumer privacy laws.Data Broker Registry
The bill proposes that, beginning on February 1, 2026, and every year after that, data brokers register with the attorney general. The list of registered data brokers would be publicly assessable on the Attorney General’s website.
If a data broker does not register, there is a proposed fine of $100 per day until registration occurs or an amount equal to the registration fees that were due and not paid.
Geofencing
Michigan proposes to join a minority of states that prohibit geofencing within 1,750 of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, or collecting data from or sending any notification to a consumer regarding the consumer’s health data.
Enforcement
There is no private right of action under the proposed bill. Instead, the Attorney General would be solely responsible for enforcement. Before bringing any action, the AG would need to provide notice.
The civil fines are not to exceed $7,500 per violation, unless related to data brokers not registering with the AG. Additionally, if a person does not cooperate with the Attorney General’s investigation, the office could issue a maximum fine of $5,000.
Overview of Senate Bill 360: Identity Theft Act
Before examining the potential changes on tap, here’s an overview of the current Michigan Identify Theft Act.
Businesses that own or license data must notify Michigan residents if their unencrypted “personal information” is accessed and acquired by an unauthorized person, or if their encrypted data is accessed and acquired along with the encryption key – unless the business determines that the security breach is not likely to cause substantial loss, injury, or result in identity theft.
Such notice must be provided “without unreasonably delay.”
There is no requirement to notify the Attorney General. However, if 1,000 or more Michigan residents are affected, the business must notify the Consumer Reporting Agencies (Experian, Equifax, and TransUnion).
“Personal information” means the first name or first initial and last name linked to one or more of the following data elements: Social Security number, driver license number or state personal identification card number, and demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the individual's financial accounts.
Businesses that are subject to the GLBA or HIPAA, and comply with the notification requirements under those statutes, are considered to be in compliance with Michigan’s law.
Penalties for failing to notify can reach $250 per violation, capped at $750,000 per breach.
Notice RequirementsSB 360 proposes to add a notification requirement to the Attorney General if 100 or more Michigan residents are affected by a security breach. This notice would need to be provided no later than 45 days after the determination of the breach.
The bill also proposes to add the same notice timeframe of 45 days for notifying individuals.
The threshold for notifying the Consumer Reporting Agencies would remain the same.
Additionally, if the security breach results in a resident’s Social Security number or taxpayer identification number being accessed or acquired, or is reasonably believed to have been accessed or acquired, the business would need to offer appropriate identity theft prevention services and, if applicable, identity theft mitigation services that must be provided at no charge to the resident for not less than 24 months.
Personal Information Definition Changes
The proposed law would add additional elements to the definition of “personal information,” including:
passport number
other unique identification number issued on a governmental document that is used to verify the identity of an individual
any individually identifiable information contained in the individual’s current or historical record of medical history, medical treatment, or diagnosis created by a health care professional
a health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify an individual
a username or email address, in combination with a password or security question and answer, that would permit access to an online account that is reasonably likely to contain or is used to obtain personal identifying information
any genetic information or biometric information that is used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina, or iris image
The proposed addition to the definition of personal information is a growing trend among states. Right now, about half of states require notice to individuals if their health information was impacted by a data breach.Cybersecurity
The bill adds a new section related to cybersecurity – a new trend that has not yet spread to most other states with data breach laws. Entities that handle personal information would be required to implement and maintain reasonable security procedures to prevent unlawful use or disclosure. These procedures must include appointing a responsible coordinator, identifying internal and external risks, implementing safeguards tailored to those risks, and regularly assessing their effectiveness.
Additionally, service providers would be required to be contractually obligated to follow recognized cybersecurity standards, such as the NIST Cybersecurity Framework 2.0. Security protocols would need to be adaptable to changing circumstances that could affect data protection.
Fines
The bill would add additional potential fines and penalties.
The failure to notify would remain the same: $250 per person.
However, the bill adds a $2,000 fine for failure to maintain reasonable security procedures and $2,000 for failing to investigate a breach.
Finally, the aggregate liability per breach would remain the same and not exceed $750,000.
What’s Next?The bill to amend the existing data breach law (SB 360) seems to have more momentum than the bill to revise the consumer privacy law (SB 359). SB 360 was reported favorably without amendment by both the Committee on Finance, Insurance, and Consumer Protection and the Committee of the Whole, and it’s now been referred to the House Committee on Government Operations.
However, the Michigan Chamber of Commerce has come out against both bills. It argues that they would hurt small business, create an additional patchwork of regulations, and lead to confusion for businesses trying to comply.
Both bills must be voted on and passed by the end of the legislative session in December of this year. [Actually December 2026 - AN] If either bill is passed, it will be presented to Governor Gretchen Whitmer for her signature in order to become law. The Governor has not expressed a position on either bill.
What Should Businesses Do?
We recommend that businesses continue to monitor the progress of Michigan Senate Bills 359 and 360. The best way to track this legislation is to subscribe to Fisher Phillips’ Insight System to get the most up-to-date information direct to your inbox. Also:
Consider any necessary changes to your identity theft protection and cyber security practices, particularly focusing on the expanded scope of the definition of personal information and timelines for notification under the proposed bill.
Conduct regular risk assessments and test your Incident Response Plan.
Evaluate your current Privacy Policy to determine any changes that may be required if your business needs to comply with Senate Bill 359.
Get MHF Insights
News and tips for your healthcare freedom.
We never spam you. One-step unsubscribe.























