The State of Digital Privacy and Security in Michigan

Posted on Apr 19, 2024 by Elly Hancock

Some states are much worse than others when it comes to protecting your online privacy and security. We wanted to find out if Michigan is among the best or worst states to live in for your digital safety.

In this article, we’ll explore the current laws in place to protect your information, including loopholes and exclusions in Michigan state law. We’ll also take a closer look at cybercrime in Michigan, focusing on known security breaches that have compromised the data of millions of locals in the past.

Looking for a Michigan VPN? You can download PIA to keep your data secure and increase your online privacy. We have servers in all 50 states and in 90+ other countries, too. Our VPN shields your data with powerful encryption, stopping outsiders from seeing what you’re up to or stealing your details.


How Does Michigan Protect Your Online Privacy and Security?

Michigan doesn’t use federal laws to inform its decision-making process. It’s free to draft and introduce new state laws governing how your online privacy and security should be handled, and how companies can use your data. 

While states such as California, Connecticut, and Virginia have made considerable movements toward increasing their citizens’ online privacy, Michigan isn’t quite there yet. Michigan lawmakers submitted the Michigan Personal Data Privacy Act (MPDPA) bill in 2022, which would introduce strict laws around consent, data sharing and processing, and locals’ rights to privacy. The bill has not yet passed at the time of publishing.

Michigan does have some digital privacy and security laws in place, but they aren’t as comprehensive as in some other US states. It also doesn’t impose strict laws preventing surveillance, or restricting sites and platforms from collecting and using your data. This effectively means Michigan residents have little legal protection when they go online. 

Let’s explore which state laws Michigan implements to protect your digital freedom and privacy. 

Internet Privacy Protection Act

Michigan introduced the Internet Privacy Protection Act in 2012, alongside five other US states, to protect the privacy of workers, job applicants, and students. Previously, employers could request passwords for a job applicant’s social media platforms to explore their account activity, including their Facebook, Twitter, and Gmail credentials. They could then refuse to hire a job applicant based on what they uncovered in their accounts. The same applies to educational institutions for prospective or current students, including schools, colleges, and universities.

This act has exceptions, such as when the device has been paid for by the workplace or educational institution. They may also request access to your accounts if there’s suspected misconduct or someone has potentially shared confidential information. 

Alongside account logins, this act also limits websites and online services that gather personal information. Organizations must outline in their privacy policy which information they store, how it’s used, and whether it’s shared with any other third parties. That said, it doesn’t prohibit them from gathering, using, or sharing any of your data.

Identity Theft Protection Act (ITPA)

The Identity Theft Protection Act is one of Michigan’s earliest digital privacy and security laws, introduced in 2004. It provides rules around notifying Michigan citizens if their personal information has been involved in a data breach, or accessed by an unauthorized individual. 

The act outlines that companies must notify Michigan residents of any data breaches that affect them without unreasonable delay, but it doesn’t include a specific time frame. An organization must mention the type of breach, what it has done to mitigate it, and what kind of personal information was leaked. 

In 2010, Governor Jennifer Granholm amended the ITPA to include a new clause that protects residents from phishing scams and other online fraud attempts. It’s now illegal to gather personally identifiable information under false pretenses, whether or not this information will be used to commit a crime. This amendment includes protection against phishing websites, emails, and harmful software.

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) is one of the only federal laws that has mandatory compliance across all US states. This act aims to protect the information of children under the age of 13, mandating that websites and online services must gain parental consent before they collect any personal information. They must also have clear procedures for maintaining the security and privacy of the information they use.

In addition to COPPA, Michigan implemented a Cyberbullying Prevention Law to limit online bullying via electronic devices or on digital platforms such as social media. People who commit these types of offenses can face jail time and fines of $500 or more. 

Michigan schools must also have clear internet safety policies for how they protect children’s information while using school-owned devices, such as tablets and computers. 

Michigan Personal Data Privacy Act (MPDPA)

The Michigan Personal Data Privacy Act (MPDPA) is the first step toward a comprehensive online privacy and data protection law. It was first introduced in late 2022, and modeled after the California Consumer Privacy Act (CCPA), but it hasn’t been approved yet at the time of publishing. 

If introduced, the MPDPA would place heavy restrictions on data brokers, websites, advertisers, and any other businesses that collect, process, and store Michigan residents’ sensitive personal information. This includes information such as social security numbers, financial information, names and addresses, and biometric data. 

If you live in the state, it would give you greater control over your data and how it’s used, with more transparency around how businesses share consumer information, for what purpose, and for how long. This means organizations would also need to introduce clear data protection policies and security provisions for managing your data.

The MPDPA mirrors some provisions of the EU’s General Data Protection Regulation (GDPR), which means businesses can’t process sensitive personal data without explicit consent through opt-in measures. They must give people the right to choose how their data is used. While promising, the Senate is still reviewing MPDPA (Bill 659) with no end date in sight, which raises concerns about the current reality of data privacy for Michiganders. 

Digital Privacy and Security Concerns in Michigan

Consumer Data Protection

Michigan has introduced a new bill to better protect your data, but it’s not in force yet. Without the MPDPA, your data is at risk. The ITPA makes sure you know about security breaches when they occur, but nothing stops your data from being involved in a leak in the first place. You have almost no control over how your data is collected, used, or shared with third parties. This lack of oversight and options to opt out increases the risk of your data being exposed to breaches. 

Even if the MPDPA were introduced, it would only protect sensitive personal data, such as your name, address, and biometric information. It wouldn’t protect data like your search history, browsing habits, and general location. This means companies may still be able to collect and use this information without your consent. They have to tell you how they use this information, but it doesn’t stop them from doing so.

Delays in Reporting Data Breaches

The ITPA makes it clear organizations should report security breaches as soon as reasonably possible, but it doesn’t set any timescale. This means a company could leak your data and potentially not tell you until months after it happened.

In March 2023, for example, a healthcare provider experienced a phishing incident that led to cybercriminals accessing sensitive health data, including names, birth dates, lab results, medical record numbers, and private conversations between doctors and their patients. The provider didn’t inform anyone of this data breach until May, two months after the incident occurred. 

What’s worse, the ITPA states notice is not required if the data breach is considered unlikely to cause substantial loss or injury, or result in identity theft. This is open to the interpretation of the company itself, so in some cases, breaches involving your information could occur without you ever knowing. 

No Additional Provisions for Healthcare Data

Healthcare companies fall under the ITPA in Michigan, but they’re not governed by any additional legislation for reporting breaches. According to Trustwave SpiderLabs, 24% of all cyber attacks in the US in 2022 targeted the healthcare industry. For this reason, many states have implemented additional provisions for healthcare organizations, particularly around informing patients, notification to the state, and state investigation. 

As an example, in Connecticut, healthcare organizations must notify patients of any breaches within 90 days. They must also inform the Department of Attorney General immediately so that appropriate action can be taken. In Michigan, no such requirements exist. This leaves residents’ sensitive healthcare information at risk of exposure, with few repercussions for companies involved with data breaches. 

Federal Surveillance

Reports surfaced in 2021 of unknown software which allowed Michigan State Police to harvest data from residents. This included gathering data from social media accounts, Amazon, dating apps, the dark web, and other internet sites to help with their investigations and identify or profile individuals of interest. 

In 2015, it was also revealed that the Michigan FBI had been using cell-site simulators (also known as Stingrays) to spy on residents’ mobile phones without disclosing it to the public. According to reports, the FBI had been using this method to gather data for many years before the media became aware of it. This raises many questions about online privacy in Michigan, particularly if you’re being monitored without your knowledge.

To help combat online surveillance, you can use PIA VPN. Our VPN uses powerful encryption to mask your online activity, so outsiders can’t see what you’re doing – including your ISP. This helps to prevent any third party from tracking your online habits by monitoring which websites you’re visiting so they can digitally profile you.


Workplace Surveillance

Workplace surveillance is commonplace in Michigan. Although employers can no longer request passwords to view your social media accounts, they can still monitor activities within the workplace. This is standard in many countries and states, allowing employers to see what employees do on their devices, including their search history, visited websites, messages, and email content. 

Employers also often install firewalls to restrict access to certain platforms and websites, such as social media and streaming sites. Some workplaces may have disciplinary measures in place if employees try to access restricted websites. This is why some employees like to use VPNs to protect their privacy and unblock websites at work. It’s also useful when working remotely. A VPN encrypts your connection to keep your sensitive workplace communications concealed. You can try PIA VPN and connect to one of our secure servers in Michigan to boost your workplace privacy. 

A Closer Look at Michigan Cybercrime 

Cybercrime in Michigan is increasing. Over the last few years, Michigan has consistently been ranked by the FBI as one of the top 10 states for monetary losses caused by online fraud and the number of victims of cybercrime. In 2022, Michigan ranked 3rd, with 13,566 victims. This is an increase from around 11,000 victims in 2021.

In total, victims of cybercrime in Michigan lost over $177 million in 2022, with the five most common attacks being phishing, data breaches, non-payment/non-delivery, extortion, and tech support. Identity theft, credit card fraud, ransomware, and direct data breaches are also common. In fact, Michigan has made headlines several times in recent years for large and costly data breaches affecting its residents, especially within healthcare. Let’s take a quick look at some of the most recent breaches in the state.

Welltok Healthcare Data Breach

The November 2023 Welltok breach reportedly compromised the data of over 1 million Michiganders. Welltok is a software company that provides communication services for Corewell Health and Priority Health, two well-known healthcare giants. In the breach, a cybercriminal managed to exploit a vulnerability in one of their systems, the MOVEit Transfer server. This server was responsible for securely transferring sensitive information about patients.

The breach compromised various types of sensitive personal data, including names, addresses, health insurance numbers, phone numbers, and medical records. Although Welltok did inform affected individuals of the security breach, it wasn’t reported until two months later when the company reviewed its internal systems. During the two months, cybercriminals had full access to all the patient data on the MOVEit Transfer server.  

HealthEC Data Breach

While dealing with the aftermath of the Welltok breach, Michigan residents were informed of another healthcare cybersecurity incident just a month later, in December 2023. This time, HealthEC, a vendor supplying health management software, fell victim to cybercriminals’ tactics.

Cybercriminals identified a vulnerability in their systems, allowing unauthorized access to servers storing patient data. This included sensitive data such as social security numbers, medical records, and interactions between patients and healthcare professionals. The breach exposed almost 4.5 million records affecting over 1 million patients. 

A statement published by HealthEC explains the breach came to light in July 2023, when cybercriminals began copying files. HealthEC began to inform their clients in October 2023, and patients were informed in December.

McLaren Healthcare Data Breach

In September 2023, McLaren Healthcare temporarily shut down the computer networks at 14 Michigan healthcare facilities after they detected suspicious and unauthorized activity on their servers. Reports suggest the breach exposed approximately 2.2 million patient records containing sensitive personal data, from names and addresses to health insurance numbers and billing details. 

McLaren Healthcare claimed the breach occurred between July and August 2023. In October 2023, a cybercriminal ransomware group named ALPHV/BlackCat publicly admitted to committing the data breach. The group suggested they had stolen around 6 terabytes of patient data. They said this information related to 2.5 million patients and threatened to sell the data on the dark web.

Patients were informed of the ransomware attack in November 2023, though McLaren Healthcare didn’t specify exactly which data was compromised or which systems the breach affected. 

University of Michigan

The University of Michigan fell victim to a cyber attack in August 2023. The University discovered unauthorized access to its systems, forcing it to shut them down and move students offline. Cybercriminals were able to access confidential student information stored on the campus’s servers, such as driver’s license numbers, social security numbers, and financial information.

The breach was reported to have affected around 63,000 people in total, including students, applicants, and employees. After discovering the breach, the University of Michigan hired external cybersecurity professionals to help contain it and minimize the impact on individuals. It then began to inform people who had been affected in October, two months after it occurred.

Boost Your Digital Privacy and Security in Michigan 

Michigan doesn’t have any comprehensive laws in place to protect your digital privacy. Websites, advertisers, and other third parties are free to monitor and gather your information without your consent and share it however they please. Your data could end up anywhere without you knowing, including on the dark web. 

Phishing scams and ransomware attacks are common in Michigan. Even your most private and sensitive information isn’t safe. Healthcare attacks are growing throughout the US, but Michigan has experienced more than most states in the last year alone.

To help strengthen your digital security and privacy, consider downloading a VPN. PIA protects your traffic using some of the strongest encryption methods available today, moving your data through a secure VPN tunnel. If a cybercriminal manages to exploit a security loophole in a network, they still can’t see what you’re doing on the network if you use a VPN, because they can’t get through the encrypted tunnel. It shields your activity from anyone on the network, stopping outsiders from snooping on your information, including your online searches and private communications. 

PIA VPN also swaps your IP address with another from one of our worldwide network of VPN servers, including fast 10-Gbps servers in Michigan. Any on-site trackers and cookies logging your information can only link it back to the VPN server’s IP address, not your real one. This limits how much information third parties have about you because they can’t link activity back to your real IP address. That’s especially important in Michigan, where third parties can collect just about any data they like without telling you. 

Be aware: A VPN can’t stop websites from tracking you if you’re logged into your account while connected. Sites like Facebook and Google will see that you’re using a different IP address, but they still know it’s you if you’re logged in. Anything you do online can be tracked to your profile. If you want to boost your privacy further, try using different names and email addresses for some accounts to minimize profiling.


Take Control of Your Online Privacy

Michigan’s MPDPA will give you much greater control over your information and who has access to it, but the bill hasn’t yet passed. Third parties can track your every online move, and they don’t even need to ask your permission. If a data breach leaks your information, local laws only dictate they tell you without unreasonable delay. It’s up to the company to decide how to interpret that. 

So what can you do? The best thing you can do is take matters into your own hands. You can boost your online privacy with PIA VPN by encrypting your online traffic and limiting the amount of data third parties can gather from you. It won’t make you invisible, but it will help protect your privacy and make your devices more secure. If you’re ready to bolster your online protection, you can try PIA risk-free with a 30-day money-back guarantee.

FAQ

Which US states have the strictest privacy laws?

Some of the US states with the strictest privacy laws include California, Colorado, Connecticut, and Utah. California is well-known for its comprehensive California Consumer Privacy Act (CCPA), which gives residents greater control over their digital information. It mandates that websites and third parties must gain consent before tracking information, give users the right to opt out of data processing, and provide clear privacy policies that outline how data is used, stored, and shared. 

Does Michigan have privacy laws?

Michigan has some online privacy laws in place, including the Internet Privacy Protection Act and the Identity Theft Protection Act (ITPA). The Internet Privacy Protection Act stops employers and schools from requesting passwords to look through individuals’ online accounts. It also ensures websites lay out clear privacy policies about how they use your data. The ITPA requires companies to notify their customers of data breaches without unreasonable delay. 

What is the data protection law in Michigan?

Michigan doesn’t have any comprehensive laws in place to protect residents’ data security and privacy. It has the Internet Privacy Protection Act and the Identity Theft Protection Act to enforce notifications about breaches and stop workplaces or schools from accessing passwords to monitor personal accounts. The Michigan Personal Data Privacy Act (MPDPA) was introduced in 2022, but hasn’t been passed by the state. The bill would provide more rules around consent for data collection, as well as how data is used and shared.

What is the Michigan Personal Data Privacy Act (MPDPA)?

The Michigan Personal Data Privacy Act (MPDPA) is a proposed bill, first introduced in 2022. It would place strict controls on data brokers, websites, advertisers, and other third parties that collect and store sensitive personal information. The MPDPA would require consent for data collection and processing, and give users greater control over how their sensitive personal data is used, including a right to opt out.