Politicians in the state of Michigan are trying to get the state to join the raft of states attempting to pass new data protection legislation to safeguard citizens' personal information.

Senate Bill No. 672, introduced by Senator Wayne Schmidt (and sponsored by Senators Adam Hollier, Kenneth Horn, Marshall Bullock, Curtis VanderWall) earlier this fall, would encourage organizations to establish, maintain, and comply with a written cybersecurity program.

As part of the legislation, the program would have to contain "administrative, technical, and physical safeguards for the protection of personal information that and personal identifying information” that reasonably conforms to the current version of an industry-recognized cybersecurity framework or a combination of those frameworks.

The legislation cites frameworks like the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure, FISMA, HIPAA, and PCI-DSS, to name a few.

The legislation would technically amend the 2004 Identity Theft Protection Act, designed to prohibit identity theft and require notification of a security breach. Absent from the bill has largely been defense, namely any means to address best practices around mitigating identity theft and security breaches in the first place.

The goal of having a cybersecurity program in place is to safeguard data. The bill's amendment outlines the following stupulations:

• Protect the security and confidentiality of personal information and personal identifying information.
• Protect against anticipated threats or hazards to the security or integrity of personal information and personal identifying information.
• Protect against unauthorized access to and acquisition of personal information and personal identifying information that is likely to result in a material risk of identity theft to the individual to whom the personal information and personal identifying information relate.

While it's unclear whether there will any immediate movement on the bill - Governor Gretchen Whitmer vetoed similar legislation, the Data Breach Notification Act, earlier this year - Michigan's legislature tracker points out its been referred to the Committee on Energy and Technology for further review.

The Data Breach Notification Act, for those curious, would have required organizations with more than 50 employees to adopt data security measures and look into data breaches and provide notice within 45 days. It also would have compelled organizations to implement reasonable data security policies.

While encouraging, even if Schmidt's amendement does move forward, it doesn't necessarily mean that those who fail to comply will be held accountable. As the Senator recently told Government Technology, enforcing these practices will be a voluntary effort. “

“Designing something that protects identities for businesses is a bigger part of it all," he told the publication, “they are encouraged to use best practices and to put out well-written cyber programs. The goal is to stay ahead of the bad guy and encourage businesses to follow these guidelines, which I think this bill does.”