Minnesota Legislature

SF 1307

1st Engrossment - 84th Legislature (2005 - 2006) Posted on 12/15/2009 12:00am

KEY: stricken = removed, old language.
underscored = added, new language.

Bill Text Versions

Engrossments
Introduction Posted on 02/25/2005
1st Engrossment Posted on 04/07/2005

Current Version - 1st Engrossment


A bill for an act
relating to consumer protection; requiring disclosure
to consumers of a breach in security by businesses
maintaining personal information in electronic form;
proposing coding for new law in Minnesota Statutes,
chapter 325G.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

[325G.48] BUSINESS MAINTAINING COMPUTERIZED
DATA THAT INCLUDES PERSONAL INFORMATION; DISCLOSURE OF BREACH IN
SECURITY.

Subdivision 1. Definitions. For purposes of this
section, the terms defined in this subdivision have the meanings
given them.

(a) "Breach of the security of the system" means
unauthorized acquisition of computerized data that compromises
the security, confidentiality, or integrity of personal
information maintained by the person or business. Good faith
acquisition of personal information by an employee or agent of
the person or business for the purposes of the person or
business is not a breach of the security of the system, provided
that the personal information is not used or subject to further
unauthorized disclosure.

(b) "Personal information" means an individual's first name
or first initial and last name in combination with any one or
more of the following data elements, when either the name or the
data elements are not encrypted:

(1) Social Security number;

(2) driver's license number or Minnesota identification
card number; or

(3) account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account.

Personal information does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records.

Subd. 2. Notice to consumers. Any person or business
that conducts business in Minnesota, and that owns or licenses
computerized data that includes personal information, shall
disclose any breach of the security of the system following
discovery or notification of the breach in the security of the
data to any resident of Minnesota whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. The disclosure must be made
in the most expedient time possible and without unreasonable
delay, consistent with the legitimate needs of law enforcement,
as provided in subdivision 4, or any measures necessary to
determine the scope of the breach and restore the reasonable
integrity of the data system.

Subd. 3. Notice to owner or licensee of personal
information. Any person or business that maintains data that includes
personal information shall notify the owner or licensee of the
information of any breach of the security of the data, including
the nature of the personal information taken, immediately
following discovery, if the personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person.

Subd. 4. Delayed notice. The notification required by
this section may be delayed to a date certain if a law
enforcement agency affirmatively determines that the
notification will impede a criminal investigation.

Subd. 5. Method of notice. Notice under this section
shall be provided by one of the following methods:

(1) written notice to the last known address or addresses;

(2) electronic notice, if the notice provided is consistent
with the provisions regarding electronic records and signatures
set forth in United States Code, title 15, section 7001;

(3) substitute notice, if the person or business
demonstrates that the cost of providing notice would exceed
$250,000, or that the affected class of subject persons to be
notified exceeds 500,000, or the person or business does not,
after a good-faith effort to acquire it, have sufficient contact
information. Substitute notice consists of all of the following:

(i) e-mail notice when the person or business has an e-mail
address for the subject persons;

(ii) conspicuous posting of the notice on the Web site page
of the person or business, if the person or business maintains
one; and

(iii) notification to major statewide media.

Subd. 6. Alternate compliance. Notwithstanding
subdivision 5, a person or business that maintains notification
procedures in accordance with state and federal law as part of
an information security policy for the treatment of personal
information in accordance with state and federal law and is
otherwise consistent with the timing requirements of this
section, is considered to be in compliance with the notification
requirements of this section if the person or business notifies
subject persons in accordance with its policies in the event of
a breach of security of the system.

Subd. 7. Coordination with consumer reporting agencies.
In the event that a person or business discovers circumstances
requiring notification pursuant to this section of more than 100
persons at one time, the person or business shall also notify,
within 48 hours, all consumer reporting agencies that compile
and maintain files on consumers on a nationwide basis, as
defined by United States Code, title 15, section 1681A, of the
timing, distribution, and content of the notices.

Subd. 8. Enforcement. This section may be enforced
pursuant to section 8.31, subdivisions 1 and 3a.

Sec. 2. EFFECTIVE DATE.

This act takes effect January 1, 2006.