new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin For the purposes of this
section, the following terms have the meanings given them:
new text end

new text begin (1) "security freeze" means a notice, at the request of the
consumer and subject to certain exceptions, prohibiting the
consumer reporting agency from releasing all or any part of the
consumer's credit report or any information derived from it
without the express authorization of the consumer. If a
security freeze is in place, such a report or information may
not be released to a third party without prior express
authorization from the consumer. This subdivision does not
prevent a consumer reporting agency from advising a third party
that a security freeze is in effect with respect to the
consumer's credit report; and
new text end

new text begin (2) "reviewing the account" or "account review" includes
activities related to account maintenance, monitoring, credit
line increases, and upgrades and enhancements.
new text end

new text begin Subd. 2. new text end

new text begin Timing; covered entities; cost. new text end

new text begin (a) A consumer
may elect to place a security freeze on a credit report by:
new text end

new text begin (1) making a request by certified mail;
new text end

new text begin (2) making a request by telephone by providing certain
personal identification; or
new text end

new text begin (3) making a request directly to the consumer reporting
agency through a secure electronic mail connection if the
connection is made available by the agency.
new text end

new text begin (b) A consumer reporting agency shall place a security
freeze on a consumer's credit report no later than five business
days after receiving a written or telephone request from the
consumer or three business days after receiving a secure
electronic mail request.
new text end

new text begin (c) The consumer reporting agency shall send a written
confirmation of the security freeze to the consumer within five
business days of placing the freeze and at the same time shall
provide the consumer with a unique personal identification
number or password to be used by the consumer when providing
authorization for the release of the consumer's credit for a
specific party or period of time.
new text end

new text begin (d) If the consumer wishes to allow the consumer's credit
report to be accessed for a specific party or period of time
while a freeze is in place, the consumer shall contact the
consumer reporting agency via telephone, certified mail, or
secure electronic mail; request that the freeze be temporarily
lifted; and provide the following:
new text end

new text begin (1) proper identification;
new text end

new text begin (2) the unique personal identification number or password
provided by the consumer reporting agency pursuant to paragraph
(c); and
new text end

new text begin (3) the proper information regarding the third party who is
to receive the credit report or the time period for which the
report must be available to users of the credit report.
new text end

new text begin (e) A consumer reporting agency that receives a request
from a consumer to temporarily lift a freeze on a credit report
pursuant to paragraph (d) shall comply with the request no later
than three business days after receiving the request.
new text end

new text begin (f) A consumer reporting agency may develop procedures
involving the use of telephone or fax, or upon the consent of
the consumer in the manner required by the Electronic Signatures
in Global and National Commerce Act, United States Code, title
15, section 7001 et seq., for legally required notices, by the
Internet, e-mail, or other electronic media to receive and
process a request from a consumer to temporarily lift a freeze
on a credit report pursuant to paragraph (d) in an expedited
manner.
new text end

new text begin (g) A consumer reporting agency shall remove or temporarily
lift a freeze placed on a consumer's credit report only in the
following cases:
new text end

new text begin (1) upon consumer request, pursuant to paragraph (d) or
(j); or
new text end

new text begin (2) if the freeze was due to a material misrepresentation
of fact by the consumer.
new text end

new text begin If a consumer reporting agency intends to remove a freeze upon a
consumer's credit report pursuant to this paragraph, the
consumer reporting agency shall notify the consumer in writing
five business days before removing the freeze on the consumer's
credit report.
new text end

new text begin (h) If a third party requests access to a consumer credit
report on which a security freeze is in effect, and this request
is in connection with an application for credit or any other
use, and the consumer does not allow the consumer's credit
report to be accessed for that specific party or period of time,
the third party may treat the application as incomplete.
new text end

new text begin (i) If a third party requests access to a consumer credit
report on which a security freeze is in effect for the purpose
of receiving, extending, or otherwise using the credit in the
report, and not for the sole purpose of account review, the
consumer reporting agency must notify the consumer that an
attempt has been made to access the credit report.
new text end

new text begin (j) Except as otherwise provided in paragraph (g), clause
(2), a security freeze shall remain in place until the consumer
requests that the security freeze be removed. A consumer
reporting agency shall remove a security freeze within three
business days of receiving a request for removal from the
consumer, who provides both of the following:
new text end

new text begin (1) proper identification; and
new text end

new text begin (2) the unique personal identification number or password
provided by the consumer reporting agency pursuant to paragraph
(c).
new text end

new text begin (k) A consumer reporting agency shall require proper
identification of the person making a request to place or remove
a security freeze.
new text end

new text begin (l) A consumer reporting agency may not suggest or
otherwise state or imply to a third party that the consumer's
security freeze reflects a negative credit score, history,
report, or rating.
new text end

new text begin (m) This section does not apply to the use of a consumer
credit report by any of the following:
new text end

new text begin (1) a person, or the person's subsidiary, affiliate, agent,
or assignee with which the consumer has or, prior to assignment,
had an account, contract, or debtor-creditor relationship for
the purposes of reviewing the account or collecting the
financial obligation owing for the account, contract, or debt;
new text end

new text begin (2) a subsidiary, affiliate, agent, assignee, or
prospective assignee of a person to whom access has been granted
under paragraph (d) for purposes of facilitating the extension
of credit or other permissible use;
new text end

new text begin (3) any person acting pursuant to a court order, warrant,
or subpoena;
new text end

new text begin (4) a state or local agency which administers a program for
establishing and enforcing child support obligations;
new text end

new text begin (5) the Department of Health or its agents or assigns
acting to investigate fraud;
new text end

new text begin (6) the Department of Revenue or its agents or assigns
acting to investigate or collect delinquent taxes or unpaid
court orders to fulfill any of its other statutory
responsibilities;
new text end

new text begin (7) a person for the purpose of prescreening as defined by
the federal Fair Credit Reporting Act;
new text end

new text begin (8) any person or entity administering a credit file
monitoring subscription service to which the consumer has
subscribed; and
new text end

new text begin (9) any person or entity for the purpose of providing a
consumer with a copy of the consumer's credit report upon the
consumer's request.
new text end

new text begin (n) A consumer may not be charged for any security freeze
services, including but not limited to the placement or lifting
of a security freeze. A consumer may be charged no more than $5
only if the consumer fails to retain the original personal
identification number given to the the consumer by the agency,
but the consumer may not be charged for a onetime reissue of the
same or a new personal identification number. The consumer may
be charged no more than $5 for subsequent instances of loss of
the personal identification number.
new text end

new text begin Subd. 3. new text end

new text begin Notice of rights. new text end

new text begin At any time that a consumer
is required to receive a summary of rights required under
section 609 of the federal Fair Credit Reporting Act, the
following notice must be included:
new text end

new text begin "Minnesota Consumers Have the Right
to Obtain a Security Freeze
new text end

new text begin You may obtain a security freeze on your credit report at
no charge to protect your privacy and ensure that credit is not
granted in your name without your knowledge. You have a right
to place a "security freeze" on your credit report pursuant to
........
new text end

new text begin The security freeze will prohibit a consumer reporting
agency from releasing any information in your credit report
without your express authorization or approval.
new text end

new text begin The security freeze is designed to prevent credit, loans,
and services from being approved in your name without your
consent. When you place a security freeze on your credit
report, within five business days you will be provided a
personal identification number or password to use if you choose
to remove the freeze on your credit report or to temporarily
authorize the release of your credit report for a specific
party, parties, or period of time after the freeze is in place.
To provide that authorization, you must contact the consumer
reporting agency and provide all of the following:
new text end

new text begin (1) the unique personal identification number or password
provided by the consumer reporting agency;
new text end

new text begin (2) proper identification to verify your identity; and
new text end

new text begin (3) the proper information regarding the third party or
parties who are to receive the credit report or the period of
time for which the report shall be available to users of the
credit report.
new text end

new text begin A consumer reporting agency that receives a request from a
consumer to lift temporarily a freeze on a credit report shall
comply with the request no later than three business days after
receiving the request.
new text end

new text begin A security freeze does not apply to circumstances where you
have an existing account relationship and a copy of your report
is requested by your existing creditor or its agents or
affiliates for certain types of account review, collection,
fraud control, or similar activities.
new text end

new text begin If you are actively seeking credit, you should understand
that the procedures involved in lifting a security freeze may
slow your own application for credit. You should plan ahead and
lift a freeze, either completely if you are shopping around, or
specifically for a certain creditor, a few days before actually
applying for new credit.
new text end

new text begin You have a right to bring a civil action against someone
who violates your rights under the credit reporting laws. The
action can be brought against a consumer reporting agency or a
user of your credit report.
new text end

new text begin Subd. 4. new text end

new text begin Violations; penalties. new text end

new text begin (a) If a consumer
reporting agency erroneously, whether by accident or design,
violates the security freeze by releasing credit information
that has been placed under a security freeze, the affected
consumer is entitled to:
new text end

new text begin (1) notification within five business days of the release
of the information, including specificity as to the information
released and the third-party recipient of the information;
new text end

new text begin (2) file a complaint with the Federal Trade Commission, the
state attorney general, and the Department of Commerce; and
new text end

new text begin (3) in a civil action against the consumer reporting agency
recover:
new text end

new text begin (i) injunctive relief to prevent or restrain further
violation of the security freeze;
new text end

new text begin (ii) a civil penalty in an amount not to exceed $10,000 for
each violation plus any damages available under other civil
laws; and
new text end

new text begin (iii) reasonable expenses, court costs, investigative
costs, and attorney fees.
new text end

new text begin (b) Each violation of the security freeze must be counted
as a separate incident for purposes of imposing penalties under
this section.
new text end

new text begin Subdivision 1. new text end

new text begin Scope. new text end

new text begin For the purposes of sections
325E.60 to 325E.62, the terms in subdivisions 2 to 10 have the
meanings given.
new text end

new text begin Subd. 2. new text end

new text begin Person. new text end

new text begin "Person" means any individual,
partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency,
or other entity.
new text end

new text begin Subd. 3. new text end

new text begin Consumer. new text end

new text begin "Consumer" means an individual.
new text end

new text begin Subd. 4. new text end

new text begin Consumer reporting agency. new text end

new text begin "Consumer reporting
agency" means any person which, for monetary fees, dues, or on a
cooperative nonprofit basis, regularly engages in whole or in
part in the practice of assembling or evaluating consumer credit
information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses any
means or facility of interstate commerce for the purpose of
preparing or furnishing consumer reports.
new text end

new text begin Subd. 5. new text end

new text begin Consumer report; credit report. new text end

new text begin "Consumer
report" or "credit report" means any written, oral, or other
communication of any information by a consumer reporting agency
bearing on a consumer's creditworthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to
be used or collected in whole or in part for the purpose of
serving as a factor in establishing the consumer's eligibility
for:
new text end

new text begin (1) credit or insurance to be used primarily for personal,
family, or household purposes, except that nothing in sections
325E.60 to 325E.62 authorizes the use of credit evaluations or
credit scoring in the underwriting of personal lines of property
or casualty insurance;
new text end

new text begin (2) employment purposes; or
new text end

new text begin (3) any other purpose authorized under United States Code,
title 15, section 1681b.
new text end

new text begin Subd. 6. new text end

new text begin Identity theft. new text end

new text begin "Identity theft" means theft,
fraud, or attempted theft or fraud committed using any
identifying information of another person.
new text end

new text begin Subd. 7. new text end

new text begin Nonpublic personal information. new text end

new text begin "Nonpublic
personal information" has the meaning given the term under
section 509(4) of the Gramm-Leach-Bliley Act, which defines
"nonpublic personal information" to mean personally identifiable
financial information that is provided by a consumer to a
financial institution, results from any transaction with the
consumer or any service performed for the consumer, or is
otherwise obtained by the financial institution. It also
includes any list, description, or other grouping of consumers
(and publicly available information pertaining to them) that is
derived using any nonpublic personal information other than
publicly available information.
new text end

new text begin Subd. 8. new text end

new text begin Credit card. new text end

new text begin "Credit card" has the same meaning
as in section 103 of the Truth in Lending Act.
new text end

new text begin Subd. 9. new text end

new text begin Debit card. new text end

new text begin "Debit card" means any card or
device issued by a financial institution to a consumer for use
in initiating an electronic fund transfer from the account
holding assets of the consumer at such financial institution,
for the purpose of transferring money between accounts or
obtaining money, property, labor, or services.
new text end

new text begin Subd. 10. new text end

new text begin Credit history. new text end

new text begin "Credit history" means any
written, oral, or other communication of any information by a
consumer reporting agency bearing on a consumer's
creditworthiness, credit standing, or credit capacity that is
used or expected to be used, or collected in whole or in part,
for the purpose of determining personal lines insurance premiums
or eligibility for coverage.
new text end

new text begin Subdivision 1. new text end

new text begin Right to file. new text end

new text begin A person who has learned
or reasonably suspects that he or she has been the victim of
identity theft may contact the local law enforcement agency that
has jurisdiction over his or her actual residence. The local
law enforcement agency shall make a written report of the
matter, and provide the complainant with a copy of that report.
Notwithstanding the fact that jurisdiction may lie elsewhere for
investigation and prosecution of a crime of identity theft, the
local law enforcement agency shall take the complaint and
provide the complainant with a copy of the complaint and may
refer the complaint to a law enforcement agency in that
different jurisdiction.
new text end

new text begin Subd. 2. new text end

new text begin Consequences. new text end

new text begin Nothing in this section
interferes with the discretion of a local police department to
allocate resources for investigations of crimes. A complaint
filed under this section is not required to be counted as an
open case for purposes such as compiling open case statistics.
new text end

new text begin Subdivision 1. new text end

new text begin Judicial determination. new text end

new text begin A person who
reasonably believes that he or she is the victim of identity
theft may petition a court, or the court, on its own motion or
upon application of the prosecuting attorney, may move for an
expedited judicial determination of his or her factual
innocence, where the perpetrator of the identity theft was
arrested for, cited for, or convicted of a crime under the
victim's identity, or where a criminal complaint has been filed
against the perpetrator in the victim's name, or where the
victim's identity has been mistakenly associated with a record
of criminal conviction. Any judicial determination of factual
innocence made pursuant to this section may be heard and
determined upon declarations, affidavits, police reports, or
other material, relevant, and reliable information submitted by
the parties or ordered to be part of the record by the court.
Where the court determines that the petition or motion is
meritorious and that there is no reasonable cause to believe
that the victim committed the offense for which the perpetrator
of the identity theft was arrested, cited, convicted, or subject
to a criminal complaint in the victim's name, or that the
victim's identity has been mistakenly associated with a record
of criminal conviction, the court shall find the victim
factually innocent of that offense. If the victim is found
factually innocent, the court shall issue an order certifying
this determination.
new text end

new text begin Subd. 2. new text end

new text begin Court order. new text end

new text begin After a court has issued a
determination of factual innocence pursuant to this section, the
court may order the name and associated personal identifying
information contained in court records, files, and indexes
accessible by the public deleted, sealed, or labeled to show
that the data is impersonated and does not reflect the
defendant's identity.
new text end

new text begin Subd. 3. new text end

new text begin Documentation. new text end

new text begin Upon making a determination of
factual innocence, the court must provide the consumer written
documentation of such order.
new text end

new text begin Subd. 4. new text end

new text begin Vacating determination. new text end

new text begin A court that has issued
a determination of factual innocence pursuant to this section
may at any time vacate that determination if the petition, or
any information submitted in support of the petition, is found
to contain any material misrepresentation or fraud.
new text end

new text begin Subd. 5. new text end

new text begin Form. new text end

new text begin The Supreme Court shall develop a form
for use in issuing an order pursuant to this section.
new text end

new text begin Subd. 6. new text end

new text begin Database. new text end

new text begin The Department of Public Safety shall
establish and maintain a database of individuals who have been
victims of identity theft and that have received determinations
of factual innocence. The Department of Public Safety shall
provide a victim of identity theft or his or her authorized
representative access to the database in order to establish that
the individual has been a victim of identity theft. Access to
the database shall be limited to criminal justice agencies,
victims of identity theft, and individuals and agencies
authorized by the victims.
new text end

new text begin Subdivision 1. new text end

new text begin Disclosures. new text end

new text begin Every consumer credit
reporting agency shall, upon request from a consumer that is not
covered by the free disclosures provided in United States Code,
title 15, section 1681j, subsections (a) to (d), clearly and
accurately disclose to the consumer:
new text end

new text begin (1) all information in the consumer's file at the time of
the request, except that nothing in this subdivision requires a
consumer reporting agency to disclose to a consumer any
information concerning credit scores or other risk scores or
predictors that are governed by United States Code, title 15,
section 1681g(f);
new text end

new text begin (2) the sources of the information;
new text end

new text begin (3) identification of each person, including each end-user
identified under United States Code, title 15, section 1681e,
that procured a consumer report:
new text end

new text begin (i) for employment purposes, during the two-year period
preceding the date on which the request is made; or
new text end

new text begin (ii) for any purpose, during the one-year period preceding
the date on which the request is made;
new text end

new text begin (4) an identification of a person under clause (3) shall
include:
new text end

new text begin (i) the name of the person or, if applicable, the trade
name (written in full) under which such person conducts
business; and
new text end

new text begin (ii) upon request of the consumer, the address and
telephone number of the person;
new text end

new text begin (5) clause (3) does not apply if:
new text end

new text begin (i) the end user is an agency or department of the United
States government that procures the report from the person for
purposes of determining the eligibility of the consumer to whom
the report relates to receive access or continued access to
classified information (as defined in United States Code, title
15, section 1681b(b)(4)(E)(i)); and
new text end

new text begin (ii) the head of the agency or department makes a written
finding as prescribed under United States Code, title 15,
section 1681b(b)(4)(A);
new text end

new text begin (6) the dates, original payees, and amounts of any checks
upon which is based any adverse characterization of the
consumer, included in the file at the time of the disclosure or
which can be inferred from the file;
new text end

new text begin (7) a record of all inquiries received by the agency during
the one-year period preceding the request that identified the
consumer in connection with a credit or insurance transaction
that was not initiated by the consumer;
new text end

new text begin (8) if the consumer requests the credit file and not the
credit score, a statement that the consumer may request and
obtain a credit score.
new text end

new text begin Subd. 2. new text end

new text begin Cost of disclosure. new text end

new text begin In the case of a request
under subdivision 1, a consumer reporting agency may impose a
reasonable charge on a consumer for making a disclosure pursuant
to this section, which charge must:
new text end

new text begin (1) not exceed $3 for each of the first 12 requests from
the consumer in a calendar year;
new text end

new text begin (2) not exceed $8 for any additional request beyond the
initial 12 requests from the consumer in a calendar year; and
new text end

new text begin (3) be indicated to the consumer before making the
disclosure.
new text end

new text begin Subd. 3. new text end

new text begin Format of disclosure. new text end

new text begin In the case of a request
under subdivision 1, a consumer reporting agency must provide
the consumer with an opportunity to access his or her report
through the following means:
new text end

new text begin (1) in writing;
new text end

new text begin (2) in person, upon the appearance of the consumer at the
place of business of the consumer reporting agency where
disclosures are regularly provided, during normal business
hours, and on reasonable notice;
new text end

new text begin (3) by telephone, if the consumer has made a written
request for disclosure;
new text end

new text begin (4) by electronic means, if the agency offers electronic
access for any other purpose;
new text end

new text begin (5) by any other reasonable means that is available from
the agency.
new text end

new text begin Subd. 4. new text end

new text begin Timing of disclosure. new text end

new text begin A consumer reporting
agency shall provide a consumer report under subdivision 1 no
later than:
new text end

new text begin (1) 24 hours after the date on which the request is made,
if the disclosure is made by electronic means, as requested
under subdivision 3, clause (4); and
new text end

new text begin (2) five days after the date on which the request is made,
if the disclosure is made in writing, in person, by telephone,
or by any other reasonable means that is available from the
agency.
new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin For the purposes of this
section, the following terms shall have the following meanings:
new text end

new text begin (1) "data collector" may include but is not limited to
government agencies, public and private universities, privately
and publicly held corporations, financial institutions, retail
operators, and any other entity which, for any purpose, whether
by automated collection or otherwise, handles, collects,
disseminates, or otherwise deals with nonpublic personal
information;
new text end

new text begin (2) "breach of the security of the system data" means
unauthorized acquisition of computerized data that compromises
the security, and confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition of
personal information by an employee or agent of the agency for a
legitimate purpose of the agency is not a breach of the security
of the system data, provided that the personal information is
not used for a purpose unrelated to the agency or subject to
further unauthorized disclosure. Breach of the security of
noncomputerized data may include but is not limited to
unauthorized photocopying, facsimiles, or other paper-based
transmittal of documents;
new text end

new text begin (3) "personal information" means an individual's first name
or first initial and last name in combination with any one or
more of the following data elements, when either the name or the
data elements are not encrypted or redacted:
new text end

new text begin (i) Social Security number;
new text end

new text begin (ii) driver's license number or state identification card
number;
new text end

new text begin (iii) account number, credit or debit card number, if
circumstances exist wherein such a number could be used without
additional identifying information, access codes, or passwords;
new text end

new text begin (iv) account passwords or personal identification numbers
(PINs) or other access codes;
new text end

new text begin (v) any of items (i) to (iv) when not in connection with
the individual's first name or first initial and last name, if
the information compromised would be sufficient to perform or
attempt to perform identity theft against the person whose
information was compromised.
new text end

new text begin "Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records.
new text end

new text begin Subd. 2. new text end

new text begin Notice of breach. new text end

new text begin (a) Except as provided in
paragraph (b), any data collector that owns or uses personal
information in any form, whether computerized, paper, or
otherwise, that includes personal information concerning a
Minnesota resident shall notify the resident that there has been
a breach of the security that data following discovery or
notification of the breach, without regard for whether or not
the data has or has not been accessed by an unauthorized third
party for legal or illegal purposes. The disclosure
notification must be made in the most expedient time possible
and without unreasonable delay, consistent with the legitimate
needs of law enforcement, as provided in paragraph (b), or with
any measures necessary to determine the scope of the breach and
restore the reasonable integrity, security, and confidentiality
of the data system.
new text end

new text begin (b) The notification required by this section may be
delayed if a law enforcement agency determines that the
notification may impede a criminal investigation. The
notification required by this section shall be made after the
law enforcement agency determines that it will not compromise
the investigation.
new text end

new text begin (c) For purposes of this section, "notice" to consumers may
be provided by one of the following methods:
new text end

new text begin (1) written notice;
new text end

new text begin (2) electronic notice, if the notice provided is consistent
with the provisions regarding electronic records and signatures,
for notices legally required to be in writing, set forth in
United States Code, title 15, section 7001;
new text end

new text begin (3) substitute notice, if the agency demonstrates that the
cost of providing notice would exceed $250,000 or that the
affected class of subject persons to be notified exceeds
500,000, or the agency does not have sufficient contact
information. Substitute notice consists of all of the following:
new text end

new text begin (i) e-mail notice when the agency has an e-mail address for
the subject persons;
new text end

new text begin (ii) conspicuous posting of the notice on the agency's Web
site page, if the agency maintains one; and
new text end

new text begin (iii) notification to major statewide media.
new text end

new text begin Subdivision 1. new text end

new text begin Prohibitions. new text end

new text begin Except as provided in
subdivision 2, a person or entity, including a state or local
agency, may not do any of the following:
new text end

new text begin (1) intentionally communicate or otherwise make available
to the general public an individual's Social Security number;
new text end

new text begin (2) print an individual's Social Security number on any
card required for the individual to access products or services
provided by the person or entity;
new text end

new text begin (3) require an individual to transmit his or her Social
Security number over the Internet, unless the connection is
secure or the Social Security number is encrypted;
new text end

new text begin (4) require an individual to use his or her Social Security
number to access an Internet Web site, unless a password or
unique personal identification number or other authentication
device is also required to access the Internet Web site;
new text end

new text begin (5) print an individual's Social Security number on any
materials that are mailed to the individual, unless state or
federal law requires the Social Security number to be on the
document to be mailed; or
new text end

new text begin (6) sell, lease, loan, trade, rent, or otherwise disclose
an individual's Social Security number to a third party for any
purpose without written consent to the disclosure from the
individual.
new text end

new text begin Subd. 2. new text end

new text begin Nonapplication. new text end

new text begin This section does not apply to
documents that are recorded or required to be open to the public
pursuant to chapter 13. This section does not apply to records
that are required by statute, case law, or court order to be
made available to the public by entities provided for in the
Minnesota Constitution.
new text end

new text begin Subd. 3. new text end

new text begin Health care services. new text end

new text begin In the case of a health
care service plan, a provider of health care, an insurer or a
pharmacy benefits manager, a contractor, or the provision by any
person or entity of administrative or other services relative to
health care or insurance products or services, including
third-party administration or administrative services only, this
section shall become operative no later than July 1, 20...
new text end

new text begin Subd. 4. new text end

new text begin Cooperation. new text end

new text begin Any entity covered by this section
shall make reasonable efforts to cooperate, through systems
testing and other means, to ensure that the requirements of this
section are implemented on or before the dates specified in this
section.
new text end

new text begin Subd. 5. new text end

new text begin Penalties for violations of this section. new text end

new text begin (a) A
person who violates this section is subject to a civil penalty
of not more than $3,000.
new text end

new text begin (b) A person who knowingly violates this section is guilty
of a misdemeanor punishable by imprisonment for not more than ..
days or a fine of not more than $5,000 or both.
new text end

new text begin (c) An individual may bring a civil action against a person
who violates this act and may recover actual damages or $5,000,
whichever is greater, plus reasonable court costs and attorney
fees.
new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin For the purposes of this
section, the following terms shall have the meanings given them:
new text end

new text begin (a) "Business" means sole proprietorship, partnership,
corporation, association, or other group, however organized and
whether or not organized to operate at a profit. The term
includes a financial institution organized, chartered, or
holding a license or authorization certificate under the laws of
this state, any other state, the United States, or any other
country, or the parent or the subsidiary of any such financial
institution. The term also includes an entity that destroys
records.
new text end

new text begin (b) "Dispose" includes:
new text end

new text begin (1) the discarding or abandonment of records containing
personal information; and
new text end

new text begin (2) the sale, donation, discarding, or transfer of any
medium, including computer equipment, or computer media,
containing records of personal information, or other nonpaper
media upon which records of personal information is stored, or
other equipment for nonpaper storage of information.
new text end

new text begin (c) "Personal information" means any information that
identifies, relates to, describes, or is capable of being
associated with a particular individual, including, but not
limited to, a name, signature, Social Security number,
fingerprint, photograph or computerized image, physical
characteristics or description, address, telephone number,
passport number, driver's license or state identification card
number, date of birth, medical information, bank account number,
credit card number, debit card number, or any other financial
information.
new text end

new text begin (d) "Records" means any material on which written, drawn,
spoken, visual, or electromagnetic information is recorded or
preserved, regardless of physical form or characteristics.
"Records" does not include publicly available directories
containing information an individual has voluntarily consented
to have publicly disseminated or listed, such as name, address,
or telephone number.
new text end

new text begin Subd. 2. new text end

new text begin Disposal of records containing personal
information. new text end

new text begin Any business that conducts business in Minnesota
and any business that maintains or otherwise possesses personal
information of residents of Minnesota must take all reasonable
measures to protect against unauthorized access to or use of the
information in connection with, or after its disposal. Such
reasonable measures must include, but may not be limited to:
new text end

new text begin (1) implementing and monitoring compliance with policies
and procedures that require the burning, pulverizing, or
shredding of papers containing personal information so that the
information cannot practicably be read or reconstructed;
new text end

new text begin (2) implementing and monitoring compliance with policies
and procedures that require the destruction or erasure of
electronic media and other nonpaper media containing personal
information so that the information cannot practicably be read
or reconstructed;
new text end

new text begin (3) after due diligence, entering into and monitoring
compliance with a written contract with another party engaged in
the business of record destruction to dispose of personal
information in a manner consistent with this statute. Due
diligence should ordinarily include, but may not be limited to,
one or more of the following: reviewing an independent audit of
the disposal company's operations and/or its compliance with
this statute or its equivalent; obtaining information about the
disposal company from several references or other reliable
sources and requiring that the disposal company be certified by
a recognized trade association or similar third party with a
reputation for high standards of quality review; reviewing and
evaluating the disposal company's information security policies
or procedures; or taking other appropriate measures to determine
the competency and integrity of the disposal company; and
new text end

new text begin (4) for disposal companies explicitly hired to dispose of
records containing personal information: implementing and
monitoring compliance with policies and procedures that protect
against unauthorized access to or use of personal information
during or after the collection and transportation and disposing
of such information in accordance with clauses (1) and (2).
new text end

new text begin Subd. 3. new text end

new text begin Business policy. new text end

new text begin Procedures relating to the
adequate destruction or proper disposal of personal records must
be comprehensively described and classified as official policy
in the writings of the business entity, including corporate and
employee handbooks and similar corporate documents.
new text end

new text begin Subd. 4. new text end

new text begin Penalties and civil liability. new text end

new text begin (a) Any person
or business that violates this section is subject to a civil
penalty of not more than $3,000.
new text end

new text begin (b) Any individual aggrieved by a violation may bring a
civil action in district court to enjoin further violations and
to recover actual damages, costs, and reasonable attorney fees.
new text end