Minnesota Legislature
HF 2843
as introduced - 84th Legislature (2005 - 2006) Posted on 12/15/2009 12:00am
1.9 1.10 1.11 1.12 1.13 1.14 1.15
1.16 1.17 1.18 1.19 1.20 1.21 1.22 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24
2.25
2.26 2.27 2.28 2.29 2.30 2.31 2.32 2.33 2.34 2.35 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19
3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 3.32 3.33 3.34 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 4.32 4.33 4.34 4.35 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9
5.10 5.11 5.12 5.13 5.14 5.15
5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23
5.24 5.25 5.26 5.27 5.28 5.29 5.30 5.31 5.32 5.33
6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18
6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26 6.27 6.28 6.29 6.30 6.31 6.32 6.33 6.34 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10 7.11 7.12 7.13 7.14
7.15
7.16 7.17 7.18 7.19 7.20 7.21 7.22 7.23 7.24 7.25 7.26 7.27 7.28 7.29 7.30 7.31 7.32 7.33 7.34 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.10 8.11 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.19 8.20 8.21 8.22
8.23 8.24
8.25 8.26 8.27 8.28 8.29 8.30 8.31 8.32
A bill for an act
relating to consumer protections; reducing identity theft and assisting its
victims; providing penalties; amending Minnesota Statutes 2004, sections
13.05, subdivision 5; 138.17, subdivision 7; 609.527, by adding a subdivision;
Minnesota Statutes 2005 Supplement, section 325E.61, subdivisions 1, 4;
proposing coding for new law in Minnesota Statutes, chapters 13C; 325E; 325G;
609.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1.
Minnesota Statutes 2004, section 13.05, subdivision 5, is amended to read:
Subd. 5.
Data protection.
The responsible authority shall (1) establish procedures
to assure that all data on individuals is accurate, complete, and current for the purposes for
which it was collected; and (2) establish appropriate security safeguards for all records
containing data on individuals.new text begin When confidential or private data is being disposed of,
"appropriate security safeguards" means that the data is destroyed in a way that prevents
its contents from being determined.
new text end
Sec. 2.
new text begin
[13C.015] SECURITY FREEZES ON CREDIT REPORTS REGARDING
MINORS.
new text end
new text begin Subdivision 1. new text end
new text begin Definitions. new text end
new text begin
(a) For purposes of this section, the terms defined in this
subdivision have the meanings given them.
new text end
new text begin
(b) "Guardian" means a guardian as defined under section 524.5-102, subdivision 5.
new text end
new text begin
(c) "Minor" means an individual under the age of 18 years.
new text end
new text begin
(d) "Parent" means a person who has legal and physical custody of a child.
new text end
new text begin
(e) "Security freeze" means a situation in which a consumer reporting agency will
not provide a consumer report about a specific consumer to anyone, without a request from
the parent or guardian specifying the entity to whom a consumer report may be provided.
new text end
new text begin Subd. 2. new text end
new text begin
Security freeze required at request of parent or guardian of minor.
new text end
new text begin
(a) A consumer reporting agency shall impose a security freeze on the credit reports of
a minor at the written request of a parent or guardian of the minor. The written request
must include:
new text end
new text begin
(1) the full name and address, date of birth, and Social Security number of the minor;
new text end
new text begin
(2) the full name and address of the parent or guardian making the request;
new text end
new text begin
(3) a statement that the requesting parent or guardian is a custodial parent or
guardian of the minor; and
new text end
new text begin
(4) the signature of the requesting parent or guardian and the date of the signature.
new text end
new text begin
(b) The requesting parent or guardian need not give a reason for the request.
new text end
new text begin
(c) The security freeze must remain in place until the minor reaches the age of 18
years, unless terminated sooner at the request of the parent or guardian who requested
the freeze.
new text end
new text begin
(d) The security freeze must terminate automatically when the minor reaches of
the age of 18 years.
new text end
new text begin Subd. 3. new text end
new text begin Deadlines for imposition of freeze and notice. new text end
new text begin
(a) The consumer
reporting agency must impose the freeze no later than 15 days after its receipt of a request
that complies with this section.
new text end
new text begin
(b) The consumer reporting agency must notify the requesting person of its
imposition of the security freeze or of the request??a??a??s insufficiency under this section no
later than 20 days after its receipt of the request.
new text end
new text begin EFFECTIVE DATE. new text end
new text begin
This section is effective August 1, 2006.
new text end
Sec. 3.
Minnesota Statutes 2004, section 138.17, subdivision 7, is amended to read:
Subd. 7.
Records management program.
A records management program for the
application of efficient and economical management methods to the creation, utilization,
maintenance, retention, preservation, and disposal of official records shall be administered
by the commissioner of administration with assistance from the director of the historical
society. The State Records Center which stores and services state records not in state
archives shall be administered by the commissioner of administration. The commissioner
of administration is empowered to (1) establish standards, procedures, and techniques for
effective management of government records, (2) make continuing surveys of paper work
operations, and (3) recommend improvements in current records management practices
including the use of space, equipment, and supplies employed in creating, maintaining,
preserving and disposing of government records. It shall be the duty of the head of each
state agency and the governing body of each county, municipality, and other subdivision
of government to cooperate with the commissioner in conducting surveys and to establish
and maintain an active, continuing program for the economical and efficient management
of the records of each agency, county, municipality, or other subdivision of government.
When requested by the commissioner, public officials shall assist in the preparation of
an inclusive inventory of records in their custody, to which shall be attached a schedule,
approved by the head of the governmental unit or agency having custody of the records
and the commissioner, establishing a time period for the retention or disposal of each
series of records. When the schedule is unanimously approved by the records disposition
panel, the head of the governmental unit or agency having custody of the records may
dispose of the type of records listed in the schedule at a time and in a manner prescribed
in the schedule for particular records which were created after the approval. A list of
records disposed of pursuant to this subdivision shall be maintained by the governmental
unit or agency.new text begin When records containing confidential data as defined in section 13.02,
subdivision 3, or private data as defined in section 13.02, subdivision 12, are being
disposed of under this subdivision, the records must be destroyed in a way that prevents
their contents from being determined.
new text end
Sec. 4.
Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 1, is
amended to read:
Subdivision 1.
Disclosure of personal information; notice required.
(a) Any
person or business that conducts business in this state, and that owns or licenses data that
includes personal information, shall disclose any breach of the security of the system
following discovery or notification of the breach in the security of the data to any resident
of this state whose unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay, consistent with the legitimate
needs of law enforcement, as provided in paragraph (c), or with any measures necessary
to determine the scope of the breach, identify the individuals affected, and restore the
reasonable integrity of the data system.
(b) Any person or business that maintains data that includes personal information
that the person or business does not own shall notify the owner or licensee of the
information of any breach of the security of the data immediately following discovery,
if the personal information was, or is reasonably believed to have been, acquired by
an unauthorized person.
(c) The notification required by this section may be delayed to a date certain if a law
enforcement agency affirmatively determines that the notification will impede a criminal
investigation.
(d) For purposes of this section, "breach of the security of the system" means
new text begin successful new text end unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information maintained by the person or business.
Good faith acquisition of personal information by an employee or agent of the person or
business for the purposes of the person or business is not a breach of the security system,
provided that the personal information is not used or subject to further unauthorized
disclosure.
(e) For purposes of this section, "personal information" means an individual's first
name or first initial and last name in combination with any one or more of the following
data elements, when either the name or the data elements is not encrypted:
(1) Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any required
security code, access code, or password that would permit access to an individual's
financial account.
(f) For purposes of this section, "personal information" does not include publicly
available information that is lawfully made available to the general public from federal,
state, or local government records.
(g) For purposes of this section, "notice" may be provided by one of the following
methods:
(1) written notice to the most recent available address the person or business has
in its records;
(2) electronic notice, if the notice provided is consistent with the provisions
regarding electronic records and signatures in United States Code, title 15, section 7001; or
(3) substitute notice, if the person or business demonstrates that the cost of providing
notice would exceed $250,000, or that the affected class of subject persons to be notified
exceeds 500,000, or the person or business does not have sufficient contact information.
Substitute notice must consist of all of the following:
(i) e-mail notice when the person or business has an e-mail address for the subject
persons;
(ii) conspicuous posting of the notice on the Web site page of the person or business,
if the person or business maintains one; and
(iii) notification to major statewide media.
(h) Notwithstanding paragraph (g), a person or business that maintains its own
notification procedures as part of an information security policy for the treatment of
personal information and is otherwise consistent with the timing requirements of this
section, shall be deemed to be in compliance with the notification requirements of this
section if the person or business notifies subject persons in accordance with its policies in
the event of a breach of security of the system.
Sec. 5.
Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 4, is
amended to read:
Subd. 4.
Exemption.
This section does not apply to any "financial institution"
as defined by United States Code, title 15, section 6809(3)deleted text begin , and to entities subject to
the federal privacy and security regulations adopted under the federal Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191deleted text end .
Sec. 6.
new text begin
[325E.62] RESPONSIBLE DISPOSAL OF PERSONAL INFORMATION.
new text end
new text begin
(a) Any individual or business entity, including any nonprofit entity, that conducts
business in this state must dispose of its paper or electronic records containing personal
information regarding customers, employees, and other persons only in a manner that
prevents their contents from being determined.
new text end
new text begin
(b) For purposes of this section, "personal information" has the meaning given in
section 325E.61, subdivision 1.
new text end
new text begin
(c) The attorney general shall enforce this section under section 8.31.
new text end
Sec. 7.
new text begin
[325E.63] CREDIT FREEZE REGARDING MINORS.
new text end
new text begin Subdivision 1. new text end
new text begin Definitions. new text end
new text begin
(a) For purposes of this section, the terms defined in this
subdivision have the meanings given them.
new text end
new text begin
(b) "Creditor" means a person or entity doing business in this state.
new text end
new text begin
(c) "Guardian" means a guardian as defined under section 524.5-102, subdivision 5.
new text end
new text begin
(d) "Minor" means an individual under the age of 18 years.
new text end
new text begin
(e) "Parent" means a person who has legal and physical custody of a child.
new text end
new text begin Subd. 2. new text end
new text begin Credit freeze. new text end
new text begin
No creditor shall offer or provide credit to a minor except
at the written request of the parent or guardian of the minor, until the minor reaches the
age of 18 years.
new text end
Sec. 8.
new text begin
[325G.052] CREDIT CARD OFFERS AND SOLICITATIONS; ADDRESS
VERIFICATIONS.
new text end
new text begin
(a) A credit card issuer that mails an offer or solicitation to receive a credit card and,
in response, receives a completed application for a credit card that lists an address that is
different from the address on the offer or solicitation shall verify the change of address by
contacting the person to whom the solicitation or offer was mailed.
new text end
new text begin
(b) Notwithstanding any other provision of law, a person to whom an offer or
solicitation to receive a credit card is made is not liable for the unauthorized use of a
credit card issued in response to that offer or solicitation if the credit card issuer does not
verify the change of address pursuant to paragraph (a) before the issuance of the credit
card, unless the credit card issuer proves that this person actually incurred the charge
on the credit card.
new text end
new text begin
(c) When a credit card issuer receives a written or oral request for a change of the
cardholder's billing address and then receives a written or oral request for an additional
credit card within ten days after the requested address change, the credit card issuer shall
not mail the requested additional credit card to the new address or, alternatively, activate
the requested additional credit card, unless the credit card issuer has verified the change
of address.
new text end
Sec. 9.
Minnesota Statutes 2004, section 609.527, is amended by adding a subdivision
to read:
new text begin Subd. 8. new text end
new text begin Identity theft passport. new text end
new text begin
(a) For purposes of this subdivision:
new text end
new text begin
(1) "identity theft" means a violation of subdivision 2; and
new text end
new text begin
(2) "identity theft passport" means a card or certificate issued by the attorney general
that identifies a person who has filed with a local or state law enforcement agency in this
state a signed written report that the person is a victim of an alleged crime of identity theft.
new text end
new text begin
(b) A person who is a victim of identity theft in this state, or who is a resident of
this state, and who has filed with a law enforcement agency in this state a signed written
report stating that the person is a victim of identity theft, may apply for an identity theft
passport through any law enforcement agency of this state.
new text end
new text begin
(c) A law enforcement agency that receives an application for an identity theft
passport shall submit the application and a copy of the written report to the attorney
general for processing and issuance of an identity theft passport to the applicant.
new text end
new text begin
(d) The attorney general, in cooperation with a law enforcement agency, may issue
an identity theft passport under this subdivision to a victim of identity theft.
new text end
new text begin
(e) A person who has been issued an identity theft passport under this subdivision
may present it to:
new text end
new text begin
(1) a law enforcement agency to aid in the investigation of identity theft or to help
prevent the arrest or prosecution of the person for an offense committed by another person
using the identity of the holder of the passport; or
new text end
new text begin
(2) a creditor to aid in the investigation of any fraudulent account opened in the
person's name or of any fraudulent charge made against an account in the person's name.
new text end
new text begin
(f) A law enforcement agency or creditor that is presented with an identity theft
passport has sole discretion to accept or reject the passport. In making that determination,
the law enforcement agency or creditor may consider the surrounding circumstances and
available information regarding the alleged identity theft.
new text end
new text begin
(g) An application for an identity theft passport, including any supporting
documentation, is private data on individuals as defined in section 13.02, subdivision 12,
except that it may be released to a law enforcement agency in this or another state.
new text end
new text begin EFFECTIVE DATE. new text end
new text begin
This section is effective August 1, 2006.
new text end
Sec. 10.
new text begin
[609.822] SKIMMING CARD FRAUD.
new text end
new text begin Subdivision 1. new text end
new text begin Short title. new text end
new text begin
This section shall be cited as the "Anti-Skimming Act."
new text end
new text begin Subd. 2. new text end
new text begin Definitions. new text end
new text begin
As used in this section, the following terms have the meanings
given them.
new text end
new text begin
(a) "Card" means a payment card or a government-issued identification card.
new text end
new text begin
(b) "Government-issued identification card" means a driver's license, state
identification card, passport, Social Security card, or other government-issued card that
contains personally identifiable information about the person to whom it was issued, and
that permits the user to obtain, purchase, or receive goods, services, money, or anything of
value from a merchant.
new text end
new text begin
(c) "Merchant" means an owner or operator of a retail mercantile establishment or an
agent, employee, lessee, consignee, officer, director, franchisee, or independent contractor
of the owner or operator, who receives from an authorized user of a card, or from someone
the person believes to be an authorized user, a card or information from a card, or what the
person believes to be a card or information from a card, as the instrument for obtaining,
purchasing, or receiving goods, services, money, or anything of value from the person.
new text end
new text begin
(d) "Payment card" means a credit card, charge card, debit card, or any other card
that is issued to an authorized card user and that allows the user to obtain, purchase, or
receive goods, services, money, or anything of value from a merchant.
new text end
new text begin
(e) "Re-encoder" means an electronic device that places encoded information from
the magnetic strip or stripe of a card onto the magnetic strip or stripe of a different card.
new text end
new text begin
(f) "Scanning device" means a scanner, reader, or any other electronic device that
is used to access, read, scan, obtain, memorize, or store, temporarily or permanently,
information encoded on the magnetic strip or stripe of a card.
new text end
new text begin new text end
new text begin new text end
new text begin new text end
new text begin Subd. 3. new text end
new text begin Skimming card fraud. new text end
new text begin
(a) A person who does any of the following
commits skimming card fraud:
new text end
new text begin
(1) uses a scanning device to access, read, obtain, memorize, or store, temporarily or
permanently, information encoded on the magnetic strip or stripe of a card without the
permission of the authorized user of the card and with the intent to defraud the authorized
user, the issuer of the authorized user's card, or a merchant; or
new text end
new text begin
(2) uses a re-encoder to place information encoded on the magnetic strip or stripe of
a card onto the magnetic strip or stripe of a different card without the permission of the
authorized user of the card from which the information is being re-encoded and with the
intent to defraud the authorized user, the issuer of the authorized user's card, or a merchant.
new text end
new text begin Subd. 4. new text end
new text begin Penalties. new text end
new text begin
(a) If no money, property, or services is obtained by skimming
card fraud, as defined in subdivision 3, the person shall be sentenced to imprisonment for
not more than 90 days, or to payment of a fine of not more than $1,000.
new text end
new text begin
(b) If money, property, or services is obtained by skimming card fraud, as defined
in subdivision 3, the value of the loss shall be determined as provided in section 609.52,
subdivision 1, clause (3), and the person obtaining the money, property, or services may be
sentenced as provided in section 609.52, subdivision 3.
new text end
new text begin EFFECTIVE DATE. new text end
new text begin
This section is effective August 1, 2006, and applies to crimes
committed on or after that date.
new text end
Sec. 11. new text begin ADMISSIBILITY OF EVIDENCE OF IDENTITY THEFT; REQUEST
TO SUPREME COURT.
new text end
new text begin
The Minnesota Supreme Court is requested to consider amending its rules of
evidence to permit admission of business records, at least in civil and criminal cases
alleging identity theft, based upon an authenticating affidavit of the custodian of the
business records, rather than requiring the in-person authentication testimony of the
custodian of the business records. One model for such a rule is California Evidence Code,
sections 1560 to 1567.
new text end