Minnesota Legislature

HF 3963

as introduced - 84th Legislature (2005 - 2006) Posted on 12/15/2009 12:00am

KEY: stricken = removed, old language.
underscored = added, new language.

A bill for an act
relating to consumer protection; regulating the disclosure of personal information
by data warehouses; providing notice content requirements; removing an
exemption for financial institutions and health care entities; amending Minnesota
Statutes 2005 Supplement, section 325E.61, subdivision 1, by adding a
subdivision; repealing Minnesota Statutes 2005 Supplement, section 325E.61,
subdivision 4.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 1, is
amended to read:


Subdivision 1.

Disclosure of personal information; notice required.

(a) Any
person or business that conducts business in this state, and that owns or licenses data that
includes personal information, shall disclose any breach of the security of the system
following discovery or notification of the breach in the security of the data to any resident
of this state whose unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay, consistent with the legitimate
needs of law enforcement, as provided in paragraph (c), or with any measures necessary
to determine the scope of the breach, identify the individuals affected, and restore the
reasonable integrity of the data system.

(b) Any person or business that maintains data that includes personal information
that the person or business does not own shall notify the owner or licensee of the
information of any breach of the security of the data immediately following discovery,
if the personal information was, or is reasonably believed to have been, acquired by
an unauthorized person.

(c) The notification required by this section may be delayed to a date certain if a law
enforcement agency affirmatively determines that the notification will impede a criminal
investigation.

(d) For purposes of this section, "breach of the security of the system" means
unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information maintained by the person or business.
Good faith acquisition of personal information by an employee or agent of the person or
business for the purposes of the person or business is not a breach of the security system,
provided that the personal information is not used or subject to further unauthorized
disclosure.

(e) For purposes of this section, "personal information" means an individual's first
name or first initial and last name in combination with any one or more of the following
data elements, when either the name or the data elements is not encrypted new text begin or is encrypted
with an encryption key that was also acquired new text end:

(1) Social Security number;

(2) driver's license number or Minnesota identification card number; deleted text begin or
deleted text end

(3) account number or credit or debit card number, in combination with any required
security code, access code, or password that would permit access to an individual's
financial account deleted text begin . deleted text end new text begin ; new text end

new text begin (4) account passwords, personal identification numbers, or other access codes; or
new text end

new text begin (5) biometric data. For purposes of this clause, "biometric data" means biological
data derived from direct measurement of a part of the human body. Direct measurement
technologies include, but are not limited to, fingerprinting, iris recognition, hand geometry,
and facial recognition.
new text end

(f) For purposes of this section, "personal information" does not include publicly
available information that is lawfully made available to the general public from federal,
state, or local government records.

(g) For purposes of this section, "notice" may be provided by one of the following
methods:

(1) written notice to the most recent available address the person or business has
in its records;

(2) electronic notice, if the notice provided is consistent with the provisions
regarding electronic records and signatures in United States Code, title 15, section 7001; or

(3) substitute notice, if the person or business demonstrates that the cost of providing
notice would exceed $250,000, or that the affected class of subject persons to be notified
exceeds 500,000, or the person or business does not have sufficient contact information.
Substitute notice must consist of all of the following:

(i) e-mail notice when the person or business has an e-mail address for the subject
persons;

(ii) conspicuous posting of the notice on the Web site page of the person or business,
if the person or business maintains one; and

(iii) notification to major statewide media.

(h) Notwithstanding paragraph (g), a person or business that maintains its own
notification procedures as part of an information security policy for the treatment of
personal information and is otherwise consistent with the timing new text begin and content new text end requirements
of this section, shall be deemed to be in compliance with the notification requirements
of this section if the person or business notifies subject persons in accordance with its
policies in the event of a breach of security of the system.

Sec. 2.

Minnesota Statutes 2005 Supplement, section 325E.61, is amended by adding a
subdivision to read:


new text begin Subd. 1a. new text end

new text begin Content of notice. new text end

new text begin The notice required by this section must be clear
and conspicuous. The notice must include:
new text end

new text begin (a) to the extent possible, a description of the categories of information that were, or
are reasonably believed to have been, acquired by an unauthorized person, including Social
Security numbers, driver's license or state identification numbers, and financial data;
new text end

new text begin (b) the steps taken by the person or business to protect personal information from
further unauthorized access;
new text end

new text begin (c) a toll-free telephone number:
new text end

new text begin (1) that the individual may use to contact a live representative of the agency or
person; and
new text end

new text begin (2) from whom the individual may learn:
new text end

new text begin (i) what types of information the agency or person maintained about that individual
or about individuals in general; and
new text end

new text begin (ii) whether the agency or person maintained information about that individual;
new text end

new text begin (d) the toll-free telephone numbers and addresses for the major consumer reporting
agencies, along with a description of, and an explanation of how to exercise, the following
rights under the federal Fair Credit Reporting Act:
new text end

new text begin (1) the right to obtain a credit report free of charge from each nationwide credit
reporting agency;
new text end

new text begin (2) the right to place a fraud alert in consumer reports to put creditors on notice that
the individual may be a victim of fraud; and
new text end

new text begin (3) the right to block or delete specific items in consumer reports relating to
fraudulent transactions; and
new text end

new text begin (e) the toll-free telephone number and Web site address of the Federal Trade
Commission, along with a recommendation that the individual should report any incidents
of identity theft to a local law enforcement agency and the Federal Trade Commission.
new text end

Sec. 3. new text begin REPEALER.
new text end

new text begin Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 4, new text end new text begin is repealed.
new text end