Skip to main content Skip to office menu Skip to footer
Minnesota Legislature

Office of the Revisor of Statutes

SF 2002

3rd Engrossment - 84th Legislature (2005 - 2006) Posted on 12/15/2009 12:00am

KEY: stricken = removed, old language.
underscored = added, new language.
Line numbers 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12
1.13 1.14
1.15 1.16 1.17 1.18 1.19
1.20 1.21 1.22 1.23 1.24 1.25 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21
2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 2.31 2.32 2.33 2.34 2.35 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 3.32 3.33 3.34 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 4.32 4.33 4.34 4.35 4.36 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28 5.29 5.30 5.31 5.32 5.33 5.34 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26 6.27 6.28 6.29 6.30 6.31
6.32 6.33 6.34 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10 7.11 7.12 7.13 7.14 7.15 7.16 7.17 7.18 7.19 7.20 7.21 7.22
7.23 7.24 7.25 7.26 7.27 7.28 7.29 7.30 7.31 7.32 7.33 7.34 7.35 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.10 8.11 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.19 8.20 8.21 8.22 8.23 8.24
8.25 8.26 8.27 8.28 8.29 8.30 8.31 8.32 8.33 8.34 9.1 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11 9.12 9.13 9.14 9.15 9.16 9.17 9.18 9.19 9.20 9.21 9.22 9.23 9.24 9.25 9.26 9.27 9.28 9.29 9.30 9.31 9.32 9.33 9.34 9.35 9.36 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11 10.12 10.13 10.14
10.15 10.16 10.17 10.18 10.19 10.20 10.21 10.22 10.23 10.24 10.25 10.26 10.27 10.28 10.29 10.30 10.31 10.32 10.33 10.34 11.1 11.2 11.3 11.4 11.5 11.6 11.7 11.8 11.9 11.10 11.11 11.12 11.13 11.14 11.15 11.16 11.17 11.18 11.19 11.20 11.21 11.22 11.23 11.24 11.25 11.26 11.27 11.28 11.29 11.30 11.31 11.32 11.33 11.34 11.35 11.36 12.1 12.2 12.3 12.4 12.5 12.6 12.7
12.8 12.9 12.10 12.11 12.12 12.13 12.14 12.15 12.16 12.17 12.18 12.19 12.20 12.21 12.22 12.23
12.24 12.25
12.26 12.27 12.28 12.29 12.30 12.31 12.32 12.33 12.34 13.1 13.2 13.3 13.4 13.5 13.6 13.7 13.8 13.9 13.10 13.11 13.12 13.13 13.14 13.15 13.16 13.17 13.18 13.19 13.20 13.21 13.22 13.23 13.24 13.25 13.26 13.27 13.28 13.29 13.30 13.31 13.32 13.33 13.34 13.35 14.1 14.2 14.3 14.4 14.5 14.6 14.7 14.8 14.9 14.10 14.11 14.12 14.13 14.14 14.15 14.16 14.17 14.18 14.19 14.20 14.21
14.22 14.23 14.24 14.25 14.26 14.27 14.28 14.29 14.30 14.31 14.32 14.33 14.34 15.1 15.2 15.3 15.4 15.5 15.6 15.7 15.8 15.9 15.10 15.11 15.12 15.13 15.14 15.15
15.16 15.17 15.18 15.19 15.20 15.21

A bill for an act
relating to consumer protection; regulating identity theft; authorizing credit
blocks in cases of identity theft; authorizing a consumer to place a security
freeze on the consumer's credit report; providing notice of this right; providing
protections against identity theft; providing Social Security number protections;
providing credit monitoring; providing for the adequate destruction of personal
records; providing civil and criminal penalties; regulating data warehouses;
modifying notice requirements; amending Minnesota Statutes 2004, section
13.6905, by adding a subdivision; Minnesota Statutes 2005 Supplement, section
325E.61, subdivisions 1, 4, by adding a subdivision; proposing coding for new
law in Minnesota Statutes, chapters 13C; 325E; 325G.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

ARTICLE 1

IDENTITY THEFT

Section 1.

Minnesota Statutes 2004, section 13.6905, is amended by adding a
subdivision to read:


new text begin Subd. 33. new text end

new text begin Victim of identity theft data. new text end

new text begin Data maintained by the Department of
Public Safety that document victims of identity theft and determinations of innocence are
classified under section 325E.66, subdivision 6.
new text end

Sec. 2.

new text begin [13C.032] IDENTITY THEFT; CREDIT BLOCKS.
new text end

new text begin (a) If a consumer submits to a credit reporting agency a copy of a valid police report,
or a valid investigative report made by an investigator with peace officer status, the
consumer credit reporting agency shall promptly and permanently block reporting any
information that the consumer alleges appears on the consumer's credit report as a result
of a violation of section 609.527 so that the information cannot be reported. The consumer
credit reporting agency shall promptly notify the furnisher of the information that the
information has been blocked. Furnishers of information and consumer credit reporting
agencies shall ensure that information is unblocked only upon a preponderance of the
evidence establishing the facts required under paragraph (b), clause (1), (2), or (3).
new text end

new text begin (b) The permanently blocked information must be unblocked only if:
new text end

new text begin (1) the information was blocked due to a material misrepresentation of fact by the
consumer or fraud;
new text end

new text begin (2) the consumer agrees that the blocked information, or portions of the blocked
information, were blocked in error; or
new text end

new text begin (3) the consumer knowingly obtained possession of goods, services, or money as
a result of the blocked transaction or transactions or the consumer should have known
that the consumer obtained possession of goods, services, or money as a result of the
blocked transaction or transactions.
new text end

new text begin (c) If blocked information is unblocked pursuant to this section, the consumer must
be promptly notified. The prior presence of the blocked information in the consumer credit
reporting agency's file on the consumer is not evidence of whether the consumer knew
or should have known that the consumer obtained possession of any goods, services, or
money. For the purposes of this section, fraud may be demonstrated by circumstantial
evidence. In unblocking information pursuant to this section, furnishers and consumer
credit reporting agencies are subject to their respective requirements pursuant to this
chapter regarding the completeness and accuracy of information.
new text end

Sec. 3.

new text begin [13C.05] SECURITY FREEZE ON CONSUMER CREDIT REPORTS.
new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin For the purposes of this section, the following terms
have the meanings given them:
new text end

new text begin (1) "security freeze" means a notice, at the request of the consumer and subject to
certain exceptions, prohibiting the consumer reporting agency from releasing all or any
part of the consumer's credit report or any information derived from it without the express
authorization of the consumer. If a security freeze is in place, the report or information
may not be released to a third party without prior express authorization from the consumer.
This subdivision does not prevent a consumer reporting agency from advising a third party
that a security freeze is in effect with respect to the consumer's credit report; and
new text end

new text begin (2) "reviewing the account" or "account review" includes activities related to account
maintenance, monitoring, credit line increases, and upgrades and enhancements.
new text end

new text begin Subd. 2. new text end

new text begin Timing; covered entities; cost. new text end

new text begin (a) A consumer may elect to place a
security freeze on a credit report by:
new text end

new text begin (1) making a request by certified mail;
new text end

new text begin (2) making a request by telephone by providing certain personal identification; or
new text end

new text begin (3) making a request directly to the consumer reporting agency through a secure
electronic mail connection if the connection is made available by the agency.
new text end

new text begin (b) A consumer reporting agency shall place a security freeze on a consumer's credit
report no later than five business days after receiving a written or telephone request from
the consumer or three business days after receiving a secure electronic mail request.
new text end

new text begin (c) The consumer reporting agency shall send a written confirmation of the security
freeze to the consumer within five business days of placing the freeze and at the same time
shall provide the consumer with a unique personal identification number or password to
be used by the consumer when providing authorization for the release of the consumer's
credit for a specific party or period of time.
new text end

new text begin (d) If the consumer wishes to allow the consumer's credit report to be accessed for a
specific party or period of time while a freeze is in place, the consumer shall contact the
consumer reporting agency via telephone, certified mail, or secure electronic mail; request
that the freeze be temporarily lifted; and provide the following:
new text end

new text begin (1) proper identification;
new text end

new text begin (2) the unique personal identification number or password provided by the consumer
reporting agency pursuant to paragraph (c); and
new text end

new text begin (3) the proper information regarding the third party who is to receive the credit report
or the time period for which the report must be available to users of the credit report.
new text end

new text begin (e) A consumer reporting agency that receives a request from a consumer to
temporarily lift a freeze on a credit report pursuant to paragraph (d) shall comply with the
request no later than three business days after receiving the request.
new text end

new text begin (f) A consumer reporting agency may develop procedures involving the use of
telephone or fax, or upon the consent of the consumer in the manner required by the
Electronic Signatures in Global and National Commerce Act, United States Code, title 15,
section 7001 et seq., for legally required notices, by the Internet, e-mail, or other electronic
media to receive and process a request from a consumer to temporarily lift a freeze on a
credit report pursuant to paragraph (d) in an expedited manner.
new text end

new text begin (g) A consumer reporting agency shall remove or temporarily lift a freeze placed
on a consumer's credit report only in the following cases:
new text end

new text begin (1) upon consumer request, pursuant to paragraph (d) or (j); or
new text end

new text begin (2) if the freeze was due to a material misrepresentation of fact by the consumer.
new text end

new text begin If a consumer reporting agency intends to remove a freeze upon a consumer's credit report
pursuant to this paragraph, the consumer reporting agency shall notify the consumer in
writing five business days before removing the freeze on the consumer's credit report.
new text end

new text begin (h) If a third party requests access to a consumer credit report on which a security
freeze is in effect, and this request is in connection with an application for credit or any
other use, and the consumer does not allow the consumer's credit report to be accessed for
that specific party or period of time, the third party may treat the application as incomplete.
new text end

new text begin (i) If a third party requests access to a consumer credit report on which a security
freeze is in effect for the purpose of receiving, extending, or otherwise using the credit in
the report, and not for the sole purpose of account review, the consumer reporting agency
must notify the consumer that an attempt has been made to access the credit report.
new text end

new text begin (j) Except as otherwise provided in paragraph (g), clause (2), a security freeze shall
remain in place until the consumer requests that the security freeze be removed. A
consumer reporting agency shall remove a security freeze within three business days of
receiving a request for removal from the consumer, who provides both of the following:
new text end

new text begin (1) proper identification; and
new text end

new text begin (2) the unique personal identification number or password provided by the consumer
reporting agency pursuant to paragraph (c).
new text end

new text begin (k) A consumer reporting agency shall require proper identification of the person
making a request to place or remove a security freeze.
new text end

new text begin (l) A consumer reporting agency may not suggest or otherwise state or imply to a
third party that the consumer's security freeze reflects a negative credit score, history,
report, or rating.
new text end

new text begin (m) This section does not apply to the use of a consumer credit report by any of
the following:
new text end

new text begin (1) a person, or the person's subsidiary, affiliate, agent, or assignee with which
the consumer has or, prior to assignment, had an account, contract, or debtor-creditor
relationship for the purposes of reviewing the account or collecting the financial obligation
owing for the account, contract, or debt;
new text end

new text begin (2) a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to
whom access has been granted under paragraph (d) for purposes of facilitating the
extension of credit or other permissible use;
new text end

new text begin (3) any person acting pursuant to a court order, warrant, or subpoena;
new text end

new text begin (4) a state or local agency which administers a program for establishing and
enforcing child support obligations;
new text end

new text begin (5) the Department of Health or its agents or assigns acting to investigate fraud;
new text end

new text begin (6) the Department of Revenue or its agents or assigns acting to investigate or collect
delinquent taxes or unpaid court orders to fulfill any of its other statutory responsibilities;
new text end

new text begin (7) a person for the purpose of prescreening as defined by the federal Fair Credit
Reporting Act;
new text end

new text begin (8) any person administering a credit file monitoring subscription service to which
the consumer has subscribed; and
new text end

new text begin (9) any person for the purpose of providing a consumer with a copy of the
consumer's credit report upon the consumer's request.
new text end

new text begin (n) A consumer may not be charged for any security freeze services, including but
not limited to the placement or lifting of a security freeze. A consumer may be charged no
more than $5 only if the consumer fails to retain the original personal identification number
given to the consumer by the agency, but the consumer may not be charged for a onetime
reissue of the same or a new personal identification number. The consumer may be charged
no more than $5 for subsequent instances of loss of the personal identification number.
new text end

new text begin Subd. 3. new text end

new text begin Notice of rights. new text end

new text begin At any time that a consumer is required to receive a
summary of rights required under section 609 of the federal Fair Credit Reporting Act, the
following notice must be included:
new text end

new text begin "Minnesota Consumers Have the Right to Obtain a Security Freeze
new text end

new text begin You may obtain a security freeze on your credit report at no charge to protect your
privacy and ensure that credit is not granted in your name without your knowledge. You
have a right to place a "security freeze" on your credit report pursuant to Minnesota
Statutes, section 13C.05.
new text end

new text begin The security freeze will prohibit a consumer reporting agency from releasing any
information in your credit report without your express authorization or approval.
new text end

new text begin The security freeze is designed to prevent credit, loans, and services from being
approved in your name without your consent. When you place a security freeze on your
credit report, within five business days you will be provided a personal identification
number or password to use if you choose to remove the freeze on your credit report or
to temporarily authorize the release of your credit report for a specific party, parties, or
period of time after the freeze is in place. To provide that authorization, you must contact
the consumer reporting agency and provide all of the following:
new text end

new text begin (1) the unique personal identification number or password provided by the consumer
reporting agency;
new text end

new text begin (2) proper identification to verify your identity; and
new text end

new text begin (3) the proper information regarding the third party or parties who are to receive
the credit report or the period of time for which the report shall be available to users
of the credit report.
new text end

new text begin A consumer reporting agency that receives a request from a consumer to lift
temporarily a freeze on a credit report shall comply with the request no later than three
business days after receiving the request.
new text end

new text begin A security freeze does not apply to circumstances where you have an existing
account relationship and a copy of your report is requested by your existing creditor
or its agents or affiliates for certain types of account review, collection, fraud control,
or similar activities.
new text end

new text begin If you are actively seeking credit, you should understand that the procedures
involved in lifting a security freeze may slow your own application for credit. You should
plan ahead and lift a freeze, either completely if you are shopping around, or specifically
for a certain creditor, a few days before actually applying for new credit.
new text end

new text begin You have a right to bring a civil action against someone who violates your rights
under the credit reporting laws. The action can be brought against a consumer reporting
agency or a user of your credit report.
new text end

new text begin Subd. 4. new text end

new text begin Violations; penalties. new text end

new text begin (a) If a consumer reporting agency erroneously,
whether by accident or design, violates the security freeze by releasing credit information
that has been placed under a security freeze, the affected consumer is entitled to:
new text end

new text begin (1) notification within five business days of the release of the information, including
specificity as to the information released and the third-party recipient of the information;
new text end

new text begin (2) file a complaint with the Federal Trade Commission, the state attorney general,
and the Department of Commerce; and
new text end

new text begin (3) in a civil action against the consumer reporting agency recover:
new text end

new text begin (i) injunctive relief to prevent or restrain further violation of the security freeze;
new text end

new text begin (ii) a civil penalty in an amount not to exceed $10,000 for each violation plus any
damages available under other civil laws; and
new text end

new text begin (iii) reasonable expenses, court costs, investigative costs, and attorney fees.
new text end

new text begin (b) Each violation of the security freeze must be counted as a separate incident for
purposes of imposing penalties under this section.
new text end

Sec. 4.

new text begin [325E.65] DEFINITIONS.
new text end

new text begin Subdivision 1. new text end

new text begin Scope. new text end

new text begin For the purposes of sections 325E.65 to 325E.67, the terms in
subdivisions 2 to 6 have the meanings given.
new text end

new text begin Subd. 2. new text end

new text begin Person. new text end

new text begin "Person" means any individual, partnership, corporation, trust,
estate, cooperative, association, or other entity.
new text end

new text begin Subd. 3. new text end

new text begin Consumer. new text end

new text begin "Consumer" means an individual.
new text end

new text begin Subd. 4. new text end

new text begin Consumer reporting agency. new text end

new text begin "Consumer reporting agency" means any
person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly
engages in whole or in part in the practice of assembling or evaluating consumer credit
information or other information on consumers for the purpose of furnishing consumer
reports to third parties.
new text end

new text begin Subd. 5. new text end

new text begin Consumer report; credit report. new text end

new text begin "Consumer report" or "credit report"
means any written, oral, or other communication of any information by a consumer
reporting agency bearing on a consumer's creditworthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or mode of living which
is used or expected to be used or collected in whole or in part for the purpose of serving
as a factor in establishing the consumer's eligibility for:
new text end

new text begin (1) credit or insurance to be used primarily for personal, family, or household
purposes, except that nothing in sections 325E.65 to 325E.67 authorizes the use of credit
evaluations or credit scoring in the underwriting of personal lines of property or casualty
insurance;
new text end

new text begin (2) employment purposes; or
new text end

new text begin (3) any other purpose authorized under United States Code, title 15, section 1681b.
new text end

new text begin Subd. 6. new text end

new text begin Identity theft. new text end

new text begin "Identity theft" means theft, fraud, or attempted theft or
fraud committed using any identifying information of another person.
new text end

Sec. 5.

new text begin [325E.66] FACTUAL DECLARATION OF INNOCENCE AFTER
IDENTITY THEFT.
new text end

new text begin Subdivision 1. new text end

new text begin Judicial determination. new text end

new text begin A person who reasonably believes that the
person is the victim of identity theft may petition a court, or the court, on its own motion
or upon application of the prosecuting attorney, may move for an expedited judicial
determination of the person's factual innocence, where the perpetrator of the identity theft
was arrested for, cited for, or convicted of a crime under the victim's identity, or where a
criminal complaint has been filed against the perpetrator in the victim's name, or where
the victim's identity has been mistakenly associated with a record of criminal conviction.
Any judicial determination of factual innocence made pursuant to this section may be
heard and determined upon declarations, affidavits, police reports, or other material,
relevant, and reliable information submitted by the parties or ordered to be part of the
record by the court. Where the court determines that the petition or motion is meritorious
and that there is no reasonable cause to believe that the victim committed the offense for
which the perpetrator of the identity theft was arrested, cited, convicted, or subject to a
criminal complaint in the victim's name, or that the victim's identity has been mistakenly
associated with a record of criminal conviction, the court shall find the victim factually
innocent of that offense. If the victim is found factually innocent, the court shall issue an
order certifying this determination.
new text end

new text begin Subd. 2. new text end

new text begin Court order. new text end

new text begin After a court has issued a determination of factual innocence
pursuant to this section, the court may order the name and associated personal identifying
information contained in court records, files, and indexes accessible by the public
deleted, sealed, or labeled to show that the data is impersonated and does not reflect
the defendant's identity.
new text end

new text begin Subd. 3. new text end

new text begin Documentation. new text end

new text begin Upon making a determination of factual innocence, the
court must provide the consumer written documentation of such order.
new text end

new text begin Subd. 4. new text end

new text begin Vacating determination. new text end

new text begin A court that has issued a determination of
factual innocence pursuant to this section may at any time vacate that determination if
the petition, or any information submitted in support of the petition, is found to contain
any material misrepresentation or fraud.
new text end

new text begin Subd. 5. new text end

new text begin Form. new text end

new text begin The Supreme Court shall develop a form for use in issuing an order
pursuant to this section.
new text end

new text begin Subd. 6. new text end

new text begin Database. new text end

new text begin The Department of Public Safety shall establish and maintain a
database of individuals who have been victims of identity theft and that have received
determinations of factual innocence. The data are private data on individuals as defined in
section 13.02, subdivision 12. Law enforcement agencies have access to the data in order
to assist victims of identify theft.
new text end

Sec. 6.

new text begin [325E.67] CONSUMER-DRIVEN CREDIT MONITORING.
new text end

new text begin Subdivision 1. new text end

new text begin Disclosures. new text end

new text begin Every consumer credit reporting agency shall, upon
request from a consumer that is not covered by the free disclosures provided in United
States Code, title 15, section 1681j, subsections (a) to (d), clearly and accurately disclose
to the consumer:
new text end

new text begin (1) all information in the consumer's file at the time of the request, except that
nothing in this subdivision requires a consumer reporting agency to disclose to a consumer
any information concerning credit scores or other risk scores or predictors that are
governed by United States Code, title 15, section 1681g(f);
new text end

new text begin (2) the sources of the information;
new text end

new text begin (3) identification of each person, including each end-user identified under United
States Code, title 15, section 1681e, that procured a consumer report:
new text end

new text begin (i) for employment purposes, during the two-year period preceding the date on
which the request is made; or
new text end

new text begin (ii) for any purpose, during the one-year period preceding the date on which the
request is made;
new text end

new text begin (4) an identification of a person under clause (3) shall include:
new text end

new text begin (i) the name of the person or, if applicable, the trade name (written in full) under
which the person conducts business; and
new text end

new text begin (ii) upon request of the consumer, the address and telephone number of the person;
new text end

new text begin (5) clause (3) does not apply if:
new text end

new text begin (i) the end user is an agency or department of the United States government that
procures the report from the person for purposes of determining the eligibility of the
consumer to whom the report relates to receive access or continued access to classified
information (as defined in United States Code, title 15, section 1681b(b)(4)(E)(i)); and
new text end

new text begin (ii) the head of the agency or department makes a written finding as prescribed under
United States Code, title 15, section 1681b(b)(4)(A);
new text end

new text begin (6) the dates, original payees, and amounts of any checks upon which is based any
adverse characterization of the consumer, included in the file at the time of the disclosure
or which can be inferred from the file;
new text end

new text begin (7) a record of all inquiries received by the agency during the one-year period
preceding the request that identified the consumer in connection with a credit or insurance
transaction that was not initiated by the consumer;
new text end

new text begin (8) if the consumer requests the credit file and not the credit score, a statement that
the consumer may request and obtain a credit score.
new text end

new text begin Subd. 2. new text end

new text begin Cost of disclosure. new text end

new text begin In the case of a request under subdivision 1, a
consumer reporting agency may impose a reasonable charge on a consumer for making
a disclosure pursuant to this section, which charge must:
new text end

new text begin (1) not exceed $3 for each of the first 12 requests from the consumer in a calendar
year;
new text end

new text begin (2) not exceed $8 for any additional request beyond the initial 12 requests from the
consumer in a calendar year; and
new text end

new text begin (3) be indicated to the consumer before making the disclosure.
new text end

new text begin Subd. 3. new text end

new text begin Format of disclosure. new text end

new text begin In the case of a request under subdivision 1, a
consumer reporting agency must provide the consumer with an opportunity to access the
consumer's report through the following means:
new text end

new text begin (1) in writing;
new text end

new text begin (2) in person, upon the appearance of the consumer at the place of business of the
consumer reporting agency where disclosures are regularly provided, during normal
business hours, and on reasonable notice;
new text end

new text begin (3) by telephone, if the consumer has made a written request for disclosure;
new text end

new text begin (4) by electronic means, if the agency offers electronic access for any other purpose;
new text end

new text begin (5) by any other reasonable means that is available from the agency.
new text end

new text begin Subd. 4. new text end

new text begin Timing of disclosure. new text end

new text begin A consumer reporting agency shall provide a
consumer report under subdivision 1 no later than:
new text end

new text begin (1) 24 hours after the date on which the request is made, if the disclosure is made by
electronic means, as requested under subdivision 3, clause (4); and
new text end

new text begin (2) five days after the date on which the request is made, if the disclosure is made
in writing, in person, by telephone, or by any other reasonable means that is available
from the agency.
new text end

Sec. 7.

new text begin [325E.68] ADEQUATE DESTRUCTION OF PERSONAL RECORDS.
new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin For the purposes of this section, the following terms
shall have the meanings given them:
new text end

new text begin (a) "Business" means sole proprietorship, partnership, corporation, association,
or other group, however organized and whether or not organized to operate at a profit.
The term includes a financial institution organized, chartered, or holding a license or
authorization certificate under the laws of this state, any other state, the United States, or
any other country, or the parent or the subsidiary of the financial institution. The term also
includes an entity that destroys records.
new text end

new text begin (b) "Dispose" includes:
new text end

new text begin (1) the discarding or abandonment of records containing personal information; and
new text end

new text begin (2) the sale, donation, discarding, or transfer of any medium, including computer
equipment, or computer media, containing records of personal information, or other
nonpaper media upon which records of personal information is stored, or other equipment
for nonpaper storage of information.
new text end

new text begin (c) "Personal information" means any information that identifies, relates to,
describes, or is capable of being associated with a particular individual, including, but
not limited to, a name, signature, Social Security number, fingerprint, photograph or
computerized image, physical characteristics or description, address, telephone number,
passport number, driver's license or state identification card number, date of birth, medical
information, bank account number, credit card number, debit card number, or any other
financial information.
new text end

new text begin (d) "Records" means any material on which written, drawn, spoken, visual, or
electromagnetic information is recorded or preserved, regardless of physical form or
characteristics. "Records" does not include publicly available directories containing
information an individual has voluntarily consented to have publicly disseminated or
listed, such as name, address, or telephone number.
new text end

new text begin Subd. 2. new text end

new text begin Disposal of records containing personal information. new text end

new text begin Any business that
conducts business in Minnesota and any business that maintains or otherwise possesses
personal information of residents of Minnesota must take all reasonable measures to
protect against unauthorized access to or use of the information in connection with, or
after its disposal. Reasonable measures must include, but are not limited to:
new text end

new text begin (1) implementing and monitoring compliance with policies and procedures that
require the burning, pulverizing, or shredding of papers containing personal information
so that the information cannot practicably be read or reconstructed;
new text end

new text begin (2) implementing and monitoring compliance with policies and procedures that
require the destruction or erasure of electronic media and other nonpaper media containing
personal information so that the information cannot practicably be read or reconstructed;
new text end

new text begin (3) after due diligence, entering into and monitoring compliance with a written
contract with another party engaged in the business of record destruction to dispose of
personal information in a manner consistent with this statute. Due diligence should
ordinarily include, but may not be limited to, one or more of the following: reviewing
an independent audit of the disposal company's operations or its compliance with this
statute or its equivalent; obtaining information about the disposal company from several
references or other reliable sources and requiring that the disposal company be certified by
a recognized trade association or similar third party with a reputation for high standards
of quality review; reviewing and evaluating the disposal company's information security
policies or procedures; or taking other appropriate measures to determine the competency
and integrity of the disposal company; and
new text end

new text begin (4) for disposal companies explicitly hired to dispose of records containing personal
information: implementing and monitoring compliance with policies and procedures that
protect against unauthorized access to or use of personal information during or after
the collection and transportation and disposing of the information in accordance with
clauses (1) and (2).
new text end

new text begin Subd. 3. new text end

new text begin Business policy. new text end

new text begin Procedures relating to the adequate destruction or proper
disposal of personal records must be comprehensively described and classified as official
policy in the writings of the business entity, including corporate and employee handbooks
and similar corporate documents.
new text end

new text begin Subd. 4. new text end

new text begin Penalties and civil liability. new text end

new text begin (a) Any person or business that violates this
section is subject to a civil penalty of not more than $3,000.
new text end

new text begin (b) Any individual aggrieved by a violation may bring a civil action in district
court to enjoin further violations and to recover actual damages, costs, and reasonable
attorney fees.
new text end

Sec. 8.

new text begin [325G.052] CREDIT CARD OFFERS AND SOLICITATIONS; ADDRESS
VERIFICATIONS.
new text end

new text begin (a) A credit card issuer that mails an offer or solicitation to receive a credit card and,
in response, receives a completed application for a credit card that lists an address that is
different from the address on the offer or solicitation shall verify the change of address
before issuing a credit card.
new text end

new text begin (b) Notwithstanding any other provision of law, a person to whom an offer or
solicitation to receive a credit card is made is not liable for the unauthorized use of a credit
card issued in response to that offer or solicitation if the credit card issuer does not verify
the change of address before issuing a credit card.
new text end

new text begin (c) When a credit card issuer receives a written or oral request for a change of the
cardholder's billing address and then receives a written or oral request for an additional
credit card within ten days after the requested address change, the credit card issuer shall
not mail the requested additional credit card to the new address or, alternatively, activate
the requested additional credit card, unless the credit card issuer has verified the change
of address.
new text end

ARTICLE 2

DATA WAREHOUSES

Section 1.

Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 1, is
amended to read:


Subdivision 1.

Disclosure of personal information; notice required.

(a) Any
person or business that conducts business in this state, and that owns or licenses data that
includes personal information, shall disclose any breach of the security of the system
following discovery or notification of the breach in the security of the data to any resident
of this state whose unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay, consistent with the legitimate
needs of law enforcement, as provided in paragraph (c), or with any measures necessary
to determine the scope of the breach, identify the individuals affected, and restore the
reasonable integrity of the data system.

(b) Any person or business that maintains data that includes personal information
that the person or business does not own shall notify the owner or licensee of the
information of any breach of the security of the data immediately following discovery,
if the personal information was, or is reasonably believed to have been, acquired by
an unauthorized person.

(c) The notification required by this section may be delayed to a date certain if a law
enforcement agency affirmatively determines that the notification will impede a criminal
investigation.

(d) For purposes of this section, "breach of the security of the system" means
unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information maintained by the person or business.
Good faith acquisition of personal information by an employee or agent of the person or
business for the purposes of the person or business is not a breach of the security system,
provided that the personal information is not used or subject to further unauthorized
disclosure.

(e) For purposes of this section, "personal information" means an individual's first
name or first initial and last name in combination with any one or more of the following
data elements, when either the name or the data elements is not encryptednew text begin or is encrypted
with an encryption key that was also acquired
new text end:

(1) Social Security number;

(2) driver's license number or Minnesota identification card number; deleted text beginor
deleted text end

(3) account number or credit or debit card number, in combination with any required
security code, access code, or password that would permit access to an individual's
financial accountdeleted text begin.deleted text endnew text begin;
new text end

new text begin (4) account passwords, personal identification numbers, or other access codes; or
new text end

new text begin (5) biometric data. For purposes of this clause, "biometric data" means biological
data derived from direct measurement of a part of the human body. Direct measurement
technologies include, but are not limited to, fingerprinting, iris recognition, hand geometry,
and facial recognition.
new text end

(f) For purposes of this section, "personal information" does not include publicly
available information that is lawfully made available to the general public from federal,
state, or local government records.

(g) For purposes of this section, "notice" may be provided by one of the following
methods:

(1) written notice to the most recent available address the person or business has
in its records;

(2) electronic notice, if the notice provided is consistent with the provisions
regarding electronic records and signatures in United States Code, title 15, section 7001; or

(3) substitute notice, if the person or business demonstrates that the cost of providing
notice would exceed $250,000, or that the affected class of subject persons to be notified
exceeds 500,000, or the person or business does not have sufficient contact information.
Substitute notice must consist of all of the following:

(i) e-mail notice when the person or business has an e-mail address for the subject
persons;

(ii) conspicuous posting of the notice on the Web site page of the person or business,
if the person or business maintains one; and

(iii) notification to major statewide media.

(h) Notwithstanding paragraph (g), a person or business that maintains its own
notification procedures as part of an information security policy for the treatment of
personal information and is otherwise consistent with the timing new text beginand content new text endrequirements
of this section, shall be deemed to be in compliance with the notification requirements
of this section if the person or business notifies subject persons in accordance with its
policies in the event of a breach of security of the system.

Sec. 2.

Minnesota Statutes 2005 Supplement, section 325E.61, is amended by adding a
subdivision to read:


new text begin Subd. 1a. new text end

new text begin Content of notice. new text end

new text begin The notice required by this section must be clear
and conspicuous. The notice must include:
new text end

new text begin (a) to the extent possible, a description of the categories of information that were, or
are reasonably believed to have been, acquired by an unauthorized person, including Social
Security numbers, driver's license or state identification numbers, and financial data;
new text end

new text begin (b) the steps taken by the person or business to protect personal information from
further unauthorized access;
new text end

new text begin (c) a toll-free telephone number:
new text end

new text begin (1) that the individual may use to contact a live representative of the agency or
person; and
new text end

new text begin (2) from whom the individual may learn:
new text end

new text begin (i) what types of information the agency or person maintained about that individual
or about individuals in general; and
new text end

new text begin (ii) whether the agency or person maintained information about that individual;
new text end

new text begin (d) the toll-free telephone numbers and addresses for the major consumer reporting
agencies, along with a description of, and an explanation of how to exercise, the following
rights under the federal Fair Credit Reporting Act:
new text end

new text begin (1) the right to obtain a credit report free of charge from each nationwide credit
reporting agency;
new text end

new text begin (2) the right to place a fraud alert in consumer reports to put creditors on notice that
the individual may be a victim of fraud; and
new text end

new text begin (3) the right to block or delete specific items in consumer reports relating to
fraudulent transactions; and
new text end

new text begin (e) the toll-free telephone number and Web site address of the Federal Trade
Commission, along with a recommendation that the individual should report any incidents
of identity theft to a local law enforcement agency and the Federal Trade Commission.
new text end

Sec. 3.

Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 4, is
amended to read:


Subd. 4.

Exemption.

This section does not apply to any "financial institution"
as defined by United States Code, title 15, section 6809(3)deleted text begin, and to entities subject to
the federal privacy and security regulations adopted under the federal Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191
deleted text end.