Minnesota Legislature

SF 2002

4th Engrossment - 84th Legislature (2005 - 2006) Posted on 12/15/2009 12:00am

KEY: stricken = removed, old language.
underscored = added, new language.

A bill for an act
relating to consumer protection; regulating security freezes on a consumer's
credit report; providing protections against identity theft; providing for the
adequate destruction of personal records and data; regulating data warehouses;
modifying notice requirements; regulating credit issued to minors; regulating
credit card offers and solicitations; amending Minnesota Statutes 2004,
sections 13.05, subdivision 5; 138.17, subdivision 7; Minnesota Statutes 2005
Supplement, section 325E.61, subdivisions 1, 4; proposing coding for new law
in Minnesota Statutes, chapters 13C; 325E; 325G.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2004, section 13.05, subdivision 5, is amended to read:


Subd. 5.

Data protection.

new text begin (a)new text end The responsible authority shall (1) establish
procedures to assure that all data on individuals is accurate, complete, and current for the
purposes for which it was collected; and (2) establish appropriate security safeguards for
all records containing data on individuals.

new text begin (b) When not public data is being disposed of, the data must be destroyed in a way
that prevents its contents from being determined.
new text end

Sec. 2.

new text begin [13C.016] CONSUMER SECURITY FREEZE.
new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin (a) For purposes of this section and sections 13C.017 to
13C.019, the terms defined in this section have the meanings given.
new text end

new text begin (b) "Security freeze" means a notice placed in a consumer's consumer report, at the
request of the consumer and subject to certain exceptions, that prohibits the consumer
reporting agency from releasing the consumer report or any information from it, in
connection with the extension of credit or the opening of a new account, without the
express authorization of the consumer. If a security freeze is in place, information from
a consumer's consumer report may not be released to a third party, in connection with
the extension of credit or the opening of an account, without prior express authorization
from the consumer. This paragraph does not prevent a consumer reporting agency from
advising a third party that a security freeze is in effect with respect to the consumer report.
new text end

new text begin (c) "Victim of identity theft" means a consumer who has a copy of a valid police
report evidencing that the consumer has alleged to be a victim of identity theft as defined
in section 609.527.
new text end

new text begin Subd. 2. new text end

new text begin Right to obtain security freeze. new text end

new text begin A consumer may elect to place a security
freeze on the consumer's consumer report by making a request to a consumer reporting
agency. The consumer may make the request:
new text end

new text begin (1) by certified mail;
new text end

new text begin (2) by telephone by providing certain personal identification required by the
consumer reporting agency; or
new text end

new text begin (3) directly to the consumer reporting agency through a secure electronic mail
connection if the connection is made available by the consumer reporting agency.
new text end

new text begin Subd. 3. new text end

new text begin Response of consumer reporting agency. new text end

new text begin (a) A consumer reporting
agency shall place a security freeze on a consumer's consumer report no later than three
business days after receiving a request under subdivision 2 from the consumer.
new text end

new text begin (b) The consumer reporting agency, within ten business days after receiving the
request, shall send a written confirmation of the security freeze to the consumer and
provide the consumer with a unique personal identification number or password to be used
by the consumer when providing authorization for the release of the consumer's consumer
report for a specific party or period of time.
new text end

new text begin (c) When a consumer requests a security freeze, the consumer reporting agency shall
disclose the process of placing and temporarily lifting a freeze, including the process for
allowing access to information from the consumer's consumer report for a specific party
or period of time while the freeze is in place.
new text end

new text begin Subd. 4. new text end

new text begin Temporary lifting or permanent removal of the freeze. new text end

new text begin (a) If the
consumer wishes to allow the consumer's consumer report to be accessed for a specific
party or period of time while a freeze is in place, the consumer shall contact the consumer
reporting agency, request that the freeze be temporarily lifted, and provide the following:
new text end

new text begin (1) proper identification, which means that information generally deemed sufficient
to identify a person. Only if the consumer is unable to sufficiently provide self-identifying
information may a consumer reporting agency require additional information concerning
the consumer's employment and personal or family history in order to verify the
consumer's identity;
new text end

new text begin (2) the unique personal identification number or password provided by the credit
reporting agency under subdivision 3, paragraph (b); and
new text end

new text begin (3) the proper information regarding the third party who is to receive the consumer
report or the time period for which the report is to be available to users of the consumer
report.
new text end

new text begin (b) A consumer reporting agency that receives a request from a consumer to
temporarily lift a freeze on a consumer report under paragraph (a) shall comply with the
request no later than three business days after receiving the request.
new text end

new text begin (c) A consumer reporting agency may develop procedures involving the use of
telephone, fax, the Internet, or other electronic media to receive and process a request from
a consumer to temporarily lift a freeze on a consumer report under paragraph (a) in an
expedited manner, with the goal of processing a request within 15 minutes after the request.
new text end

new text begin (d) A consumer reporting agency shall remove or temporarily lift a freeze placed on
a consumer report only in the following cases:
new text end

new text begin (1) upon consumer request under paragraph (a) or (e); or
new text end

new text begin (2) when the consumer report was frozen due to a material misrepresentation of
fact by the consumer. When a consumer reporting agency intends to remove a freeze
on a consumer report under this clause, the consumer reporting agency shall notify the
consumer in writing three business days prior to removing the freeze on the consumer
report.
new text end

new text begin (e) A security freeze remains in place until the consumer requests that the security
freeze be removed. A consumer reporting agency shall remove a security freeze within
three business days of receiving a request for removal from the consumer, who provides
both of the following:
new text end

new text begin (1) proper identification, as defined in paragraph (a), clause (1); and
new text end

new text begin (2) the unique personal identification number or password referenced in paragraph
(a), clause (2).
new text end

new text begin Subd. 5. new text end

new text begin Response by third party to denial of access. new text end

new text begin When a third party requests
access to a consumer report on which a security freeze is in effect, and this request is in
connection with an application for credit or the opening of an account and the consumer
does not allow the consumer's consumer report to be accessed for that specific party or
period of time, the third party may treat the application as incomplete.
new text end

new text begin Subd. 6. new text end

new text begin Nonapplicability. new text end

new text begin This section does not apply to the use of a consumer
report by any of the following:
new text end

new text begin (1) a person or entity, or a subsidiary, affiliate, or agent of that person or entity, or
an assignee of a financial obligation owing by the consumer to that person or entity, or a
prospective assignee of a financial obligation owing by the consumer to that person or
entity in conjunction with the proposed purchase of the financial obligation, with which
the consumer has or had prior to assignment an account or contract, including a demand
deposit account, or to whom the consumer issued a negotiable instrument, for the purposes
of reviewing the account or collecting the financial obligation owing for the account,
contract, or negotiable instrument. For purposes of this clause, "reviewing the account"
includes activities related to account maintenance, monitoring, credit line increases, and
account upgrades and enhancements;
new text end

new text begin (2) a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to
whom access has been granted under subdivision 4 for purposes of facilitating the
extension of credit or other permissible use;
new text end

new text begin (3) any federal, state, or local governmental entity, including but not limited to a
law enforcement agency, court, or its agents or assigns;
new text end

new text begin (4) a private collection agency acting under a court order, warrant, or subpoena;
new text end

new text begin (5) any person or entity for the purposes of prescreening as provided for by the
federal Fair Credit Reporting Act;
new text end

new text begin (6) any person or entity administering a credit file monitoring subscription service to
which the consumer has subscribed; and
new text end

new text begin (7) any person or entity for the purpose of providing a consumer with a copy of the
consumer's consumer report upon the consumer's request.
new text end

new text begin Subd. 7. new text end

new text begin Information to government agencies not affected. new text end

new text begin This section does
not prohibit a consumer reporting agency from furnishing to a governmental agency a
consumer's name, address, former address, places of employment, or former places of
employment.
new text end

new text begin Subd. 8. new text end

new text begin Fees. new text end

new text begin (a) A consumer reporting agency may charge a fee of $5 for placing,
temporarily lifting, or removing a security freeze unless:
new text end

new text begin (1) the consumer is a victim of identity theft as defined in subdivision 1, paragraph
(c); and
new text end

new text begin (2) the consumer provides the consumer reporting agency with a valid copy of a
police report or a police case number documenting the identity theft.
new text end

new text begin (b) In addition to the charge, if any, permitted under paragraph (a), a consumer
may be charged no more than $5 if the consumer fails to retain the original personal
identification number given to the consumer by the agency, but the consumer may not
be charged for a one-time reissue of the same or a new personal identification number.
The consumer may be charged no more than $5 for subsequent instances of loss of the
personal identification number.
new text end

Sec. 3.

new text begin [13C.017] SECURITY FREEZE; CHANGES TO INFORMATION;
WRITTEN CONFIRMATION REQUIRED.
new text end

new text begin If a security freeze is in place, a consumer reporting agency may not change any
of the following official information in a consumer report without sending a written
confirmation of the change to the consumer within 30 days of the change being posted
to the consumer's file: name, date of birth, Social Security number, and address.
Written confirmation is not required for technical modifications of a consumer's official
information, including name and street abbreviations, complete spellings, or transposition
of numbers or letters. In the case of an address change, the written confirmation shall be
sent to both the new address and to the former address.
new text end

Sec. 4.

new text begin [13C.018] SECURITY FREEZE; NOT APPLICABLE TO CERTAIN
CONSUMER REPORTING AGENCIES.
new text end

new text begin A consumer reporting agency is not required to place a security freeze in a
consumer report under section 13C.016 if it acts only as a reseller of credit information
by assembling and merging information contained in the database of another consumer
reporting agency or multiple consumer reporting agencies, and does not maintain a
permanent database of credit information from which new consumer reports are produced.
However, a consumer reporting agency must honor any security freeze placed on a
consumer report by another consumer reporting agency.
new text end

Sec. 5.

new text begin [13C.019] SECURITY FREEZE; EXEMPT ENTITIES.
new text end

new text begin The following entities are not required to place a security freeze on a consumer
report under section 13C.016:
new text end

new text begin (1) a check services or fraud prevention services company that issues reports on
incidents of fraud or authorizations for the purpose of approving or processing negotiable
instruments, electronic funds transfers, or similar methods of payments; and
new text end

new text begin (2) a deposit account information service company that issues reports regarding
account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative
information regarding a consumer, to inquiring banks or other financial institutions for
use only in reviewing a consumer request for a deposit account at the inquiring bank or
financial institution.
new text end

Sec. 6.

Minnesota Statutes 2004, section 138.17, subdivision 7, is amended to read:


Subd. 7.

Records management program.

A records management program for the
application of efficient and economical management methods to the creation, utilization,
maintenance, retention, preservation, and disposal of official records shall be administered
by the commissioner of administration with assistance from the director of the historical
society. The State Records Center which stores and services state records not in state
archives shall be administered by the commissioner of administration. The commissioner
of administration is empowered to (1) establish standards, procedures, and techniques for
effective management of government records, (2) make continuing surveys of paper work
operations, and (3) recommend improvements in current records management practices
including the use of space, equipment, and supplies employed in creating, maintaining,
preserving and disposing of government records. It shall be the duty of the head of each
state agency and the governing body of each county, municipality, and other subdivision
of government to cooperate with the commissioner in conducting surveys and to establish
and maintain an active, continuing program for the economical and efficient management
of the records of each agency, county, municipality, or other subdivision of government.
When requested by the commissioner, public officials shall assist in the preparation of
an inclusive inventory of records in their custody, to which shall be attached a schedule,
approved by the head of the governmental unit or agency having custody of the records
and the commissioner, establishing a time period for the retention or disposal of each
series of records. When the schedule is unanimously approved by the records disposition
panel, the head of the governmental unit or agency having custody of the records may
dispose of the type of records listed in the schedule at a time and in a manner prescribed in
the schedule for particular records which were created after the approval. A list of records
disposed of pursuant to this subdivision shall be maintained by the governmental unit or
agency. new text begin When records containing not public data as defined in section 13.02, subdivision
8a, are being disposed of under this subdivision, the records must be destroyed in a way
that prevents their contents from being determined.
new text end

Sec. 7.

Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 1, is
amended to read:


Subdivision 1.

Disclosure of personal information; notice required.

(a) Any
person or business that conducts business in this state, and that owns or licenses data that
includes personal information, shall disclose any breach of the security of the system
following discovery or notification of the breach in the security of the data to any resident
of this state whose unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay, consistent with the legitimate
needs of law enforcement, as provided in paragraph (c), or with any measures necessary
to determine the scope of the breach, identify the individuals affected, and restore the
reasonable integrity of the data system.

(b) Any person or business that maintains data that includes personal information
that the person or business does not own shall notify the owner or licensee of the
information of any breach of the security of the data immediately following discovery,
if the personal information was, or is reasonably believed to have been, acquired by
an unauthorized person.

(c) The notification required by this section may be delayed to a date certain if a law
enforcement agency affirmatively determines that the notification will impede a criminal
investigation.

(d) For purposes of this section, "breach of the security of the system" means
unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information maintained by the person or business.
Good faith acquisition of personal information by an employee or agent of the person or
business for the purposes of the person or business is not a breach of the security system,
provided that the personal information is not used or subject to further unauthorized
disclosure.

(e) For purposes of this section, "personal information" means an individual's first
name or first initial and last name in combination with any one or more of the following
data elements, when deleted text begin either the name or deleted text end the data deleted text begin elements deleted text end new text begin element new text end is not deleted text begin encrypted deleted text end new text begin secured
by encryption or another method of technology that makes electronic data unreadable or
unusable, or was secured and the encryption key, password, or other means necessary for
reading or using the data was also acquired
new text end :

(1) Social Security number;

(2) driver's license number or Minnesota identification card number; or

(3) account number or credit or debit card number, in combination with any required
security code, access code, or password that would permit access to an individual's
financial account.

(f) For purposes of this section, "personal information" does not include publicly
available information that is lawfully made available to the general public from federal,
state, or local government records.

(g) For purposes of this section, "notice" may be provided by one of the following
methods:

(1) written notice to the most recent available address the person or business has
in its records;

(2) electronic notice, if the deleted text begin notice provided deleted text end new text begin person's primary method of
communication with the individual is by electronic means, or if the notice provided
new text end is
consistent with the provisions regarding electronic records and signatures in United States
Code, title 15, section 7001; or

(3) substitute notice, if the person or business demonstrates that the cost of providing
notice would exceed $250,000, or that the affected class of subject persons to be notified
exceeds 500,000, or the person or business does not have sufficient contact information.
Substitute notice must consist of all of the following:

(i) e-mail notice when the person or business has an e-mail address for the subject
persons;

(ii) conspicuous posting of the notice on the Web site page of the person or business,
if the person or business maintains one; and

(iii) notification to major statewide media.

(h) Notwithstanding paragraph (g), a person or business that maintains its own
notification procedures as part of an information security policy for the treatment of
personal information and is otherwise consistent with the timing requirements of this
section, shall be deemed to be in compliance with the notification requirements of this
section if the person or business notifies subject persons in accordance with its policies in
the event of a breach of security of the system.

Sec. 8.

Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 4, is
amended to read:


Subd. 4.

Exemption.

This section does not apply to any "financial institution"
as defined by United States Code, title 15, section 6809(3) deleted text begin , and to entities subject to
the federal privacy and security regulations adopted under the federal Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191
deleted text end .

Sec. 9.

new text begin [325E.63] CREDIT ISSUED TO MINORS.
new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin (a) For purposes of this section, the terms defined in this
subdivision have the meanings given them.
new text end

new text begin (b) "Credit" means the right granted to a borrower to defer payment of a debt, to
incur debt and defer its payment, or to purchase property or services and defer payment.
Credit does not include an overdraft from a person's deposit account, whether through
a check, ATM withdrawal, debit card, or otherwise, that is not pursuant to a written
agreement to pay overdrafts with the right to defer payment of them.
new text end

new text begin (c) "Creditor" means a person or entity doing business in this state.
new text end

new text begin (d) "Guardian" means a guardian as defined under section 524.5-102, subdivision 5.
new text end

new text begin (e) "Minor" means an individual under the age of 18 years.
new text end

new text begin (f) "Parent" means a person who has legal and physical custody of a child.
new text end

new text begin Subd. 2. new text end

new text begin Prohibition on offering credit to minors. new text end

new text begin No creditor shall knowingly
offer or provide credit to a minor except at the request of the parent or guardian of the
minor, until the minor reaches the age of 18 years.
new text end

Sec. 10.

new text begin [325G.052] CREDIT CARD OFFERS AND SOLICITATIONS;
ADDRESS VERIFICATIONS.
new text end

new text begin (a) A credit card issuer that mails an offer or solicitation to receive a credit card and,
in response, receives a completed application for a credit card that lists an address that is
different from the address on the offer or solicitation shall verify the change of address
before issuing a credit card.
new text end

new text begin (b) Notwithstanding any other provision of law, a person to whom an offer or
solicitation to receive a credit card is made is not liable for the unauthorized use of a
credit card issued in response to that offer or solicitation if the credit card issuer does not
verify the change of address pursuant to paragraph (a) before the issuance of the credit
card, unless the credit card issuer proves that this person actually incurred the charge
on the credit card.
new text end

new text begin (c) When a credit card issuer receives a written or oral request for a change of the
cardholder's billing address and then receives a written or oral request for an additional
credit card within ten days after the requested address change, the credit card issuer shall
not mail the requested additional credit card to the new address or, alternatively, shall not
activate the requested additional credit card, unless the credit card issuer has verified the
change of address.
new text end

Sec. 11. new text begin ADMISSIBILITY OF EVIDENCE OF IDENTITY THEFT; REQUEST
TO SUPREME COURT.
new text end

new text begin The Minnesota Supreme Court is requested to consider amending its rules of
evidence to permit admission of business records, at least in civil and criminal cases
alleging identity theft, based upon an authenticating affidavit of the custodian of the
business records, rather than requiring the in-person authentication testimony of the
custodian of the business records. One model for such a rule is California Evidence Code,
sections 1560 to 1567.
new text end