KEY: stricken = removed, old language.  underscored = added, new language.

S.F. No. 2002, 4th Engrossment - 84th Legislative Session (2005-2006)   Posted on May 20, 2006

1.1                                        A bill for an act
1.2     relating to consumer protection; regulating security freezes on a consumer's 
1.3     credit report; providing protections against identity theft; providing for the 
1.4     adequate destruction of personal records and data; regulating data warehouses; 
1.5     modifying notice requirements; regulating credit issued to minors; regulating 
1.6     credit card offers and solicitations; amending Minnesota Statutes 2004, 
1.7     sections 13.05, subdivision 5; 138.17, subdivision 7; Minnesota Statutes 2005 
1.8     Supplement, section 325E.61, subdivisions 1, 4; proposing coding for new law 
1.9     in Minnesota Statutes, chapters 13C; 325E; 325G.

1.11        Section 1. Minnesota Statutes 2004, section 13.05, subdivision 5, is amended to read:
1.12        Subd. 5. Data protection. (a) The responsible authority shall (1) establish 
1.13    procedures to assure that all data on individuals is accurate, complete, and current for the 
1.14    purposes for which it was collected; and (2) establish appropriate security safeguards for 
1.15    all records containing data on individuals.
1.16    (b) When not public data is being disposed of, the data must be destroyed in a way 
1.17    that prevents its contents from being determined.

1.18        Sec. 2. [13C.016] CONSUMER SECURITY FREEZE.
1.19        Subdivision 1. Definitions. (a) For purposes of this section and sections 13C.017 to 
1.20    13C.019, the terms defined in this section have the meanings given. 
1.21    (b) "Security freeze" means a notice placed in a consumer's consumer report, at the 
1.22    request of the consumer and subject to certain exceptions, that prohibits the consumer 
1.23    reporting agency from releasing the consumer report or any information from it, in 
1.24    connection with the extension of credit or the opening of a new account, without the 
1.25    express authorization of the consumer. If a security freeze is in place, information from 
2.1     a consumer's consumer report may not be released to a third party, in connection with 
2.2     the extension of credit or the opening of an account, without prior express authorization 
2.3     from the consumer. This paragraph does not prevent a consumer reporting agency from 
2.4     advising a third party that a security freeze is in effect with respect to the consumer report.
2.5     (c) "Victim of identity theft" means a consumer who has a copy of a valid police 
2.6     report evidencing that the consumer has alleged to be a victim of identity theft as defined 
2.7     in section 609.527.
2.8         Subd. 2. Right to obtain security freeze. A consumer may elect to place a security 
2.9     freeze on the consumer's consumer report by making a request to a consumer reporting 
2.10    agency. The consumer may make the request:
2.11    (1) by certified mail;
2.12    (2) by telephone by providing certain personal identification required by the 
2.13    consumer reporting agency; or 
2.14    (3) directly to the consumer reporting agency through a secure electronic mail 
2.15    connection if the connection is made available by the consumer reporting agency.
2.16        Subd. 3. Response of consumer reporting agency. (a) A consumer reporting 
2.17    agency shall place a security freeze on a consumer's consumer report no later than three 
2.18    business days after receiving a request under subdivision 2 from the consumer.
2.19    (b) The consumer reporting agency, within ten business days after receiving the 
2.20    request, shall send a written confirmation of the security freeze to the consumer and 
2.21    provide the consumer with a unique personal identification number or password to be used 
2.22    by the consumer when providing authorization for the release of the consumer's consumer 
2.23    report for a specific party or period of time.
2.24    (c) When a consumer requests a security freeze, the consumer reporting agency shall 
2.25    disclose the process of placing and temporarily lifting a freeze, including the process for 
2.26    allowing access to information from the consumer's consumer report for a specific party 
2.27    or period of time while the freeze is in place.
2.28        Subd. 4. Temporary lifting or permanent removal of the freeze. (a) If the 
2.29    consumer wishes to allow the consumer's consumer report to be accessed for a specific 
2.30    party or period of time while a freeze is in place, the consumer shall contact the consumer 
2.31    reporting agency, request that the freeze be temporarily lifted, and provide the following:
2.32    (1) proper identification, which means that information generally deemed sufficient 
2.33    to identify a person. Only if the consumer is unable to sufficiently provide self-identifying 
2.34    information may a consumer reporting agency require additional information concerning 
2.35    the consumer's employment and personal or family history in order to verify the 
2.36    consumer's identity;
3.1     (2) the unique personal identification number or password provided by the credit 
3.2     reporting agency under subdivision 3, paragraph (b); and
3.3     (3) the proper information regarding the third party who is to receive the consumer 
3.4     report or the time period for which the report is to be available to users of the consumer 
3.5     report.
3.6     (b) A consumer reporting agency that receives a request from a consumer to 
3.7     temporarily lift a freeze on a consumer report under paragraph (a) shall comply with the 
3.8     request no later than three business days after receiving the request.
3.9     (c) A consumer reporting agency may develop procedures involving the use of 
3.10    telephone, fax, the Internet, or other electronic media to receive and process a request from 
3.11    a consumer to temporarily lift a freeze on a consumer report under paragraph (a) in an 
3.12    expedited manner, with the goal of processing a request within 15 minutes after the request.
3.13    (d) A consumer reporting agency shall remove or temporarily lift a freeze placed on 
3.14    a consumer report only in the following cases:
3.15    (1) upon consumer request under paragraph (a) or (e); or
3.16    (2) when the consumer report was frozen due to a material misrepresentation of 
3.17    fact by the consumer. When a consumer reporting agency intends to remove a freeze 
3.18    on a consumer report under this clause, the consumer reporting agency shall notify the 
3.19    consumer in writing three business days prior to removing the freeze on the consumer 
3.20    report.
3.21    (e) A security freeze remains in place until the consumer requests that the security 
3.22    freeze be removed. A consumer reporting agency shall remove a security freeze within 
3.23    three business days of receiving a request for removal from the consumer, who provides 
3.24    both of the following:
3.25    (1) proper identification, as defined in paragraph (a), clause (1); and
3.26    (2) the unique personal identification number or password referenced in paragraph 
3.27    (a), clause (2).
3.28        Subd. 5. Response by third party to denial of access. When a third party requests 
3.29    access to a consumer report on which a security freeze is in effect, and this request is in 
3.30    connection with an application for credit or the opening of an account and the consumer 
3.31    does not allow the consumer's consumer report to be accessed for that specific party or 
3.32    period of time, the third party may treat the application as incomplete.
3.33        Subd. 6. Nonapplicability. This section does not apply to the use of a consumer 
3.34    report by any of the following:
3.35    (1) a person or entity, or a subsidiary, affiliate, or agent of that person or entity, or 
3.36    an assignee of a financial obligation owing by the consumer to that person or entity, or a 
4.1     prospective assignee of a financial obligation owing by the consumer to that person or 
4.2     entity in conjunction with the proposed purchase of the financial obligation, with which 
4.3     the consumer has or had prior to assignment an account or contract, including a demand 
4.4     deposit account, or to whom the consumer issued a negotiable instrument, for the purposes 
4.5     of reviewing the account or collecting the financial obligation owing for the account, 
4.6     contract, or negotiable instrument. For purposes of this clause, "reviewing the account" 
4.7     includes activities related to account maintenance, monitoring, credit line increases, and 
4.8     account upgrades and enhancements;
4.9     (2) a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to 
4.10    whom access has been granted under subdivision 4 for purposes of facilitating the 
4.11    extension of credit or other permissible use;
4.12    (3) any federal, state, or local governmental entity, including but not limited to a 
4.13    law enforcement agency, court, or its agents or assigns;
4.14    (4) a private collection agency acting under a court order, warrant, or subpoena;
4.15    (5) any person or entity for the purposes of prescreening as provided for by the 
4.16    federal Fair Credit Reporting Act;
4.17    (6) any person or entity administering a credit file monitoring subscription service to 
4.18    which the consumer has subscribed; and
4.19    (7) any person or entity for the purpose of providing a consumer with a copy of the 
4.20    consumer's consumer report upon the consumer's request.
4.21        Subd. 7. Information to government agencies not affected. This section does 
4.22    not prohibit a consumer reporting agency from furnishing to a governmental agency a 
4.23    consumer's name, address, former address, places of employment, or former places of 
4.24    employment.
4.25        Subd. 8. Fees. (a) A consumer reporting agency may charge a fee of $5 for placing, 
4.26    temporarily lifting, or removing a security freeze unless:
4.27    (1) the consumer is a victim of identity theft as defined in subdivision 1, paragraph 
4.28    (c); and 
4.29    (2) the consumer provides the consumer reporting agency with a valid copy of a 
4.30    police report or a police case number documenting the identity theft. 
4.31    (b) In addition to the charge, if any, permitted under paragraph (a), a consumer 
4.32    may be charged no more than $5 if the consumer fails to retain the original personal 
4.33    identification number given to the consumer by the agency, but the consumer may not 
4.34    be charged for a one-time reissue of the same or a new personal identification number. 
4.35    The consumer may be charged no more than $5 for subsequent instances of loss of the 
4.36    personal identification number.

5.3     If a security freeze is in place, a consumer reporting agency may not change any 
5.4     of the following official information in a consumer report without sending a written 
5.5     confirmation of the change to the consumer within 30 days of the change being posted 
5.6     to the consumer's file: name, date of birth, Social Security number, and address. 
5.7     Written confirmation is not required for technical modifications of a consumer's official 
5.8     information, including name and street abbreviations, complete spellings, or transposition 
5.9     of numbers or letters. In the case of an address change, the written confirmation shall be 
5.10    sent to both the new address and to the former address.

5.13    A consumer reporting agency is not required to place a security freeze in a 
5.14    consumer report under section 13C.016 if it acts only as a reseller of credit information 
5.15    by assembling and merging information contained in the database of another consumer 
5.16    reporting agency or multiple consumer reporting agencies, and does not maintain a 
5.17    permanent database of credit information from which new consumer reports are produced. 
5.18    However, a consumer reporting agency must honor any security freeze placed on a 
5.19    consumer report by another consumer reporting agency.

5.20        Sec. 5. [13C.019] SECURITY FREEZE; EXEMPT ENTITIES.
5.21    The following entities are not required to place a security freeze on a consumer 
5.22    report under section 13C.016:
5.23    (1) a check services or fraud prevention services company that issues reports on 
5.24    incidents of fraud or authorizations for the purpose of approving or processing negotiable 
5.25    instruments, electronic funds transfers, or similar methods of payments; and
5.26    (2) a deposit account information service company that issues reports regarding 
5.27    account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative 
5.28    information regarding a consumer, to inquiring banks or other financial institutions for 
5.29    use only in reviewing a consumer request for a deposit account at the inquiring bank or 
5.30    financial institution.

5.31        Sec. 6. Minnesota Statutes 2004, section 138.17, subdivision 7, is amended to read:
5.32        Subd. 7. Records management program. A records management program for the 
5.33    application of efficient and economical management methods to the creation, utilization, 
6.1     maintenance, retention, preservation, and disposal of official records shall be administered 
6.2     by the commissioner of administration with assistance from the director of the historical 
6.3     society. The State Records Center which stores and services state records not in state 
6.4     archives shall be administered by the commissioner of administration. The commissioner 
6.5     of administration is empowered to (1) establish standards, procedures, and techniques for 
6.6     effective management of government records, (2) make continuing surveys of paper work 
6.7     operations, and (3) recommend improvements in current records management practices 
6.8     including the use of space, equipment, and supplies employed in creating, maintaining, 
6.9     preserving and disposing of government records. It shall be the duty of the head of each 
6.10    state agency and the governing body of each county, municipality, and other subdivision 
6.11    of government to cooperate with the commissioner in conducting surveys and to establish 
6.12    and maintain an active, continuing program for the economical and efficient management 
6.13    of the records of each agency, county, municipality, or other subdivision of government. 
6.14    When requested by the commissioner, public officials shall assist in the preparation of 
6.15    an inclusive inventory of records in their custody, to which shall be attached a schedule, 
6.16    approved by the head of the governmental unit or agency having custody of the records 
6.17    and the commissioner, establishing a time period for the retention or disposal of each 
6.18    series of records. When the schedule is unanimously approved by the records disposition 
6.19    panel, the head of the governmental unit or agency having custody of the records may 
6.20    dispose of the type of records listed in the schedule at a time and in a manner prescribed in 
6.21    the schedule for particular records which were created after the approval. A list of records 
6.22    disposed of pursuant to this subdivision shall be maintained by the governmental unit or 
6.23    agency. When records containing not public data as defined in section 13.02, subdivision 
6.24    8a, are being disposed of under this subdivision, the records must be destroyed in a way 
6.25    that prevents their contents from being determined.

6.26        Sec. 7. Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 1, is 
6.27    amended to read:
6.28        Subdivision 1. Disclosure of personal information; notice required. (a) Any 
6.29    person or business that conducts business in this state, and that owns or licenses data that 
6.30    includes personal information, shall disclose any breach of the security of the system 
6.31    following discovery or notification of the breach in the security of the data to any resident 
6.32    of this state whose unencrypted personal information was, or is reasonably believed to 
6.33    have been, acquired by an unauthorized person. The disclosure must be made in the most 
6.34    expedient time possible and without unreasonable delay, consistent with the legitimate 
6.35    needs of law enforcement, as provided in paragraph (c), or with any measures necessary 
7.1     to determine the scope of the breach, identify the individuals affected, and restore the 
7.2     reasonable integrity of the data system.
7.3     (b) Any person or business that maintains data that includes personal information 
7.4     that the person or business does not own shall notify the owner or licensee of the 
7.5     information of any breach of the security of the data immediately following discovery, 
7.6     if the personal information was, or is reasonably believed to have been, acquired by 
7.7     an unauthorized person.
7.8     (c) The notification required by this section may be delayed to a date certain if a law 
7.9     enforcement agency affirmatively determines that the notification will impede a criminal 
7.10    investigation.
7.11    (d) For purposes of this section, "breach of the security of the system" means 
7.12    unauthorized acquisition of computerized data that compromises the security, 
7.13    confidentiality, or integrity of personal information maintained by the person or business. 
7.14    Good faith acquisition of personal information by an employee or agent of the person or 
7.15    business for the purposes of the person or business is not a breach of the security system, 
7.16    provided that the personal information is not used or subject to further unauthorized 
7.17    disclosure.
7.18    (e) For purposes of this section, "personal information" means an individual's first 
7.19    name or first initial and last name in combination with any one or more of the following 
7.20    data elements, when either the name or the data elements element is not encrypted secured 
7.21    by encryption or another method of technology that makes electronic data unreadable or 
7.22    unusable, or was secured and the encryption key, password, or other means necessary for 
7.23    reading or using the data was also acquired:
7.24    (1) Social Security number;
7.25    (2) driver's license number or Minnesota identification card number; or
7.26    (3) account number or credit or debit card number, in combination with any required 
7.27    security code, access code, or password that would permit access to an individual's 
7.28    financial account.
7.29    (f) For purposes of this section, "personal information" does not include publicly 
7.30    available information that is lawfully made available to the general public from federal, 
7.31    state, or local government records.
7.32    (g) For purposes of this section, "notice" may be provided by one of the following 
7.33    methods:
7.34    (1) written notice to the most recent available address the person or business has 
7.35    in its records;
8.1     (2) electronic notice, if the notice provided person's primary method of 
8.2     communication with the individual is by electronic means, or if the notice provided is 
8.3     consistent with the provisions regarding electronic records and signatures in United States 
8.4     Code, title 15, section 7001; or
8.5     (3) substitute notice, if the person or business demonstrates that the cost of providing 
8.6     notice would exceed $250,000, or that the affected class of subject persons to be notified 
8.7     exceeds 500,000, or the person or business does not have sufficient contact information. 
8.8     Substitute notice must consist of all of the following:
8.9     (i) e-mail notice when the person or business has an e-mail address for the subject 
8.10    persons;
8.11    (ii) conspicuous posting of the notice on the Web site page of the person or business, 
8.12    if the person or business maintains one; and
8.13    (iii) notification to major statewide media.
8.14    (h) Notwithstanding paragraph (g), a person or business that maintains its own 
8.15    notification procedures as part of an information security policy for the treatment of 
8.16    personal information and is otherwise consistent with the timing requirements of this 
8.17    section, shall be deemed to be in compliance with the notification requirements of this 
8.18    section if the person or business notifies subject persons in accordance with its policies in 
8.19    the event of a breach of security of the system.

8.20        Sec. 8. Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 4, is 
8.21    amended to read:
8.22        Subd. 4. Exemption. This section does not apply to any "financial institution" 
8.23    as defined by United States Code, title 15, section 6809(3), and to entities subject to 
8.24    the federal privacy and security regulations adopted under the federal Health Insurance 
8.25    Portability and Accountability Act of 1996, Public Law 104-191.

8.26        Sec. 9. [325E.63] CREDIT ISSUED TO MINORS.
8.27        Subdivision 1. Definitions. (a) For purposes of this section, the terms defined in this 
8.28    subdivision have the meanings given them.
8.29    (b) "Credit" means the right granted to a borrower to defer payment of a debt, to 
8.30    incur debt and defer its payment, or to purchase property or services and defer payment. 
8.31    Credit does not include an overdraft from a person's deposit account, whether through 
8.32    a check, ATM withdrawal, debit card, or otherwise, that is not pursuant to a written 
8.33    agreement to pay overdrafts with the right to defer payment of them.
8.34    (c) "Creditor" means a person or entity doing business in this state.
9.1     (d) "Guardian" means a guardian as defined under section 524.5-102, subdivision 5. 
9.2     (e) "Minor" means an individual under the age of 18 years. 
9.3     (f) "Parent" means a person who has legal and physical custody of a child. 
9.4         Subd. 2. Prohibition on offering credit to minors. No creditor shall knowingly 
9.5     offer or provide credit to a minor except at the request of the parent or guardian of the 
9.6     minor, until the minor reaches the age of 18 years.

9.7         Sec. 10. [325G.052] CREDIT CARD OFFERS AND SOLICITATIONS; 
9.9     (a) A credit card issuer that mails an offer or solicitation to receive a credit card and, 
9.10    in response, receives a completed application for a credit card that lists an address that is 
9.11    different from the address on the offer or solicitation shall verify the change of address 
9.12    before issuing a credit card. 
9.13    (b) Notwithstanding any other provision of law, a person to whom an offer or 
9.14    solicitation to receive a credit card is made is not liable for the unauthorized use of a 
9.15    credit card issued in response to that offer or solicitation if the credit card issuer does not 
9.16    verify the change of address pursuant to paragraph (a) before the issuance of the credit 
9.17    card, unless the credit card issuer proves that this person actually incurred the charge 
9.18    on the credit card.  
9.19    (c) When a credit card issuer receives a written or oral request for a change of the 
9.20    cardholder's billing address and then receives a written or oral request for an additional 
9.21    credit card within ten days after the requested address change, the credit card issuer shall 
9.22    not mail the requested additional credit card to the new address or, alternatively, shall not 
9.23    activate the requested additional credit card, unless the credit card issuer has verified the 
9.24    change of address.

9.27    The Minnesota Supreme Court is requested to consider amending its rules of 
9.28    evidence to permit admission of business records, at least in civil and criminal cases 
9.29    alleging identity theft, based upon an authenticating affidavit of the custodian of the 
9.30    business records, rather than requiring the in-person authentication testimony of the 
9.31    custodian of the business records. One model for such a rule is California Evidence Code, 
9.32    sections 1560 to 1567.