relating to consumer protection; regulating security freezes on a consumer's credit report; providing protections against identity theft; providing for the adequate destruction of personal records and data; regulating data warehouses; modifying notice requirements; regulating credit issued to minors; regulating credit card offers and solicitations;
amending Minnesota Statutes 2004, sections 13.05, subdivision 5; 138.17, subdivision 7; Minnesota Statutes 2005 Supplement, section 325E.61, subdivisions 1, 4; proposing coding for new law in Minnesota Statutes, chapters 13C; 325E; 325G.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
The responsible authority shall (1) establish procedures to assure that all data on individuals is accurate, complete, and current for the purposes for which it was collected; and (2) establish appropriate security safeguards for all records containing data on individuals.
A records management program for the application of efficient and economical management methods to the creation, utilization, maintenance, retention, preservation, and disposal of official records shall be administered by the commissioner of administration with assistance from the director of the historical society. The State Records Center which stores and services state records not in state archives shall be administered by the commissioner of administration. The commissioner of administration is empowered to (1) establish standards, procedures, and techniques for effective management of government records, (2) make continuing surveys of paper work operations, and (3) recommend improvements in current records management practices including the use of space, equipment, and supplies employed in creating, maintaining, preserving and disposing of government records. It shall be the duty of the head of each state agency and the governing body of each county, municipality, and other subdivision of government to cooperate with the commissioner in conducting surveys and to establish and maintain an active, continuing program for the economical and efficient management of the records of each agency, county, municipality, or other subdivision of government. When requested by the commissioner, public officials shall assist in the preparation of an inclusive inventory of records in their custody, to which shall be attached a schedule, approved by the head of the governmental unit or agency having custody of the records and the commissioner, establishing a time period for the retention or disposal of each series of records. When the schedule is unanimously approved by the records disposition panel, the head of the governmental unit or agency having custody of the records may dispose of the type of records listed in the schedule at a time and in a manner prescribed in the schedule for particular records which were created after the approval. 
A list of records disposed of pursuant to this subdivision shall be maintained by the governmental unit or agency.
(a) Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.
(b) Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed to a date certain if a law enforcement agency affirmatively determines that the notification will impede a criminal investigation.
(d) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that the personal information is not used or subject to further unauthorized disclosure.
(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements is not encrypted:
(1) Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(g) For purposes of this section, "notice" may be provided by one of the following methods:
(1) written notice to the most recent available address the person or business has in its records;
(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures in United States Code, title 15, section 7001; or
(3) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice must consist of all of the following:
(i) e-mail notice when the person or business has an e-mail address for the subject persons;
(ii) conspicuous posting of the notice on the Web site page of the person or business, if the person or business maintains one; and
(iii) notification to major statewide media.
(h) Notwithstanding paragraph (g), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
This section does not apply to any "financial institution" as defined by United States Code, title 15, section 6809(3), and to entities subject to the federal privacy and security regulations adopted under the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
Presented to the governor May 22, 2006
Signed by the governor May 30, 2006, 2:45 p.m.