Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

Office of the Revisor of Statutes

Key: (1) language to be deleted (2) new language

CHAPTER 233--S.F.No. 2002

An act

relating to consumer protection; regulating security freezes on a consumer's credit report; providing protections against identity theft; providing for the adequate destruction of personal records and data; regulating data warehouses; modifying notice requirements; regulating credit issued to minors; regulating credit card offers and solicitations;

amending Minnesota Statutes 2004, sections 13.05, subdivision 5; 138.17, subdivision 7; Minnesota Statutes 2005 Supplement, section 325E.61, subdivisions 1, 4; proposing coding for new law in Minnesota Statutes, chapters 13C; 325E; 325G.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2004, section 13.05, subdivision 5, is amended to read:

Subd. 5.

Data protection.

new text begin (a)new text end The responsible authority shall (1) establish procedures to assure that all data on individuals is accurate, complete, and current for the purposes for which it was collected; and (2) establish appropriate security safeguards for all records containing data on individuals.

new text begin (b) When not public data is being disposed of, the data must be destroyed in a way that prevents its contents from being determined. new text end

Sec. 2.

new text begin [13C.016] CONSUMER SECURITY FREEZE. new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin (a) For purposes of this section and sections 13C.017 to 13C.019, the terms defined in this section have the meanings given. new text end

new text begin (b) "Security freeze" means a notice placed in a consumer's consumer report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing the consumer report or any information from it, in connection with the extension of credit or the opening of a new account, without the express authorization of the consumer. If a security freeze is in place, information from a consumer's consumer report may not be released to a third party, in connection with the extension of credit or the opening of an account, without prior express authorization from the consumer. This paragraph does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer report. new text end

new text begin (c) "Victim of identity theft" means a consumer who has a copy of a valid police report evidencing that the consumer has alleged to be a victim of identity theft as defined in section 609.527. new text end

new text begin Subd. 2. new text end

new text begin Right to obtain security freeze. new text end

new text begin A consumer may elect to place a security freeze on the consumer's consumer report by making a request to a consumer reporting agency. The consumer may make the request: new text end

new text begin (1) by certified mail; new text end

new text begin (2) by telephone by providing certain personal identification required by the consumer reporting agency; or new text end

new text begin (3) directly to the consumer reporting agency through a secure electronic mail connection if the connection is made available by the consumer reporting agency. new text end

new text begin Subd. 3. new text end

new text begin Response of consumer reporting agency. new text end

new text begin (a) A consumer reporting agency shall place a security freeze on a consumer's consumer report no later than three business days after receiving a request under subdivision 2 from the consumer. new text end

new text begin (b) The consumer reporting agency, within ten business days after receiving the request, shall send a written confirmation of the security freeze to the consumer and provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of the consumer's consumer report for a specific party or period of time. new text end

new text begin (c) When a consumer requests a security freeze, the consumer reporting agency shall disclose the process of placing and temporarily lifting a freeze, including the process for allowing access to information from the consumer's consumer report for a specific party or period of time while the freeze is in place. new text end

new text begin Subd. 4. new text end

new text begin Temporary lifting or permanent removal of the freeze. new text end

new text begin (a) If the consumer wishes to allow the consumer's consumer report to be accessed for a specific party or period of time while a freeze is in place, the consumer shall contact the consumer reporting agency, request that the freeze be temporarily lifted, and provide the following: new text end

new text begin (1) proper identification, which means that information generally deemed sufficient to identify a person. Only if the consumer is unable to sufficiently provide self-identifying information may a consumer reporting agency require additional information concerning the consumer's employment and personal or family history in order to verify the consumer's identity; new text end

new text begin (2) the unique personal identification number or password provided by the credit reporting agency under subdivision 3, paragraph (b); and new text end

new text begin (3) the proper information regarding the third party who is to receive the consumer report or the time period for which the report is to be available to users of the consumer report. new text end

new text begin (b) A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a consumer report under paragraph (a) shall comply with the request no later than three business days after receiving the request. new text end

new text begin (c) A consumer reporting agency may develop procedures involving the use of telephone, fax, the Internet, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a consumer report under paragraph (a) in an expedited manner, with the goal of processing a request within 15 minutes after the request. new text end

new text begin (d) A consumer reporting agency shall remove or temporarily lift a freeze placed on a consumer report only in the following cases: new text end

new text begin (1) upon consumer request under paragraph (a) or (e); or new text end

new text begin (2) when the consumer report was frozen due to a material misrepresentation of fact by the consumer. When a consumer reporting agency intends to remove a freeze on a consumer report under this clause, the consumer reporting agency shall notify the consumer in writing three business days prior to removing the freeze on the consumer report. new text end

new text begin (e) A security freeze remains in place until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both of the following: new text end

new text begin (1) proper identification, as defined in paragraph (a), clause (1); and new text end

new text begin (2) the unique personal identification number or password referenced in paragraph (a), clause (2). new text end

new text begin Subd. 5. new text end

new text begin Response by third party to denial of access. new text end

new text begin When a third party requests access to a consumer report on which a security freeze is in effect, and this request is in connection with an application for credit or the opening of an account and the consumer does not allow the consumer's consumer report to be accessed for that specific party or period of time, the third party may treat the application as incomplete. new text end

new text begin Subd. 6. new text end

new text begin Nonapplicability. new text end

new text begin This section does not apply to the use of a consumer report by any of the following: new text end

new text begin (1) a person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument. For purposes of this clause, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements; new text end

new text begin (2) a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subdivision 4 for purposes of facilitating the extension of credit or other permissible use; new text end

new text begin (3) any federal, state, or local governmental entity, including but not limited to a law enforcement agency, court, or its agents or assigns; new text end

new text begin (4) a private collection agency acting under a court order, warrant, or subpoena; new text end

new text begin (5) any person or entity for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act; new text end

new text begin (6) any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed; and new text end

new text begin (7) any person or entity for the purpose of providing a consumer with a copy of the consumer's consumer report upon the consumer's request. new text end

new text begin Subd. 7. new text end

new text begin Information to government agencies not affected. new text end

new text begin This section does not prohibit a consumer reporting agency from furnishing to a governmental agency a consumer's name, address, former address, places of employment, or former places of employment. new text end

new text begin Subd. 8. new text end

new text begin Fees. new text end

new text begin (a) A consumer reporting agency may charge a fee of $5 for placing, temporarily lifting, or removing a security freeze unless: new text end

new text begin (1) the consumer is a victim of identity theft as defined in subdivision 1, paragraph (c); and new text end

new text begin (2) the consumer provides the consumer reporting agency with a valid copy of a police report or a police case number documenting the identity theft. new text end

new text begin (b) In addition to the charge, if any, permitted under paragraph (a), a consumer may be charged no more than $5 if the consumer fails to retain the original personal identification number given to the consumer by the agency, but the consumer may not be charged for a one-time reissue of the same or a new personal identification number. The consumer may be charged no more than $5 for subsequent instances of loss of the personal identification number. new text end

Sec. 3.

new text begin [13C.017] SECURITY FREEZE; CHANGES TO INFORMATION; WRITTEN CONFIRMATION REQUIRED. new text end

new text begin If a security freeze is in place, a consumer reporting agency may not change any of the following official information in a consumer report without sending a written confirmation of the change to the consumer within 30 days of the change being posted to the consumer's file: name, date of birth, Social Security number, and address. Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address. new text end

Sec. 4.

new text begin [13C.018] SECURITY FREEZE; NOT APPLICABLE TO CERTAIN CONSUMER REPORTING AGENCIES. new text end

new text begin A consumer reporting agency is not required to place a security freeze in a consumer report under section 13C.016 if it acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a permanent database of credit information from which new consumer reports are produced. However, a consumer reporting agency must honor any security freeze placed on a consumer report by another consumer reporting agency. new text end

Sec. 5.

new text begin [13C.019] SECURITY FREEZE; EXEMPT ENTITIES. new text end

new text begin The following entities are not required to place a security freeze on a consumer report under section 13C.016: new text end

new text begin (1) a check services or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments; and new text end

new text begin (2) a deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution. new text end

Sec. 6.

Minnesota Statutes 2004, section 138.17, subdivision 7, is amended to read:

Subd. 7.

Records management program.

A records management program for the application of efficient and economical management methods to the creation, utilization, maintenance, retention, preservation, and disposal of official records shall be administered by the commissioner of administration with assistance from the director of the historical society. The State Records Center which stores and services state records not in state archives shall be administered by the commissioner of administration. The commissioner of administration is empowered to (1) establish standards, procedures, and techniques for effective management of government records, (2) make continuing surveys of paper work operations, and (3) recommend improvements in current records management practices including the use of space, equipment, and supplies employed in creating, maintaining, preserving and disposing of government records. It shall be the duty of the head of each state agency and the governing body of each county, municipality, and other subdivision of government to cooperate with the commissioner in conducting surveys and to establish and maintain an active, continuing program for the economical and efficient management of the records of each agency, county, municipality, or other subdivision of government. When requested by the commissioner, public officials shall assist in the preparation of an inclusive inventory of records in their custody, to which shall be attached a schedule, approved by the head of the governmental unit or agency having custody of the records and the commissioner, establishing a time period for the retention or disposal of each series of records. When the schedule is unanimously approved by the records disposition panel, the head of the governmental unit or agency having custody of the records may dispose of the type of records listed in the schedule at a time and in a manner prescribed in the schedule for particular records which were created after the approval. A list of records disposed of pursuant to this subdivision shall be maintained by the governmental unit or agency.new text begin When records containing not public data as defined in section 13.02, subdivision 8a, are being disposed of under this subdivision, the records must be destroyed in a way that prevents their contents from being determined.new text end

Sec. 7.

Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 1, is amended to read:

Subdivision 1.

Disclosure of personal information; notice required.

(a) Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.

(b) Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed to a date certain if a law enforcement agency affirmatively determines that the notification will impede a criminal investigation.

(d) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that the personal information is not used or subject to further unauthorized disclosure.

(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when deleted text begin either the name ordeleted text end the data deleted text begin elementsdeleted text end new text begin elementnew text end is not deleted text begin encrypteddeleted text end new text begin secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquirednew text end :

(1) Social Security number;

(2) driver's license number or Minnesota identification card number; or

(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(g) For purposes of this section, "notice" may be provided by one of the following methods:

(1) written notice to the most recent available address the person or business has in its records;

(2) electronic notice, if the deleted text begin notice provideddeleted text end new text begin person's primary method of communication with the individual is by electronic means, or if the notice provided new text end is consistent with the provisions regarding electronic records and signatures in United States Code, title 15, section 7001; or

(3) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice must consist of all of the following:

(i) e-mail notice when the person or business has an e-mail address for the subject persons;

(ii) conspicuous posting of the notice on the Web site page of the person or business, if the person or business maintains one; and

(iii) notification to major statewide media.

(h) Notwithstanding paragraph (g), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

Sec. 8.

Minnesota Statutes 2005 Supplement, section 325E.61, subdivision 4, is amended to read:

Subd. 4.

Exemption.

This section does not apply to any "financial institution" as defined by United States Code, title 15, section 6809(3)deleted text begin , and to entities subject to the federal privacy and security regulations adopted under the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191deleted text end .

Sec. 9.

new text begin [325E.63] CREDIT ISSUED TO MINORS. new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin (a) For purposes of this section, the terms defined in this subdivision have the meanings given them. new text end

new text begin (b) "Credit" means the right granted to a borrower to defer payment of a debt, to incur debt and defer its payment, or to purchase property or services and defer payment. Credit does not include an overdraft from a person's deposit account, whether through a check, ATM withdrawal, debit card, or otherwise, that is not pursuant to a written agreement to pay overdrafts with the right to defer payment of them. new text end

new text begin (c) "Creditor" means a person or entity doing business in this state. new text end

new text begin (d) "Guardian" means a guardian as defined under section 524.5-102, subdivision 5. new text end

new text begin (e) "Minor" means an individual under the age of 18 years. new text end

new text begin (f) "Parent" means a person who has legal and physical custody of a child. new text end

new text begin Subd. 2. new text end

new text begin Prohibition on offering credit to minors. new text end

new text begin No creditor shall knowingly offer or provide credit to a minor except at the request of the parent or guardian of the minor, until the minor reaches the age of 18 years. new text end

Sec. 10.

new text begin [325G.052] CREDIT CARD OFFERS AND SOLICITATIONS; ADDRESS VERIFICATIONS. new text end

new text begin (a) A credit card issuer that mails an offer or solicitation to receive a credit card and, in response, receives a completed application for a credit card that lists an address that is different from the address on the offer or solicitation shall verify the change of address before issuing a credit card. new text end

new text begin (b) Notwithstanding any other provision of law, a person to whom an offer or solicitation to receive a credit card is made is not liable for the unauthorized use of a credit card issued in response to that offer or solicitation if the credit card issuer does not verify the change of address pursuant to paragraph (a) before the issuance of the credit card, unless the credit card issuer proves that this person actually incurred the charge on the credit card. new text end

new text begin (c) When a credit card issuer receives a written or oral request for a change of the cardholder's billing address and then receives a written or oral request for an additional credit card within ten days after the requested address change, the credit card issuer shall not mail the requested additional credit card to the new address or, alternatively, shall not activate the requested additional credit card, unless the credit card issuer has verified the change of address. new text end

Sec. 11.

new text begin ADMISSIBILITY OF EVIDENCE OF IDENTITY THEFT; REQUEST TO SUPREME COURT. new text end

new text begin The Minnesota Supreme Court is requested to consider amending its rules of evidence to permit admission of business records, at least in civil and criminal cases alleging identity theft, based upon an authenticating affidavit of the custodian of the business records, rather than requiring the in-person authentication testimony of the custodian of the business records. One model for such a rule is California Evidence Code, sections 1560 to 1567. new text end

Presented to the governor May 22, 2006

Signed by the governor May 30, 2006, 2:45 p.m.

Official Publication of the State of Minnesota
Revisor of Statutes