Minnesota Legislature

HF 1410

as introduced - 84th Legislature (2005 - 2006) Posted on 12/15/2009 12:00am

KEY: stricken = removed, old language.
underscored = added, new language.


A bill for an act
relating to consumer protection; requiring disclosure
to consumers of a breach in security by businesses
maintaining personal information in electronic form;
proposing coding for new law in Minnesota Statutes,
chapter 325G.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1. [325G.48] BUSINESS MAINTAINING COMPUTERIZED
DATA THAT INCLUDES PERSONAL INFORMATION; DISCLOSURE OF BREACH IN
SECURITY.

Subdivision 1. Definitions. For purposes of this
section, the terms defined in this subdivision have the meanings
given them.

(a) "Breach of the security of the system" means
unauthorized acquisition of computerized data that compromises
the security, confidentiality, or integrity of personal
information maintained by the person or business. Good faith
acquisition of personal information by an employee or agent of
the person or business for the purposes of the person or
business is not a breach of the security of the system, provided
that the personal information is not used or subject to further
unauthorized disclosure.

(b) "Personal information" means an individual's first name
or first initial and last name in combination with any one or
more of the following data elements, when either the name or the
data elements are not encrypted:

(1) Social Security number;

(2) driver's license number or Minnesota identification
card number; or

(3) account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account.

Personal information does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records.

Subd. 2. Notice to consumers. Any person or business
that conducts business in Minnesota, and that owns or licenses
computerized data that includes personal information, shall
disclose any breach of the security of the system following
discovery or notification of the breach in the security of the
data to any resident of Minnesota whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. The disclosure must be made
in the most expedient time possible and without unreasonable
delay, consistent with the legitimate needs of law enforcement,
as provided in subdivision 4, or any measures necessary to
determine the scope of the breach and restore the reasonable
integrity of the data system.

Subd. 3. Notice to owner or licensee of personal
information. Any person or business that maintains computerized data
that includes personal information that the person or business
does not own shall notify the owner or licensee of the
information of any breach of the security of the data
immediately following discovery, if the personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person.

Subd. 4. Delayed notice. The notification required by
this section may be delayed if a law enforcement agency
determines that the notification will impede a criminal
investigation. The notification required by this section must
be made after the law enforcement agency determines that it will
not compromise the investigation.

Subd. 5. Method of notice. Notice under this section may
be provided by one of the following methods:

(1) written notice;

(2) electronic notice, if the notice provided is consistent
with the provisions regarding electronic records and signatures
set forth in United States Code, title 15, section 7001;

(3) substitute notice, if the person or business
demonstrates that the cost of providing notice would exceed
$250,000, or that the affected class of subject persons to be
notified exceeds 500,000, or the person or business does not
have sufficient contact information. Substitute notice consists
of all of the following:

(i) e-mail notice when the person or business has an e-mail
address for the subject persons;

(ii) conspicuous posting of the notice on the Web site page
of the person or business, if the person or business maintains
one; and

(iii) notification to major statewide media.

Subd. 6. Alternate compliance. Notwithstanding
subdivision 5, a person or business that maintains its own
notification procedures as part of an information security
policy for the treatment of personal information and is
otherwise consistent with the timing requirements of this
section, is considered to be in compliance with the notification
requirements of this section if the person or business notifies
subject persons in accordance with its policies in the event of
a breach of security of the system.