Bill Text: MN HF2253 | 2013-2014 | 88th Legislature | Introduced


Bill Title: Consumer protection; data breach notification regulated.

Sponsorship: Partisan Bill (Democrat 1)

Status: (Introduced - Dead) 2014-02-25 - Introduction and first reading, referred to Commerce and Consumer Protection Finance and Policy [HF2253 Detail]

Download: Minnesota-2013-HF2253-Introduced.html

A bill for an act

relating to consumer protection; regulating data breach notification; amending Minnesota Statutes 2012, section 325E.61.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

    Section 1. Minnesota Statutes 2012, section 325E.61, is amended to read:

325E.61 DATA WAREHOUSES; NOTICE REQUIRED FOR CERTAIN DISCLOSURES.

    Subdivision 1. Disclosure of personal information; notice required. (a) Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state individual whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system. All individuals whose unencrypted personal information has been breached under this paragraph must be notified that their unencrypted information has been compromised within 48 hours of discovery or notification of the breach.

(b) Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information within 48 hours of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section and section 13.055, subdivision 6, may be delayed to a date certain if a law enforcement agency affirmatively determines that the notification will impede a criminal investigation.

(d) For purposes of this section and section 13.055, subdivision 6, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that the personal information is not used or subject to further unauthorized disclosure.

(e) For purposes of this section and section 13.055, subdivision 6, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired:

(1) Social Security number;

(2) driver's license number or Minnesota identification card number; or

(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(f) For purposes of this section and section 13.055, subdivision 6, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(g) For purposes of this section and section 13.055, subdivision 6, "notice" may be provided by one of the following methods:

(1) written notice to the most recent available address the person or business has in its records;

(2) electronic notice, if the person's primary method of communication with the individual is by electronic means, or if the notice provided is consistent with the provisions regarding electronic records and signatures in United States Code, title 15, section 7001; or

(3) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice must consist of all of the following:

(i) e-mail notice when the person or business has an e-mail address for the subject persons;

(ii) conspicuous posting of the notice on the Web site page of the person or business, if the person or business maintains one; and

(iii) notification to major statewide media.

(h) Notwithstanding paragraph (g), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section and section 13.055, subdivision 6, shall be deemed to be in compliance with the notification requirements of this section and section 13.055, subdivision 6, if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

    Subd. 2. Coordination with consumer reporting agencies. If a person discovers circumstances requiring notification under this section and section 13.055, subdivision 6, of more than 500 persons at one time, the person shall also notify, within 48 hours, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by United States Code, title 15, section 1681a, of the timing, distribution, and content of the notices.

    Subd. 3. Waiver prohibited. Any waiver of the provisions of this section and section 13.055, subdivision 6, is contrary to public policy and is void and unenforceable.

    Subd. 4. Exemption. This section and section 13.055, subdivision 6, do not apply to any "financial institution" as defined by United States Code, title 15, section 6809(3).

    Subd. 6. Remedies and enforcement. The attorney general shall enforce this section and section 13.055, subdivision 6, under section 8.31.

    Subd. 7. Credit monitoring. A person or business required to give notice under this section must also make available, at no charge to the individual, one year of credit monitoring services to an individual whose unencrypted personal information has been, or is reasonably believed to have been, acquired by an unauthorized individual, group of individuals, or entity. This service must be available to the individual within 30 days of the breach.

    Subd. 8. Retailer breach. In the event that the person or business required to give notice under this section is a retailer or wholesaler of consumer goods or services, the person or business must provide each individual whose unencrypted personal information was breached a $100 gift card for future use, valid for at least one year.

    Subd. 9. Repayment of fees. A person or business that is subject to notice under this section due to a data breach must reimburse an individual who incurs any charges or fees as a consequence of the breach. Only those charges or fees not otherwise covered by law are reimbursable under this section.

EFFECTIVE DATE. This section is effective the day following final enactment.