Minnesota Breach Law Amendment Bill Would Require Notice Within 48 Hours

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Feb. 28 --A Minnesota House bill ( H.F. 2253 ) introduced Feb. 25 would amend the state's breach notification statute to require all covered entities that face a breach to notify affected individuals within 48 hours of discovering the breach.  

The bill would also require companies to provide one year of free credit monitoring services to affected individuals.

Sponsor Rep. Dan Schoen (DFL) said he authored the bill in response to the breach of credit card and other personal data of millions of customers of Minneapolis-based retailer Target Corp. (13 PVLR 61, 1/13/14).

“Target was not entirely forthright with their problems and the extent of the data breach, causing great uncertainly among consumers. Often these breaches aren't detected or revealed for months, putting consumers at greater risk,” Schoen said in a Feb. 18 statement.

“While Target did the right thing in providing credit reporting services to those who requested it, we need to require companies that make these mistakes to help the people whose private data they exposed. Schoen said.

The bill was referred to the House Commerce and Consumer Protection Finance and Policy Committee, which held a hearing Feb. 25 on the Target breach.

Meanwhile, in California, a new bill would mandate the implementation of more secure payment card technology.

Expands Those Requiring Notice

The proposed law would change the notice statute to require notification of “individuals” affected by the breach rather than just “state residents.”

Under Minnesota H.F. 2253, individuals whose personal information was breached by retailers would be entitled to a $100 gift card valid for one year from the retailer.

The bill would require covered entities facing a breach to reimburse affected individuals for any fees charged in relation to the breach.

In 2005, Minnesota became the eighth state to enact a data breach notice law (4 PVLR 757, 6/13/05). Forty-six states and the District of Columbia now have breach notice laws.

California Chip and PIN Bill

In California, a bill (S.B. 1351) introduced Feb. 21 would require payment card companies to adopt more secure technology.

Introduced by Sen. Jerry Hill (D), the bill would require banks, credit unions and other financial institutions that issue credit or debit cards to only issue cards that include an embedded microchip that contain personal data and require customers to input a personal identification number at the point of sale (POS) to complete a transaction.

The bill would also require that retailers put in place POS card readers that accept either a magnetic stripe swipe transaction or a chip and PIN transaction.

Under S.B. 1351, covered entities would have to begin using chip and PIN technology by Oct. 1, 2015.

Financial institutions are already mostly on track to meet that same deadline, set by MasterCard, Visa and American Express Co., to begin using chip and PIN cards, the California Bankers Association told a California Assembly oversight panel Feb. 18 (13 PVLR 320, 2/24/14).

Minnesota: Full text of H.F. 2253, as introduced, is available at http://op.bna.com/pl.nsf/r?Open=dapn-9gps5h.

California:S.B. 1351, as introduced, is available at http://www.leginfo.ca.gov/pub/13-14/bill/sen/sb_1351-1400/sb_1351_bill_20140221_introduced.pdf.

Request Bloomberg Law Privacy and Data Security