Minnesota Legislature

Office of the Revisor of Statutes

46A.01 DEFINITIONS.

Subdivision 1. Terms.

For the purposes of this chapter, the terms defined in this section have the meanings given them.

Subd. 2. Authorized user.

"Authorized user" means any employee, contractor, agent, or other person who: (1) participates in a financial institution's business operations; and (2) is authorized to access and use any of the financial institution's information systems and data.

Subd. 3. Commissioner.

"Commissioner" means the commissioner of commerce.

Subd. 4. Consumer.

(a) "Consumer" means an individual who obtains or has obtained from a financial institution a financial product or service that is used primarily for personal, family, or household purposes, or is used by the individual's legal representative. Consumer includes but is not limited to an individual who:

(1) applies to a financial institution for credit for personal, family, or household purposes, regardless of whether the credit is extended;

(2) provides nonpublic personal information to a financial institution in order to obtain a determination whether the individual qualifies for a loan used primarily for personal, family, or household purposes, regardless of whether the loan is extended;

(3) provides nonpublic personal information to a financial institution in connection with obtaining or seeking to obtain financial, investment, or economic advisory services, regardless of whether the financial institution establishes a continuing advisory relationship with the individual; or

(4) has a loan for personal, family, or household purposes in which the financial institution has ownership or servicing rights, even if the financial institution or one or more other institutions that hold ownership or servicing rights in conjunction with the financial institution hires an agent to collect on the loan.

(b) Consumer does not include an individual who:

(1) is a consumer of another financial institution that uses a different financial institution to act solely as an agent for, or provide processing or other services to, the consumer's financial institution;

(2) designates a financial institution solely for the purposes to act as a trustee for a trust;

(3) is the beneficiary of a trust for which the financial institution serves as trustee; or

(4) is a participant or a beneficiary of an employee benefit plan that the financial institution sponsors or for which the financial institution acts as a trustee or fiduciary.

Subd. 5. Continuing relationship.

(a) "Continuing relationship" means a consumer:

(1) has a credit or investment account with a financial institution;

(2) obtains a loan from a financial institution;

(3) purchases an insurance product from a financial institution;

(4) holds an investment product through a financial institution, including but not limited to when the financial institution acts as a custodian for securities or for assets in an individual retirement arrangement;

(5) enters into an agreement or understanding with a financial institution whereby the financial institution undertakes to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer;

(6) enters into a lease of personal property on a nonoperating basis with a financial institution;

(7) obtains financial, investment, or economic advisory services from a financial institution for a fee;

(8) becomes a financial institution's client to obtain tax preparation or credit counseling services from the financial institution;

(9) obtains career counseling while: (i) seeking employment with a financial institution or the finance, accounting, or audit department of any company; or (ii) employed by a financial institution or department of any company;

(10) is obligated on an account that a financial institution purchases from another financial institution, regardless of whether the account is in default when purchased, unless the financial institution does not locate the consumer or attempt to collect any amount from the consumer on the account;

(11) obtains real estate settlement services from a financial institution; or

(12) has a loan for which a financial institution owns the servicing rights.

(b) Continuing relationship does not include situations where:

(1) the consumer obtains a financial product or service from a financial institution only in isolated transactions, including but not limited to: (i) using a financial institution's automated teller machine to withdraw cash from an account at another financial institution; (ii) purchasing a money order from a financial institution; (iii) cashing a check with a financial institution; or (iv) making a wire transfer through a financial institution;

(2) a financial institution sells the consumer's loan and does not retain the rights to service the loan;

(3) a financial institution sells the consumer airline tickets, travel insurance, or traveler's checks in isolated transactions;

(4) the consumer obtains onetime personal or real property appraisal services from a financial institution; or

(5) the consumer purchases checks for a personal checking account from a financial institution.

Subd. 6. Customer.

"Customer" means a consumer who has a customer relationship with a financial institution.

Subd. 7. Customer information.

"Customer information" means any record containing nonpublic personal information about a financial institution's customer, whether the record is in paper, electronic, or another form, that is handled or maintained by or on behalf of the financial institution or the financial institution's affiliates.

Subd. 8. Customer relationship.

"Customer relationship" means a continuing relationship between a consumer and a financial institution under which the financial institution provides to the consumer one or more financial products or services that are used primarily for personal, family, or household purposes.

Subd. 9. Encryption.

"Encryption" means the transformation of data into a format that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.

Subd. 10. Federally insured depository financial institution.

"Federally insured depository financial institution" means a bank, credit union, savings and loan association, trust company, savings association, savings bank, industrial bank, or industrial loan company organized under the laws of the United States or any state of the United States, when the bank, credit union, savings and loan association, trust company, savings association, savings bank, industrial bank, or industrial loan company has federally insured deposits.

Subd. 11. Financial product or service.

"Financial product or service" means any product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the Bank Holding Company Act of 1956, United States Code, title 12, section 1843(k). Financial product or service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.

Subd. 12. Financial institution.

"Financial institution" means a consumer small loan lender under section 47.60, a person owning or maintaining electronic financial terminals under section 47.62, a trust company under chapter 48A, a loan and thrift company under chapter 53, a currency exchange under chapter 53A, a money transmitter under chapter 53B, a sales finance company under chapter 53C, a regulated loan lender under chapter 56, a residential mortgage originator or servicer under chapter 58, a student loan servicer under chapter 58B, a credit service organization under section 332.54, a debt management service provider or person providing debt management services under chapter 332A, or a debt settlement service provider or person providing debt settlement services under chapter 332B.

Subd. 13. Information security program.

"Information security program" means the administrative, technical, or physical safeguards a financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.

Subd. 14. Information system.

"Information system" means a discrete set of electronic information resources organized to collect, process, maintain, use, share, disseminate, or dispose of electronic information, as well as any specialized system, including but not limited to industrial process controls systems, telephone switching and private branch exchange systems, and environmental controls systems, that contains customer information or that is connected to a system that contains customer information.

Subd. 15. Multifactor authentication.

"Multifactor authentication" means authentication through verification of at least two of the following factors:

(1) knowledge factors, including but not limited to a password;

(2) possession factors, including but not limited to a token; or

(3) inherence factors, including but not limited to biometric characteristics.

Subd. 16. Nonpublic personal information.

(a) "Nonpublic personal information" means:

(1) personally identifiable financial information; or

(2) any list, description, or other grouping of consumers, including publicly available information pertaining to the list, description, or other grouping of consumers, that is derived using personally identifiable financial information that is not publicly available.

(b) Nonpublic personal information includes but is not limited to any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, including account numbers.

(c) Nonpublic personal information does not include:

(1) publicly available information, except as included on a list described in paragraph (a), clause (2);

(2) any list, description, or other grouping of consumers, including publicly available information pertaining to the list, description, or other grouping of consumers, that is derived without using any personally identifiable financial information that is not publicly available; or

(3) any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any individual on the list is the financial institution's consumer.

Subd. 17. Notification event.

"Notification event" means the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is considered unencrypted for purposes of this subdivision if the encryption key was accessed by an unauthorized person. Unauthorized acquisition is presumed to include unauthorized access to unencrypted customer information unless the financial institution has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of customer information.

Subd. 18. Penetration testing.

"Penetration testing" means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting to penetrate databases or controls from outside or inside a financial institution's information systems.

Subd. 19. Personally identifiable financial information.

(a) "Personally identifiable financial information" means any information:

(1) a consumer provides to a financial institution to obtain a financial product or service;

(2) about a consumer resulting from any transaction involving a financial product or service between a financial institution and a consumer; or

(3) a financial institution otherwise obtains about a consumer in connection with providing a financial product or service to the customer.

(b) Personally identifiable financial information includes:

(1) information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service;

(2) account balance information, payment history, overdraft history, and credit or debit card purchase information;

(3) the fact that an individual is or has been a financial institution's customer or has obtained a financial product or service from the financial institution;

(4) any information about a financial institution's consumer, if the information is disclosed in a manner that indicates that the individual is or has been the financial institution's consumer;

(5) any information that a consumer provides to a financial institution or that a financial institution or a financial institution's agent otherwise obtains in connection with collecting on or servicing a credit account;

(6) any information a financial institution collects through an Internet information collecting device from a web server; and

(7) information from a consumer report.

(c) Personally identifiable financial information does not include:

(1) a list of customer names and addresses for an entity that is not a financial institution; and

(2) information that does not identify a consumer, including but not limited to aggregate information or blind data that does not contain personal identifiers, including account numbers, names, or addresses.

Subd. 20. Publicly available information.

(a) "Publicly available information" means any information that a financial institution has a reasonable basis to believe is lawfully made available to the general public from:

(1) federal, state, or local government records;

(2) widely distributed media; or

(3) disclosures to the general public that are required under federal, state, or local law.

(b) Publicly available information includes but is not limited to:

(1) with respect to government records, information in government real estate records and security interest filings; and

(2) with respect to widely distributed media, information from a telephone book, a television or radio program, a newspaper, or a website that is available to the general public on an unrestricted basis. A website is not restricted merely because an Internet service provider or a site operator requires a fee or a password, provided that access is available to the general public.

(c) For purposes of this subdivision, a financial institution has a reasonable basis to believe that information is lawfully made available to the general public if the financial institution has taken steps to determine: (1) that the information is of the type that is available to the general public; and (2) whether an individual can direct that the information not be made available to the general public and, if so, that the financial institution's consumer has not directed that the information not be made available to the general public. A financial institution has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the financial institution determines the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded. A financial institution has a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if the financial institution has located the telephone number in the telephone book or the consumer has informed the financial institution that the telephone number is not unlisted.

Subd. 21. Qualified individual.

"Qualified individual" means the individual designated by a financial institution to oversee, implement, and enforce the financial institution's information security program.

Subd. 22. Security event.

"Security event" means an event resulting in unauthorized access to, or disruption or misuse of: (1) an information system or information stored on an information system; or (2) customer information held in physical form.

Subd. 23. Service provider.

"Service provider" means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through the service provider's provision of services directly to a financial institution that is subject to this chapter.

Official Publication of the State of Minnesota
Revisor of Statutes