Minnesota State Victim Resources:
This page, hosted by the Minnesota Office of Justice Programs, a Division of the Minnesota Department of Public Safety, includes a wealth of information, links, and resources, including:
- the Minnesota Identity Theft Road Map in English and in Spanish
- the Minnesota Identity Theft Toolkit
- the Minnesota Criminal Identity Theft Roadmap
- Identity Theft Victim Rights in Minnesota
- and much more!
Attorney General: 651-296-3353
Minnesota Bureau of Criminal Apprehension: 651-793-2400
Agencies that offer assistance to IDT victims:
- Anishinabe Legal Services, Inc.: 800-422-1335
- Central Minnesota Legal Services, Inc.: 612-334-5970
- Legal Aid Service of Northeastern Minnesota: 800-622-7266
- Legal Services of Northwest Minnesota Corporation: 800-450-8585
- Southern Minnesota Regional Legal Services, Inc.: 651-228-9823
Security Freeze Law:
All Minnesota consumers are allowed to place security freezes on their consumer credit reports to prevent new accounts from being opened in their names. Such a freeze enables the consumer to prevent anyone from looking at his/her credit file for the purpose of granting credit unless the consumer chooses to allow a particular business look at the information. To request a freeze, a consumer must request one in writing by certified mail; by telephone; or directly to the consumer reporting agency through a secure electronic mail connection if the connection is made available by the consumer reporting agency.
Consumer reporting agencies may charge a fee of $5 to place or temporarily lift a security freeze. However, victims of identity theft with a valid police report may not be charged. The reporting agency must place the freeze within three business days after receiving the request, and within ten days, must send a written confirmation of the freeze and provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his credit for a specific party or period of time.
Requests for a temporary unlocking of the freeze must be completed within three business days.
Statute: §13C.016: https://www.revisor.mn.gov/statutes/?id=13C.016
How to Place a Security Freeze: http://consumersunion.org/research/state_security_freeze_laws/#MN
Minnesota Identity Theft Freeze Law:
Mandatory Police Report Law for IDT Victims:
A person who has learned or reasonably suspects that he/she is a victim of identity theft may initiate a law enforcement investigation by contacting the local law enforcement agency that has jurisdiction where the person resides, regardless of where the crime may have occurred. The agency must prepare a police report of the matter, provide the complainant with a copy of that report, and may begin an investigation of the facts, or, if the suspected crime was committed in a different jurisdiction, refer the matter to the law enforcement agency where the suspected crime was committed for an investigation of the facts. If a law enforcement agency refers a report to the law enforcement agency where the crime was committed, it need not include the report as a crime committed in its jurisdiction for purposes of information that the agency is required to provide to the commissioner of public safety.
ID Theft Passport Law:
No State law at this time.
Other ID Theft Laws:
It is a crime for a person to transfer, possess, or use an identity that is not the person’s own, with the intent to commit, aid, or abet any unlawful activity. Unlawful activities include any felony violations and lesser offenses involving theft, forgery, fraud, or misrepresentation to a public official. An unlawful activity is not limited to illegal acts for financial gain. “Identity” is defined as any name, number, or data transmission that may be used, alone or in conjunction with any other information, to identify a specific individual, including:
- Name, Social Security number, date of birth, driver’s license, passport, employer or taxpayer identification number;
- Unique electronic identification number, address, account number, or routing code; or
- Telecommunication identification information or access device.
Identity theft penalties vary and are tied to the resulting loss or harm involved. The offense level correlates with the amount of loss incurred, the number of direct victims involved, or the related offense. The value of the money or property, as well as the number of direct or indirect victims, may be aggregated within any six-month period. Loss is defined as the value obtained and the expenses incurred as a result of the crime.
State law criminalizes the electronic use of a false pretense to obtain another’s identity, often referred to as “phishing.” “False pretense” is defined as “any false, fictitious, misleading, or fraudulent information or pretense or pretext depicting or including or deceptively similar to the name, logo, Web site address, e-mail address, postal address, telephone number, or any other identifying information of a business or organization or of a governmental agency, to which the user has no legitimate claim of right.” A crime is committed even if a person does not obtain or use another’s identity. It is not a defense that the violator did not obtain personal information from another person, or that the crime did not result in loss to another. Phishing is a felony, punishable by up to five years in prison and/or a $10,000 fine.
Identity theft crimes may be prosecuted in either the county where the offense occurred, or the county of residence or place of business of the victim. If the same person commits two or more offenses in two or more counties, he may be prosecuted for all the offenses in any of the counties where an offense occurred.
Statute: § 628.26: https://www.revisor.mn.gov/statutes/?id=628.26
For phishing offenses, the venue is also located in the county of residence of the person whose identity was obtained or sought. In a phishing scheme, a person’s identity might not be taken; it is the scheme to deceive a person into revealing personal information that is prosecuted.
Statute of Limitations:
The limitations period for prosecuting identity theft and phishing is three years from the commission of the offense, excluding any period of time during which the defendant does not reside in Minnesota.
Statute: § 628.26: https://www.revisor.mn.gov/statutes/?id=609.527
Identity theft victims are entitled to a mandatory restitution payment of at least $1000. Mandatory restitution allows victims to seek compensation from a defendant without providing detailed documentation of losses incurred. This addresses the problem that victims may have in accounting for intangible losses and expenses involved in clearing their records, such as filling out paperwork and making phone calls.
Victims are also entitled to free certified court documents, including copies of the complaint, the judgment of conviction, and the order setting forth the facts of the case, upon written request.
Criminal History Records:
If a person’s identity is stolen and used by a thief to avoid prosecution, the victim’s criminal history record may incorrectly reflect crimes committed by the identity thief. If an individual believes that his or her criminal history record is inaccurate or incomplete, the individual may notify the Bureau of Criminal Apprehension in writing and seek a correction. Upon receiving notice, the Bureau has 30 days to correct the data or notify the individual that the authority believes the information to be correct. Data that is successfully challenged must be completed, corrected, or destroyed by the agency that holds the data.
Statute: §13.04: https://www.revisor.mn.gov/statutes/?id=13.04
State law requires any person or business that conducts business in the state and that owns or licenses data that includes personal information to disclose any breach of the security of the system to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. A security breach occurs upon “unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity” of personal information maintained by the person or business. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.
Personal information means an individual’s first name or first initial and last name, in combination with any one or more of the following data elements, when the data elements is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired: Social Security number; driver’s license or Minnesota identification card number; or an account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial account. Publicly available information is not included. Notification can be provided to the affected persons by mail or e-mail. If the cost of providing regular notice would exceed $250,000, the amount of people to be notified exceeds 500,000, or the entity or business not have sufficient contact information, substitute notice may be provided. When substitute notice is used, it must consist of all of the following, as applicable: e-mail notice, conspicuous posting on the entity’s web site, and notification to major statewide media. In addition, if more than 500 people are to be notified, the national consumer reporting agencies must also be notified within 48 hours.
Statute: §325E.61: https://www.revisor.mn.gov/statutes/?id=325E.61
Starting August 1, 2008, certain retailers and other merchants will be liable to banks for costs associated with data breaches, including consumer notification and card replacement. This liability applies to entities that do not meet strict security standards regarding the amount of time they are allowed to retain information from credit or debit cards after transactions.
Statute: §325E.64: https://www.revisor.mn.gov/statutes/?id=325E.64
Driver’s Licenses & ID Cards:
It is a crime to control, possess, or use equipment or software designed to generate fraudulent drivers’ licenses and identification cards with the intent to manufacture, sell, issue, publish, or pass more than one fraudulent license or card. It is also a crime to manufacture or possess more than one fraudulent driver’s license or identification card with intent to sell. A first time offense under this section is a gross misdemeanor. A subsequent offense is a five-year felony offense subject to a $10,000 fine.
Statute: §609.652: https://www.revisor.mn.gov/statutes/?id=609.652
A person commits financial transaction fraud if he:
- Without the consent of the cardholder, and knowing that the cardholder has not given consent, uses or attempts to use a card to obtain the property of another, or a public assistance benefit issued for the use of another;
- Uses or attempts to use a card knowing it to be forged, false, fictitious, or obtained in fraudulently;
- Without the consent of the cardholder and knowing that the cardholder has not given consent, falsely alters, makes, or signs any written document pertaining to a card transaction to obtain or attempt to obtain the property of another; or
- Upon applying for a financial transaction card to an issuer, or for a public assistance benefit which is distributed by means of a financial transaction card, knowingly gives a false name or occupation; knowingly and substantially overvalues assets or substantially undervalues indebtedness for the purpose of inducing the issuer to issue a financial transaction card; or knowingly makes a false statement or representation for the purpose of inducing an issuer to issue a financial transaction card used to obtain a public assistance benefit.
Violations for these offenses are punished based on the value of the property the person obtained or attempted to obtain. The value of the transactions made or attempted within any six-month period may be aggregated and the defendant charged accordingly. When two or more offenses are committed by the same person in two or more counties, the accused may be prosecuted in any county in which one of the card transactions occurred for all of the transactions aggregated.
- Sells or transfers a card knowing that the cardholder and issuer have not authorized the person to whom the card is sold or transferred to use the card, or that the card is forged, false, fictitious, or was obtained fraudulently.
- Without a legitimate business purpose, and without the consent of the cardholders, receives or possesses, with intent to use, or with intent to sell or transfer two or more cards issued in the name of another, or two or more cards knowing the cards to be forged, false, fictitious, or obtained fraudulently.
These violations are punishable by up to three years in prison and/or a fine up to $5000.
Statute: §609.821: https://www.revisor.mn.gov/statutes/?id=609.821
State law prohibits merchants from retaining specific information drawn from the magnetic stripe of a credit or debit card, including the personal identification number or access code, after completion of a transaction. For debit card transactions, merchants would be prohibited from storing such information for longer than 48 hours after completion of a transaction. If the merchant violates these anti-storage prohibitions, a bank would have standing to sue the merchant to recover “the cost of reasonable actions undertaken” to respond to any security breach, including the costs of cancelling and reissuing credit cards, closing and/or reopening accounts, stop-payment actions, unauthorized transaction reimbursements, and the providing of breach notification to account holders.
Statute: §325E.64: https://www.revisor.mn.gov/statutes/?id=325E.64
Social Security Numbers:
State law places limits on the use and dissemination of Social Security numbers (SSNs). The law prohibits a person or an entity (excluding government entities but including Minnesota state colleges and universities) from:
- Publicly posting or publicly displaying, defined as intentionally communicating or otherwise making available to the general public, in any manner an individual’s SSN;
- Printing an individual’s SSN on any card required to access products or services provided by the person or business;
- Requiring an individual to transmit his SSN over the Internet, unless the connection is secure or the Social Security number is encrypted;
- Requiring an individual to use his SSN to access an Internet website, unless a password or unique personal identification number or other authentication device is also required.
- Printing an individual’s SSN on any materials that are mailed to the individual, unless state or federal law requires the number to be on the document to be mailed.
- Assigning or using a number as the primary account identifier that is identical to or incorporates an individual’s complete SSN;
- Selling SSNs obtained from individuals in the courts of business.
- Restricting access to individual SSNs it holds so that only employees who require the numbers in order to perform their job duties have access to the numbers.
- However, if a business or government agency has previously used an individual’s SSN in a manner inconsistent with these provisions prior to July 1, 2007, it may continue using the SSN if the following conditions are met:
- The use of the SSN must be continuous. If its use is stopped for any reason, the provisions will apply.The individual is provided an annual disclosure that informs him/her that he/she has the right to stop the use of his or her Social Security number in a manner prohibited by the law.
- A written request by an individual to stop the use of his or her Social Security number is implemented within 30 days of the receipt of the request. There may not be a fee or charge for implementing the request.
- The business does not deny services to an individual because the individual makes a written request pursuant to this subsection.
Statute: §325E.59: https://www.revisor.mn.gov/statutes/?id=325E.59