Turtle Mountain Law Library
Turtle Mountain Band of Chippewa Indians Tribal Code.

43.03.020 Regulation of Consumer Data

(a) All Personal Information that is collected from an applicant for a Covered Loan by any Regulated Entity acting in connection with a Covered Loan shall be deemed to have entered into Tribal Lands and is protected by this Code and Tribal Consumer Protection Laws. Such Personal Information is within the regulation of the Commission.

(b) All Personal Information shall be protected from corruption, unauthorized transfer, or unauthorized use with physical, contractual, electronic, and encryption security measures appropriate for the nature of the data.

(1) Licensees shall limit access to Personal Information to those Persons with a business need use or access such Personal Information.

(2) Licensees shall monitor access to Personal Information.

(3) Licensees shall destroy in a method appropriate for the nature of the data any Personal Information that does not have a business purpose.

(4) Licensees shall possess a data breach response and remediation plan appropriate for the nature of Personal Information it accesses.

(5) Licensees shall report to the Commission all discovered security breaches and unauthorized transfers as soon as possible, but not later than thirty (30) days after a breach or unauthorized transfer was discovered.

(6) Licensees shall implement data and record retention schedules based on industry-wide security protocols and retention periods required by applicable federal law (which may include federal tax law). Where not otherwise specified, records may generally be destroyed after five years.

(c) Regulated Entities that have consumer contact must disclose clearly and conspicuously to applicants for a Covered Loan that Personal Information is protected by this Code, Tribal Consumer Protection Laws, and any regulations promulgated hereunder.

(1) Regulated Entities that have consumer contact must accurately disclose clearly and conspicuously by any means to all Covered Loan applicants within 5 days of receiving the Covered Loan application the Regulated Entity's policies and practices regarding:

(A) disclosure of Personal Information to affiliated and nonaffiliated third parties for any purpose, including: marketing; furnishing information to consumer reporting agencies; servicing Covered Loans; first or third-party collecting of Covered Loans; or for any other purpose;

(B) consumers' ability to opt-out of Personal Information disclosures to third parties; and

(C) the process, if any, for communicating the preference to opt-out of such disclosures.

(2) Adherence to the policies and practices disclosed under this section 7.3(a) shall be warrantied on any contract for a Covered Loan, disclosed on any public internet site or other electronic media portal operated by applicable Persons, and shall be made available by electronic linking on any email communications to borrowers of Covered Loans.

(3) A Regulated Entity's or Service Provider's policies and practices related to Personal Information shall be warrantied and are a material term of any contract related to the provision of Covered Loans.

(4) Absent an express agreement providing otherwise, or as required by law, a Regulated Entity's or Service Provider's license to use Personal Information shall be rescinded upon the termination of any contract with a Licensee related to the provision of Covered Loans. It is not a violation for a Regulated Entity or Service Provider to keep data that cannot be reasonably returned or destroyed, so long as the data is protected by sufficient security and is not used or transferred to any Person.

(5) The Commission shall promulgate rules to regulate further the handling of Personal Information, data, and record retention.