Minnesota Disclosure of Data Security Breach
Minn. Stat. § 13.055, § 13.09, § 325E.61, § 325E.64
SUMMARY:
EFFECTIVE. January 1, 2006
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in Minnesota and owns or licenses data that includes Personal Information; and (2) any person or entity maintaining data that includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security, integrity, or confidentiality of Personal Information maintained by a person or business. A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted or otherwise secured by any other method rendering the element unusable, or it was secured, and the encryption key or password was also acquired:
- Social Security Number.
- Driver’s license number or Minnesota identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Minnesota residents affected. If more than 500 individuals are involved in a breach, the person or business shall also notify within 48 hours all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a), of the timing, distribution, and content of the notices.
EXCEPTION. This Section does not apply to the following:
- This Section does not apply to any “financial institution” as defined by United States Code, Title 15, § 6809(3).
- A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected Minnesota individuals are notified by the person or business in accordance with its policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent following discovery of the breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the needs of law enforcement or with any measures necessary to determine the scope of the breach, to identify the individual affected, and to restore the reasonable integrity of the data system. Notification may be delayed to a specific date if a law enforcement agency determines that the notification will impede a criminal investigation.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if it is the primary means of communication or notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains data that includes Personal Information that it does not own, then the person or business shall notify the owner or licensee of the breach immediately upon discovery. The person or business that owns or licenses the data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The state Attorney General shall enforce violations of this Section.
PRIVATE RIGHT OF ACTION. Yes.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
H.F. 2121 – Signed into law on 6/2/2005, Effective 1/1/2006.
For more information, see:
- https://mn.gov/admin/data-practices/data/warnings/breaches/
- https://www.revisor.mn.gov/statutes/cite/325E.61
- https://www.revisor.mn.gov/statutes/cite/325E.64
- https://www.revisor.mn.gov/statutes/cite/13.055
- https://www.revisor.mn.gov/statutes/cite/13.09
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.