Minnesota Disclosure of Data Security Breach (Minn. Stat. § 13.055, § 13.09, § 325E.61, § 325E.64)


 

SUMMARY:

EFFECTIVE.  January 1, 2006

WHO DOES THIS LAW APPLY TO.  (1) Any person or entity that conducts business in Minnesota and owns or licenses data that includes Personal Information; and (2) any person or entity maintaining data that includes Personal Information.

WHAT IS A BREACH.  Unauthorized acquisition of computerized data that compromises the security, integrity, or confidentiality of Personal Information maintained by a person or business.  A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.

WHAT IS PERSONAL INFORMATION.  An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted or otherwise secured by any other method rendering the element unusable, or it was secured, and the encryption key or password was also acquired:

  • Social Security Number.
  • Driver’s license number or Minnesota identification card number.
  • Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.

Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records.

WHO TO NOTIFY OF THE BREACH.  Notification of the breach must be sent to the Minnesota residents affected.  If more than 500 individuals are involved in a breach, the person or business shall also notify within 48 hours all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1681a), of the timing, distribution, and content of the notices.

EXCEPTION.  This Section does not apply to the following:

  • This Section does not apply to any “financial institution” as defined by United States Code, Title 15, § 6809(3).
  • A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected Minnesota individuals are notified by the person or business in accordance with its policies.

WHEN TO NOTIFY OF THE BREACH.  Notification must be sent following discovery of the breach.  The disclosure shall be made in the most expedient manner possible and without unreasonable delay consistent with the needs of law enforcement, or any measures necessary to determine the scope of the breach, to identify the individual affected and to restore the reasonable integrity of the data system. Notification may be delayed to a specific date if a law enforcement agency determines it will impede a criminal investigation.

HOW TO NOTIFY OF THE BREACH.  Notice may be provided by one of the following methods:

  • Written.
  • Electronic (if it is the primary means of communication or notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
  • Substitute notice as provided below.

SUBSTITUTE NOTICE AVAILABLE.  If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used.  Substitute notice shall consist of all of the following:

  • Email notice if the person or business has an Email address for the individual(s) subject to notice.
  • Conspicuous posting of the notice on the website of the person or business if one is maintained.
  • Notification to major statewide media.

NOTICE TO THIRD-PARTIES.  If a person or business maintains data that includes Personal Information that it does not own, then the person or business shall notify the owner or licensee of the breach immediately upon discovery.  The person or business that owns or licenses the data shall provide notice to the affected individual(s). 

CONSEQUENCES FOR FAILING TO NOTIFY.  The state Attorney General shall enforce violations of this Section.

PRIVATE RIGHT OF ACTION.  Yes.

REQUIREMENTS OF REASONABLE SECURITY MEASURES

DATA DISPOSAL PROVISIONS.  None.

LEGISLATIVE UPDATES.

H.F. 2121 – Signed into law on 6/2/2005, Effective 1/1/2006.

 

 

CITATION:


 

13.055 DISCLOSURE OF BREACH IN SECURITY; NOTIFICATION AND INVESTIGATION REPORT REQUIRED.

Subdivision 1. Definitions. For purposes of this section, the following terms have the meanings given to them.

(a) "Breach of the security of the data" means unauthorized acquisition of data maintained by a government entity that compromises the security and classification of the data. Good faith acquisition of or access to government data by an employee, contractor, or agent of a government entity for the purposes of the entity is not a breach of the security of the data, if the government data is not provided to or viewable by an unauthorized person, or accessed for a purpose not described in the procedures required by section 13.05, subdivision 5. For purposes of this paragraph, data maintained by a government entity includes data maintained by a person under a contract with the government entity that provides for the acquisition of or access to the data by an employee, contractor, or agent of the government entity.

(b) "Contact information" means either name and mailing address or name and e-mail address for each individual who is the subject of data maintained by the government entity.

(c) "Unauthorized acquisition" means that a person has obtained, accessed, or viewed government data without the informed consent of the individuals who are the subjects of the data or statutory authority and with the intent to use the data for nongovernmental purposes.

(d) "Unauthorized person" means any person who accesses government data without a work assignment that reasonably requires access, or regardless of the person's work assignment, for a purpose not described in the procedures required by section 13.05, subdivision 5.

 

Subd. 2. Notice to individuals; investigation report. (a) A government entity that collects, creates, receives, maintains, or disseminates private or confidential data on individuals must disclose any breach of the security of the data following discovery or notification of the breach. Written notification must be made to any individual who is the subject of the data and whose private or confidential data was, or is reasonably believed to have been, acquired by an unauthorized person and must inform the individual that a report will be prepared under paragraph (b), how the individual may obtain access to the report, and that the individual may request delivery of the report by mail or e-mail. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with (1) the legitimate needs of a law enforcement agency as provided in subdivision 3; or (2) any measures necessary to determine the scope of the breach and restore the reasonable security of the data.

(b) Notwithstanding section 13.15 or 13.37, upon completion of an investigation into any breach in the security of data and final disposition of any disciplinary action for purposes of section 13.43, including exhaustion of all rights of appeal under any applicable collective bargaining agreement, the responsible authority shall prepare a report on the facts and results of the investigation. If the breach involves unauthorized access to or acquisition of data by an employee, contractor, or agent of the government entity, the report must at a minimum include:

(1) a description of the type of data that were accessed or acquired;

(2) the number of individuals whose data was improperly accessed or acquired;

(3) if there has been final disposition of disciplinary action for purposes of section 13.43, the name of each employee determined to be responsible for the unauthorized access or acquisition, unless the employee was performing duties under chapter 5B; and

(4) the final disposition of any disciplinary action taken against each employee in response.

 

Subd. 3. Delayed notice. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede an active criminal investigation. The notification required by this section must be made after the law enforcement agency determines that it will not compromise the investigation.

 

Subd. 4. Method of notice. Notice under this section may be provided by one of the following methods:

(a) written notice by first class mail to each affected individual;

(b) electronic notice to each affected individual, if the notice provided is consistent with the provisions regarding electronic records and signatures as set forth in United States Code, title 15, section 7001; or

(c) substitute notice, if the government entity demonstrates that the cost of providing the written notice required by paragraph (a) would exceed $250,000, or that the affected class of individuals to be notified exceeds 500,000, or the government entity does not have sufficient contact information. Substitute notice consists of all of the following:

(i) e-mail notice if the government entity has an e-mail address for the affected individuals;

(ii) conspicuous posting of the notice on the website page of the government entity, if the government entity maintains a website; and

(iii) notification to major media outlets that reach the general public within the government entity's jurisdiction.

 

Subd. 5. Coordination with consumer reporting agencies. If the government entity discovers circumstances requiring notification under this section of more than 1,000 individuals at one time, the government entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in United States Code, title 15, section 1681a, of the timing, distribution, and content of the notices.

 

Subd. 6. Security assessments. At least annually, each government entity shall conduct a comprehensive security assessment of any personal information maintained by the government entity. For the purposes of this subdivision, personal information is defined under section 325E.61, subdivision 1, paragraphs (e) and (f).

 

Subd. 7. Access to data for audit purposes. Nothing in this section or section 13.05, subdivision 5, restricts access to not public data by the legislative auditor or state auditor in the performance of official duties.

History: 2005 c 163 s 21; 2005 c 167 s 1; 2006 c 212 art 1 s 17,24; 2006 c 233 s 7,8; 2014 c 284 s 2

 

13.09 PENALTIES.

(a) Any person who willfully violates the provisions of this chapter or any rules adopted under this chapter or whose conduct constitutes the knowing unauthorized acquisition of not public data, as defined in section 13.055, subdivision 1, is guilty of a misdemeanor.

(b) Willful violation of this chapter, including any action subject to a criminal penalty under paragraph (a), by any public employee constitutes just cause for suspension without pay or dismissal of the public employee.

History: 1974 c 479 s 6; 1975 c 401 s 6; 1976 c 239 s 6; 1981 c 311 s 39; 1982 c 545 s 24; 1985 c 298 s 7; 2014 c 284 s 3

 

 

DATA WAREHOUSES; DISCLOSURE OF PERSONAL INFORMATION

325E.61 DATA WAREHOUSES; NOTICE REQUIRED FOR CERTAIN DISCLOSURES.

Subdivision 1. Disclosure of personal information; notice required. (a) Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.

(b) Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section and section 13.055, subdivision 6, may be delayed to a date certain if a law enforcement agency affirmatively determines that the notification will impede a criminal investigation.

(d) For purposes of this section and section 13.055, subdivision 6, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that the personal information is not used or subject to further unauthorized disclosure.

(e) For purposes of this section and section 13.055, subdivision 6, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired:

(1) Social Security number;

(2) driver's license number or Minnesota identification card number; or

(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(f) For purposes of this section and section 13.055, subdivision 6, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(g) For purposes of this section and section 13.055, subdivision 6, "notice" may be provided by one of the following methods:

(1) written notice to the most recent available address the person or business has in its records;

(2) electronic notice, if the person's primary method of communication with the individual is by electronic means, or if the notice provided is consistent with the provisions regarding electronic records and signatures in United States Code, title 15, section 7001; or

(3) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice must consist of all of the following:

(i) e-mail notice when the person or business has an e-mail address for the subject persons;

(ii) conspicuous posting of the notice on the website page of the person or business, if the person or business maintains one; and

(iii) notification to major statewide media.

(h) Notwithstanding paragraph (g), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section and section 13.055, subdivision 6, shall be deemed to be in compliance with the notification requirements of this section and section 13.055, subdivision 6, if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

 

Subd. 2. Coordination with consumer reporting agencies. If a person discovers circumstances requiring notification under this section and section 13.055, subdivision 6, of more than 500 persons at one time, the person shall also notify, within 48 hours, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by United States Code, title 15, section 1681a, of the timing, distribution, and content of the notices.

 

Subd. 3. Waiver prohibited. Any waiver of the provisions of this section and section 13.055, subdivision 6, is contrary to public policy and is void and unenforceable.

 

Subd. 4. Exemption. This section and section 13.055, subdivision 6, do not apply to any "financial institution" as defined by United States Code, title 15, section 6809(3).

 

Subd. 5. [Renumbered 13.055, subd 6]

 

Subd. 6. Remedies and enforcement. The attorney general shall enforce this section and section 13.055, subdivision 6, under section 8.31.

History: 2005 c 167 s 1; 2006 c 212 art 1 s 17,24; 2006 c 233 s 7,8

 

 

ACCESS DEVICES

325E.64 ACCESS DEVICES; BREACH OF SECURITY.

Subdivision 1. Definitions. (a) For purposes of this section, the terms defined in this subdivision have the meanings given them.

(b) "Access device" means a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information which includes, but is not limited to, a credit card, debit card, or stored value card.

(c) "Breach of the security of the system" has the meaning given in section 325E.61, subdivision 1, paragraph (d).

(d) "Card security code" means the three-digit or four-digit value printed on an access device or contained in the microprocessor chip or magnetic stripe of an access device which is used to validate access device information during the authorization process.

(e) "Financial institution" means any office of a bank, bank and trust, trust company with banking powers, savings bank, industrial loan company, savings association, credit union, or regulated lender.

(f) "Microprocessor chip data" means the data contained in the microprocessor chip of an access device.

(g) "Magnetic stripe data" means the data contained in the magnetic stripe of an access device.

(h) "PIN" means a personal identification code that identifies the cardholder.

(i) "PIN verification code number" means the data used to verify cardholder identity when a PIN is used in a transaction.

(j) "Service provider" means a person or entity that stores, processes, or transmits access device data on behalf of another person or entity.

 

Subd. 2. Security or identification information; retention prohibited. No person or entity conducting business in Minnesota that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.

 

Subd. 3. Liability. Whenever there is a breach of the security of the system of a person or entity that has violated this section, or that person's or entity's service provider, that person or entity shall reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders, including but not limited to, any cost incurred in connection with:

(1) the cancellation or reissuance of any access device affected by the breach;

(2) the closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts;

(3) the opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach;

(4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach; and

(5) the notification of cardholders affected by the breach.

The financial institution is also entitled to recover costs for damages paid by the financial institution to cardholders injured by a breach of the security of the system of a person or entity that has violated this section. Costs do not include any amounts recovered from a credit card company by a financial institution. The remedies under this subdivision are cumulative and do not restrict any other right or remedy otherwise available to the financial institution.

History: 2007 c 108 s 1

 

Disclosure of Data Security Breach (Minnesota Statutes Sec. 325E.61, added by Laws of 2005, Chapter 167, approved June 2, 2005, effective January 1, 2006. Amended by Laws of 2006, Chapter 212, approved May 18, 2006, effective August 1, 2006 and Laws of 2006, Chapter 233, approved May 30, 2006, effective August 1, 2006.)

 

 

For more information, see:

  • https://mn.gov/admin/data-practices/data/warnings/breaches/
  • https://www.revisor.mn.gov/statutes/cite/325E.61
  • https://www.revisor.mn.gov/statutes/cite/325E.64
  • https://www.revisor.mn.gov/statutes/cite/13.055
  • https://www.revisor.mn.gov/statutes/cite/13.09

 

These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only.  No Claim to Original State Government Works.  This may not be the most recent version.  The State may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.