Security Breach Policy in the State of Minnesota

February 24, 2022 | 4 minutes read
Security Breach Policy in the State of Minnesota

Minn. Stat. §§ 325E.61, 325E.64 is a security breach notification law that was passed in the U.S. state of Minnesota in 2006. The provisions set forth in Minn. Stat. §§ 325E.61, 325E.64 established the protocol that business entities within the state are required to follow in the event that a security breach occurs, which includes notifying all affected residents, as well as the three major credit reporting bureaus in the U.S., among others. Alternatively, the law also provides the Minnesota attorney general with the authority to impose sanctions and penalties against business entities within the state that are found to be in violation of the law.

How is a security breach defined under Minn. Stat. §§ 325E.61, 325E.64?

Under Minn. Stat. §§ 325E.61, 325E.64, a security breach is defined as “an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.” Conversely, the “good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used or subject to further unauthorized disclosure.” Moreover, as it pertains to the scope and applicability of the law, Minn. Stat. §§ 325E.61, 325E.64 applies to “any person or business that conducts business in MN, and that owns or licenses data that includes PI.”

What are the data breach notification requirements under Minn. Stat. §§ 325E.61, 325E.64?

Under Minn. Stat. §§ 325E.61, 325E.64, business entities that experience a security breach during the course of their operations are responsible for providing notification to all affected individuals or parties. These notifications must be provided to residents of the state without undue delay and in the most expedient manner possible. Furthermore, these notifications must provide residents with various details, including the categories of personal information that were compromised, as well as any steps that were taken to restore the integrity of the data system that sustained the security breach, among other things.

What personal information is protected under Minn. Stat. §§ 325E.61, 325E.64?

Under Minn. Stat. §§ 325E.61, 325E.64, the following categories of personal information are legally protected should a security breach occur, in combination with a Minnesota resident’s first name and first initial and last name, permitting these data elements have not been secured by encryption or another form of technology that would render the data elements unusable or unreadable:

What are the penalties for violating Minn. Stat. §§ 325E.61, 325E.64?

Individuals and businesses entities within the state of Minnesota that are found to be in violation of Minn. Stat. §§ 325E.61, 325E.64 are subject to a variety of penalties. More specifically, the law states that “a person or business is considered to be in violation if they fail to disclose a security breach or retain any access card transaction data for more than 48 hours after the transaction has been authorized. The attorney general is responsible for enforcing penalties to violators of under section 8.31, additional duties of the attorney general.” What’s more, Minn. Stat. §§ 325E.61, 325E.64 also provides residents of Minnesota with the private right of action to bring forth civil liability lawsuits against business entities that violate their rights under the law.

Minn. Stat. §§ 325E.61, 325E.64, in conjunction with numerous other state privacy laws that have been passed in Minnesota since the year 2006, ensure that residents of the state can enjoy a certain amount of legal protection as it relates to their personal data and information. While the categories of personal information that are covered under the law are somewhat minimal when compared to other state privacy laws around the country, the private right of action that is provided to Minnesota residents enables them to seek both compensation and justice should they feel that their rights have been infringed upon. As such, residents of the state can rest assured that they will have an avenue for recourse should their personal information be compromised during a security breach.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »