Security Breach Policy in the State of Minnesota
Minn. Stat. §§ 325E.61, 325E.64 is a security breach notification law that was passed in the U.S. state of Minnesota in 2006. The provisions set forth in Minn. Stat. §§ 325E.61, 325E.64 established the protocol that business entities within the state are required to follow in the event that a security breach occurs, which includes notifying all affected residents, as well as the three major credit reporting bureaus in the U.S., among others. Alternatively, the law also provides the Minnesota attorney general with the authority to impose sanctions and penalties against business entities within the state that are found to be in violation of the law.
How is a security breach defined under Minn. Stat. §§ 325E.61, 325E.64?
Under Minn. Stat. §§ 325E.61, 325E.64, a security breach is defined as “an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.” Conversely, the “good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used or subject to further unauthorized disclosure.” Moreover, as it pertains to the scope and applicability of the law, Minn. Stat. §§ 325E.61, 325E.64 applies to “any person or business that conducts business in MN, and that owns or licenses data that includes PI.”
What are the data breach notification requirements under Minn. Stat. §§ 325E.61, 325E.64?
Under Minn. Stat. §§ 325E.61, 325E.64, business entities that experience a security breach during the course of their operations are responsible for providing notification to all affected individuals or parties. These notifications must be provided to residents of the state without undue delay and in the most expedient manner possible. Furthermore, these notifications must provide residents with various details, including the categories of personal information that were compromised, as well as any steps that were taken to restore the integrity of the data system that sustained the security breach, among other things.
What personal information is protected under Minn. Stat. §§ 325E.61, 325E.64?
Under Minn. Stat. §§ 325E.61, 325E.64, the following categories of personal information are legally protected should a security breach occur, in combination with a Minnesota resident’s first name and first initial and last name, permitting these data elements have not been secured by encryption or another form of technology that would render the data elements unusable or unreadable:
- Social security numbers.
- Drivers license numbers and Minnesota identification card numbers.
- Account numbers, credit, and debit card numbers, as well as any access codes, security codes, or other pertinent information that could be used to gain entry into an individual’s financial account.
What are the penalties for violating Minn. Stat. §§ 325E.61, 325E.64?
Individuals and businesses entities within the state of Minnesota that are found to be in violation of Minn. Stat. §§ 325E.61, 325E.64 are subject to a variety of penalties. More specifically, the law states that “a person or business is considered to be in violation if they fail to disclose a security breach or retain any access card transaction data for more than 48 hours after the transaction has been authorized. The attorney general is responsible for enforcing penalties to violators of under section 8.31, additional duties of the attorney general.” What’s more, Minn. Stat. §§ 325E.61, 325E.64 also provides residents of Minnesota with the private right of action to bring forth civil liability lawsuits against business entities that violate their rights under the law.
Minn. Stat. §§ 325E.61, 325E.64, in conjunction with numerous other state privacy laws that have been passed in Minnesota since the year 2006, ensure that residents of the state can enjoy a certain amount of legal protection as it relates to their personal data and information. While the categories of personal information that are covered under the law are somewhat minimal when compared to other state privacy laws around the country, the private right of action that is provided to Minnesota residents enables them to seek both compensation and justice should they feel that their rights have been infringed upon. As such, residents of the state can rest assured that they will have an avenue for recourse should their personal information be compromised during a security breach.