Minnesota Legislature
HF 183
Conference Committee Report - 88th Legislature (2013 - 2014) Posted on 05/14/2014 02:25pm
KEY: stricken = removed, old language.
underscored = added, new language.
1.1CONFERENCE COMMITTEE REPORT ON H. F. No. 183
1.3relating to data practices; enhancing certain penalties and procedures related to
1.4unauthorized access to data by a public employee;amending Minnesota Statutes
1.52012, sections 13.05, subdivision 5; 13.055; 13.09; 299C.40, subdivision 4.
1.6May 14, 2014
1.7The Honorable Paul Thissen
1.8Speaker of the House of Representatives
1.9The Honorable Sandra L. Pappas
1.10President of the Senate
1.11We, the undersigned conferees for H. F. No. 183 report that we have agreed upon the
1.12items in dispute and recommend as follows:
1.13That the Senate recede from its amendments and that H. F. No. 183 be further
1.14amended as follows:
1.15Delete everything after the enacting clause and insert:
1.16 "Section 1. Minnesota Statutes 2012, section 13.05, subdivision 5, is amended to read:
1.17 Subd. 5. Data protection. (a) The responsible authority shall:
1.18 (1) establish procedures to assure that all data on individuals is accurate, complete,
1.19and current for the purposes for which it was collected;and
1.20 (2) establish appropriate security safeguards for all records containing data on
1.21individuals, including procedures for ensuring that data that are not public are only
1.22accessible to persons whose work assignment reasonably requires access to the data, and
1.23is only being accessed by those persons for purposes described in the procedure; and
1.24(3) develop a policy incorporating these procedures, which may include a model
1.25policy governing access to the data if sharing of the data with other government entities is
1.26authorized by law.
1.27(b) When not public data is being disposed of, the data must be destroyed in a way
1.28that prevents its contents from being determined.
2.1 Sec. 2. Minnesota Statutes 2012, section 13.055, is amended to read:
2.213.055STATE AGENCIES; DISCLOSURE OF BREACH IN SECURITY;
2.3NOTIFICATION AND INVESTIGATION REPORT REQUIRED.
2.4 Subdivision 1. Definitions. For purposes of this section, the following terms have
2.5the meanings given to them.
2.6(a) "Breach of the security of the data" means unauthorized acquisition of data
2.7maintained by astate agency government entity that compromises the security and
2.8classification of the data. Good faith acquisition of or access to government data by an
2.9employee, contractor, or agent of astate agency government entity for the purposes of
2.10thestate agency entity is not a breach of the security of the data, if the government data
2.11is not provided to or viewable by an unauthorized person, or accessed for a purpose not
2.12described in the procedures required by section 13.05, subdivision 5. For purposes of this
2.13paragraph, data maintained by a government entity includes data maintained by a person
2.14under a contract with the government entity that provides for the acquisition of or access
2.15to the data by an employee, contractor, or agent of the government entity.
2.16(b) "Contact information" means either name and mailing address or name and
2.17e-mail address for each individual who is the subject of data maintained by thestate
2.18agency government entity.
2.19(c) "Unauthorized acquisition" means that a person has obtained, accessed, or viewed
2.20 government data without the informed consent of the individuals who are the subjects of the
2.21data or statutory authority and with the intent to use the data for nongovernmental purposes.
2.22(d) "Unauthorized person" means any person who accesses government datawithout
2.23permission or without a work assignment that reasonably requires the person to have
2.24 accessto the data, or regardless of the person's work assignment, for a purpose not
2.25described in the procedures required by section 13.05, subdivision 5.
2.26 Subd. 2. Notice to individuals; investigation report. (a) Astate agency
2.27 government entity that collects, creates, receives, maintains, or disseminates private or
2.28confidential data on individuals must disclose any breach of the security of the data
2.29following discovery or notification of the breach. Written notification must be made to
2.30any individual who is the subject of the data and whose private or confidential data was, or
2.31is reasonably believed to have been, acquired by an unauthorized person and must inform
2.32the individual that a report will be prepared under paragraph (b), how the individual may
2.33obtain access to the report, and that the individual may request delivery of the report by
2.34mail or e-mail. The disclosure must be made in the most expedient time possible and
2.35without unreasonable delay, consistent with (1) the legitimate needs of a law enforcement
3.1agency as provided in subdivision 3; or (2) any measures necessary to determine the scope
3.2of the breach and restore the reasonable security of the data.
3.3(b) Notwithstanding section 13.15 or 13.37, upon completion of an investigation
3.4into any breach in the security of data and final disposition of any disciplinary action
3.5for purposes of section 13.43, including exhaustion of all rights of appeal under any
3.6applicable collective bargaining agreement, the responsible authority shall prepare a
3.7report on the facts and results of the investigation. If the breach involves unauthorized
3.8access to or acquisition of data by an employee, contractor, or agent of the government
3.9entity, the report must at a minimum include:
3.10(1) a description of the type of data that were accessed or acquired;
3.11(2) the number of individuals whose data was improperly accessed or acquired;
3.12(3) if there has been final disposition of disciplinary action for purposes of section
3.1313.43, the name of each employee determined to be responsible for the unauthorized
3.14access or acquisition, unless the employee was performing duties under chapter 5B; and
3.15(4) the final disposition of any disciplinary action taken against each employee in
3.16response.
3.17 Subd. 3. Delayed notice. The notification required by this section may be delayed if
3.18a law enforcement agency determines that the notification will impede an active criminal
3.19investigation. The notification required by this section must be made after the law
3.20enforcement agency determines that it will not compromise the investigation.
3.21 Subd. 4. Method of notice. Notice under this section may be provided by one of
3.22the following methods:
3.23(a) written notice by first class mail to each affected individual;
3.24(b) electronic notice to each affected individual, if the notice provided is consistent
3.25with the provisions regarding electronic records and signatures as set forth in United
3.26States Code, title 15, section 7001; or
3.27(c) substitute notice, if thestate agency government entity demonstrates that the cost
3.28of providing the written notice required by paragraph (a) would exceed $250,000, or
3.29that the affected class of individuals to be notified exceeds 500,000, or thestate agency
3.30 government entity does not have sufficient contact information. Substitute notice consists
3.31of all of the following:
3.32(i) e-mail notice if thestate agency government entity has an e-mail address for
3.33the affected individuals;
3.34(ii) conspicuous posting of the notice on the Web site page of thestate agency
3.35 government entity, if thestate agency government entity maintains a Web site; and
4.1(iii) notification to major media outlets that reach the general public within the
4.2government entity's jurisdiction.
4.3 Subd. 5. Coordination with consumer reporting agencies. If thestate agency
4.4 government entity discovers circumstances requiring notification under this section of
4.5more than 1,000 individuals at one time, thestate agency government entity must also
4.6notify, without unreasonable delay, all consumer reporting agencies that compile and
4.7maintain files on consumers on a nationwide basis, as defined in United States Code, title
4.815, section 1681a, of the timing, distribution, and content of the notices.
4.9 Subd. 6. Security assessments. At least annually, each government entity shall
4.10conduct a comprehensive security assessment of any personal information maintained
4.11by the government entity. For the purposes of this subdivision, personal information is
4.12defined under section 325E.61, subdivision 1, paragraphs (e) and (f).
4.13 Subd. 7. Access to data for audit purposes. Nothing in this section or section
4.1413.05, subdivision 5, restricts access to not public data by the legislative auditor or state
4.15auditor in the performance of official duties.
4.16EFFECTIVE DATE.This section is effective August 1, 2014, and applies to
4.17security breaches occurring on or after that date.
4.18 Sec. 3. Minnesota Statutes 2012, section 13.09, is amended to read:
4.1913.09 PENALTIES.
4.20(a) Any person who willfully violates the provisions of this chapter or any rules
4.21adopted under this chapter or whose conduct constitutes the knowing unauthorized
4.22acquisition of not public data, as defined in section 13.055, subdivision 1, is guilty of a
4.23misdemeanor.
4.24(b) Willful violation of this chapterby, including any action subject to a criminal
4.25penalty under paragraph (a), by any public employee constitutes just cause for suspension
4.26without pay or dismissal of the public employee.
4.27EFFECTIVE DATE.This section is effective August 1, 2014, and applies to crimes
4.28committed on or after that date.
4.29 Sec. 4. Minnesota Statutes 2012, section 299C.40, subdivision 4, is amended to read:
4.30 Subd. 4. Data classification; general rule; changes in classification; audit trail.
4.31(a) The classification of data in the law enforcement agency does not change after the data
4.32is submitted to CIBRS. If CIBRS is the only source of data made public by section13.82,
5.1subdivisions 2, 3, 6, and 7 , data described in those subdivisions must be downloaded and
5.2made available to the public as required by section13.03 .
5.3(b) Data on individuals created, collected, received, maintained, or disseminated
5.4by CIBRS is classified as confidential data on individuals as defined in section13.02,
5.5subdivision 3 , and becomes private data on individuals as defined in section
13.02,
5.6subdivision 12 , as provided by this section.
5.7(c) Data not on individuals created, collected, received, maintained, or disseminated
5.8by CIBRS is classified as protected nonpublic data as defined in section13.02, subdivision
5.913 , and becomes nonpublic data as defined in section
13.02, subdivision 9 , as provided
5.10by this section.
5.11(d) Confidential or protected nonpublic data created, collected, received, maintained,
5.12or disseminated by CIBRS must automatically change classification from confidential
5.13data to private data or from protected nonpublic data to nonpublic data on the earlier of
5.14the following dates:
5.15(1) upon receipt by CIBRS of notice from a law enforcement agency that an
5.16investigation has become inactive; or
5.17(2) when the data has not been updated by the law enforcement agency that
5.18submitted it for a period of 120 days.
5.19(e) For the purposes of this section, an investigation becomes inactive upon the
5.20occurrence of any of the events listed in section13.82, subdivision 7 , clauses (a) to (c).
5.21(f) Ten days before making a data classification change because data has not been
5.22updated, CIBRS must notify the law enforcement agency that submitted the data that a
5.23classification change will be made on the 120th day. The notification must inform the law
5.24enforcement agency that the data will retain its classification as confidential or protected
5.25nonpublic data if the law enforcement agency updates the data or notifies CIBRS that the
5.26investigation is still active before the 120th day. A new 120-day period begins if the data
5.27is updated or if a law enforcement agency notifies CIBRS that an active investigation
5.28is continuing.
5.29(g) A law enforcement agency that submits data to CIBRS must notify CIBRS if an
5.30investigation has become inactive so that the data is classified as private data or nonpublic
5.31data. The law enforcement agency must provide this notice to CIBRS within ten days
5.32after an investigation becomes inactive.
5.33(h) All queries and responses and all actions in which data is submitted to CIBRS,
5.34changes classification, or is disseminated by CIBRS to any law enforcement agency
5.35must be recorded in the CIBRS audit trail.
6.1(i) Notwithstanding paragraphs (b) and (c), the name of each law enforcement
6.2agency that submits data to CIBRS, and a general description of the types of data
6.3submitted by the agency, are public."
6.4Delete the title and insert:
6.6relating to data practices; enhancing certain penalties and procedures related
6.7to unauthorized access to data by a public employee; requiring disclosure of
6.8certain data related to use of the CIBRS law enforcement database;amending
6.9Minnesota Statutes 2012, sections 13.05, subdivision 5; 13.055; 13.09; 299C.40,
6.10subdivision 4."
1.3relating to data practices; enhancing certain penalties and procedures related to
1.4unauthorized access to data by a public employee;amending Minnesota Statutes
1.52012, sections 13.05, subdivision 5; 13.055; 13.09; 299C.40, subdivision 4.
1.6May 14, 2014
1.7The Honorable Paul Thissen
1.8Speaker of the House of Representatives
1.9The Honorable Sandra L. Pappas
1.10President of the Senate
1.11We, the undersigned conferees for H. F. No. 183 report that we have agreed upon the
1.12items in dispute and recommend as follows:
1.13That the Senate recede from its amendments and that H. F. No. 183 be further
1.14amended as follows:
1.15Delete everything after the enacting clause and insert:
1.16 "Section 1. Minnesota Statutes 2012, section 13.05, subdivision 5, is amended to read:
1.17 Subd. 5. Data protection. (a) The responsible authority shall:
1.18 (1) establish procedures to assure that all data on individuals is accurate, complete,
1.19and current for the purposes for which it was collected;
1.20 (2) establish appropriate security safeguards for all records containing data on
1.21individuals, including procedures for ensuring that data that are not public are only
1.22accessible to persons whose work assignment reasonably requires access to the data, and
1.23is only being accessed by those persons for purposes described in the procedure; and
1.24(3) develop a policy incorporating these procedures, which may include a model
1.25policy governing access to the data if sharing of the data with other government entities is
1.26authorized by law.
1.27(b) When not public data is being disposed of, the data must be destroyed in a way
1.28that prevents its contents from being determined.
2.1 Sec. 2. Minnesota Statutes 2012, section 13.055, is amended to read:
2.213.055
2.3NOTIFICATION AND INVESTIGATION REPORT REQUIRED.
2.4 Subdivision 1. Definitions. For purposes of this section, the following terms have
2.5the meanings given to them.
2.6(a) "Breach of the security of the data" means unauthorized acquisition of data
2.7maintained by a
2.8classification of the data. Good faith acquisition of or access to government data by an
2.9employee, contractor, or agent of a
2.10the
2.11is not provided to or viewable by an unauthorized person, or accessed for a purpose not
2.12described in the procedures required by section 13.05, subdivision 5. For purposes of this
2.13paragraph, data maintained by a government entity includes data maintained by a person
2.14under a contract with the government entity that provides for the acquisition of or access
2.15to the data by an employee, contractor, or agent of the government entity.
2.16(b) "Contact information" means either name and mailing address or name and
2.17e-mail address for each individual who is the subject of data maintained by the
2.18
2.19(c) "Unauthorized acquisition" means that a person has obtained, accessed, or viewed
2.20 government data without the informed consent of the individuals who are the subjects of the
2.21data or statutory authority and with the intent to use the data for nongovernmental purposes.
2.22(d) "Unauthorized person" means any person who accesses government data
2.23
2.24 access
2.25described in the procedures required by section 13.05, subdivision 5.
2.26 Subd. 2. Notice to individuals; investigation report. (a) A
2.27 government entity that collects, creates, receives, maintains, or disseminates private or
2.28confidential data on individuals must disclose any breach of the security of the data
2.29following discovery or notification of the breach. Written notification must be made to
2.30any individual who is the subject of the data and whose private or confidential data was, or
2.31is reasonably believed to have been, acquired by an unauthorized person and must inform
2.32the individual that a report will be prepared under paragraph (b), how the individual may
2.33obtain access to the report, and that the individual may request delivery of the report by
2.34mail or e-mail. The disclosure must be made in the most expedient time possible and
2.35without unreasonable delay, consistent with (1) the legitimate needs of a law enforcement
3.1agency as provided in subdivision 3; or (2) any measures necessary to determine the scope
3.2of the breach and restore the reasonable security of the data.
3.3(b) Notwithstanding section 13.15 or 13.37, upon completion of an investigation
3.4into any breach in the security of data and final disposition of any disciplinary action
3.5for purposes of section 13.43, including exhaustion of all rights of appeal under any
3.6applicable collective bargaining agreement, the responsible authority shall prepare a
3.7report on the facts and results of the investigation. If the breach involves unauthorized
3.8access to or acquisition of data by an employee, contractor, or agent of the government
3.9entity, the report must at a minimum include:
3.10(1) a description of the type of data that were accessed or acquired;
3.11(2) the number of individuals whose data was improperly accessed or acquired;
3.12(3) if there has been final disposition of disciplinary action for purposes of section
3.1313.43, the name of each employee determined to be responsible for the unauthorized
3.14access or acquisition, unless the employee was performing duties under chapter 5B; and
3.15(4) the final disposition of any disciplinary action taken against each employee in
3.16response.
3.17 Subd. 3. Delayed notice. The notification required by this section may be delayed if
3.18a law enforcement agency determines that the notification will impede an active criminal
3.19investigation. The notification required by this section must be made after the law
3.20enforcement agency determines that it will not compromise the investigation.
3.21 Subd. 4. Method of notice. Notice under this section may be provided by one of
3.22the following methods:
3.23(a) written notice by first class mail to each affected individual;
3.24(b) electronic notice to each affected individual, if the notice provided is consistent
3.25with the provisions regarding electronic records and signatures as set forth in United
3.26States Code, title 15, section 7001; or
3.27(c) substitute notice, if the
3.28of providing the written notice required by paragraph (a) would exceed $250,000, or
3.29that the affected class of individuals to be notified exceeds 500,000, or the
3.30 government entity does not have sufficient contact information. Substitute notice consists
3.31of all of the following:
3.32(i) e-mail notice if the
3.33the affected individuals;
3.34(ii) conspicuous posting of the notice on the Web site page of the
3.35 government entity, if the
4.1(iii) notification to major media outlets that reach the general public within the
4.2government entity's jurisdiction.
4.3 Subd. 5. Coordination with consumer reporting agencies. If the
4.4 government entity discovers circumstances requiring notification under this section of
4.5more than 1,000 individuals at one time, the
4.6notify, without unreasonable delay, all consumer reporting agencies that compile and
4.7maintain files on consumers on a nationwide basis, as defined in United States Code, title
4.815, section 1681a, of the timing, distribution, and content of the notices.
4.9 Subd. 6. Security assessments. At least annually, each government entity shall
4.10conduct a comprehensive security assessment of any personal information maintained
4.11by the government entity. For the purposes of this subdivision, personal information is
4.12defined under section 325E.61, subdivision 1, paragraphs (e) and (f).
4.13 Subd. 7. Access to data for audit purposes. Nothing in this section or section
4.1413.05, subdivision 5, restricts access to not public data by the legislative auditor or state
4.15auditor in the performance of official duties.
4.16EFFECTIVE DATE.This section is effective August 1, 2014, and applies to
4.17security breaches occurring on or after that date.
4.18 Sec. 3. Minnesota Statutes 2012, section 13.09, is amended to read:
4.1913.09 PENALTIES.
4.20(a) Any person who willfully violates the provisions of this chapter or any rules
4.21adopted under this chapter or whose conduct constitutes the knowing unauthorized
4.22acquisition of not public data, as defined in section 13.055, subdivision 1, is guilty of a
4.23misdemeanor.
4.24(b) Willful violation of this chapter
4.25penalty under paragraph (a), by any public employee constitutes just cause for suspension
4.26without pay or dismissal of the public employee.
4.27EFFECTIVE DATE.This section is effective August 1, 2014, and applies to crimes
4.28committed on or after that date.
4.29 Sec. 4. Minnesota Statutes 2012, section 299C.40, subdivision 4, is amended to read:
4.30 Subd. 4. Data classification; general rule; changes in classification; audit trail.
4.31(a) The classification of data in the law enforcement agency does not change after the data
4.32is submitted to CIBRS. If CIBRS is the only source of data made public by section
5.1subdivisions 2, 3, 6, and 7
5.2made available to the public as required by section
5.3(b) Data on individuals created, collected, received, maintained, or disseminated
5.4by CIBRS is classified as confidential data on individuals as defined in section
5.5subdivision 3
5.6subdivision 12
5.7(c) Data not on individuals created, collected, received, maintained, or disseminated
5.8by CIBRS is classified as protected nonpublic data as defined in section
5.913
5.10by this section.
5.11(d) Confidential or protected nonpublic data created, collected, received, maintained,
5.12or disseminated by CIBRS must automatically change classification from confidential
5.13data to private data or from protected nonpublic data to nonpublic data on the earlier of
5.14the following dates:
5.15(1) upon receipt by CIBRS of notice from a law enforcement agency that an
5.16investigation has become inactive; or
5.17(2) when the data has not been updated by the law enforcement agency that
5.18submitted it for a period of 120 days.
5.19(e) For the purposes of this section, an investigation becomes inactive upon the
5.20occurrence of any of the events listed in section
5.21(f) Ten days before making a data classification change because data has not been
5.22updated, CIBRS must notify the law enforcement agency that submitted the data that a
5.23classification change will be made on the 120th day. The notification must inform the law
5.24enforcement agency that the data will retain its classification as confidential or protected
5.25nonpublic data if the law enforcement agency updates the data or notifies CIBRS that the
5.26investigation is still active before the 120th day. A new 120-day period begins if the data
5.27is updated or if a law enforcement agency notifies CIBRS that an active investigation
5.28is continuing.
5.29(g) A law enforcement agency that submits data to CIBRS must notify CIBRS if an
5.30investigation has become inactive so that the data is classified as private data or nonpublic
5.31data. The law enforcement agency must provide this notice to CIBRS within ten days
5.32after an investigation becomes inactive.
5.33(h) All queries and responses and all actions in which data is submitted to CIBRS,
5.34changes classification, or is disseminated by CIBRS to any law enforcement agency
5.35must be recorded in the CIBRS audit trail.
6.1(i) Notwithstanding paragraphs (b) and (c), the name of each law enforcement
6.2agency that submits data to CIBRS, and a general description of the types of data
6.3submitted by the agency, are public."
6.4Delete the title and insert:
6.6relating to data practices; enhancing certain penalties and procedures related
6.7to unauthorized access to data by a public employee; requiring disclosure of
6.8certain data related to use of the CIBRS law enforcement database;amending
6.9Minnesota Statutes 2012, sections 13.05, subdivision 5; 13.055; 13.09; 299C.40,
6.10subdivision 4."