Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

HF 4084

as introduced - 91st Legislature (2019 - 2020) Posted on 03/04/2020 03:36pm

KEY: stricken = removed, old language.
underscored = added, new language.

Bill Text Versions

Engrossments
Introduction Posted on 03/04/2020

Current Version - as introduced

Line numbers 1.1 1.2 1.3 1.4 1.5 1.6 1.7
1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20
2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8
3.9 3.10 3.11 3.12 3.13
3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22
3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22
4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 4.32 4.33 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16
5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24

A bill for an act
relating to elections; providing for election technology and cybersecurity
assessment, maintenance, and enhancement; requiring certain election security
notifications; amending Minnesota Statutes 2018, sections 201.022, subdivision
1; 204B.27, subdivisions 5, 10; 206.57, subdivision 6; proposing coding for new
law in Minnesota Statutes, chapters 5; 209.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

new text begin [5.42] TECHNOLOGY AND CYBERSECURITY FUND.
new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin For the purposes of this section, the terms defined in this
subdivision have the meanings given them:
new text end

new text begin (1) "information and telecommunications technology systems and services" has the
meaning given in section 16E.03, subdivision 1, paragraph (b); and
new text end

new text begin (2) "cybersecurity" has the meaning given in section 16E.03, subdivision 1, paragraph
(e).
new text end

new text begin Subd. 2. new text end

new text begin Special revenue fund. new text end

new text begin (a) The secretary of state may retain two percent of all
statutory fees collected by the secretary of state for costs to maintain and enhance the
secretary of state's information and telecommunications technology systems and services
and for cybersecurity.
new text end

new text begin (b) Money received under this subdivision must be deposited in an account in the special
revenue fund and is appropriated to the secretary of state for purposes of this subdivision.
new text end

Sec. 2.

Minnesota Statutes 2018, section 201.022, subdivision 1, is amended to read:


Subdivision 1.

Establishment.

The secretary of state shall maintain a statewide voter
registration system to facilitate voter registration and to provide a central database containing
voter registration information from around the state. The system must be accessible to deleted text begin thedeleted text end new text begin
any
new text end county auditor deleted text begin of each county in the statedeleted text end new text begin who has completed any required training
established under section 204B.27, subdivision 10
new text end . The system must also:

(1) provide for voters to submit their voter registration applications to any county auditor,
the secretary of state, or the Department of Public Safety;

(2) provide for the definition, establishment, and maintenance of a central database for
all voter registration information;

(3) provide for entering data into the statewide registration system;

(4) provide for electronic transfer of completed voter registration applications from the
Department of Public Safety to the secretary of state or the county auditor;

(5) assign a unique identifier to each legally registered voter in the state;

(6) provide for the acceptance of the Minnesota driver's license number, Minnesota state
identification number, and last four digits of the Social Security number for each voter
record;

(7) coordinate with other agency databases within the state;

(8) allow county auditors and the secretary of state to add or modify information in the
system to provide for accurate and up-to-date records;

(9) allow county auditors, municipal and school district clerks, and the secretary of state
to have electronic access to the statewide registration system for review and search
capabilities;

(10) provide security and protection of all information in the statewide registration
system and ensure that unauthorized access is not allowed;

(11) provide access to municipal clerks to use the system;

(12) provide a system for each county to identify the precinct to which a voter should
be assigned for voting purposes;

(13) provide daily reports accessible by county auditors on the driver's license numbers,
state identification numbers, or last four digits of the Social Security numbers submitted on
voter registration applications that have been verified as accurate by the secretary of state;
deleted text begin and
deleted text end

(14) provide reports on the number of absentee ballots transmitted to and returned and
cast by voters under section 203B.16deleted text begin .deleted text end new text begin ; and
new text end

new text begin (15) require all users to use a multifactor authentication method approved by the secretary
of state to access the system.
new text end

The appropriate state or local official shall provide security measures to prevent
unauthorized access to the computerized list established under section 201.021.

Sec. 3.

Minnesota Statutes 2018, section 204B.27, subdivision 5, is amended to read:


Subd. 5.

Conferences for county auditors.

Before each state primary the secretary of
state shall conduct conferences with county auditors to instruct them on the administration
of election lawsnew text begin , election security and best practices,new text end and the training of local election
officials and election judges.

Sec. 4.

Minnesota Statutes 2018, section 204B.27, subdivision 10, is amended to read:


Subd. 10.

Training for county auditors; training materials.

The secretary of state
shall develop a training program in election administration for county auditors and shall
certify each county auditor who successfully completes the training program. The secretary
of state shall provide each county auditor with materials for use in training local election
officials and election judges.new text begin The training program and materials for use in training local
election officials must include training on election security and best practices. The secretary
of state may require additional training for an election official before providing the election
official access to the statewide voter registration system.
new text end

Sec. 5.

Minnesota Statutes 2018, section 206.57, subdivision 6, is amended to read:


Subd. 6.

Required certificationnew text begin testingnew text end .

new text begin (a) new text end In addition to the requirements in subdivision
1, a voting system must be certified by an independent testing authority accredited by the
Election Assistance Commission or appropriate federal agency responsible for testing and
certification of compliance with the federal voting systems guidelines at the time of
submission of the application required by subdivision 1 to be in conformity with voluntary
voting system guidelines issued by the Election Assistance Commission or other previously
referenced agency. The application must be accompanied by the certification report of the
voting systems test laboratory. A certification under this section from an independent testing
authority accredited by the Election Assistance Commission or other previously referenced
agency meets the requirement of Minnesota Rules, part 8220.0350, item L.

new text begin (b)new text end A vendor must provide a copy of the source code for the voting system to the secretary
of state.new text begin The secretary of state may facilitate assessments of the voting system, the source
code, and the voting system's cybersecurity protections by an independent third-party
evaluator, in cooperation with the vendor, to identify and report election security
vulnerabilities. An independent technical expert must promptly notify the secretary of state
and vendor about any relevant cybersecurity vulnerabilities discovered through the assessment
and provide technical assistance in remedying the vulnerabilities.
new text end

new text begin (c)new text end A chair of a major political party deleted text begin or the secretary of statedeleted text end may select, in consultation
with the vendor, an independent third-party evaluator to examine the source code to ensure
that it functions as represented by the vendor and that the code is free from defects. A major
political party that elects to have the source code examined must pay for the examination.

new text begin (d)new text end Except as provided by this subdivision, a source code that is trade secret information
must be treated as nonpublic information, according to section 13.37. A third-party evaluator
must not disclose the source code to anyone else.

new text begin (e) Before completing a purchase agreement for a voting system with a county or
municipality, a vendor must provide the county or municipality with end-of-life and
end-of-support dates for systems, devices, or products containing software or upgradable
firmware. The vendor must provide timely security updates to a voting system provided to
a county or municipality during the agreed-upon period for use of the voting system to
maintain the voting system's certification under this section.
new text end

Sec. 6.

new text begin [209.96] VENDOR NOTIFICATIONS.
new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin (a) For the purposes of this section, the terms defined in this
subdivision have the meanings given.
new text end

new text begin (b) "Cybersecurity incident" means an event that may indicate that an organization's
systems or data have been compromised or that measures put in place to protect them have
failed.
new text end

new text begin (c) "Information security incident" means a targeted attempt or successful unauthorized
access, use, disclosure, modification, or destruction of information or interference with
system operations in an information system.
new text end

new text begin (d) "Vendor" means any person or entity that provides, programs, supports, or maintains
election services or infrastructure on behalf of the state or unit of local government.
new text end

new text begin Subd. 2. new text end

new text begin Cybersecurity and information security incidents. new text end

new text begin (a) If a vendor becomes
aware of the possibility of an election cybersecurity incident, including breaches of
component suppliers, the vendor must promptly assess whether an election cybersecurity
incident has occurred.
new text end

new text begin (b) If a vendor has reason to believe that an election cybersecurity incident may have
occurred, or that an information security incident related to the role of the vendor as an
election service provider may have occurred, including breaches of component suppliers,
the vendor must notify the secretary of state of the incident in the most expedient time
possible and without reasonable delay but in no event may the notice be provided to the
secretary of state more than three calendar days after discovery of the possible incident.
new text end

new text begin (c) If a local election official becomes aware of the possibility of an election cybersecurity
incident or information security incident that impacts election data, systems, or infrastructure,
the election official must immediately notify the secretary of state.
new text end

new text begin Subd. 3. new text end

new text begin Ownership. new text end

new text begin A vendor must notify the secretary of state of any foreign national
that directly or indirectly owns or controls a vendor, as well as any material change in
ownership resulting in ownership or control by a foreign national.
new text end

Sec. 7. new text begin SECURITY EXPERT.
new text end

new text begin The secretary of state must engage a security expert to conduct an assessment of the
secretary of state's data exchange partnerships with counties, cities, the Department of Public
Safety, the Social Security Administration, the State Court Administrator's Office, and
organizations governed by Minnesota Statutes, section 201.13, subdivision 3, paragraph
(d). The security expert must notify the secretary of state of the assessment's findings and
recommend any necessary improvements to increase security and accuracy of data being
exchanged.
new text end