Minnesota Legislature
HF 1376
as introduced - 91st Legislature (2019 - 2020) Posted on 02/18/2019 02:16pm
Current Version - as introduced
1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20
A bill for an act
relating to data practices; modifying notification procedure related to an
unauthorized acquisition of government data; amending Minnesota Statutes 2018,
section 13.055, subdivision 2.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1.
Minnesota Statutes 2018, section 13.055, subdivision 2, is amended to read:
Subd. 2.
Notice to individuals; investigation report.
(a) A government entity that
collects, creates, receives, maintains, or disseminates private or confidential data on
individuals must disclose any breach of the security of the data following discovery or
notification of the breach. deleted text begin Writtendeleted text end Notification must be made to any individual who is the
subject of the data and whose private or confidential data was, or is reasonably believed to
have been, acquired by an unauthorized person deleted text begin anddeleted text end new text begin if the unauthorized acquisition creates
a significant risk of financial, reputational, or other harm to the subject of the data. In
evaluating whether an unauthorized acquisition creates a significant risk to the subject of
the data, the government entity must consider the following factors:
new text end
new text begin
(1) the nature of the unauthorized acquisition;
new text end
new text begin
(2) the nature and type of the data breached;
new text end
new text begin
(3) the likelihood that the breach caused the data to become accessible and usable outside
of the government entity;
new text end
new text begin
(4) the likelihood that the breach will result in harm to the subject of the data; and
new text end
new text begin
(5) the ability of the government entity to mitigate the risk of harm to the subject of the
data.
new text end
new text begin The notification new text end must inform the individual that a report will be prepared under paragraph
(b), how the individual may obtain access to the report, and that the individual may request
delivery of the report by mail or e-mail. The disclosure must be made in the most expedient
time possible and without unreasonable delay, consistent with deleted text begin (1)deleted text end new text begin (i)new text end the legitimate needs
of a law enforcement agency as provided in subdivision 3; or deleted text begin (2)deleted text end new text begin (ii)new text end any measures necessary
to determine the scope of the breach and restore the reasonable security of the data.
(b) Notwithstanding section 13.15 or 13.37, upon completion of an investigation into
any breach in the security of data and final disposition of any disciplinary action for purposes
of section 13.43, including exhaustion of all rights of appeal under any applicable collective
bargaining agreement, the responsible authority shall prepare a report on the facts and results
of the investigation. If the breach involves unauthorized access to or acquisition of data by
an employee, contractor, or agent of the government entity, the report must at a minimum
include:
(1) a description of the type of data that were accessed or acquired;
(2) the number of individuals whose data was improperly accessed or acquired;
(3) if there has been final disposition of disciplinary action for purposes of section 13.43,
the name of each employee determined to be responsible for the unauthorized access or
acquisition, unless the employee was performing duties under chapter 5B; and
(4) the final disposition of any disciplinary action taken against each employee in
response.