HF 183
1st Unofficial Engrossment - 88th Legislature (2013 - 2014)
Posted on 04/02/2014 01:55 p.m.
KEY: stricken = removed, old language.
underscored = added, new language.
1.1 A bill for an act
1.2 relating to data practices; enhancing certain penalties and procedures related to
1.3 unauthorized access to data by a public employee; amending Minnesota Statutes
1.4 2012, sections 13.04, subdivision 3; 13.05, subdivision 5; 13.055; 13.09.
1.5 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
1.6 Section 1. Minnesota Statutes 2012, section 13.04, subdivision 3, is amended to read:
1.7 Subd. 3. Access to data by individual. new text begin (a) new text end Upon request to a responsible authority
1.8 or designee, an individual shall be informed whether the individual is the subject of
1.9 stored data on individuals, and whether it is classified as public, private or confidential.
1.10 Upon further request, an individual who is the subject of stored private or public data
1.11 on individuals shall be shown the data without any charge and, if desired, shall be
1.12 informed of the content and meaning of that data. After an individual has been shown
1.13 the private data and informed of its meaning, the data need not be disclosed to that
1.14 individual for six months thereafter unless a dispute or action pursuant to this section is
1.15 pending or additional data on the individual has been collected or created. The responsible
1.16 authority or designee shall provide copies of the private or public data upon request by
1.17 the individual subject of the data. The responsible authority or designee may require the
1.18 requesting person to pay the actual costs of making and certifying the copies.
1.19 new text begin (b) Notwithstanding section 13.15 or 13.43, or other law to the contrary, upon request, new text end
1.20 new text begin to the extent the data are maintained by the government entity, an individual has access to new text end
1.21 new text begin the name of persons who have obtained access to private data on the individual, unless the new text end
1.22 new text begin data would identify an undercover law enforcement officer or are active investigative data. new text end
2.1 new text begin (c) new text end The responsible authority or designee shall comply immediately, if possible, with
2.2 any request made pursuant to this subdivision, or within ten days of the date of the request,
2.3 excluding Saturdays, Sundays and legal holidays, if immediate compliance is not possible.
2.4 Sec. 2. Minnesota Statutes 2012, section 13.05, subdivision 5, is amended to read:
2.5 Subd. 5. Data protection. (a) The responsible authority shall new text begin : new text end
2.6 (1) establish procedures to assure that all data on individuals is accurate, complete,
2.7 and current for the purposes for which it was collected; and
2.8 (2) establish appropriate security safeguards for all records containing data on
2.9 individuals new text begin , including procedures for ensuring that data that are not public are only new text end
2.10 new text begin accessible to persons whose work assignment reasonably requires access to the data, and new text end
2.11 new text begin is only being accessed by those persons for purposes described in the procedure; and new text end
2.12 new text begin (3) develop a policy incorporating these procedures, which may include a model new text end
2.13 new text begin policy governing access to the data if sharing of the data with other government entities is new text end
2.14 new text begin authorized by law new text end.
2.15 (b) When not public data is being disposed of, the data must be destroyed in a way
2.16 that prevents its contents from being determined.
2.17 Sec. 3. Minnesota Statutes 2012, section 13.055, is amended to read:
2.18 13.055 STATE AGENCIES; DISCLOSURE OF BREACH IN SECURITY new text begin ; new text end
2.19 new text begin NOTIFICATION AND INVESTIGATION REPORT REQUIRED new text end.
2.20 Subdivision 1. Definitions. For purposes of this section, the following terms have
2.21 the meanings given to them.
2.22 (a) "Breach of the security of the data" means unauthorized acquisition of new text begin or access new text end
2.23 new text begin to new text end data maintained by a state agency new text begin government entity new text end that compromises the security and
2.24 classification of the data. Good faith acquisition of new text begin or access to new text end government data by an
2.25 employee, contractor, or agent of a state agency new text begin government entity new text end for the purposes of
2.26 the state agency new text begin entity new text end is not a breach of the security of the data, if the government data
2.27 is not provided to new text begin or viewable by new text end an unauthorized person new text begin , or accessed for a purpose not new text end
2.28 new text begin described in the procedures required by section 13.05, subdivision 5 new text end new text begin . For purposes of this new text end
2.29 new text begin paragraph, data maintained by a government entity includes data maintained by a person new text end
2.30 new text begin under a contract with the government entity that provides for the acquisition of or access new text end
2.31 new text begin to the data by an employee, contractor, or agent of the government entity new text end.
2.32 (b) "Contact information" means either name and mailing address or name and
2.33 e-mail address for each individual who is the subject of data maintained by the state
2.34 agency new text begin government entity new text end.
3.1 (c) "Unauthorized acquisition" means that a person has obtained new text begin or viewed new text end
3.2 government data without the informed consent of the individuals who are the subjects of the
3.3 data or statutory authority and with the intent to use the data for nongovernmental purposes.
3.4 (d) "Unauthorized person" means any person who accesses government data without
3.5 permission or without a work assignment that reasonably requires the person to have
3.6 access to the data new text begin , or regardless of the person's work assignment, for a purpose not new text end
3.7 new text begin described in the procedures required by section 13.05, subdivision 5 new text end.
3.8 Subd. 2. Notice to individuals new text begin ; investigation report new text end. new text begin (a) new text end A state agency
3.9 new text begin government entity new text end that collects, creates, receives, maintains, or disseminates private or
3.10 confidential data on individuals must disclose any breach of the security of the data
3.11 following discovery or notification of the breach. new text begin Written new text end notification must be made to
3.12 any individual who is the subject of the data and whose private or confidential data was, or
3.13 is reasonably believed to have been, acquired by an unauthorized person new text begin and must inform new text end
3.14 new text begin the individual that a report will be prepared under paragraph (b), how the individual may new text end
3.15 new text begin obtain access to the report, and that the individual may request delivery of the report by new text end
3.16 new text begin mail or e-mail new text end. The disclosure must be made in the most expedient time possible and
3.17 without unreasonable delay, consistent with (1) the legitimate needs of a law enforcement
3.18 agency as provided in subdivision 3; or (2) any measures necessary to determine the scope
3.19 of the breach and restore the reasonable security of the data.
3.20 new text begin (b) Upon completion of an investigation into any breach in the security of data, the new text end
3.21 new text begin responsible authority shall prepare a report on the facts and results of the investigation. new text end
3.22 new text begin If the breach involves unauthorized access to or acquisition of data by an employee, new text end
3.23 new text begin contractor, or agent of the government entity, the report must at a minimum include: new text end
3.24 new text begin (1) a description of the data that were accessed or acquired; new text end
3.25 new text begin (2) the number of individuals whose data was improperly accessed or acquired; new text end
3.26 new text begin (3) if there has been final disposition of disciplinary action for purposes of section new text end
3.27 new text begin 13.43, the name of each employee determined to be responsible for the unauthorized new text end
3.28 new text begin access or acquisition; new text end
3.29 new text begin (4) the final disposition of any disciplinary action taken against each employee in new text end
3.30 new text begin response; and new text end
3.31 new text begin (5) if disciplinary action was determined to be unnecessary, the specific findings and new text end
3.32 new text begin reasons for that determination. new text end
3.33 new text begin The report must not include data that are not public under other law. The report is new text end
3.34 new text begin public and must be posted on the government entity's Web site, if the government entity new text end
3.35 new text begin maintains a Web site, and provided to an individual who received the notification under new text end
3.36 new text begin paragraph (a) and requested delivery of the report. If the government entity does not new text end
4.1 new text begin maintain a Web site, the report must be posted on the principal bulletin board of the new text end
4.2 new text begin government entity, or if the government entity does not have a principal bulletin board, on new text end
4.3 new text begin the door of its usual meeting room. new text end
4.4 Subd. 3. Delayed notice. The notification required by this section may be delayed if
4.5 a law enforcement agency determines that the notification will impede an active criminal
4.6 investigation. The notification required by this section must be made after the law
4.7 enforcement agency determines that it will not compromise the investigation.
4.8 Subd. 4. Method of notice. Notice under this section may be provided by one of
4.9 the following methods:
4.10 (a) written notice by first class mail to each affected individual;
4.11 (b) electronic notice to each affected individual, if the notice provided is consistent
4.12 with the provisions regarding electronic records and signatures as set forth in United
4.13 States Code, title 15, section 7001; or
4.14 (c) substitute notice, if the state agency new text begin government entity new text end demonstrates that the cost
4.15 of providing the written notice required by paragraph (a) would exceed $250,000, or
4.16 that the affected class of individuals to be notified exceeds 500,000, or the state agency
4.17 new text begin government entity new text end does not have sufficient contact information. Substitute notice consists
4.18 of all of the following:
4.19 (i) e-mail notice if the state agency new text begin government entity new text end has an e-mail address for
4.20 the affected individuals;
4.21 (ii) conspicuous posting of the notice on the Web site page of the state agency
4.22 new text begin government entity new text end, if the state agency new text begin government entity new text end maintains a Web site; and
4.23 (iii) notification to major media outlets that reach the general public new text begin within the new text end
4.24 new text begin government entity's jurisdiction new text end.
4.25 Subd. 5. Coordination with consumer reporting agencies. If the state agency
4.26 new text begin government entity new text end discovers circumstances requiring notification under this section of
4.27 more than 1,000 individuals at one time, the state agency new text begin government entity new text end must also
4.28 notify, without unreasonable delay, all consumer reporting agencies that compile and
4.29 maintain files on consumers on a nationwide basis, as defined in United States Code, title
4.30 15, section 1681a, of the timing, distribution, and content of the notices.
4.31 Subd. 6. Security assessments. new text begin At least annually, new text end each government entity shall
4.32 conduct a comprehensive security assessment of any personal information maintained
4.33 by the government entity. For the purposes of this subdivision, personal information is
4.34 defined under section 325E.61, subdivision 1, paragraphs (e) and (f).
4.35 new text begin EFFECTIVE DATE. new text end new text begin This section is effective August 1, 2014, and applies to new text end
4.36 new text begin security breaches occurring on or after that date. new text end
5.1 Sec. 4. Minnesota Statutes 2012, section 13.09, is amended to read:
5.2 13.09 PENALTIES.
5.3 new text begin (a) new text end Any person who willfully violates the provisions of this chapter or any rules
5.4 adopted under this chapter new text begin or whose conduct constitutes the knowing unauthorized new text end
5.5 new text begin acquisition of not public data, as defined in section 13.055, subdivision 1, new text end is guilty of a
5.6 misdemeanor.
5.7 new text begin (b) new text end Willful violation of this chapter by new text begin , including any action subject to a criminal new text end
5.8 new text begin penalty under paragraph (a), by new text end any public employee constitutes just cause for suspension
5.9 without pay or dismissal of the public employee.
5.10 new text begin EFFECTIVE DATE. new text end new text begin This section is effective August 1, 2014, and applies to crimes new text end
5.11 new text begin committed on or after that date. new text end