Skip to main content Skip to office menu Skip to footer
Minnesota Legislature

Office of the Revisor of Statutes

HF 474

2nd Engrossment - 88th Legislature (2013 - 2014) Posted on 05/17/2013 02:39pm

KEY: stricken = removed, old language.
underscored = added, new language.
Line numbers 1.1 1.2 1.3 1.4 1.5 1.6 1.7
1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20
1.21 1.22 1.23 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 2.31 2.32 2.33 2.34 2.35 2.36 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 3.32 3.33 3.34 3.35 3.36 4.1 4.2 4.3 4.4 4.5 4.6 4.7
4.8 4.9
4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18
4.19 4.20
4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 4.32 4.33 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14
5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28 5.29 5.30 5.31 5.32 5.33 5.34 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22

A bill for an act
relating to data practices; classifying data related to automated license plate
readers; requiring a log of use; requiring data to be destroyed in certain
circumstances; providing criminal penalties;amending Minnesota Statutes 2012,
sections 13.05, subdivision 5; 13.055; 13.09; 13.82, by adding a subdivision;
299C.40, subdivision 4.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2012, section 13.05, subdivision 5, is amended to read:


Subd. 5.

Data protection.

(a) The responsible authority shallnew text begin:
new text end

(1) establish procedures to assure that all data on individuals is accurate, complete,
and current for the purposes for which it was collected; deleted text beginand
deleted text end

(2) establish appropriate security safeguards for all records containing data on
individualsnew text begin, including procedures for ensuring that data that are not public are only
accessible to persons whose work assignment reasonably requires access to the data, and
is only being accessed by those persons for purposes described in the procedure; and
new text end

new text begin (3) develop a policy incorporating these procedures, which may include a model
policy governing access to the data if sharing of the data with other government entities is
authorized by law
new text end.

(b) When not public data is being disposed of, the data must be destroyed in a way
that prevents its contents from being determined.

Sec. 2.

Minnesota Statutes 2012, section 13.055, is amended to read:


13.055 deleted text beginSTATE AGENCIES;deleted text end DISCLOSURE OF BREACH IN SECURITYnew text begin;
NOTIFICATION AND INVESTIGATION REPORT REQUIRED
new text end.

Subdivision 1.

Definitions.

For purposes of this section, the following terms have
the meanings given to them.

(a) "Breach of the security of the data" means unauthorized acquisition ofnew text begin or access
to
new text end data maintained by a deleted text beginstate agencydeleted text endnew text begin government entitynew text end that compromises the security and
classification of the data. Good faith acquisition of new text beginor access to new text endgovernment data by an
employee, contractor, or agent of a deleted text beginstate agencydeleted text endnew text begin government entitynew text end for the purposes of
the deleted text beginstate agencydeleted text endnew text begin entitynew text end is not a breach of the security of the data, if the government data
is not provided tonew text begin or viewable bynew text end an unauthorized personnew text begin, or accessed for a purpose not
described in the procedures required by section 13.05, subdivision 5
new text endnew text begin. For purposes of this
paragraph, data maintained by a government entity includes data maintained by a person
under a contract with the government entity that provides for the acquisition of or access
to the data by an employee, contractor, or agent of the government entity
new text end.

(b) "Contact information" means either name and mailing address or name and
e-mail address for each individual who is the subject of data maintained by the deleted text beginstate
agency
deleted text endnew text begin government entitynew text end.

(c) "Unauthorized acquisition" means that a person has obtainednew text begin or viewed
new text end government data without the informed consent of the individuals who are the subjects of the
data or statutory authority and with the intent to use the data for nongovernmental purposes.

(d) "Unauthorized person" means any person who accesses government data deleted text beginwithout
permission or
deleted text end without a work assignment that reasonably requires deleted text beginthe person to have
deleted text end access deleted text beginto the datadeleted text endnew text begin, or regardless of the person's work assignment, for a purpose not
described in the procedures required by section 13.05, subdivision 5
new text end.

Subd. 2.

Notice to individualsnew text begin; investigation reportnew text end.

new text begin(a) new text endA deleted text beginstate agency
deleted text endnew text begin government entitynew text end that collects, creates, receives, maintains, or disseminates private or
confidential data on individuals must disclose any breach of the security of the data
following discovery or notification of the breach. Notification must be made to any
individual who is the subject of the data and whose private or confidential data was, or is
reasonably believed to have been, acquired by an unauthorized personnew text begin and must inform
the individual that a report will be prepared under paragraph (b), how the individual may
obtain access to the report, and that the individual may request delivery of the report by
mail or e-mail
new text end. The disclosure must be made in the most expedient time possible and
without unreasonable delay, consistent with (1) the legitimate needs of a law enforcement
agency as provided in subdivision 3; or (2) any measures necessary to determine the scope
of the breach and restore the reasonable security of the data.

new text begin (b) Upon completion of an investigation into any breach in the security of data,
including exhaustion of all rights of appeal under any applicable collective bargaining
agreement or other law, the responsible authority shall prepare a report on the facts and
results of the investigation. If the breach involves unauthorized access to or acquisition of
data by an employee, contractor, or agent of the government entity, the report must at a
minimum include:
new text end

new text begin (1) a description of the data that were accessed or acquired; and
new text end

new text begin (2) if disciplinary action was taken against an employee:
new text end

new text begin (i) the number of individuals whose data was improperly accessed or acquired;
new text end

new text begin (ii) the name of each employee determined responsible for the unauthorized access
or acquisition; and
new text end

new text begin (iii) the final disposition of the disciplinary action taken against the employee in
response.
new text end

new text begin (c) The report must not include data that are not public under other law.
new text end

Subd. 3.

Delayed notice.

The notification required by this section may be delayed if
a law enforcement agency determines that the notification will impede an active criminal
investigation. The notification required by this section must be made after the law
enforcement agency determines that it will not compromise the investigation.

Subd. 4.

Method of notice.

Notice under this section may be provided by one of
the following methods:

(a) written notice by first class mail to each affected individual;

(b) electronic notice to each affected individual, if the notice provided is consistent
with the provisions regarding electronic records and signatures as set forth in United
States Code, title 15, section 7001; or

(c) substitute notice, if the deleted text beginstate agencydeleted text endnew text begin government entitynew text end demonstrates that the cost
of providing the written notice required by paragraph (a) would exceed $250,000, or
that the affected class of individuals to be notified exceeds 500,000, or the deleted text beginstate agency
deleted text endnew text begin government entitynew text end does not have sufficient contact information. Substitute notice consists
of all of the following:

(i) e-mail notice if the deleted text beginstate agencydeleted text endnew text begin government entitynew text end has an e-mail address for
the affected individuals;

(ii) conspicuous posting of the notice on the Web site page of the deleted text beginstate agency
deleted text endnew text begin government entitynew text end, if the deleted text beginstate agencydeleted text endnew text begin government entitynew text end maintains a Web site; and

(iii) notification to major media outlets that reach the general publicnew text begin within the
government entity's jurisdiction
new text end.

Subd. 5.

Coordination with consumer reporting agencies.

If the deleted text beginstate agency
deleted text endnew text begin government entitynew text end discovers circumstances requiring notification under this section of
more than 1,000 individuals at one time, the deleted text beginstate agencydeleted text endnew text begin government entitynew text end must also
notify, without unreasonable delay, all consumer reporting agencies that compile and
maintain files on consumers on a nationwide basis, as defined in United States Code, title
15, section 1681a, of the timing, distribution, and content of the notices.

Subd. 6.

Security assessments.

new text beginAt least annually, new text endeach government entity shall
conduct a comprehensive security assessment of any personal information maintained
by the government entity. For the purposes of this subdivision, personal information is
defined under section 325E.61, subdivision 1, paragraphs (e) and (f).

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective August 1, 2013, and applies to
security breaches occurring on or after that date.
new text end

Sec. 3.

Minnesota Statutes 2012, section 13.09, is amended to read:


13.09 PENALTIES.

new text begin (a) new text endAny person who willfully violates the provisions of this chapter or any rules
adopted under this chapter new text beginor whose conduct constitutes the knowing unauthorized
acquisition of not public data, as defined in section 13.055, subdivision 1,
new text endis guilty of a
misdemeanor.

new text begin (b) new text endWillful violation of this chapter deleted text beginbydeleted text endnew text begin, including any action subject to a criminal
penalty under paragraph (a), by
new text end any public employee constitutes just cause for suspension
without pay or dismissal of the public employee.

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective August 1, 2013, and applies to crimes
committed on or after that date.
new text end

Sec. 4.

Minnesota Statutes 2012, section 13.82, is amended by adding a subdivision to
read:


new text begin Subd. 31. new text end

new text begin License plate reader data. new text end

new text begin (a) For purposes of this subdivision,
"automated license plate reader data" means government data derived from an automated
reader that captures motor vehicle license plate numbers.
new text end

new text begin (b) Automated license plate reader data are private data on individuals or nonpublic
data. Notwithstanding section 138.17, automated license plate reader data must not be
retained, in any format, unless, based on a search of the Minnesota license plate data file,
the data identify a vehicle or license plate that has been stolen, there is a warrant for the
arrest of the owner of the vehicle or the owner has a suspended or revoked driver's license,
or the data are active investigative data.
new text end

new text begin (c) A law enforcement agency that installs or uses an automated license plate reader
must maintain a log of its use, including:
new text end

new text begin (1) locations at which the reader is installed or used;
new text end

new text begin (2) specific times of day that the reader actively collected data; and
new text end

new text begin (3) the aggregate number of vehicles or license plates on which data are collected for
each period of active use.
new text end

new text begin Notwithstanding any other law to the contrary, data contained in a log required under
this paragraph are public.
new text end

new text begin (d) The responsible law enforcement agency shall conduct a biennial audit of data
collected from automated license plate readers to determine whether the data has been
classified or destroyed as required under this subdivision. Specific data used in the audit
under this paragraph are classified as provided in paragraph (b). Summary data related to
the results of the audit are public.
new text end

new text begin (e) A law enforcement agency may not use an automated license plate reader unless
the agency has implemented policies and procedures necessary to ensure compliance
with this subdivision.
new text end

Sec. 5.

Minnesota Statutes 2012, section 299C.40, subdivision 4, is amended to read:


Subd. 4.

Data classification; general rule; changes in classification; audit trail.

(a) The classification of data in the law enforcement agency does not change after the data
is submitted to CIBRS. If CIBRS is the only source of data made public by section 13.82,
subdivisions 2, 3, 6, and 7
, data described in those subdivisions must be downloaded and
made available to the public as required by section 13.03.

(b) Data on individuals created, collected, received, maintained, or disseminated
by CIBRS is classified as confidential data on individuals as defined in section 13.02,
subdivision 3
, and becomes private data on individuals as defined in section 13.02,
subdivision 12
, as provided by this section.

(c) Data not on individuals created, collected, received, maintained, or disseminated
by CIBRS is classified as protected nonpublic data as defined in section 13.02, subdivision
13
, and becomes nonpublic data as defined in section 13.02, subdivision 9, as provided
by this section.

(d) Confidential or protected nonpublic data created, collected, received, maintained,
or disseminated by CIBRS must automatically change classification from confidential
data to private data or from protected nonpublic data to nonpublic data on the earlier of
the following dates:

(1) upon receipt by CIBRS of notice from a law enforcement agency that an
investigation has become inactive; or

(2) when the data has not been updated by the law enforcement agency that
submitted it for a period of 120 days.

(e) For the purposes of this section, an investigation becomes inactive upon the
occurrence of any of the events listed in section 13.82, subdivision 7, clauses (a) to (c).

(f) Ten days before making a data classification change because data has not been
updated, CIBRS must notify the law enforcement agency that submitted the data that a
classification change will be made on the 120th day. The notification must inform the law
enforcement agency that the data will retain its classification as confidential or protected
nonpublic data if the law enforcement agency updates the data or notifies CIBRS that the
investigation is still active before the 120th day. A new 120-day period begins if the data
is updated or if a law enforcement agency notifies CIBRS that an active investigation
is continuing.

(g) A law enforcement agency that submits data to CIBRS must notify CIBRS if an
investigation has become inactive so that the data is classified as private data or nonpublic
data. The law enforcement agency must provide this notice to CIBRS within ten days
after an investigation becomes inactive.

(h) All queries and responses and all actions in which data is submitted to CIBRS,
changes classification, or is disseminated by CIBRS to any law enforcement agency
must be recorded in the CIBRS audit trail.

new text begin (i) Notwithstanding paragraphs (b) and (c), the name of each law enforcement
agency that submits data to CIBRS, and a general description of the types of data
submitted by the agency, are public.
new text end