Minnesota Legislature

SF 211

1st Engrossment - 88th Legislature (2013 - 2014) Posted on 05/19/2013 12:18pm

KEY: stricken = removed, old language.
underscored = added, new language.

Current Version - 1st Engrossment


A bill for an act
relating to data practices; enhancing certain penalties and procedures related to
unauthorized access to data by a public employee; amending Minnesota Statutes
2012, sections 13.04, subdivision 3; 13.05, subdivision 5; 13.055; 13.09.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2012, section 13.04, subdivision 3, is amended to read:


Subd. 3.

Access to data by individual.

new text begin (a) new text end Upon request to a responsible authority
or designee, an individual shall be informed whether the individual is the subject of
stored data on individuals, and whether it is classified as public, private or confidential.
Upon further request, an individual who is the subject of stored private or public data
on individuals shall be shown the data without any charge and, if desired, shall be
informed of the content and meaning of that data. After an individual has been shown
the private data and informed of its meaning, the data need not be disclosed to that
individual for six months thereafter unless a dispute or action pursuant to this section is
pending or additional data on the individual has been collected or created. The responsible
authority or designee shall provide copies of the private or public data upon request by
the individual subject of the data. The responsible authority or designee may require the
requesting person to pay the actual costs of making and certifying the copies.

new text begin (b) Notwithstanding section 13.15 or 13.43, or other law to the contrary, upon
request, an individual has access to the name of persons who have obtained access
to private data on the individual, unless the data would identify an undercover law
enforcement officer or are active investigative data.
new text end

new text begin (c) new text end The responsible authority or designee shall comply immediately, if possible, with
any request made pursuant to this subdivision, or within ten days of the date of the request,
excluding Saturdays, Sundays and legal holidays, if immediate compliance is not possible.

Sec. 2.

Minnesota Statutes 2012, section 13.05, subdivision 5, is amended to read:


Subd. 5.

Data protection.

(a) The responsible authority shall new text begin : new text end

(1) establish procedures to assure that all data on individuals is accurate, complete,
and current for the purposes for which it was collected; deleted text begin and
deleted text end

(2) establish appropriate security safeguards for all records containing data on
individuals new text begin , including procedures for ensuring that data that are not public are only
accessible to persons whose work assignment reasonably requires access to the data, and
is only being accessed by those persons for purposes described in the procedure; and
new text end

new text begin (3) develop a policy incorporating these procedures, which may include a model
policy governing access to the data if sharing of the data with other government entities is
authorized by law
new text end .

(b) When not public data is being disposed of, the data must be destroyed in a way
that prevents its contents from being determined.

Sec. 3.

Minnesota Statutes 2012, section 13.055, is amended to read:


13.055 deleted text begin STATE AGENCIES; deleted text end DISCLOSURE OF BREACH IN SECURITY new text begin ;
NOTIFICATION AND INVESTIGATION REPORT REQUIRED
new text end .

Subdivision 1.

Definitions.

For purposes of this section, the following terms have
the meanings given to them.

(a) "Breach of the security of the data" means unauthorized acquisition of new text begin or access
to
new text end data maintained by a deleted text begin state agency deleted text end new text begin government entity new text end that compromises the security and
classification of the data. Good faith acquisition of new text begin or access to new text end government data by an
employee, contractor, or agent of a deleted text begin state agency deleted text end new text begin government entity new text end for the purposes of
the deleted text begin state agency deleted text end new text begin entity new text end is not a breach of the security of the data, if the government data
is not provided to new text begin or viewable by new text end an unauthorized person new text begin , or accessed for a purpose not
described in the procedures required by section 13.05, subdivision 5
new text end new text begin . For purposes of this
paragraph, data maintained by a government entity includes data maintained by a person
under a contract with the government entity that provides for the acquisition of or access
to the data by an employee, contractor, or agent of the government entity
new text end .

(b) "Contact information" means either name and mailing address or name and
e-mail address for each individual who is the subject of data maintained by the deleted text begin state
agency
deleted text end new text begin government entity new text end .

(c) "Unauthorized acquisition" means that a person has obtained new text begin or viewed
new text end government data without the informed consent of the individuals who are the subjects of the
data or statutory authority and with the intent to use the data for nongovernmental purposes.

(d) "Unauthorized person" means any person who accesses government data deleted text begin without
permission or
deleted text end without a work assignment that reasonably requires deleted text begin the person to have
deleted text end access deleted text begin to the datadeleted text end new text begin , or regardless of the person's work assignment, for a purpose not
described in the procedures required by section 13.05, subdivision 5
new text end .

Subd. 2.

Notice to individuals new text begin ; investigation report new text end .

new text begin (a) new text end A deleted text begin state agency
deleted text end new text begin government entity new text end that collects, creates, receives, maintains, or disseminates private or
confidential data on individuals must disclose any breach of the security of the data
following discovery or notification of the breach. Notification must be made to any
individual who is the subject of the data and whose private or confidential data was, or is
reasonably believed to have been, acquired by an unauthorized person new text begin and must inform
the individual that a report will be prepared under paragraph (b), how the individual may
obtain access to the report, and that the individual may request delivery of the report by
mail or e-mail
new text end . The disclosure must be made in the most expedient time possible and
without unreasonable delay, consistent with (1) the legitimate needs of a law enforcement
agency as provided in subdivision 3; or (2) any measures necessary to determine the scope
of the breach and restore the reasonable security of the data.

new text begin (b) Upon completion of an investigation into any breach in the security of data, the
responsible authority shall prepare a report on the facts and results of the investigation.
If the breach involves unauthorized access to or acquisition of data by an employee,
contractor, or agent of the government entity, the report must at a minimum include:
new text end

new text begin (1) a description of the data that were accessed or acquired;
new text end

new text begin (2) the number of individuals whose data was improperly accessed or acquired;
new text end

new text begin (3) if there has been final disposition of disciplinary action for purposes of section
13.43, the name of each employee determined to be responsible for the unauthorized
access or acquisition;
new text end

new text begin (4) the final disposition of any disciplinary action taken against each employee in
response; and
new text end

new text begin (5) if disciplinary action was determined to be unnecessary, the specific findings and
reasons for that determination.
new text end

new text begin The report must not include data that are not public under other law. The report is
public and must be posted on the government entity's Web site, if the government entity
maintains a Web site, and provided to an individual who received the notification under
paragraph (a) and requested delivery of the report. If the government entity does not
maintain a Web site, the report must be posted on the principal bulletin board of the
government entity, or if the government entity does not have a principal bulletin board, on
the door of its usual meeting room.
new text end

Subd. 3.

Delayed notice.

The notification required by this section may be delayed if
a law enforcement agency determines that the notification will impede an active criminal
investigation. The notification required by this section must be made after the law
enforcement agency determines that it will not compromise the investigation.

Subd. 4.

Method of notice.

Notice under this section may be provided by one of
the following methods:

(a) written notice by first class mail to each affected individual;

(b) electronic notice to each affected individual, if the notice provided is consistent
with the provisions regarding electronic records and signatures as set forth in United
States Code, title 15, section 7001; or

(c) substitute notice, if the deleted text begin state agency deleted text end new text begin government entity new text end demonstrates that the cost
of providing the written notice required by paragraph (a) would exceed $250,000, or
that the affected class of individuals to be notified exceeds 500,000, or the deleted text begin state agency
deleted text end new text begin government entity new text end does not have sufficient contact information. Substitute notice consists
of all of the following:

(i) e-mail notice if the deleted text begin state agency deleted text end new text begin government entity new text end has an e-mail address for
the affected individuals;

(ii) conspicuous posting of the notice on the Web site page of the deleted text begin state agency
deleted text end new text begin government entity new text end , if the deleted text begin state agency deleted text end new text begin government entity new text end maintains a Web site; and

(iii) notification to major media outlets that reach the general public new text begin within the
government entity's jurisdiction
new text end .

Subd. 5.

Coordination with consumer reporting agencies.

If the deleted text begin state agency
deleted text end new text begin government entity new text end discovers circumstances requiring notification under this section of
more than 1,000 individuals at one time, the deleted text begin state agency deleted text end new text begin government entity new text end must also
notify, without unreasonable delay, all consumer reporting agencies that compile and
maintain files on consumers on a nationwide basis, as defined in United States Code, title
15, section 1681a, of the timing, distribution, and content of the notices.

Subd. 6.

Security assessments.

new text begin At least annually, new text end each government entity shall
conduct a comprehensive security assessment of any personal information maintained
by the government entity. For the purposes of this subdivision, personal information is
defined under section 325E.61, subdivision 1, paragraphs (e) and (f).

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective August 1, 2013, and applies to
security breaches occurring on or after that date.
new text end

Sec. 4.

Minnesota Statutes 2012, section 13.09, is amended to read:


13.09 PENALTIES.

new text begin (a) new text end Any person who willfully violates the provisions of this chapter or any rules
adopted under this chapter new text begin or whose conduct constitutes the knowing unauthorized
acquisition of not public data, as defined in section 13.055, subdivision 1,
new text end is guilty of a
misdemeanor.

new text begin (b) new text end Willful violation of this chapter deleted text begin by deleted text end new text begin , including any action subject to a criminal
penalty under paragraph (a), by
new text end any public employee constitutes just cause for suspension
without pay or dismissal of the public employee.

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective August 1, 2013, and applies to crimes
committed on or after that date.
new text end