Skip to main content Skip to office menu Skip to footer
Minnesota Legislature

Office of the Revisor of Statutes

SF 2062

as introduced - 91st Legislature (2019 - 2020) Posted on 03/07/2019 03:53pm

KEY: stricken = removed, old language.
underscored = added, new language.

Current Version - as introduced

Line numbers 1.1 1.2 1.3 1.4 1.5
1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20

A bill for an act
relating to data practices; modifying notification procedure related to an
unauthorized acquisition of government data; amending Minnesota Statutes 2018,
section 13.055, subdivision 2.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2018, section 13.055, subdivision 2, is amended to read:


Subd. 2.

Notice to individuals; investigation report.

(a) A government entity that
collects, creates, receives, maintains, or disseminates private or confidential data on
individuals must disclose any breach of the security of the data following discovery or
notification of the breach. deleted text beginWrittendeleted text end Notification must be made to any individual who is the
subject of the data and whose private or confidential data was, or is reasonably believed to
have been, acquired by an unauthorized person deleted text beginanddeleted text endnew text begin if the unauthorized acquisition creates
a significant risk of financial, reputational, or other harm to the subject of the data. In
evaluating whether an unauthorized acquisition creates a significant risk to the subject of
the data, the government entity must consider the following factors:
new text end

new text begin (1) the nature of the unauthorized acquisition;
new text end

new text begin (2) the nature and type of the data breached;
new text end

new text begin (3) the likelihood that the breach caused the data to become accessible and usable outside
of the government entity;
new text end

new text begin (4) the likelihood that the breach will result in harm to the subject of the data; and
new text end

new text begin (5) the ability of the government entity to mitigate the risk of harm to the subject of the
data.
new text end

new text begin The notification new text endmust inform the individual that a report will be prepared under paragraph
(b), how the individual may obtain access to the report, and that the individual may request
delivery of the report by mail or e-mail. The disclosure must be made in the most expedient
time possible and without unreasonable delay, consistent with deleted text begin(1)deleted text endnew text begin (i)new text end the legitimate needs
of a law enforcement agency as provided in subdivision 3; or deleted text begin(2)deleted text endnew text begin (ii)new text end any measures necessary
to determine the scope of the breach and restore the reasonable security of the data.

(b) Notwithstanding section 13.15 or 13.37, upon completion of an investigation into
any breach in the security of data and final disposition of any disciplinary action for purposes
of section 13.43, including exhaustion of all rights of appeal under any applicable collective
bargaining agreement, the responsible authority shall prepare a report on the facts and results
of the investigation. If the breach involves unauthorized access to or acquisition of data by
an employee, contractor, or agent of the government entity, the report must at a minimum
include:

(1) a description of the type of data that were accessed or acquired;

(2) the number of individuals whose data was improperly accessed or acquired;

(3) if there has been final disposition of disciplinary action for purposes of section 13.43,
the name of each employee determined to be responsible for the unauthorized access or
acquisition, unless the employee was performing duties under chapter 5B; and

(4) the final disposition of any disciplinary action taken against each employee in
response.