Minnesota Legislature

HF 183

as introduced - 88th Legislature (2013 - 2014) Posted on 01/28/2013 01:40pm

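KEY: stricken = removed, old language (shown between "deleted text begin" and "deleted text end").
underscored = added, new language (shown between "new text begin" and "new text end").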

A bill for an act
relating to data practices; enhancing certain penalties and procedures related to
unauthorized access to data by a public employee; amending Minnesota Statutes
2012, sections 13.05, subdivision 5; 13.055; 13.08, subdivision 1; 13.09.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2012, section 13.05, subdivision 5, is amended to read:


Subd. 5.

Data protection.

(a) The responsible authority shall (1) establish
procedures to assure that all data on individuals is accurate, complete, and current for the
purposes for which it was collected; and (2) establish appropriate security safeguards for
all records containing data on individuals new text begin, including procedures for ensuring that data that
is not public is only accessible to persons explicitly authorized by law, and is only being
accessed by those persons for reasons explicitly authorized by law new text end.

(b) When not public data is being disposed of, the data must be destroyed in a way
that prevents its contents from being determined.

Sec. 2.

Minnesota Statutes 2012, section 13.055, is amended to read:


13.055 deleted text begin STATE AGENCIES; deleted text end DISCLOSURE OF BREACH IN SECURITY new text begin; NOTIFICATION AND INVESTIGATION REPORT REQUIRED new text end.

Subdivision 1.

Definitions.

For purposes of this section, the following terms have
the meanings given to them.

(a) "Breach of the security of the data" means unauthorized acquisition of new text begin or access to new text end data maintained by a deleted text begin state agency deleted text end new text begin government entity new text end that compromises the security and
classification of the data. Good faith acquisition of new text begin or access to new text end government data by an
employee, contractor, or agent of a deleted text begin state agency deleted text end new text begin government entity new text end for the purposes of
the deleted text begin state agency deleted text end new text begin entity new text end is not a breach of the security of the data, if the government data
is not provided to new text begin or viewable by new text end an unauthorized person new text begin, or accessed for a reason not explicitly authorized by law new text end.

(b) "Contact information" means either name and mailing address or name and
e-mail address for each individual who is the subject of data maintained by the deleted text begin state agency deleted text end new text begin government entity new text end.

(c) "Unauthorized acquisition" means that a person has obtained new text begin or viewed new text end government data without the informed consent of the individuals who are the subjects
of the data or statutory authority and with the intent to use the data for nongovernmental
purposes. new text begin Intent to cause harm to a data subject is not a factor in determining whether an
acquisition of data is unauthorized. new text end

(d) "Unauthorized person" means any person who accesses government data
deleted text begin without permission or deleted text end without a work assignment that reasonably requires deleted text begin the person to have deleted text end access deleted text begin to the data deleted text end new text begin, or regardless of the person's work assignment, for a reason not
explicitly permitted by law new text end.

Subd. 2.

Notice to individuals new text begin; investigation report new text end.

new text begin (a) new text end A deleted text begin state agency deleted text end new text begin government entity new text end that collects, creates, receives, maintains, or disseminates private or confidential data
on individuals must disclose any breach of the security of the data following discovery or
notification of the breach. Notification must be made to any individual who is the subject of
the data and whose private or confidential data was, or is reasonably believed to have been,
acquired by an unauthorized person. The disclosure must be made in the most expedient
time possible and without unreasonable delay, consistent with (1) the legitimate needs of a
law enforcement agency as provided in subdivision 3; or (2) any measures necessary to
determine the scope of the breach and restore the reasonable security of the data.

new text begin (b) Upon completion of an investigation into any breach in the security of data, the
responsible authority shall prepare a report on the facts and results of the investigation.
If the breach involved unauthorized acquisition to data by a public employee, the report
must at a minimum include:
new text end

new text begin (1) a description of the data that were accessed or acquired;
new text end

new text begin (2) the number of individuals whose data was improperly accessed or acquired;
new text end

new text begin (3) the name of each employee determined responsible for the unauthorized access
or acquisition; and
new text end

new text begin (4) the final disposition of any disciplinary action taken against each employee in
response, or if disciplinary action was determined to be unnecessary, the specific findings
and reasons for that determination.
new text end

new text begin Notwithstanding any other provision of law, the full contents of this report shall be public
at all times, provided to any individual required to receive a notice under paragraph (a),
and posted on the affected government entity's Web site.
new text end

Subd. 3.

Delayed notice.

The notification required by this section may be delayed if
a law enforcement agency determines that the notification will impede an active criminal
investigation. The notification required by this section must be made after the law
enforcement agency determines that it will not compromise the investigation.

Subd. 4.

Method of notice.

Notice under this section may be provided by one of
the following methods:

(a) written notice by first class mail to each affected individual;

(b) electronic notice to each affected individual, if the notice provided is consistent
with the provisions regarding electronic records and signatures as set forth in United
States Code, title 15, section 7001; or

(c) substitute notice, if the deleted text begin state agency deleted text end new text begin government entity new text end demonstrates that the cost
of providing the written notice required by paragraph (a) would exceed $250,000, or
that the affected class of individuals to be notified exceeds 500,000, or the deleted text begin state agency deleted text end new text begin government entity new text end does not have sufficient contact information. Substitute notice consists
of all of the following:

(i) e-mail notice if the deleted text begin state agency deleted text end new text begin government entity new text end has an e-mail address for
the affected individuals;

(ii) conspicuous posting of the notice on the Web site page of the deleted text begin state agency deleted text end new text begin government entity new text end, if the deleted text begin state agency deleted text end new text begin government entity new text end maintains a Web site; and

(iii) notification to major media outlets that reach the general public new text begin within the
government entity's jurisdiction new text end.

Subd. 5.

Coordination with consumer reporting agencies.

If the deleted text begin state agency deleted text end new text begin government entity new text end discovers circumstances requiring notification under this section of
more than 1,000 individuals at one time, the deleted text begin state agency deleted text end new text begin government entity new text end must also
notify, without unreasonable delay, all consumer reporting agencies that compile and
maintain files on consumers on a nationwide basis, as defined in United States Code, title
15, section 1681a, of the timing, distribution, and content of the notices.

Subd. 6.

Security assessments.

new text begin At least annually, new text end each government entity shall
conduct a comprehensive security assessment of any personal information maintained
by the government entity. For the purposes of this subdivision, personal information is
defined under section 325E.61, subdivision 1, paragraphs (e) and (f).

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective the day following final enactment
and applies to security breaches occurring on or after that date.
new text end

Sec. 3.

Minnesota Statutes 2012, section 13.08, subdivision 1, is amended to read:


Subdivision 1.

Action for damages.

Notwithstanding section 466.03, a responsible
authority or government entity which violates any provision of this chapter is liable to a
person or representative of a decedent who suffers any damage as a result of the violation,
and the person damaged or a representative in the case of private data on decedents or
confidential data on decedents may bring an action against the responsible authority or
government entity to cover any damages sustained, plus costs and reasonable attorney
fees. In the case of a willful violation, new text begin or in the case of any violation resulting from a
public employee's unauthorized access to not public data,
new text end the government entity shall, in
addition, be liable to exemplary damages of not less than $1,000, nor more than $15,000
for each violation. The state is deemed to have waived any immunity to a cause of action
brought under this chapter.

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective the day following final enactment
and applies to violations occurring on or after that date.
new text end

Sec. 4.

Minnesota Statutes 2012, section 13.09, is amended to read:


13.09 PENALTIES.

new text begin (a)(1) new text end Any person who willfully violates the provisions of this chapter or any rules
adopted under this chapter is guilty of a misdemeanor.

new text begin (2) A public employee who acquires or accesses not public data in a manner not
explicitly authorized by law is guilty of a gross misdemeanor if the employee:
new text end

new text begin (i) acquired or accessed data on a single data subject on more than one occasion; or
new text end

new text begin (ii) acquired or accessed data on multiple data subjects, regardless of the number
of occasions on which the acquisition or access occurred.
new text end

deleted text begin Willful violation of this chapter by deleted text end new text begin (b) Any action subject to a criminal penalty under
paragraph (a) by new text end any public employee constitutes just cause for suspension without pay or
new text begin immediate new text end dismissal of the public employee.

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective the day following final enactment
and applies to violations occurring on or after that date.
new text end