language to be deleted (2) new language
relating to data practices; enhancing certain penalties and procedures related to unauthorized access to data by a public employee; requiring disclosure of certain data related to use of the CIBRS law enforcement database;
amending Minnesota Statutes 2012, sections 13.05, subdivision 5; 13.055; 13.09; 299C.40, subdivision 4.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
(a) The responsible authority shall
(1) establish procedures to assure that all data on individuals is accurate, complete, and current for the purposes for which it was collected; and
(2) establish appropriate security safeguards for all records containing data on individuals
(b) When not public data is being disposed of, the data must be destroyed in a way that prevents its contents from being determined.
For purposes of this section, the following terms have the meanings given to them.
(a) "Breach of the security of the data" means unauthorized acquisition of data maintained by a state agency that compromises the security and classification of the data. Good faith acquisition of government data by an employee, contractor, or agent of a state agency for the purposes of the state agency is not a breach of the security of the data, if the government data is not provided to an unauthorized person.
(b) "Contact information" means either name and mailing address or name and e-mail address for each individual who is the subject of data maintained by the state agency.
(c) "Unauthorized acquisition" means that a person has obtained government data without the informed consent of the individuals who are the subjects of the data or statutory authority and with the intent to use the data for nongovernmental purposes.
(d) "Unauthorized person" means any person who accesses government data without permission or without a work assignment that reasonably requires the person to have access to the data.
A state agency that collects, creates, receives, maintains, or disseminates private or confidential data on individuals must disclose any breach of the security of the data following discovery or notification of the breach. notification must be made to any individual who is the subject of the data and whose private or confidential data was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with (1) the legitimate needs of a law enforcement agency as provided in subdivision 3; or (2) any measures necessary to determine the scope of the breach and restore the reasonable security of the data.
The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede an active criminal investigation. The notification required by this section must be made after the law enforcement agency determines that it will not compromise the investigation.
Notice under this section may be provided by one of the following methods:
(a) written notice by first class mail to each affected individual;
(b) electronic notice to each affected individual, if the notice provided is consistent with the provisions regarding electronic records and signatures as set forth in United States Code, title 15, section 7001; or
(c) substitute notice, if the state agency demonstrates that the cost of providing the written notice required by paragraph (a) would exceed $250,000, or that the affected class of individuals to be notified exceeds 500,000, or the state agency does not have sufficient contact information. Substitute notice consists of all of the following:
(i) e-mail notice if the state agency has an e-mail address for the affected individuals;
(ii) conspicuous posting of the notice on the Web site page of the state agency, if the state agency maintains a Web site; and
(iii) notification to major media outlets that reach the general public.
If the state agency discovers circumstances requiring notification under this section of more than 1,000 individuals at one time, the state agency must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in United States Code, title 15, section 1681a, of the timing, distribution, and content of the notices.
each government entity shall conduct a comprehensive security assessment of any personal information maintained by the government entity. For the purposes of this subdivision, personal information is defined under section 325E.61, subdivision 1, paragraphs (e) and (f).
Any person who willfully violates the provisions of this chapter or any rules adopted under this chapter is guilty of a misdemeanor.
Willful violation of this chapter by any public employee constitutes just cause for suspension without pay or dismissal of the public employee.
(a) The classification of data in the law enforcement agency does not change after the data is submitted to CIBRS. If CIBRS is the only source of data made public by section 13.82, subdivisions 2, 3, 6, and 7, data described in those subdivisions must be downloaded and made available to the public as required by section 13.03.
(b) Data on individuals created, collected, received, maintained, or disseminated by CIBRS is classified as confidential data on individuals as defined in section 13.02, subdivision 3, and becomes private data on individuals as defined in section 13.02, subdivision 12, as provided by this section.
(c) Data not on individuals created, collected, received, maintained, or disseminated by CIBRS is classified as protected nonpublic data as defined in section 13.02, subdivision 13, and becomes nonpublic data as defined in section 13.02, subdivision 9, as provided by this section.
(d) Confidential or protected nonpublic data created, collected, received, maintained, or disseminated by CIBRS must automatically change classification from confidential data to private data or from protected nonpublic data to nonpublic data on the earlier of the following dates:
(1) upon receipt by CIBRS of notice from a law enforcement agency that an investigation has become inactive; or
(2) when the data has not been updated by the law enforcement agency that submitted it for a period of 120 days.
(e) For the purposes of this section, an investigation becomes inactive upon the occurrence of any of the events listed in section 13.82, subdivision 7, clauses (a) to (c).
(f) Ten days before making a data classification change because data has not been updated, CIBRS must notify the law enforcement agency that submitted the data that a classification change will be made on the 120th day. The notification must inform the law enforcement agency that the data will retain its classification as confidential or protected nonpublic data if the law enforcement agency updates the data or notifies CIBRS that the investigation is still active before the 120th day. A new 120-day period begins if the data is updated or if a law enforcement agency notifies CIBRS that an active investigation is continuing.
(g) A law enforcement agency that submits data to CIBRS must notify CIBRS if an investigation has become inactive so that the data is classified as private data or nonpublic data. The law enforcement agency must provide this notice to CIBRS within ten days after an investigation becomes inactive.
(h) All queries and responses and all actions in which data is submitted to CIBRS, changes classification, or is disseminated by CIBRS to any law enforcement agency must be recorded in the CIBRS audit trail.
Presented to the governor May 16, 2014
Signed by the governor May 21, 2014, 10:36 a.m.