13.055 STATE AGENCIES; DISCLOSURE OF BREACH IN SECURITY.
Subdivision 1. Definitions.
For purposes of this section, the following terms have the
meanings given to them.
(a) "Breach of the security of the data" means unauthorized acquisition of data maintained by
a state agency that compromises the security and classification of the data. Good faith acquisition
of government data by an employee, contractor, or agent of a state agency for the purposes of the
state agency is not a breach of the security of the data, if the government data is not provided
to an unauthorized person.
(b) "Contact information" means either name and mailing address or name and e-mail
address for each individual who is the subject of data maintained by the state agency.
(c) "Unauthorized acquisition" means that a person has obtained government data without
the informed consent of the individuals who are the subjects of the data or statutory authority and
with the intent to use the data for nongovernmental purposes.
(d) "Unauthorized person" means any person who accesses government data without
permission or without a work assignment that reasonably requires the person to have access
to the data.
Subd. 2. Notice to individuals.
A state agency that collects, creates, receives, maintains, or
disseminates private or confidential data on individuals must disclose any breach of the security
of the data following discovery or notification of the breach. Notification must be made to
any individual who is the subject of the data and whose private or confidential data was, or is
reasonably believed to have been, acquired by an unauthorized person. The disclosure must be
made in the most expedient time possible and without unreasonable delay, consistent with (1) the
legitimate needs of a law enforcement agency as provided in subdivision 3; or (2) any measures
necessary to determine the scope of the breach and restore the reasonable security of the data.
Subd. 3. Delayed notice.
The notification required by this section may be delayed if a law
enforcement agency determines that the notification will impede an active criminal investigation.
The notification required by this section must be made after the law enforcement agency
determines that it will not compromise the investigation.
Subd. 4. Method of notice.
Notice under this section may be provided by one of the
(a) written notice by first class mail to each affected individual;
(b) electronic notice to each affected individual, if the notice provided is consistent with the
provisions regarding electronic records and signatures as set forth in United States Code, title
15, section 7001; or
(c) substitute notice, if the state agency demonstrates that the cost of providing the written
notice required by paragraph (a) would exceed $250,000, or that the affected class of individuals
to be notified exceeds 500,000, or the state agency does not have sufficient contact information.
Substitute notice consists of all of the following:
(i) e-mail notice if the state agency has an e-mail address for the affected individuals;
(ii) conspicuous posting of the notice on the Web site page of the state agency, if the state
agency maintains a Web site; and
(iii) notification to major media outlets that reach the general public.
Subd. 5. Coordination with consumer reporting agencies.
If the state agency discovers
circumstances requiring notification under this section of more than 1,000 individuals at one time,
the state agency must also notify, without unreasonable delay, all consumer reporting agencies
that compile and maintain files on consumers on a nationwide basis, as defined in United States
Code, title 15, section 1681a, of the timing, distribution, and content of the notices.
Subd. 6. Security assessments.
Each government entity shall conduct a comprehensive
security assessment of any personal information maintained by the government entity. For the
purposes of this subdivision, personal information is defined under section 325E.61, subdivision
1, paragraphs (e) and (f).
History: 2005 c 163 s 21; 2005 c 167 s 1; 2006 c 212 art 1 s 17,24; 2006 c 233 s 7,8