Minnesota Proposes Expansive Amendment to Data Breach Notification Law

Two days ago, we heard that Target Corporation has brought in an information security heavy hitter to oversee the company's post-breach data security and technology operations.  Now we learn that its home base of operations, Minnesota, is the latest state to propose a legislative reaction to the Target data breach.

The Minnesota legislature has introduced an expansive bill to amend the state's data breach notification law to effectively create a 50-state notification requirement for entities doing business in Minnesota.  The bill would:

  • Broaden the breach notification requirement to require that all individuals be notified, rather than only residents of Minnesota
  • Require notification to affected individuals or the owners/licensees of the information within 48 hours of discovery or notification of the breach
  • Require that the business required to give notice make one year of free credit monitoring services available to all affected individuals, and that such services be made available within 30 days of the breach
  • Require that breached retailers or wholesalers of consumer goods or services provide each affected individual with a $100 gift card for future use, valid for at least one year
  • Reimburse individuals who incur any charges or fees as a consequence of the breach

We will be following the progress of this amendment closely.

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.