Minnesota
|
Click here to review text of state statute |
Information Covered / Important Definitions
Information covered:
Personal information of Minnesota residents.
Important definitions:
“Security Breach” means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
Definition does not include loss of a portable electronic device containing password protected personal information if the encryption key or process is not compromised.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or business doing business in Minnesota that owns or licenses computerized data containing personal information.
Third party recipients:
A covered entity that maintains data that includes personal information that the covered entity does not own must notify the owner or licensee of the information of any security breach immediately following discovery.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
Other obligations:
Any business that must notify more than 500 persons at one time of a security breach is also required to notify consumer reporting agencies of the security breach within 48 hours.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted and the encryption key, password, or other means necessary for reading or using the data has not been acquired.
Other exemptions:
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of the covered entity so long as the personal information is not used or subject to further unauthorized disclosure.
Financial institutions subject to GLBA are exempt.
Covered entity deemed in compliance with the Minnesota statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Minnesota statute.
Penalties
Enforcement under Minn. Stat. §8.31.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
|
Click here to review text of state statute |