What Are the Minnesota Data Breach Notification Rules?

Does your organization handle personal client information? Do you know what you should do in case your organization becomes the victim of a cyberattack? In this article, we explore the data breach notification laws in Minnesota.

What Are the Minnesota Data Breach Notification Rules?

Does your organization handle personal client information? Do you know what you should do in case your organization becomes the victim of a cyberattack? In this article, we explore the data breach notification laws in Minnesota.

As the years have gone by, the volume of data breaches and other cyber threats has skyrocketed. In Minnesota alone, hundreds of thousands of people received letters informing them that their data might have been compromised earlier this year. Over 3 million Americans have been affected to date by what was the second-largest healthcare breach in Minnesota’s history,

However robust your security posture may seem, data breaches are an ever-present threat. And if this recent case teaches us anything, it’s that it doesn’t matter what industry you’re in; data breaches are a vital concern for any organization.

Which brings us to the question: are you aware of the legally mandated steps you need to take in the event of a data breach? If you’re not entirely up to speed, allow us to offer some perspective!

  • What Is an Unauthorized Acquisition? An unauthorized acquisition occurs when an individual has viewed, accessed, or obtained government data without the informed consent of the subjects of the data or statutory authority and intends to use the data for nongovernmental purposes.
  • Who Is an Unauthorized Person? Any individual who accesses government data without a work assignment that reasonably requires access to that data is an unauthorized person.
  • What Is a Data Security Breach? A data security breach refers to the unauthorized acquisition of data that compromises the data’s classification and security. Suppose an employee, contractor, or agent of a state agency accesses government data in good faith for the state agency’s purposes. In that case, a breach can only occur if the data is viewable by or provided to an unauthorized person.
  • When Has a Data Breach Occurred? When a data breach occurs, it typically triggers a notice according to Minnesota Statutes, section 13.055. But first, you need to know which scenarios qualify as data breaches. A data breach has occurred when an individual takes or views private data without state authority or permission and intends to use it for nongovernmental purposes.
  • How Should a Breach Notice Appear? The government must disclose any data breach to the subjects of the data who are the impacted individuals. If they believe a qualifying data breach has occurred, they must issue a notice that:
    • Is in writing
    • Is sent without an unreasonable delay
    • Notifies the subjects that a report on the breach investigation is being prepared
    • States that once the report is ready, the individual may request a copy by mail or email.
  • Must Your Organization Provide Notice? Using your organization’s contact information, the government may notify the impacted individuals via first class mail or electronic notice. However, if you don’t have sufficient contact information, the government may opt for a substitute notice. They may also choose a substitute notice if the written notices cost over $250,000 or if they must notify more than 500,000 individuals.
  • How Must a Substitute Notice Appear? A substitute notice involves the following:
    • Email notice if you have an email address for impacted individuals
    • Posting the notice on your organization’s website if you have one
    • Informing major media outlets that can reach the general public within your organization’s jurisdiction.
    • What Should Be Included in the Breach Investigation Report? If the breach involved unauthorized access, the report on the investigation’s findings must include:
    • A description of the data that was stolen
    • The number of people that were impacted
    • If appropriate disciplinary action has been taken, then the report must mention:
      • The name of all the individuals responsible for the unauthorized access
      • The disciplinary action that was taken against each responsible employee

Hear From Our
Happy Clients

Read Our Reviews

Looking for Reliable IT Support in Case of a Data Breach?

Our experienced team at On-Site Computers is ready to offer your Minnesota organization reliable IT support even when disaster strikes.

Contact us now to be confident in your IT support.

Latest Blog Posts

Read Technology Insights
pixel-geo