Minnesota Data Breach Notification [Minn. Stat. §§ 325E.61 and 13.055]
Any person or business that maintains data that includes personal information that the person or business does not own must notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Definition of Personal Information. For Minnesota residents, personal information includes first name or first initial and last name plus one or more of the following: social security number, driver’s license number or state issued ID card number, account number, credit card number or debit card number combined with any security code, access code, PIN, or password needed to access an account and generally applies to computerized data that includes personal information. It does not include encrypted data. Definition of Breach . Breach of the “security system” means any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by the person or business. Content of Notice. There is no specific requirement as to content of the notification. Timing . The notification requirement is triggered upon discovery or notification of a breach of the security of the system. Notification must be in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system. In the event of a breach affecting over 500 people (1,000 for state agencies), consumer reporting agencies (CRA) must be notified within 48
90
Made with FlippingBook - Online Brochure Maker