hours and must be informed of the timing, distribution, and content of the notices sent to Minnesota residents. Penalty. The Minnesota Attorney General may enforce this law by seeking injunctive relief and/or a civil penalty not to exceed $25,000. Exemptions. An exemption from this notification statute may apply to an entity that is otherwise covered by a federal law such as the GLBA or HIPAA. As noted above, encrypted information is exempt but the Minnesota statute does not define encryption. The full text of the Minnesota notification statute appears below. 325E.61 DATA WAREHOUSES; NOTICE REQUIRED FOR CERTAIN DISCLOSURES. Subdivision 1. Disclosure of personal information; notice required. (a) Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system. (b) Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (c) The notification required by this section and Minn. Stat. § 13.055, subdivision 6, may be delayed to a date certain if a law enforcement agency affirmatively determines that the notification will impede a criminal investigation. (d) For purposes of this section and Minn. Stat. § 13.055, subdivision 6, “breach of the security of the system” means unauthorized acquisition
91
Made with FlippingBook - Online Brochure Maker