A Legal Guide to PRIVACY AND DATA SECURITY 2024

State Breach Notification Laws Minnesota and all other states have enacted laws that require notification to individuals in the event of a security breach of sensitive or personal information. These laws usually cover any businesses that conduct business in the state and own, license, or maintain information covered by the statute (usually defined as the person’s name, combined with their social security number, driver’s license number, or credit and banking account information), regardless of the size of the business. In general, most state laws require that companies disclose a data breach to affected residents of the state. Some statutes also require notification of law enforcement, consumer protection boards, or credit agencies. Most breach notification laws set forth notification guidelines as to how soon a company is required to inform customers of a data breach (e.g., without unreasonable delay); the existence of civil or criminal penalties for failure to notify; the existence of a private right of action, if any, against the company; and any exemptions that apply to certain businesses or certain breaches. Some state laws distinguish between material and nonmaterial breaches. State Laws Not Uniform . Most state laws, including Minnesota’s, provide a notification scheme and require notice to individuals after a “breach of the security system.” [See Minn. Stat. § 325E.61 on pages 88- 90]. But these state laws are not identical and include their own subtle distinctions and provisions. For example, some laws only require notice when there is a “material” or “significant” risk of harm from the security breach. Note that in Minnesota, social security or account numbers alone may not trigger notification, as they must be coupled with another identifier, such as a name. Some state security breach notification laws (such as Wisconsin) are triggered even if just account numbers or related access codes are compromised. Some states also have specific requirements for what must be included in the breach notification. Minnesota does not have a specific content requirement. Timing of the notice is vague in most states and is required to be done within a

126

Made with FlippingBook - Online Brochure Maker