documentation and governance controls. Even though these AI state regulations vary significantly in approach and have distinct differences, they build on core privacy concepts like data minimization, purpose limitation, consumer transparency and risk assessments, particularly where the artificial intelligence technology relies on or uses personal data or sensitive personal data. Through Executive Orders the Trump Administration is trying to limit the ability of states to regulate AI including one issued December 11, 2025 entitled Ensuring A National Policy Framework for Artificial Intelligence. State Laws Not Uniform . Most state laws, including Minnesota’s, provide a notification scheme and require notice to individuals after a “breach of the security system.” [See Minn. Stat. § 325E.61 on pages 88- 90]. But these state laws are not identical and include their own subtle distinctions and provisions. For example, some laws only require notice when there is a “material” or “significant” risk of harm from the security breach. Note that in Minnesota, social security or account numbers alone may not trigger notification, as they must be coupled with another identifier, such as a name. Some state security breach notification laws (such as Wisconsin) are triggered even if just account numbers or related access codes are compromised. Some states also have specific requirements for what must be included in the breach notification. Minnesota does not have a specific content requirement. Timing of the notice is vague in most states and is required to be done within a “reasonable” time frame. (Wisconsin requires notice within 45 days). Some states allow for a private right of action. Minnesota actions may be brought by the Minnesota Attorney General . One bill introduced in the Minnesota legislature would have required notification of a consumer within 48 hours of discovery of the data breach. The variety in state laws is one of the most compelling justifications for a comprehensive federal breach notification law. State Data Breach Notification Statute Updates. Now that each of the fifty states, Washington DC, Guam, Puerto Rico, and the U.S. Virgin Islands all have their own data breach notification statutes, the focus has
137
Made with FlippingBook - Online Brochure Maker