Data Breach Notification

Definitions

Breach of the security of the data is the “unauthorized acquisition of data…that compromises the security and classification of the data. Good faith acquisition of or access to government data by an employee, contractor, or agent of a state agency for the purposes of the state agency is not a breach of the security of the data, if the government data is not provided to or viewable by an unauthorized person.”

Unauthorized acquisition means “a person has obtained, accessed, or viewed government data without the informed consent of the individuals who are the subjects of the data or statutory authority and with the intent to use the data for nongovernmental purposes.”

Unauthorized person is “any person who accesses government data without a work assignment that reasonably requires access to the data.”

When has there been a data breach?

There has been a breach that generally triggers a notice per Minnesota Statutes, section 13.055, when all of the following apply:

  • A person with no reasonable, work-related need to access private or confidential data;
  • Views or takes the data; and
  • With the intent to use the data for purposes unrelated to his/her job.

What should a breach notice look like?

A government entity must disclose any breach of private or confidential data to the affected individuals who are the subjects of the data when it reasonably believes a qualifying breach has occurred. The required notice to individuals must:

  • Be in writing
  • Inform the individual that a report will be prepared about the breach investigation
  • State that an individual may request a copy of the report by mail or email
  • Be sent without unreasonable delay

How must an entity provide notice?

Government entities may provide the written notice to affected individuals either by first class mail or by electronic notice.

An entity may choose substitute notice if the cost of providing the written notice exceeds $250,000 or the group of individuals it must notify exceeds 500,000, or the entity does not have sufficient contact information. Substitute notice consists of all of the following:

  • Email notice to affected individuals for whom the entity has an email address
  • Posting of the notice on the entity’s website, if the entity maintains a website
  • Notification to major media outlets that reach the general public within the government entity’s jurisdiction

Must an entity notify consumer reporting agencies?

If a breach requires a government entity to notify more than 1,000 individuals, the entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

What type of report is required following a breach investigation?

When a breach occurs, a government entity is required to complete an investigation and prepare a report. The report must include the facts and the results of the investigation.

If the breach involved unauthorized access to or acquisition of data by an employee, contractor, or agent of the government entity, the report must include:

  • A description of the data that were accessed or acquired
  • The number of individuals affected

If there has been final disposition of disciplinary action against an employee, the report must include:

  • The name of each employee responsible for the unauthorized access or acquisition
  • The final disposition of any disciplinary action taken against each employee in response

What are the penalties for unauthorized access to private or confidential data?

Minnesota Statutes, section 13.09, provides that conduct which constitutes a knowing unauthorized acquisition of not public data is a misdemeanor. Willful violations are subject to criminal penalties and are just cause for suspension without pay or dismissal.

Are there any additional requirements for state agencies?

Generally speaking, the data breach provision in section 13.055 encompasses only those unauthorized data accesses that were made with the intent to use the data for a non-government purpose.

State agencies are also subject to section 3.971, which contains an additional notification requirement to the Office of the Legislative Auditor (OLA). The circumstances that require a state agency to notify the OLA are much broader than the requirements of section 13.055. Section 3.971 requires notification every time an entity has knowledge of improper access or use of not public data, regardless of how the unauthorized party intended to use the data.

Examples of when the OLA notification is required, but the section 13.055 data breach provision may not generally apply, include:

  • Accidental access of a not public database by a government employee
  • Incorrectly typing an email address and sending not public data to the wrong government employee
  • Inadvertently reading a report with not public data without an appropriate work assignment

Each of the situations above requires corrective action by the government entity, and notification to the OLA, but does not require a data breach notification per section 13.055, because of the lack of wrongful intent.