Data Breach Security Assessment
The Data Practices Act requires a government entity to perform a yearly, comprehensive security assessment of any personal information it maintains. (See Minnesota Statutes, section 13.055, subdivision 6.)
What is "personal information"?
Personal information is an individual's first name or first initial and last name in combination with one or more of these elements when unencrypted:
- a social security number;
- driver's license number or Minnesota ID card number; or
- account number or credit/debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account.
This definition comes from Minnesota Statutes, section 325E.61, subdivision 1(e). Personal information does not include public data.
What are some examples of personal information?
- Unencrypted computer files,
- Paper documents, or
- Other records maintained in a non-computer medium (i.e., that cannot be encrypted).
What is a security assessment?
An entity's security assessment will vary depending on the amount of personal information the entity maintains. Developing the security assessment will require collaboration with an entity's legal counsel and internal auditor.
The Department of Administration uses the Control Environment Self-Assessment Tool, developed by Minnesota Management and Budget (MMB). Lines 45, 48, 49, and 51 of that tool target the requirements in section 13.055. You can learn more about control environments at MMB's website.