Data Breach Notification

Minnesota Statutes, section 13.055 requires government entities to notify individuals when there has been a breach of the security of private or confidential data about those individuals. In general, there has been a breach that requires notice when all of the following apply:

A person,
Views or takes private or confidential data,
Without permission or statutory authority, and
With the intent to use the private or confidential data for nongovernmental purposes

Minnesota Statutes, section 13.055 requires a data breach notice when there has been a "breach of the security of the data" as defined by the statute. The statute provides the following definitions to determine if there was a breach:

Breach of the security of the data:

The “unauthorized acquisition of data…that compromises the security and classification of the data. Good faith acquisition of or access to government data by an employee, contractor, or agent of a state agency for the purposes of the state agency is not a breach of the security of the data, if the government data is not provided to or viewable by an unauthorized person.”

Unauthorized acquisition:

Means “a person has obtained, accessed, or viewed government data without the informed consent of the individuals who are the subjects of the data or statutory authority and with the intent to use the data for nongovernmental purposes.”

Unauthorized person:

“Any person who accesses government data without a work assignment that reasonably requires access to the data.”

What should a breach notice look like?
Government must disclose any breach of private or confidential data to affected individuals who are the subjects of the data when they reasonably believe a qualifying breach has occurred. The required notice to individuals must:
- Be in writing
- Inform the individual that a report will be prepared about the breach investigation
- State that an individual may request a copy of the report by mail or email
- Be sent without unreasonable delay
Sample breach notification letter
How must an entity provide notice?
Government may provide the written notice to affected individuals either by first class mail or by electronic notice. We have created a sample breach notification letter for reference purposes.

The government may choose substitute notice if the cost of providing the written notice exceeds $250,000 or the group of individuals it must notify exceeds 500,000, or the entity does not have sufficient contact information. Substitute notice consists of all of the following:
- Email notice if the entity has an email address for affected individuals
- Post the notice on the website of the entity, if the entity maintains a website
- Provide notification to major media outlets that reach the general public within the government entity’s jurisdiction
Must an entity notify consumer reporting agencies?
What type of report is required following a breach investigation?
When a breach occurs, a government entity is required to complete an investigation and prepare a report. The report must include the facts and the results of the investigation.

If the breach involved unauthorized access to or acquisition of data by an employee, contractor, or agent of the government entity, the report must include:
- A description of the data that were accessed or acquired
- The number of individuals affected
If there has been final disposition of disciplinary action against an employee, the report must include:
- The name of each employee responsible for the unauthorized access or acquisition
- The final disposition of any disciplinary action taken against each employee in response
What are the penalties for unauthorized access to private or confidential data?
Additional Reporting Requirements
Cybersecurity Incidents

Minnesota Statutes sec. 16E.36 requires public agencies to report cybersecurity incidents to the Minnesota Department of Information and Technology Services (MNIT). This reporting requirement applies to state agencies, political subdivisions, school districts, charter schools, intermediate districts, cooperative units under Minn. Stat. sec. 123A.24 subd. 2, and public postsecondary education institutions.

A cybersecurity incident is an action taken through the use of an information system or network that results in an actual or potentially adverse effect on an information system, network, or information residing therein. Under this definition, a cybersecurity incident may also be a data breach under Minn. Stat. sec. 13.055. However, not all data breaches under the Data Practices Act will be a cybersecurity incident. If you believe you may have a breach of data at your government entity, it is important to assess whether this possible breach is also a cybersecurity incident that also requires reporting to MNIT.

For more information, please visit MNIT's page on cybersecurity incidents.

State Agency Reporting

Generally speaking, the data breach provision in section 13.055 encompasses only those unauthorized data accesses that were made with the intent to use the data for a non-government purpose.

State agencies are also subject to section 3.971, which contains an additional notification requirement to the Office of the Legislative Auditor (OLA). The circumstances that require a state agency to notify the OLA are much broader than the requirements of section 13.055. Section 3.971 requires notification every time an entity has knowledge of improper access or use of not public data, regardless of how the unauthorized party intended to use the data.

Examples of when the OLA notification is required, but the section 13.055 data breach provision may not generally apply, include:
- Accidental access of a not public database by a government employee
- Incorrectly typing an email address and sending not public data to the wrong government employee
- Inadvertently reading a report with not public data without an appropriate work assignment
Each of the situations above requires corrective action by the government entity, and notification to the OLA, but does not require a data breach notification per section 13.055, because of the lack of wrongful intent.