The “unauthorized acquisition of data…that compromises the security and classification of the data. Good faith acquisition of or access to government data by an employee, contractor, or agent of a state agency for the purposes of the state agency is not a breach of the security of the data, if the government data is not provided to or viewable by an unauthorized person.”
Unauthorized acquisition: means “a person has obtained, accessed, or viewed government data without the informed consent of the individuals who are the subjects of the data or statutory authority and with the intent to use the data for nongovernmental purposes.”
Unauthorized person: “Any person who accesses government data without a work assignment that reasonably requires access to the data.”
There has been a breach that generally triggers a notice per Minnesota Statutes, section 13.055, when all of the following apply:
Government must disclose any breach of private or confidential data to affected individuals who are the subjects of the data when they reasonably believe a qualifying breach has occurred. The required notice to individuals must:
Sample breach notification letter
Government may provide the written notice to affected individuals either by first class mail or by electronic notice. We have created a sample breach notification letter for reference purposes.
The government may choose substitute notice if the cost of providing the written notice exceeds $250,000 or the group of individuals it must notify exceeds 500,000, or the entity does not have sufficient contact information. Substitute notice consists of all of the following:
If a breach requires a government entity to notify more than 1,000 individuals, the entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
When a breach occurs, a government entity is required to complete an investigation and prepare a report. The report must include the facts and the results of the investigation.
If the breach involved unauthorized access to or acquisition of data by an employee, contractor, or agent of the government entity, the report must include:
If there has been final disposition of disciplinary action against an employee, the report must include:
Minnesota Statutes, section 13.09, provides that conduct which constitutes a knowing unauthorized acquisition of not public data is a misdemeanor and willful violations are subject to criminal penalties and are just cause for suspension without pay or dismissal.
Generally speaking, the data breach provision in section 13.055 encompasses only those unauthorized data accesses that were made with the intent to use the data for a non-government purpose.
State agencies are also subject to section 3.971, which contains an additional notification requirement to the Office of the Legislative Auditor (OLA). The circumstances that require a state agency to notify the OLA are much broader than the requirements of section 13.055. Section 3.971 requires notification every time an entity has knowledge of improper access or use of not public data, regardless of how the unauthorized party intended to use the data.
Examples of when the OLA notification is required, but the section 13.055 data breach provision may not generally apply, include:
Each of the situations above requires corrective action by the government entity, and notification to the OLA, but does not require a data breach notification per section 13.055, because of the lack of wrongful intent.