November 8, 2006; Minnesota Office of Enterprise Technology
This is an opinion of the Commissioner of Administration issued pursuant to section 13.072 of Minnesota Statutes, Chapter 13 - the Minnesota Government Data Practices Act. It is based on the facts and information available to the Commissioner as described below.
Facts and Procedural History:

On September 1, 2006, IPAD received a letter dated same from Christopher Buse, Chief Information Security Officer with the Office of Enterprise Technology (OET). In his letter, Mr. Buse asked the Commissioner to issue an advisory opinion regarding the classification of certain data OET maintains. IPAD requested clarification and additional information, which Mr. Buse provided in a letter dated September 21, 2006. A summary of the facts is as follows.

In his opinion request, Mr. Buse wrote:

"Minnesota Statutes Section 13.055 states that government entities must notify individuals after discovering that there has been a breach in security. . . . [Minnesota Statutes, section 13.055, subdivision 1(a)] defines a breach of security as an unauthorized acquisition that compromises the security and classification of the data. Data that is encrypted using modern encryption algorithms, such as the Advanced Encryption Standard, have virtually no chance of being decrypted by an individual who does not possess the cryptographic key. Therefore, even if encrypted data ends up in the hands of an unauthorized individual, the security and classification of the data is not in jeopardy. Notification is extremely expensive and results in a great deal of embarrassment for government officials. It also causes citizens to lose confidence in government's ability to protect their private data. Notification is important in situations where breached data is truly at risk. However, I do not believe that this is the case when data has been encrypted. . . ."

Also in his opinion request, Mr. Buse discussed Minnesota Statutes, section 325E.61, which relates to notice requirements for private businesses in possession of certain electronic information. He noted that businesses do not need to notify individual data subjects of a breach of the security of the system if the data are encrypted. Although this may be the case for private businesses, section 13.055, which applies to government entities, does not provide such an exception if the data are encrypted.
Issue:
Based on Mr. Buse's opinion request, the Commissioner agreed to address the following issue:
Discussion:

Minnesota Statutes, section 13.055, subdivision 2, states:

"A state agency that collects, creates, receives, maintains, or disseminates private or confidential data on individuals must disclose any breach of the security of the data following discovery or notification of the breach. Notification must be made to any individual who is the subject of the data and whose private or confidential data was, or is reasonably believed to have been, acquired by an unauthorized person. . . ."

Section 13.055, subdivision 1(a), in part, defines "breach of the security of the data" as "unauthorized acquisition of data maintained by a state agency that compromises the security and classification of the data." Section 13.055, subdivision 1(c), defines "unauthorized acquisition" as "a person has obtained government data without the informed consent of the individuals who are the subjects of the data or statutory authority and with the intent to use the data for nongovernmental purposes."

Mr. Buse's question is whether a government entity, in determining if a breach of security has occurred, may consider the fact that the data in question were encrypted.

According to section 13.055, a security breach occurs when an unauthorized person obtains data, intending to use them for nongovernmental purposes, and the security and classification of the data are compromised. Clearly, if the data were encrypted, there is a stronger likelihood that the person who inappropriately obtained the data will not be able to read or understand them. If that person cannot read or understand the data, given the statutory definition of breach of the security of the data, it does not seem that a breach has occurred. Therefore, in the Commissioner's opinion, whether data are encrypted is one factor a government entity may consider when analyzing whether there has been a breach of security.

The Commissioner is aware that, generally speaking, there are varying methods and levels of encryption. Thus, when a government entity analyzes whether a breach of security has occurred involving encrypted data, the entity should consider the complexity of the encryption and the security of the keys. The more complex the encryption and the more secure the keys, the lesser the risk that the data have been breached.

Opinion:

Based on the facts and information provided, my opinion on the issues that Mr. Buse raised is as follows:
Signed:
Dana B. Badgerow
Dated: November 8, 2006