BREACH NOTIFICATION – Mandated Timeframe
Within 48 hours (500+ notifications)
FINES & PENALTIES – Violations
Up to $25,000
Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Minnesota Privacy Law Information
No person or entity conducting business in Minnesota accepting an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.
There are specific considerations when determining if a breach is reportable.
Consumers must be notified without unreasonable delay. If an organization is required to notify more than 500 persons at one time, consumer reporting agencies must be notified within 48 hours with specific information. If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.
Internet service providers must take reasonable steps to maintain the security and privacy of a consumer’s personally identifiable information.
Organizations may be fined or penalized for Vendor violations. The Attorney General can investigate violations and take steps to enforce compliance and to recover a civil penalty of up to $25,000 from violators.
Minnesota Statutes and Laws
Additional duties of attorney general
Security of information
Use of social security numbers
Data warehouses; notice required for certain disclosures
Access devices; breach of security
The information provided is not legal guidance or recommendations and is for informational purposes only.