Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

MINNESOTA DATA PRIVACY REGULATIONS

Did You Know?

 

  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Third parties must notify the MN Data Owner immediately if breached
  • Notification to Consumer Reporting Agencies must be within 48 hours
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply  

Who Me?

 

Minnesota breach and notification laws may apply if you:

  • Are a person, business, or state government agency that owns or licenses data containing PII 
  • Maintain PII received from a MN Data Owner

 There are exemptions.

What is PII?

 

PII relevant to a breach in Minnesota includes a person's name plus one or more of the following:

  • Social Security Number
  • Driver license or state identification number
  • Account number or credit or debit card number in combination with any security code, access code or password, etc. permitting access to the person's account

LAWS

APPLICABLE LAWS

A few applicable statutes include, but are not limited to:

  • Minnesota Statutes: Trade Regulations, Consumer Protection / Chapter 325E / Section 325E.61 - Data Warehouses; Notice Required For Certain Disclosures / Subdivisions 1 - 6
  • Minnesota Statutes: Data Practices / Chapter 13 / Section 13.055 - Disclosure of Breach in Security; Notification and Investigation Report Required / Subdivisions 1 - 7

RELATED LAWS

  • Minnesota Statutes: Trade Regulations, Consumer Protection / Chapter 325E / Section 325E.59 – Use of Social Security Numbers / Subdivisions 1 - 5
  • Minnesota Statutes: Trade Regulations, Consumer Protection / Chapter 325E / Section 325E.64 – Access Devices; Breach of Security

PENALTIES

COMPLIANCE PENALTIES

The state attorney general enforces the law.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when determining reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If a security key or password was accessed
  • If it was acquired by an unauthorized person

TIME LIMITS

The notification may be delayed if law enforcement indicates the notification may interfere with an investigation. Otherwise, notification is required to be made in the most expedient time possible and without unreasonable delay.

CONSUMER NOTIFICATION

Consumer notification requires detailed information and the potential provision of services.

The notification may be delivered in written form or electronically (consistent with US Code Section 7001 of Title 15).

A substitute notice, with specific requirements, may be sent if the cost of providing the notice would exceed $250,000, or the number of persons to be notified exceeds 500,000, or sufficient contact information is not available.
