Data Privacy Map - Minnesota

Highlights

Covered Entities: Any person or business that conducts business in Minnesota, and that owns or licenses data that includes personal information.

Consumer Notification: When there has been a breach of the security of the system containing personal information following discovery or notification of the breach in the security of the data.

Regulatory Notification: No.

Notification Timeline: In the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.

Data Format: Electronic.

Citations: Minn. Stat. § 325E.61 and 325E.64

More Details

Definitions:

• Breach: A breach of the security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.
• Personal Information (PI):
  • Personal information means an individual’s first name or first initial and last name in combination with any one or more of the following data elements:
    • Social Security number;
    • Driver’s license number or Minnesota identification card number; or
    • Account number or credit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
• Medical Information: N/A
• Health Insurance Information: N/A

Safe Harbors:

• Encryption: Does not apply when the data is secured by encryption or another method of technology that makes electronic data unreadable or unusable, only if the encryption key, password, or other means necessary for reading or using the data is not also acquired.
• Good Faith: Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that personal information is not used or subject to further unauthorized disclosure.
• Risk of Harm: N/A
• Law Enforcement Delay: Notification may be delayed to a date certain if a law enforcement agency affirmatively determines that the notification will impede a criminal investigation.

Direct Notice:

• Timing: Most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, identify the individual affected, and restore the reasonable integrity of the data system.
• Format: N/A
• Content: N/A
• Method: Written notice to the most recent available address the person or business has in its records. Electronic notice, if the person’s primarily method of communication with the individual is by electronic means, or if the notice is consistent with the provisions regarding electronic records and signatures in E-SIGN.

Substitute Notice:

If the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice must consist of all of the following: (i) email notice when the person or business has an email address for the subject persons; (ii) conspicuous posting of the notice on the website page of the person or business, if the person or business maintains one; and (iii) notification to major statewide media.

Remediation Services:

N/A

Regulatory Notice:

N/A

Credit Reporting Agencies Notice:

If a person discovers circumstances requiring notification of more than 500 persons at one time, the person shall also notify, within 48 hours, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.

Third-Party Notice:

Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

HIPAA:

N/A

Private Action:

N/A

Associated Regulations:

N/A

Highlights

Covered Entities: Any entity licensed, authorized to operate, or registered (or required to be licensed, authorized, or registered) by the Department of Commerce or the Department of Health under chapters 59A to 62M, 62Q to 62V, and 64B to 79A.

Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment. The program must contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system.

Consumer Notification: If a licensee is required to submit a report to the Minnesota Commissioner of Commerce, the licensee shall notify any consumer residing in Minnesota if, as a result of the cybersecurity event reported to the commissioner, the consumer’s nonpublic information was or is reasonably believed to have been acquired by an unauthorized person, and there is a reasonable likelihood of material harm to the consumer as a result of the cybersecurity event. The notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.

Regulatory Notification: A licensee shall notify the Minnesota Commissioner of Commerce without unreasonable delay but in no event later than 5 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.

Notification Timeline: The licensee must notify the Minnesota Commissioner of Commerce without unreasonable delay but in no event later than 5 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred. Notice to the consumer must be sent without reasonable delay after the determination that a cybersecurity event has occurred.

Citations: Minn. Stat. Ann. § 60A.985 et seq.

More Details

Definitions:

• Consumer: An individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, and certificate holder who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control.
• Cybersecurity Event: An event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system unless the licensee has determined that: (i) the unauthorized acquisition involved encrypted nonpublic information and the encryption key was not acquired, released, or used without authorization or (ii) the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
• Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered by the Department of Commerce or the Department of Health under chapters 59A to 62M, 62Q to 62V, and 64B to 79A.
• Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
  
  • Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with any one (1) or more of the following data elements:
    
    • Social Security number;
    • Driver’s license number or nondriver identification card number;
    • Financial account number, credit card number, or debit card number;
    • Any security code, access code, or password that would permit access to a consumer’s financial account; or
    • Biometric records.
  • Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer and that relates to:
    
    • The past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer’s family;
    • The provision of health care to any consumer; or
    • Payment for the provision of health care to any consumer.

Regulatory Notice:

A licensee shall notify the Minnesota Commissioner of Commerce without unreasonable delay but in no event later than 5 business days from a determination that a cybersecurity event has occurred when either of the following criteria has been met:

• Minnesota is the licensee’s state of domicile, in the case of an insurer, or Minnesota is the licensee’s home state, in the case of a producer, as those terms are defined in chapter 60K and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing Minnesota or any material part of the licensee’s operations.
• The licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in Minnesota and that is either of the following:
  
  • A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
  • A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Minnesota or a material part of the licensee’s operations.

Content Requirements:

When notifying the Minnesota Commissioner of Commerce of a cybersecurity event, a licensee shall provide as much of the following information as possible:

• The date of the cybersecurity event.
• A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any.
• How the cybersecurity event was discovered.
• Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
• The identity of the source of the cybersecurity event.
• Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided.
• A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
• The period during which the information system was compromised by the cybersecurity event.
• The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
• The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
• A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
• A copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
• The name of a contact person who is familiar with the cybersecurity event and authorized to act for the licensee.

Third-Party Notice Requirements:

If a licensee discovers that a cybersecurity incident occurred in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Minnesota Commissioner of Commerce unless the third-party service provider provides the notice.

Penalties:

In the case of violation under this statute, a licensee may be penalized in accordance with Minn. Stat. Ann. §60A.052. Penalties include the following: (1) revocation or suspension of any or all certificates of authority granted to the foreign or domestic insurance company or its agent; (2) censuring of the insurance company; (3) cancellation of all or some of the company's insurance contracts then in force in this state; (4) the imposition of a civil penalty; or (5) under a written agreement with the insurance company based upon the company's financial condition, imposition of conditions or restrictions on the insurance company's authority to transact business in Minnesota.

Associated Regulations:

N/A

Highlights

Covered Entities: Internet Service Providers.

First Party Security Standard: The Internet service provider shall take reasonable steps to maintain the security and privacy of a consumer’s personally identifiable information.

Third Party Security Standard: N/A

Disposal/Destruction Standard: N/A

Data Format: Electronic and Paper.

Citations: Minn. Stat. §§ 325M.01 – 325M.09.

More Details

Definitions:

• Consumer: A person who agrees to pay a fee to an Internet service provider for access to the Internet for personal, family, or household purposes, and who does not resell access.
• Internet Service Provider: A business or person who provides consumer authenticated access to, or presence on, the Internet by means of a switched or dedicated telecommunications channel upon which the provider provides transit routing of Internet Protocol (IP) packets for and on behalf of the consumer. Internet service provider does not include the offering, on a common carrier basis, of telecommunications facilities or of telecommunications by means of these facilities.
• Personal Information (PI): Personally identifiable information means information that identifies:
  
  • A consumer by physical or electronic address or telephone number;
  • A consumer as having requested or obtained specific materials or services from an Internet service provider;
  • Internet or online sites visited by a consumer, or
  • Any of the contents of a consumer’s data-storage devices.

Methods of Compliance:

The statute does not define what constitutes “reasonable steps” or other means of compliance are not defined by the statute.

Exclusions:

• Health Care: N/A
• Financial: N/A
• Other: An Internet service provider may disclose personally identifiable information concerning a consumer to:
  
  • • Any person if the disclosure is incident to the ordinary course of business of the Internet service provider;
  • • Another Internet service provider for purposes of reporting or preventing violations of the published acceptable use policy or customer service agreement of the Internet service provider; except that the recipient may further disclose the personally identifiable information only as provided by this chapter;
  • • Any person with the authorization of the consumer; or
  • • As provided in 626A.27.

Enforcement/Penalties:

A consumer who prevails or substantially prevails in an action brought under this chapter is entitled to the greater of $500 or actual damages. Costs, disbursements, and reasonable attorney fees may be awarded to a party awarded damages for a violation of this section. No class action shall be brought under this chapter.

In an action under this chapter, it is a defense that the defendant has established and implemented reasonable practices and procedures to prevent violations of this chapter.

Associated Regulations:

N/A