Minnesota Statutes § 325E.61

Enacted:  6.3.2005

Type of Data Covered: Computerized or electronic data. 

​

Is Breach Defined?

Yes! §325E.61(1)(d) says "For purposes of this section and section 13.055, subdivision 6, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that the personal information is not used or subject to further unauthorized disclosure."

​

​

When is notice required?

​

Notice is required for any affected resident "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement...or with any measures necessary to determine the scope of the breach, the identity of individuals affected, and restore the reasonable integrity of the data system." Notice may be written, electronic, or via "substitute notice" procedures and if over 500 residents are included then credit reporting agencies must be notified as well. 

​

What are the penalties for non-compliance?

​

Violations have their own section of the law, §325E.61(6), which reads as follows and refers to the section that outlines the Attorney General's duties: 

​

"Subd. 6.  Remedies and enforcement. — The attorney general shall enforce this section and section 13.055, subdivision 6, under section 8.31."

​

​