The amount of personal and financial information stored and communicated electronically on a daily basis in United States is staggering. This trend will only increase as new technologies develop and integrate into mainstream society. As a result, legislatures are making data privacy and cybersecurity laws a higher priority. Although there is no unified federal law on the subject, all fifty states have enacted data breach notification statutes.
Minnesota, in particular, requires every business or person that owns or licenses personal information to notify individuals of a data breach that resulted in or is reasonably believed to have resulted in the unauthorized “acquisition” of their personal information. In general, notice to affected individuals must be provided in the most convenient way possible and without unreasonable delay; however, notification can be delayed if law enforcement determines that notification would impede the criminal investigation.
Not all personal information in covered by Minnesota’s breach notification statute. To trigger the notification requirements, a hacker must have accessed your first name or first initial and last name combined with any of the following unencrypted pieces of information: social security number, driver’s license number; or a financial account number.
A growing number of states also require that organizations and individuals who own private information to implement measures for the protection of that data. Twenty-two states have enacted such laws, including Massachusetts, New York, and California. It is not clear when Minnesota will enact substantive protections for private information but given the importance of private information and the increase in cyber attacks it is likely that Minnesota will eventually enact legislation requiring businesses to implement administrative, technical, and physical safeguards for the protection of private, personal information.
Regardless of when Minnesota enacts cybersecurity legislation, it is important to be proactive in protecting your information system. Organizations that are the subject of a data beach will usually face litigation, including class action lawsuits, from individuals whose information has been affected. The best way to mitigate your legal liability is by implementing a comprehensive information security program.
At a minimum, every security program should have a designated employee to maintain the information system, procedures for identifying and assessing internal and external risks to the security of the system, policies relating to the storage, access and transportation of records containing personal information, reasonable restrictions upon physical access to records containing personal information, and regular monitoring to ensure that the program is operating effectively.
This information is general in nature and should not be construed as tax or legal advice.
