Minnesota Breach Notification Law Highlights
- Enacted in 2005, Minnesota’s data breach notification law requires entities that conduct business in Minnesota, and that own or license personal information, to notify residents of Minnesota of any unauthorized acquisition of their unencrypted personal information.
- Notice must be given without unreasonable delay.
- Breached third parties must notify the relevant data owners or licensees immediately following discovery of the breach.
- If more than 500 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a, within 48 hours.
- Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
- Entities that maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. HIPAA-covered entities are deemed to comply with this law.
Minnesota Breach Notification Law Details