Minnesota Data Breach Notification

Unfortunately for businesses, there is not one place in federal statutes or state law that contains all data privacy law. Therefore, business owners and professionals have to make sure they become acquainted with various data privacy laws, especially laws that deal with the personal information that the business uses, but does not own.

If the company becomes aware of a breach of the personal information it collects, but does not own, it shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. Minn. Stat. § 325E.61, subd. 1 (2014).


“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data:

  • Social Security number,
  • Driver’s license number or Minnesota identification card number; or
  • Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.

Personal Information does not include publicly available information that is lawfully made available to the general public.

“Breach of the Security System” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.


Notice must be given when there is discovery or notification of a breach of security of the system. Notice must be given without unreasonable delay. If the breach affects more 500 (1,000 for state agencies), then consumer reporting agencies must be notified within 48 hours.

How Much Notice Must Be Given?

Notice can be provided by written notice to the most recent available address the person or business has in its records, electronic notice if the person’s primary method of communication with the individual is by electronic means, or substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000 or that affected class of subject persons to be notified exceeds 5,000,000, or the person or business does not have sufficient contact information.

There is no specific requirement as to the content of the notification.


The Minnesota attorney general enforces this law and can obtain injunctive relief and/or civil penalty not to exceed $25,000.


These rules do not apply to entities otherwise covered by federal law such as the Graham-Leach-Bliley Act or HIPPA.

This article was written by attorney Maureen A. Carlson.