Minnesota's Data Breach Notification Law
Earlier this month, President Obama proposed a federal breach notification bill designed to inform those who may be at greater risk of fraud or identity theft due to the loss of personal information. But there is already a breach notification law on Minnesota's books that I suspect is frequently ignored: 325E.61.
The Minnesota law says in part that "any person or business that maintains [personal] data . . . shall notify the owner . . . of any [security] breach . . . immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Note the trigger: not proof of misuse, but a reasonable belief that someone unauthorized got the data.
So, what exactly is personal information? For the purposes of the statute, it is an individual's first name or first initial and last name in combination with one or more of:
(1) a Social Security number;
(2) a driver's license number or Minnesota identification card number; or
(3) an account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the account (a PIN, for example).
There's more to the law, but that's the gist of it.
But 325E.61 does provide a safe harbor: encryption. The statute's definition of personal information applies only when the name or the data elements are not encrypted, so if the data was encrypted, notification is not required. This has been a common thread among federal and state breach notification requirements, as well as the contractual obligations merchants take on to the card brands and their acquiring banks under the PCI DSS. One practical caveat: the safe harbor only helps if the data was actually in encrypted form when it was taken. If the attacker came in through an application that decrypts the data on the fly, or walked off with the key alongside the ciphertext, the data was exposed in the clear and you should expect to notify.
So encrypt your data, folks. Tomorrow we will talk about what exactly "encryption" means.
Image credit: s-s at www.sxc.hu.