Employers – Know Your Data Breach Laws

Posted on Tuesday, May 5th, 2015

Almost every state in the United States has a data breach notification statute. Minnesota created data breach notification statutes some time ago, which provide, in part:

Any person or business that conducts business in [Minnesota], and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach . . . to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible . . . .

The entire section of this statute can be seen here: Minn. Stat. § 325E.61. But for the purpose of understanding what this means, the following definitions from the statute are helpful:

– “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that the personal information is not used or subject to further unauthorized disclosure.

– “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired:

(1) Social Security number;

(2) driver’s license number or Minnesota identification card number; or

(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Note that even if an employer does not consider itself to be the owner or licensee of personal information data, there are still notification requirements for unauthorized access (or what is reasonably believed to be unauthorized access) of unencrypted data for those persons or businesses that simply “maintain” personal information.

For those companies with employees, this statute means that employers could be held responsible for complying with the notification statute if a data breach involving “personal information” of employees occurs. For example, if a company’s employee/human resources records are not encrypted, a breach occurs, and just one of those records contains an employee’s first name or first initial, last name, and Social Security number, then according to the broad language above, that company would need to comply with the notification requirements of the statute and provide notice to each employee whose unencrypted data was, or is reasonably believed to have been, acquired by an unauthorized person. If such a breach impacts more than 500 employees or individuals, additional notification requirements exist under the statute.

Employers should act fast (with assistance from legal counsel) to comply with notification requirements under Minnesota law, and under the law of any other state where the employer has employees, when employee data is acquired or potentially acquired by an unauthorized person.