Data Access Security Legislation Signed by Governor

Additional requirements on how cities maintain and protect nonpublic data go into effect Aug. 1.
(Published May 19, 2014)

(Updated May 23, 2014)
The governor signed data access security legislation on May 21 that has been debated over the past two years. The House and Senate passed the legislation unanimously on May 15.

Chapter 284 was introduced primarily in response to media reports and lawsuits alleging the unauthorized access of private data in the driver’s license database maintained by the Department of Public Safety.

The language, authored by Rep. Mary Liz Holberg (R-Lakeville) and Sen. Scott Dibble (DFL-Minneapolis), will go into effect on Aug. 1, 2014.

Requirements in the bill
The bill will require local governments to establish additional security measures to help ensure that private data is “only accessible to persons whose work assignment reasonably requires access to the data, and is only being accessed by those persons for purposes described in the procedure . . .” Government entities will also have to perform an annual security assessment of personal information maintained by the entity. “Personal information” is defined as a person’s name kept in combination with a social security number, driver’s license number, or account numbers with passwords or access codes.

Additionally, local units of government will now be required to follow the data breach laws that currently apply only to state agencies. Under those laws, if a city discovers a data breach, it must disclose that breach to the person who is the subject of the data. The person must also be informed that the entity will perform an investigation of the data breach, and instructions on how the report can be accessed after completion. If a government entity finds that there has been unauthorized access of data, it must issue a report that contains, at a minimum:

  • A description of the type of data that was accessed or acquired.
  • The number of individuals whose data was improperly accessed or acquired.
  • The names of each employee responsible for the unauthorized access, if there has been final disposition of disciplinary actions.
  • The final disposition of any disciplinary action taken as a result.

The bill clarifies that existing penalties for violation of the Minnesota Government Data Practices Act (MGDPA) apply to unauthorized access of data.

Notable omissions
The legislation is also notable for what it does not contain. The Senate version of the bill contained a provision that would have given any person the right to know the name of any employee who accessed his or her private data, even if the access was lawful. The conference committee also considered amendments that would have allowed individuals who suspected a breach to demand an investigation into any employee access to their private data, even if the access was lawful.

Ultimately, these provisions were not approved, but if they had been included, they would have created an enormous administrative burden on cities. The League of Minnesota Cities and other groups worked with legislators to try to balance the need to protect private data and the potentially high cost of doing so.

Data security in the future
During the legislative process, legislators of both parties have expressed their extreme frustration with reports of public employees accessing private data without proper authorization, and they made it clear that this legislation may be only the first step in dealing with the issue. This session, the Legislature created a Legislative Commission on Data Practices and Personal Data Privacy in order to devote more attention to data security and the MGDPA. The commission will meet in the interim and will likely discuss whether the Legislature should require government entities to adopt additional security measures to ensure that private data is not improperly accessed.

It is imperative that cities adopt the required security policies and protocols. Local units of government have already spent significant financial resources litigating data breach claims and data security, and compliance with the MGDPA needs to continue to be a high priority for all cities.

Read the current issue of the Cities Bulletin

* By posting you are agreeing to the LMC Comment Policy.