Back to the Sep-Oct 2023 issue

How Minnesota’s Data Practices Law Relates to Cybersecurity

By Christian Torkelson and Kara Coustry

October is Cybersecurity Awareness Month, and it’s a good reminder for cities to develop or evaluate their cybersecurity plans.

Where to start? The Minnesota Government Data Practices Act (MGDPA), Minnesota Statutes 13, is a state law that controls how government data are collected, created, stored, used, and released. By complying with the MGDPA, your city will be on its way to building a cybersecurity response plan.

The MGDPA requires that:

  • Government data must be kept in a condition that is easily accessible for convenient use.
  • Cities must implement appropriate security safeguards protecting records containing data on individuals.
  • Cities must restrict access to nonpublic data only to those whose job role requires access.
  • Cities must implement a policy that documents security requirements and access procedures.

The MGDPA also requires that cities take the following actions in the event of a cybersecurity breach:

  • Investigate and expediently notify data subjects of data breaches containing unencrypted (or usable) private or confidential data.
  • Report to consumer reporting agencies private or confidential data breaches affecting greater than 1,000 individuals.

Conduct a data inventory to meet MGDPA compliance

The MGDPA says that each city is the responsible authority for ensuring data practices requirements are met, and part of that requirement involves conducting a data inventory. A typical list of data-related items in an inventory might include:

  • Payroll information.
  • Social Security numbers.
  • Training records.
  • The names of children who signed up for activities.
  • The identity of persons reporting code enforcement issues.
  • Certain law enforcement data.
  • Credit card numbers.
  • Bank account numbers.

A thorough data inventory will indicate who, what, and where — who has access, what is stored, and where it is stored. This is vital information to know, should your city experience a cybersecurity incident.

Data inventory and your cybersecurity game plan

While creating a data inventory is a requirement of the MGDPA, that inventory is also a fundamental first step to creating your city’s cybersecurity incident response plan — or a “game plan” for responding to a cyberbreach.

Following is an example of how a data inventory can play a key role in your city’s cybersecurity response. Let’s say a city employee receives a phishing email and is tricked into providing remote access to his computer. Several hours later when his computer goes black with a ransomware notice, the employee realizes his mistake. That’s when the city activates its cybersecurity incident response plan.

Step one: Reference the data inventory to determine what, if any, nonpublic data was compromised from the breach of the city employee’s computer. Because the data inventory is updated annually (a requirement of MGDPA), it is a great resource to identify sensitive data that may have been accessed without authorization. Thankfully, the city in this example was prepared with an updated data inventory, which allowed the city to quickly determine the scope of the data breach and facilitate an appropriate and timely response plan. If you believe your city has already experienced a data breach or other cybersecurity loss, contact the League of Minnesota Cities Insurance Trust (LMCIT) claims staff immediately at (800) 925-1122.

For more information

Following the requirements of the MGDPA serves as a baseline for your city’s cybersecurity response plan. Read more about your city’s responsibilities under the MGDPA in the LMC information memo at lmc.org/data-practices. LMCIT provides members with free access to the eRisk Hub, a web-based portal containing information and technical resources that can help with prevention of network, cyber, or privacy losses. Learn more at lmc.org/eriskhub and find other guidance and support available for your city at lmc.org/cybersecurity.

Christian Torkelson is cybersecurity loss control consultant for the League of Minnesota Cities Insurance Trust. Contact: [email protected] or (651) 281-1296. Kara Coustry is data compliance specialist/paralegal for the League of Minnesota Cities. Contact: [email protected] or (651) 215-4046.