Recommendation Would Require Cities to Provide More Data Breach Notifications

A recommendation of the Data Practices Legislative Commission would require cities to provide notification of data breaches, regardless of intent.
(Published Jan 7, 2019)

Under current law, governmental entities have to provide notification of data breaches only if the intent is to use the data for nongovernmental purposes. A recommendation from the Legislative Commission on Data Practices and Personal Data Privacy would require notification for all instances of unauthorized access to data, regardless of the intent.

The commission, chaired by Rep. Peggy Scott (R-Andover), adopted the recommendation on Dec. 7, along with two others that don’t impact cities. The Legislature is expected to consider the recommendations during the 2019 legislative session.

—Read the recommendations (pdf)

Creating consistency with private-sector requirements

Deputy Legislative Auditor Chris Buse testified to the commission that the current data breach statute for government entities is different from the statute for the private sector. Therefore, he suggested removing the intent requirement for “unauthorized acquisition.” If this proposed change is passed into law, cities may need to provide more notifications of data breaches.

—Read the draft language (pdf)

Requirements of current law

Current law requires that government entities provide notice to an individual upon the discovery or notification of a “breach of the security of the data” related to that person.

A breach of the security of the data requires “unauthorized acquisition,” which Minnesota Statutes, section 13.055 defines as when (1) a person has obtained, accessed, or viewed government data without the informed consent of the individuals who are the subjects of the data or without statutory authority, and (2) that person intends to use the data for nongovernmental purposes.

Next steps

The recommendations by the Legislative Commission will go to the House and Senate committees with jurisdiction over data practices issues. The League will monitor this issue throughout the session.

Legislative Commission pre-session activity

The Legislative Commission met four times between legislative sessions, spending a majority of its time on patient privacy and medical data. It wasn’t until the final meeting on Dec. 7 that anything city-related was discussed.

—See video, audio, and materials from these meetings

Background on Legislative Commission

The Legislative Commission on Data Practices is comprised of eight legislative members, equally representing the House and Senate, as well as Republicans and Democrats. Many of the commission members are also members of committees that hear issues related to data practices.

Read the current issue of the Cities Bulletin

* By posting you are agreeing to the LMC Comment Policy.