1.2relating to data practices; enhancing certain penalties and procedures related
1.3to unauthorized access to data by a public employee; amending Minnesota
1.4Statutes 2012, sections 13.04, subdivision 3; 13.05, subdivision 5; 13.055; 13.09;
1.5299C.40, subdivision 4.
1.6BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

1.7    Section 1. Minnesota Statutes 2012, section 13.04, subdivision 3, is amended to read:
1.8    Subd. 3. Access to data by individual. (a) Upon request to a responsible authority
1.9or designee, an individual shall be informed whether the individual is the subject of
1.10stored data on individuals, and whether it is classified as public, private or confidential.
1.11Upon further request, an individual who is the subject of stored private or public data
1.12on individuals shall be shown the data without any charge and, if desired, shall be
1.13informed of the content and meaning of that data. After an individual has been shown
1.14the private data and informed of its meaning, the data need not be disclosed to that
1.15individual for six months thereafter unless a dispute or action pursuant to this section is
1.16pending or additional data on the individual has been collected or created. The responsible
1.17authority or designee shall provide copies of the private or public data upon request by
1.18the individual subject of the data. The responsible authority or designee may require the
1.19requesting person to pay the actual costs of making and certifying the copies.
1.20(b) Notwithstanding section 13.15 or 13.43, or other law to the contrary, upon
1.21request, an individual has access to the name of persons who have obtained access
1.22to private data on the individual, unless the data would identify an undercover law
1.23enforcement officer or are active investigative data.
2.1    (c) The responsible authority or designee shall comply immediately, if possible, with
2.2any request made pursuant to this subdivision, or within ten days of the date of the request,
2.3excluding Saturdays, Sundays and legal holidays, if immediate compliance is not possible.

2.4    Sec. 2. Minnesota Statutes 2012, section 13.05, subdivision 5, is amended to read:
2.5    Subd. 5. Data protection. (a) The responsible authority shall:
2.6 (1) establish procedures to assure that all data on individuals is accurate, complete,
2.7and current for the purposes for which it was collected; and
2.8 (2) establish appropriate security safeguards for all records containing data on
2.9individuals, including procedures for ensuring that data that are not public are only
2.10accessible to persons whose work assignment reasonably requires access to the data, and
2.11is only being accessed by those persons for purposes described in the procedure; and
2.12(3) develop a policy incorporating these procedures, which may include a model
2.13policy governing access to the data if sharing of the data with other government entities is
2.14authorized by law.
2.15(b) When not public data is being disposed of, the data must be destroyed in a way
2.16that prevents its contents from being determined.

2.17    Sec. 3. Minnesota Statutes 2012, section 13.055, is amended to read:
2.1813.055 STATE AGENCIES; DISCLOSURE OF BREACH IN SECURITY;
2.19NOTIFICATION AND INVESTIGATION REPORT REQUIRED.
2.20    Subdivision 1. Definitions. For purposes of this section, the following terms have
2.21the meanings given to them.
2.22(a) "Breach of the security of the data" means unauthorized acquisition of or access
2.23to data maintained by a state agency government entity that compromises the security and
2.24classification of the data. Good faith acquisition of or access to government data by an
2.25employee, contractor, or agent of a state agency government entity for the purposes of
2.26the state agency entity is not a breach of the security of the data, if the government data
2.27is not provided to or viewable by an unauthorized person, or accessed for a purpose not
2.28described in the procedures required by section 13.05, subdivision 5. For purposes of this
2.29paragraph, data maintained by a government entity includes data maintained by a person
2.30under a contract with the government entity that provides for the acquisition of or access
2.31to the data by an employee, contractor, or agent of the government entity.
2.32(b) "Contact information" means either name and mailing address or name and
2.33e-mail address for each individual who is the subject of data maintained by the state
2.34agency government entity.
3.1(c) "Unauthorized acquisition" means that a person has obtained or viewed
3.2 government data without the informed consent of the individuals who are the subjects of the
3.3data or statutory authority and with the intent to use the data for nongovernmental purposes.
3.4(d) "Unauthorized person" means any person who accesses government data without
3.5permission or without a work assignment that reasonably requires the person to have
3.6 access to the data, or regardless of the person's work assignment, for a purpose not
3.7described in the procedures required by section 13.05, subdivision 5.
3.8    Subd. 2. Notice to individuals; investigation report. (a) A state agency
3.9 government entity that collects, creates, receives, maintains, or disseminates private or
3.10confidential data on individuals must disclose any breach of the security of the data
3.11following discovery or notification of the breach. Notification must be made to any
3.12individual who is the subject of the data and whose private or confidential data was, or is
3.13reasonably believed to have been, acquired by an unauthorized person and must inform
3.14the individual that a report will be prepared under paragraph (b), how the individual may
3.15obtain access to the report, and that the individual may request delivery of the report by
3.16mail or e-mail. The disclosure must be made in the most expedient time possible and
3.17without unreasonable delay, consistent with (1) the legitimate needs of a law enforcement
3.18agency as provided in subdivision 3; or (2) any measures necessary to determine the scope
3.19of the breach and restore the reasonable security of the data.
3.20(b) Upon completion of an investigation into any breach in the security of data,
3.21including exhaustion of all rights of appeal under any applicable collective bargaining
3.22agreement or other law, the responsible authority shall prepare a report on the facts and
3.23results of the investigation. If the breach involves unauthorized access to or acquisition of
3.24data by an employee, contractor, or agent of the government entity, the report must at a
3.25minimum include:
3.26(1) a description of the data that were accessed or acquired; and
3.27(2) if disciplinary action was taken against an employee:
3.28(i) the number of individuals whose data was improperly accessed or acquired;
3.29(ii) the name of each employee determined responsible for the unauthorized access
3.30or acquisition; and
3.31(iii) the final disposition of the disciplinary action taken against the employee in
3.32response.
3.33The report must not include data that are not public under other law. The report is
3.34public and must be posted on the government entity's Web site, if the government entity
3.35maintains a Web site, and provided to an individual who received the notification under
3.36paragraph (a) and requested delivery of the report. If the government entity does not
4.1maintain a Web site, the report must be posted on the principal bulletin board of the
4.2government entity or, if the government entity does not have a principal bulletin board, on
4.3the door of its usual meeting room.
4.4    Subd. 3. Delayed notice. The notification required by this section may be delayed if
4.5a law enforcement agency determines that the notification will impede an active criminal
4.6investigation. The notification required by this section must be made after the law
4.7enforcement agency determines that it will not compromise the investigation.
4.8    Subd. 4. Method of notice. Notice under this section may be provided by one of
4.9the following methods:
4.10(a) written notice by first class mail to each affected individual;
4.11(b) electronic notice to each affected individual, if the notice provided is consistent
4.12with the provisions regarding electronic records and signatures as set forth in United
4.13States Code, title 15, section 7001; or
4.14(c) substitute notice, if the state agency government entity demonstrates that the cost
4.15of providing the written notice required by paragraph (a) would exceed $250,000, or
4.16that the affected class of individuals to be notified exceeds 500,000, or the state agency
4.17 government entity does not have sufficient contact information. Substitute notice consists
4.18of all of the following:
4.19(i) e-mail notice if the state agency government entity has an e-mail address for
4.20the affected individuals;
4.21(ii) conspicuous posting of the notice on the Web site page of the state agency
4.22 government entity, if the state agency government entity maintains a Web site; and
4.23(iii) notification to major media outlets that reach the general public within the
4.24government entity's jurisdiction.
4.25    Subd. 5. Coordination with consumer reporting agencies. If the state agency
4.26 government entity discovers circumstances requiring notification under this section of
4.27more than 1,000 individuals at one time, the state agency government entity must also
4.28notify, without unreasonable delay, all consumer reporting agencies that compile and
4.29maintain files on consumers on a nationwide basis, as defined in United States Code, title
4.3015, section 1681a, of the timing, distribution, and content of the notices.
4.31    Subd. 6. Security assessments. At least annually, each government entity shall
4.32conduct a comprehensive security assessment of any personal information maintained
4.33by the government entity. For the purposes of this subdivision, personal information is
4.34defined under section 325E.61, subdivision 1, paragraphs (e) and (f).
4.35EFFECTIVE DATE.This section is effective August 1, 2013, and applies to
4.36security breaches occurring on or after that date.

5.1    Sec. 4. Minnesota Statutes 2012, section 13.09, is amended to read:
5.213.09 PENALTIES.
5.3(a) Any person who willfully violates the provisions of this chapter or any rules
5.4adopted under this chapter or whose conduct constitutes the knowing unauthorized
5.5acquisition of not public data, as defined in section 13.055, subdivision 1, is guilty of a
5.6misdemeanor.
5.7(b) Willful violation of this chapter by, including any action subject to a criminal
5.8penalty under paragraph (a), by any public employee constitutes just cause for suspension
5.9without pay or dismissal of the public employee.
5.10EFFECTIVE DATE.This section is effective August 1, 2013, and applies to crimes
5.11committed on or after that date.

5.12    Sec. 5. Minnesota Statutes 2012, section 299C.40, subdivision 4, is amended to read:
5.13    Subd. 4. Data classification; general rule; changes in classification; audit trail.
5.14(a) The classification of data in the law enforcement agency does not change after the data
5.15is submitted to CIBRS. If CIBRS is the only source of data made public by section 13.82,
5.16subdivisions 2, 3, 6, and 7 , data described in those subdivisions must be downloaded and
5.17made available to the public as required by section 13.03.
5.18(b) Data on individuals created, collected, received, maintained, or disseminated
5.19by CIBRS is classified as confidential data on individuals as defined in section 13.02,
5.20subdivision 3 , and becomes private data on individuals as defined in section 13.02,
5.21subdivision 12 , as provided by this section.
5.22(c) Data not on individuals created, collected, received, maintained, or disseminated
5.23by CIBRS is classified as protected nonpublic data as defined in section 13.02, subdivision
5.2413 , and becomes nonpublic data as defined in section 13.02, subdivision 9, as provided
5.25by this section.
5.26(d) Confidential or protected nonpublic data created, collected, received, maintained,
5.27or disseminated by CIBRS must automatically change classification from confidential
5.28data to private data or from protected nonpublic data to nonpublic data on the earlier of
5.29the following dates:
5.30(1) upon receipt by CIBRS of notice from a law enforcement agency that an
5.31investigation has become inactive; or
5.32(2) when the data has not been updated by the law enforcement agency that
5.33submitted it for a period of 120 days.
6.1(e) For the purposes of this section, an investigation becomes inactive upon the
6.2occurrence of any of the events listed in section 13.82, subdivision 7, clauses (a) to (c).
6.3(f) Ten days before making a data classification change because data has not been
6.4updated, CIBRS must notify the law enforcement agency that submitted the data that a
6.5classification change will be made on the 120th day. The notification must inform the law
6.6enforcement agency that the data will retain its classification as confidential or protected
6.7nonpublic data if the law enforcement agency updates the data or notifies CIBRS that the
6.8investigation is still active before the 120th day. A new 120-day period begins if the data
6.9is updated or if a law enforcement agency notifies CIBRS that an active investigation
6.10is continuing.
6.11(g) A law enforcement agency that submits data to CIBRS must notify CIBRS if an
6.12investigation has become inactive so that the data is classified as private data or nonpublic
6.13data. The law enforcement agency must provide this notice to CIBRS within ten days
6.14after an investigation becomes inactive.
6.15(h) All queries and responses and all actions in which data is submitted to CIBRS,
6.16changes classification, or is disseminated by CIBRS to any law enforcement agency
6.17must be recorded in the CIBRS audit trail.
6.18(i) Notwithstanding paragraphs (b) and (c), the name of each law enforcement
6.19agency that submits data to CIBRS, and a general description of the types of data
6.20submitted by the agency, are public.