The Minnesota House of Representatives introduced a bill in late February to strengthen Minnesota’s current data breach notification law, Minnesota Statutes Section 325E.61. The bill, House File No. 2253, was authored by Representative Dan Schoen. It would require notification within 48 hours to all individuals whose unencrypted personal information has been breached. The current statute requires notification only in the most expedient time possible and without unreasonable delay. The proposed amendments also expand the notification requirement to “any individual” instead of “any resident of this state” who is affected. Other amendments include a requirement to provide credit monitoring and a unique provision that states that if the business required to give notice is a retailer or wholesaler of consumer goods or services, the business must provide a $100 gift card to each individual whose unencrypted personal information was breached. The amendment would also require a business required to give notice to reimburse affected individuals for any charges or fees incurred as a result of the breach.
Minnesota was the epicenter for one of the largest retailer-based data breaches at the beginning of this year. The Minnesota Senate has yet to take action on the bill, and the current session is scheduled to end in late May, so passage is still up in the air. If the Minnesota law is amended, we will update you here.