When a security incident exposes your customers’ personal information, Minnesota law tells you who you have to notify, when, and how. Minnesota codifies this directly: the private-sector rule is in Minnesota’s data breach notification statute, Minn. Stat. § 325E.61, and a separate statute, Minn. Stat. § 13.055, governs government entities. Several federal regimes also overlay the state rule for healthcare and financial businesses. In my practice, the costly mistakes are rarely about whether to notify and almost always about scoping the incident too narrowly or moving too slowly while the clock runs. This article walks through the operative rules a business owner needs, and it sits within our broader Minnesota regulatory compliance practice.

What counts as a data breach under Minnesota law?

A data breach under Minnesota law is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information held by a business. Minnesota’s statute defines “breach of the security of the system” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” (Minn. Stat. § 325E.61, subd. 1(d).) Two words in that definition do real work. First, the trigger is acquisition, not mere access. An employee who briefly views a record without taking it is in a different posture than an outsider who copies a file. Second, the statute reaches computerized data, so the breach analysis is built around electronic systems. Good-faith acquisition of personal information by an employee or agent of the business, for the business’s own purposes, is excluded from the definition, which keeps routine internal handling from counting as a reportable breach. The practical task after an incident is to determine whether unauthorized acquisition actually occurred, because that question, more than the label on the incident, decides whether the duty is triggered.

What information triggers Minnesota’s breach notification law?

The notification law is triggered only when the exposed data is “personal information,” a defined term that is narrower than most business owners assume. Minnesota defines personal information as an individual’s first name or first initial and last name in combination with one or more of three data elements: a Social Security number; a driver’s license number or Minnesota identification card number; or an account number or credit or debit card number combined with any required security code, access code, or password that would permit access to the financial account. (Minn. Stat. § 325E.61, subd. 1(e).) The element must be unencrypted, or the data must have been encrypted but the key, password, or other means necessary to read it was also acquired. A spreadsheet of names and email addresses alone is generally not personal information under this statute. A spreadsheet of names paired with Social Security numbers is. The statute also excludes “publicly available information that is lawfully made available to the general public from federal, state, or local government records.” (Minn. Stat. § 325E.61, subd. 1(f).) Because the definition is element-specific, the first job in any incident is a clear inventory of exactly which fields were exposed, since that determines whether the law applies at all. Related data-exposure questions show up in our analysis of Minnesota privacy-law exposure in the employment-monitoring context.

Who has to send breach notices in Minnesota?

Any person or business that conducts business in Minnesota and owns or licenses data containing personal information must notify affected Minnesota residents after a breach. The statute requires that such a business “disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” (Minn. Stat. § 325E.61, subd. 1(a).) A separate rule covers vendors and service providers. A business that “maintains data that includes personal information that the person or business does not own” must notify the owner or licensee of that data “immediately following discovery” of a breach. (Minn. Stat. § 325E.61, subd. 1(b).) That two-track structure matters because most modern breaches happen at a processor, a hosting provider, or a software vendor rather than at the company whose customers are affected. The vendor owes you fast notice; you owe the residents notice. Allocating cost between the companies is a contract question, but the obligation to the residents follows ownership of the data. This is one reason it is worth understanding how customer data exposure creates liability before an incident, not after.

When does Minnesota require breach notification?

Minnesota requires notice to affected residents in the most expedient time possible and without unreasonable delay. The statute states that disclosure “must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement . . . or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.” (Minn. Stat. § 325E.61, subd. 1(a).) Minnesota does not set a fixed number of days for notice to individuals. The standard is a reasonableness standard tied to the legitimate needs of investigating and containing the incident, which means a documented, diligent timeline is the protection, not a calendar date. The one defined basis for slowing notice is law enforcement: notice “may be delayed to a date certain if a law enforcement agency affirmatively determines that the notification will impede a criminal investigation.” (Minn. Stat. § 325E.61, subd. 1(c).) That delay is not self-declared. It requires an affirmative determination by the agency, to a date certain. In my experience, the businesses that get this right treat the investigation clock as running from discovery and keep contemporaneous notes on why each day of delay was reasonable, because that record is what a regulator looks at later.

How must a Minnesota breach notice be delivered?

Minnesota allows three delivery methods, and the right one depends on the size of the affected group and the contact information you have. Under the statute, notice may be provided by:

  • Written notice to the most recent available address the business has in its records.
  • Electronic notice, if the business’s primary method of communication with the individual is by electronic means, or where the notice is consistent with the federal electronic-records-and-signatures law.
  • Substitute notice, available only if the business demonstrates that the cost of notice would exceed $250,000, that the affected class exceeds 500,000 people, or that the business lacks sufficient contact information.

Substitute notice is not a shortcut. The statute requires that it consist of all three of the following together: email notice where the business has email addresses, conspicuous posting on the business’s website, and notification to major statewide media. (Minn. Stat. § 325E.61, subd. 1(g).) Most Minnesota businesses will use written or electronic notice. Substitute notice is reserved for large incidents or for situations where individual contact simply is not possible, and even then it carries a public-facing media component that most companies would rather not trigger. The delivery method should be decided early, because it shapes the cost and the public profile of the response.

What additional notices does a Minnesota breach trigger?

When a breach is large enough, Minnesota requires notice to the national credit bureaus on a short timeline. The statute provides that if a business “discovers circumstances requiring notification under this section and section 13.055, subdivision 6, of more than 500 persons at one time, the person shall also notify, within 48 hours, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis . . . of the timing, distribution, and content of the notices.” (Minn. Stat. § 325E.61, subd. 2.) This is a separate, faster obligation that runs alongside the resident-notice duty: more than 500 affected Minnesota residents at one time pulls in a 48-hour notice to the nationwide consumer reporting agencies about the timing, distribution, and content of the notices going to individuals. It is easy to overlook in the rush of a large incident, which is why a breach response plan should flag the 500-person line as a hard checkpoint. None of this can be bargained away: any waiver of the statute’s provisions “is contrary to public policy and is void and unenforceable.” (Minn. Stat. § 325E.61, subd. 3.) A contract can shift cost and responsibility between companies, but it cannot eliminate the duty itself. Because credit-bureau notice intersects with identity-theft risk, it is worth pairing this with your identity-theft red-flag obligations.
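The definition of personal information, the owner-versus-maintainer split, the delivery-method thresholds, and the 500-person credit-bureau checkpoint discussed above are a decision tree that an incident response team can encode in its playbook. The following is an added illustration, not code from the firm or from the statute: it assumes the investigation has already inventoried the exposed fields into the constructed labels used here (`ssn`, `drivers_license`, and so on), it treats the statutory text quoted in this article as its only rule source, and the reason strings it records are shorthand for the subdivisions cited above.

```python
from dataclasses import dataclass

# Data elements that, paired with a name, make a record "personal information"
# under Minn. Stat. § 325E.61, subd. 1(e). The labels are constructed for this
# example; map your own inventory's column names onto them.
TRIGGERING_ELEMENTS = {
    "ssn",                            # Social Security number
    "drivers_license",                # driver's license number
    "mn_id_card",                     # Minnesota identification card number
    "financial_account_with_access",  # account/card number plus the code or password that unlocks it
}


@dataclass
class IncidentInventory:
    """What the investigation has established so far (every field is a constructed input)."""
    exposed_fields: set                  # e.g. {"name", "email", "ssn"}
    acquired: bool                       # unauthorized *acquisition* shown, not mere viewing
    encrypted: bool                      # the records were encrypted
    key_also_acquired: bool = False      # the key/password travelled with the data
    good_faith_internal: bool = False    # employee/agent good-faith handling (subd. 1(d) exclusion)
    owns_or_licenses_data: bool = True   # owner/licensee (subd. 1(a)) vs. maintainer/vendor (subd. 1(b))
    mn_residents_affected: int = 0
    primary_contact_electronic: bool = False
    sufficient_contact_info: bool = True
    estimated_notice_cost: float = 0.0
    financial_institution: bool = False  # 15 U.S.C. § 6809(3) institution -> exempt under subd. 4


def is_personal_information(fields: set, encrypted: bool, key_also_acquired: bool) -> bool:
    """Name plus at least one triggering element, and effectively unencrypted."""
    effectively_unencrypted = (not encrypted) or key_also_acquired
    return "name" in fields and bool(fields & TRIGGERING_ELEMENTS) and effectively_unencrypted


def substitute_notice_available(inv: IncidentInventory) -> bool:
    """Subd. 1(g): cost over $250,000, class over 500,000, or insufficient contact information."""
    return (inv.estimated_notice_cost > 250_000
            or inv.mn_residents_affected > 500_000
            or not inv.sufficient_contact_info)


def triage(inv: IncidentInventory) -> dict:
    """Route the incident through the statutory checkpoints and record why at each step."""
    r = {"notify_residents": False, "notify_data_owner": False,
         "notify_credit_bureaus_48h": False, "delivery": None, "reasons": []}

    if inv.financial_institution:
        r["reasons"].append("financial institution: § 325E.61 does not apply (subd. 4); use the federal regime")
        return r
    if not inv.acquired:
        r["reasons"].append("no unauthorized acquisition established; access alone is not a breach")
        return r
    if inv.good_faith_internal:
        r["reasons"].append("good-faith acquisition by an employee or agent is excluded from the definition")
        return r
    if not is_personal_information(inv.exposed_fields, inv.encrypted, inv.key_also_acquired):
        r["reasons"].append("exposed fields are not 'personal information' under subd. 1(e)")
        return r

    if not inv.owns_or_licenses_data:
        r["notify_data_owner"] = True
        r["reasons"].append("maintainer: notify the data owner immediately on discovery (subd. 1(b))")
        return r

    r["notify_residents"] = True
    r["reasons"].append("owner/licensee: notify residents without unreasonable delay (subd. 1(a))")
    if inv.mn_residents_affected > 500:
        r["notify_credit_bureaus_48h"] = True
        r["reasons"].append("more than 500 persons: 48-hour notice to nationwide consumer reporting agencies (subd. 2)")
    if substitute_notice_available(inv):
        r["delivery"] = "substitute: email where available + website posting + statewide media (all three)"
    elif inv.primary_contact_electronic:
        r["delivery"] = "electronic"
    else:
        r["delivery"] = "written to most recent address"
    return r


if __name__ == "__main__":
    # Constructed scenario: a stolen export of names and SSNs covering 1,200 Minnesota residents.
    sample = IncidentInventory(exposed_fields={"name", "ssn"}, acquired=True, encrypted=False,
                               mn_residents_affected=1200, estimated_notice_cost=20_000)
    for line in triage(sample)["reasons"]:
        print(line)
```

The order of the checks mirrors the article: the acquisition question and the good-faith exclusion come before the field inventory, the encryption exception is folded into the definition so that a compromised key makes encrypted data count, and the credit-bureau and delivery decisions only run once the owner-side resident duty is established. Keep the inventory's field labels stable across incidents so the same function can be rerun as the investigation narrows the scope.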

How do federal breach rules interact with Minnesota’s law?

Federal law displaces or supplements Minnesota’s statute for two important categories of business: financial institutions and healthcare organizations. Minnesota’s statute states plainly that “the notification requirements of this section do not apply to any ‘financial institution’ as defined by United States Code, title 15, section 6809(3).” (Minn. Stat. § 325E.61, subd. 4.) The Gramm-Leach-Bliley Act defines a financial institution broadly as any institution whose business is engaging in financial activities (15 U.S.C. § 6809(3)), and those institutions follow the federal data-security and notification regime instead. For non-banking financial institutions, the Federal Trade Commission’s Safeguards Rule now requires notifying the FTC of a notification event involving the information of at least 500 consumers, as soon as possible and no later than 30 days after discovery (16 CFR 314.4(j)). Healthcare organizations face the HIPAA Breach Notification Rule, which requires a covered entity to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.404). The same rule also requires notice to the federal government and, for larger breaches, notice to prominent media outlets. The practical point is that “are we a financial institution or do we handle protected health information” is the first question for any Minnesota business in a regulated sector, because the answer routes the entire response. Sector-specific obligations also show up in our coverage of Minnesota-specific data and communications rules.

What are the consequences of failing to send a Minnesota breach notice?

Minnesota’s breach notification statute is enforced by the Attorney General, and an affected individual can also sue. The statute provides that “the attorney general shall enforce this section . . . under section 8.31.” (Minn. Stat. § 325E.61, subd. 6.) Section 8.31 is Minnesota’s general consumer-protection enforcement statute, and it carries a private right of action: “any person injured by a violation of any of the laws referred to in subdivision 1 may bring a civil action and recover damages, together with costs and disbursements, including costs of investigation and reasonable attorney’s fees, and receive other equitable relief as determined by the court.” (Minn. Stat. § 8.31, subd. 3a.) Exposure is therefore not only regulatory. A separate Minnesota statute adds direct financial exposure for payment-card incidents: a business that improperly retained card security codes or magnetic-stripe data and then suffered a breach must reimburse the banks that issued the affected cards for reasonable costs of card cancellation and reissuance, account closure, customer notification, and refunding unauthorized transactions (Minn. Stat. § 325E.64, subd. 3). Across the matters I see, the largest dollar consequences usually come from the response failures around a breach rather than the breach itself, which is also why preserving records after a security incident should start the moment an incident is suspected.

How do Minnesota’s breach rules apply to government entities and their contractors?

Government entities follow a separate Minnesota statute with its own notice duty and a unique reporting obligation. A government entity “that collects, creates, receives, maintains, or disseminates private or confidential data on individuals must disclose any breach of the security of the data following discovery or notification of the breach,” with written notice to each affected individual and disclosure “in the most expedient time possible and without unreasonable delay.” (Minn. Stat. § 13.055, subd. 2.) Beyond notice, the government statute requires the responsible authority to prepare a written report on the facts and results of the investigation after the investigation and any related disciplinary action conclude, and it directs that “at least annually, each government entity shall conduct a comprehensive security assessment of any personal information maintained by the government entity.” (Minn. Stat. § 13.055, subd. 6.) For a private company, the reason this matters is contractual. A business that holds or processes data for a Minnesota city, county, school district, or state agency should expect the government’s statutory duties to flow through into its contract as breach-reporting and cooperation obligations. Treating a government data contract like an ordinary commercial agreement, without accounting for these duties, is a common gap. The investigation-report requirement also makes documenting the investigation more than a best practice for public-sector work.

Do I have to notify if the lost data was encrypted?

Generally no. Encrypted data falls outside Minnesota’s definition of personal information, so an exposure of properly encrypted records usually does not trigger the notice duty. The exception is when the encryption key, password, or other means needed to read the data was also acquired. If the key traveled with the data, treat it as unencrypted and analyze it like any other exposure.

Is a lost laptop a reportable breach in Minnesota?

Not automatically. Minnesota’s breach definition turns on unauthorized acquisition of unencrypted personal information, not on a device going missing. A laptop that is lost and recovered with no sign of access may not be a reportable breach. A laptop taken by someone who could read the personal information on it is. The acquisition question controls, so document what you know about who had the device and what was on it.

Can my vendor’s breach create a notification duty for my company?

Yes. If your company owns or licenses the data, the duty to notify affected Minnesota residents stays with you even when the breach happened at a vendor. The vendor that maintains your data owes you notice immediately after it discovers the breach, which is why vendor contracts should require fast breach reporting. You then run the resident-notice analysis.

Can I be sued personally by an affected Minnesota resident?

Beyond Minnesota Attorney General enforcement, an injured person may bring a private civil action under Minnesota’s consumer-protection enforcement law and recover damages, costs of investigation, and reasonable attorney fees. Whether a given individual can show injury is fact-specific, but the private right of action is real and is one reason breach response is not only a regulatory matter.

Does HIPAA replace Minnesota’s breach law for my clinic?

A covered entity that handles protected health information follows the federal HIPAA Breach Notification Rule, which has its own notice obligations to affected individuals, the federal government, and, for larger breaches, the media. Whether Minnesota’s statute also reaches a particular incident depends on the data and the entity, so a clinic should analyze both regimes rather than assume one cancels the other.

Can a contract waive the duty to send breach notices?

No. Minnesota law makes any waiver of the breach notification provisions contrary to public policy and void and unenforceable. A vendor agreement, a customer’s terms of service, or an internal policy cannot contract the duty away. Contracts can allocate cost and responsibility between companies, but the underlying obligation to notify affected residents remains.

The throughline across Minnesota’s breach rules is that the duty turns on the data, the timeline is judged on diligence rather than a calendar date, and the response failures, not the breach alone, drive the largest exposure. A clear picture of which data elements you hold, where they live, and which vendors touch them is what makes a fast, defensible response possible. If your business is working through a suspected incident or building a breach response plan, email Aaron Hall at [email protected] with a brief description for a practical read. Contact the firm to start an intake and conflict check before sending confidential documents. Our Minnesota regulatory compliance practice covers the related obligations that often surface alongside a breach.