Cybersecurity is an increasingly critical issue for businesses in Minnesota, as well as for the attorneys who advise them. The rapid evolution of technology has introduced new vulnerabilities, while the legal and regulatory frameworks governing cybersecurity have grown more complex. Minnesota businesses face unique challenges as they navigate state-specific laws alongside federal regulations, industry standards, and the ever-present risk of cyberattacks. This article explores the essential elements of cybersecurity law in Minnesota, offering a comprehensive examination of legal obligations, enforcement trends, and best practices.
Definitions and Key Concepts
Understanding key terms is essential for anyone engaging with cybersecurity issues, whether as a business leader, legal practitioner, or policymaker. These foundational concepts provide a basis for exploring the complexities of Minnesota’s legal landscape.
Cybersecurity
Cybersecurity encompasses the strategies, technologies, and practices designed to protect digital assets, including systems, networks, and data, from unauthorized access or attack. For businesses, cybersecurity involves implementing measures that reduce risk and safeguard sensitive information. In the legal realm, cybersecurity refers to the statutory and regulatory obligations imposed on entities to protect data against threats.
Data Breach
A data breach occurs when unauthorized individuals access or disclose protected data, intentionally or inadvertently. Breaches can stem from various causes, such as hacking, physical theft, system vulnerabilities, or employee negligence. Minnesota’s data breach notification statute defines a “breach of the security of the system” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information,” and requires a business that owns or licenses such data to notify affected Minnesota residents “in the most expedient time possible and without unreasonable delay.” Minn. Stat. § 325E.61, subd. 1 (available at https://www.revisor.mn.gov/statutes/cite/325E.61).
Personal Information (PI)
Personal information refers to data that can identify an individual, either alone or in combination with other data. Minnesota’s data-breach notification law defines “personal information” as an individual’s name combined with an unencrypted Social Security number, driver’s license or state ID number, or financial account or payment card number plus its access credentials. Minn. Stat. § 325E.61, subd. 1(e) (available at https://www.revisor.mn.gov/statutes/cite/325E.61). The protection of PI is a cornerstone of cybersecurity regulations.
Reasonable Security Measures
The term “reasonable security measures” is frequently used in cybersecurity laws and policies, though its meaning can vary. Generally, it refers to safeguards proportionate to the sensitivity of the data being protected, the organization’s resources, and the current threat landscape. Businesses are expected to adopt measures that align with industry standards and best practices.
Cybersecurity in Minnesota
Minnesota’s economy encompasses diverse industries, from healthcare to financial services to manufacturing, each with unique cybersecurity challenges. These sectors face persistent threats from cybercriminals seeking to exploit vulnerabilities for financial gain, espionage, or disruption. Minnesota businesses must contend with a complex interplay of state and federal regulations designed to mitigate these risks.
The Role of State Agencies
Several state agencies play critical roles in Minnesota’s cybersecurity ecosystem. For instance, the Minnesota Department of Commerce oversees consumer protection laws that may apply to data security, while Minnesota IT Services (MNIT) leads efforts to secure state government networks. These agencies provide guidance to businesses and enforce legal requirements when necessary.
Economic Impacts of Cybersecurity
Minnesota’s businesses, from small startups to large corporations, are integral to the state’s economy. A single data breach can have devastating consequences, including financial losses, legal penalties, and reputational damage. The growing frequency and sophistication of cyberattacks have highlighted the importance of proactive cybersecurity measures, both to protect businesses and to maintain consumer trust.
Federal Cybersecurity Laws and Their Impact on Minnesota
Although Minnesota has specific laws addressing cybersecurity, federal statutes also significantly influence the obligations of businesses operating in the state. These laws establish baseline requirements for data security and privacy, often tailored to specific industries.
Gramm-Leach-Bliley Act (GLBA)
The GLBA governs the financial sector, imposing requirements for protecting consumer financial information. The statute declares each financial institution’s “affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information,” and directs the relevant regulators to establish standards for administrative, technical, and physical safeguards. See 15 U.S.C. § 6801 (available at https://www.law.cornell.edu/uscode/text/15/6801).
A common misconception is that the FTC’s “GLBA Safeguards Rule” applies to every financial institution. It does not. Under the enforcement allocation in 15 U.S.C. § 6805 (available at https://www.law.cornell.edu/uscode/text/15/6805), banks and federally insured credit unions are not governed by the FTC’s Safeguards Rule (16 C.F.R. Part 314). Banks must implement a written information security program under their federal banking regulators’ safeguards standards (the Interagency Guidelines, for example 12 C.F.R. Part 30, App. B), and federally insured credit unions under the NCUA’s rules (12 C.F.R. Part 748, App. A). The FTC’s Safeguards Rule reaches only non-bank financial institutions under FTC jurisdiction, such as mortgage lenders and brokers, finance companies, payday lenders, check cashers, collection agencies, and tax preparers, which must “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.” 16 C.F.R. § 314.3(a) (available at https://www.law.cornell.edu/cfr/text/16/314.3).
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA regulates the handling of protected health information (PHI) by covered entities (health plans, including insurers; health care clearinghouses; and health care providers who transmit health information electronically) and their business associates. See 45 C.F.R. § 164.502(a); 45 C.F.R. § 160.103 (defining “covered entity” and “business associate”) (available at https://www.law.cornell.edu/cfr/text/45/164.502). In Minnesota, healthcare organizations that qualify as covered entities, along with their business associates, must comply with the HIPAA Security Rule, which requires them to “[e]nsure the confidentiality, integrity, and availability of all electronic protected health information” they create, receive, maintain, or transmit, and to protect against reasonably anticipated threats and impermissible uses or disclosures. 45 C.F.R. § 164.306(a) (available at https://www.law.cornell.edu/cfr/text/45/164.306). These entities are also subject to state laws that provide additional protections for medical records.
Federal Trade Commission (FTC) Act
The Federal Trade Commission enforces data security under Section 5 of the FTC Act, which declares “unfair or deceptive acts or practices in or affecting commerce . . . unlawful” and empowers the Commission to prevent them. 15 U.S.C. § 45(a) (available at https://www.law.cornell.edu/uscode/text/15/45). The FTC does not enforce a codified set of data-security “standards”; instead, through its enforcement practice it treats a company’s failure to maintain reasonable data security as an unfair or deceptive trade practice under that prohibition, applied case by case. Federal courts have upheld this authority. FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). Businesses in Minnesota may face FTC investigations or enforcement actions if their cybersecurity practices are found inadequate or misleading, which underscores the need for transparency and diligence in safeguarding customer data.
Children’s Online Privacy Protection Act (COPPA)
COPPA governs operators of websites and online services directed to children under the age of 13, as well as any operator with actual knowledge that it is collecting personal information from a child under 13. See 15 U.S.C. § 6501(1), § 6502(a)(1) (available at https://www.law.cornell.edu/uscode/text/15/6501). Businesses collecting data from children in Minnesota must obtain verifiable parental consent and “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity” of that information. 15 U.S.C. § 6502(b)(1); see also 16 C.F.R. Part 312 (the FTC’s COPPA Rule). The FTC amended the COPPA Rule effective June 23, 2025, with a general compliance deadline of April 22, 2026, so operators must meet the updated requirements of 16 C.F.R. Part 312, as amended. Children’s Online Privacy Protection Rule, 90 Fed. Reg. 16918 (Apr. 22, 2025) (available at https://www.federalregister.gov/documents/2025/04/22/2025-05904/childrens-online-privacy-protection-rule). Compliance with COPPA is essential for companies in the education, entertainment, and digital marketing sectors.
Minnesota-Specific Cybersecurity Laws
Minnesota has enacted laws that address cybersecurity and data privacy concerns unique to the state. These statutes complement federal regulations while introducing additional obligations for businesses operating within Minnesota’s jurisdiction.
Data Breach Notification Law
Minnesota Statutes Section 325E.61 requires any person or business that conducts business in Minnesota and that owns or licenses data including personal information to notify affected Minnesota residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Minn. Stat. § 325E.61, subd. 1(a) (available at https://www.revisor.mn.gov/statutes/cite/325E.61).
Unlike many other states, Minnesota does not statutorily prescribe the content of the notice. The statute requires that notice be given “in the most expedient time possible and without unreasonable delay,” but it does not require the notification to describe the nature of the breach, the type of information compromised, or steps individuals can take to protect themselves. Minn. Stat. § 325E.61, subd. 1(a). If a single breach requires notifying more than 500 persons at once, the business must also notify the nationwide consumer reporting agencies, within 48 hours, of the timing, distribution, and content of the notices. Minn. Stat. § 325E.61, subd. 2.
Plastic Card Security Act
The Plastic Card Security Act, codified at Minn. Stat. § 325E.64 (official heading “Access Devices; Breach of Security”), prohibits any person or entity conducting business in Minnesota that accepts a payment card from retaining the card security code, the PIN verification code, or the full contents of any magnetic stripe track after the transaction is authorized (or, for PIN debit transactions, beyond 48 hours after authorization). Minn. Stat. § 325E.64, subd. 2 (available at https://www.revisor.mn.gov/statutes/cite/325E.64). A company that violates these retention requirements and then suffers a breach must reimburse the issuing financial institution for the reasonable costs of responding to the breach and is also liable for damages the financial institution paid to cardholders injured by the breach. Minn. Stat. § 325E.64, subd. 3. This liability runs to the affected financial institution, not directly to cardholders.
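The retention rule described above can be checked mechanically against what a payment system still holds. The following is an added example, not the statute’s text or any official tool; the record layout, the field names, and the sample records are all assumptions constructed for illustration.

```python
"""Retention audit for the Plastic Card Security Act, Minn. Stat. § 325E.64,
as this article summarizes it: the card security code, PIN verification code,
and full magnetic-stripe track contents may not be retained after the
transaction is authorized (for PIN debit, beyond 48 hours after authorization).
Added example, not an official tool; the record layout is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Field names are assumptions for this example.
PROHIBITED_AFTER_AUTH = {"card_security_code", "pin_verification_code", "track1", "track2"}
PIN_DEBIT_GRACE = timedelta(hours=48)


@dataclass
class StoredTransaction:
    txn_id: str
    authorized_at: datetime | None   # None while authorization is pending
    pin_debit: bool
    stored_fields: dict[str, str]    # what the merchant system still holds


def retention_deadline(txn: StoredTransaction) -> datetime | None:
    """Moment after which the prohibited fields must no longer be held."""
    if txn.authorized_at is None:
        return None   # data may be held until the transaction is authorized
    return txn.authorized_at + PIN_DEBIT_GRACE if txn.pin_debit else txn.authorized_at


def violations(txn: StoredTransaction, now: datetime) -> set[str]:
    """Prohibited fields still stored (non-empty) past the retention deadline."""
    deadline = retention_deadline(txn)
    if deadline is None or now <= deadline:
        return set()
    return {f for f in PROHIBITED_AFTER_AUTH if txn.stored_fields.get(f)}


def audit(txns: list[StoredTransaction], now: datetime) -> dict[str, set[str]]:
    """Map transaction id -> prohibited fields found, for every violating record."""
    result: dict[str, set[str]] = {}
    for t in txns:
        v = violations(t, now)
        if v:
            result[t.txn_id] = v
    return result


def purge(txn: StoredTransaction) -> StoredTransaction:
    """Return a copy with the prohibited fields removed (the remediation step)."""
    kept = {k: v for k, v in txn.stored_fields.items() if k not in PROHIBITED_AFTER_AUTH}
    return StoredTransaction(txn.txn_id, txn.authorized_at, txn.pin_debit, kept)


NOW = datetime(2025, 9, 1, 12, 0, tzinfo=timezone.utc)   # constructed "current time"


def constructed_records() -> list[StoredTransaction]:
    """Constructed sample records; all values are placeholders, not card data."""
    def hours_ago(n: int) -> datetime:
        return NOW - timedelta(hours=n)

    return [
        # credit sale authorized a day ago, security code still stored -> violation
        StoredTransaction("t1", hours_ago(24), False, {"last4": "0000", "card_security_code": "xxx"}),
        # PIN debit authorized 10 h ago, PIN verification code stored -> inside the 48-hour window
        StoredTransaction("t2", hours_ago(10), True, {"last4": "0000", "pin_verification_code": "xxxx"}),
        # PIN debit authorized 3 days ago, full track 2 retained -> violation
        StoredTransaction("t3", hours_ago(72), True, {"last4": "0000", "track2": "placeholder"}),
        # authorization still pending -> nothing prohibited yet
        StoredTransaction("t4", None, False, {"last4": "0000", "card_security_code": "xxx"}),
        # authorized long ago, only truncated PAN and expiry kept -> compliant
        StoredTransaction("t5", hours_ago(240), False, {"last4": "0000", "expiry": "01/30"}),
    ]


if __name__ == "__main__":
    for txn_id, fields in audit(constructed_records(), NOW).items():
        print(f"{txn_id}: purge {sorted(fields)}")
```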
Government Data Practices Act (MGDPA)
The Minnesota Government Data Practices Act (MGDPA) regulates how government entities collect, store, maintain, disseminate, and provide access to government data; a “government entity” means a state agency, statewide system, or political subdivision (such as a county, city, or school district). See Minn. Stat. §§ 13.01, 13.02, subd. 7a. When a government entity contracts with a private person to perform any of its functions, all data the private person handles in performing those functions is subject to the Act, and the private person must comply with the Act’s requirements (including the duty to establish appropriate security safeguards) as if it were a government entity. Minn. Stat. § 13.05, subd. 11 (available at https://www.revisor.mn.gov/statutes/cite/13.05); see also id. subd. 5.
Minnesota Consumer Data Privacy Act (MCDPA)
Minnesota has adopted a comprehensive consumer privacy law comparable to California’s. The Minnesota Consumer Data Privacy Act (MCDPA), codified at Minn. Stat. §§ 325M.10 to 325M.21, may be cited by that name and took effect July 31, 2025 (postsecondary institutions regulated by the Office of Higher Education are not required to comply until July 31, 2029). Minn. Stat. § 325M.10 (available at https://www.revisor.mn.gov/statutes/cite/325M.10). The Act grants consumers rights to confirm and access their personal data, to correct inaccurate personal data, to delete personal data, to obtain it in a portable and readily usable format, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Minn. Stat. § 325M.14 (available at https://www.revisor.mn.gov/statutes/cite/325M.14). The Act applies to controllers that conduct business in Minnesota, or target products or services to Minnesota residents, and that during a calendar year either control or process the personal data of 100,000 or more consumers (excluding data processed solely to complete a payment transaction), or control or process the personal data of 25,000 or more consumers while deriving over 25 percent of gross revenue from the sale of personal data. The Attorney General has exclusive enforcement authority, with no private right of action and civil penalties up to $7,500 per violation. Minn. Stat. § 325M.20 (available at https://www.revisor.mn.gov/statutes/cite/325M.20).
Data Privacy and Breach Notification in Practice
Minnesota’s legal framework for data privacy and breach notification aims to protect individuals from the harmful consequences of data breaches. These laws establish clear expectations for businesses and provide affected individuals with the information needed to mitigate potential harm.
Types of Data Covered
Minnesota law focuses on safeguarding personal information, including names combined with Social Security numbers, driver’s license numbers, or financial account details. Minn. Stat. § 325E.61, subd. 1(e) (available at https://www.revisor.mn.gov/statutes/cite/325E.61). Healthcare data, biometric information, and other sensitive data types may also fall under legal protections, depending on the context.
Breach Notification Requirements
When a breach exposes the unencrypted personal information of Minnesota residents, a business that owns or licenses that data must notify the affected residents “in the most expedient time possible and without unreasonable delay,” subject to the legitimate needs of law enforcement and of investigating and restoring the data system. Minn. Stat. § 325E.61, subd. 1(a) (available at https://www.revisor.mn.gov/statutes/cite/325E.61). Timing is critical; delays in notification can exacerbate harm and result in legal penalties.
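The definition of personal information and the notification triggers described in this section and in the Data Breach Notification Law section above combine into a short triage rule. The following is an added example, not the statute’s text or any official tool; the record layout, element names, and the sample data set are assumptions constructed for illustration, and it models only § 325E.61 as summarized in this article.

```python
"""Breach-notification triage under Minn. Stat. § 325E.61 as this article
summarizes it.  Added example, not an official tool or the statute's text;
the record layout and field names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

# Subd. 2 as summarized above: notifying more than 500 persons at once also
# requires notice to the nationwide consumer reporting agencies within 48 hours.
CRA_NOTICE_THRESHOLD = 500
CRA_NOTICE_HOURS = 48

# Subd. 1(e) as summarized above: a name combined with one of these
# unencrypted elements is "personal information".  An account or card
# number counts only together with a credential that permits access.
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "state_id"}
ACCOUNT_ELEMENTS = {"account_number", "card_number"}
CREDENTIAL_ELEMENTS = {"security_code", "access_code", "password"}


@dataclass
class AffectedRecord:
    """One individual's record in the data set that was acquired (or is
    reasonably believed to have been acquired) by an unauthorized person."""
    resident_state: str                 # two-letter state of residence
    has_name: bool
    elements: set[str]                  # data elements present in the record
    encrypted: set[str] = field(default_factory=set)  # elements stored encrypted


def is_personal_information(rec: AffectedRecord) -> bool:
    """True if the unencrypted part of the record meets the statutory definition."""
    if not rec.has_name:
        return False
    clear = rec.elements - rec.encrypted
    if clear & STANDALONE_ELEMENTS:
        return True
    return bool(clear & ACCOUNT_ELEMENTS) and bool(clear & CREDENTIAL_ELEMENTS)


@dataclass
class Determination:
    residents_to_notify: int   # Minnesota residents owed individual notice
    notify_cra: bool           # consumer reporting agency notice also required
    cra_deadline_hours: int | None


def triage(records: list[AffectedRecord]) -> Determination:
    """Decide who must be notified for one breach event.

    Assumes the business conducts business in Minnesota and owns or licenses
    the data.  Residents of other states are outside § 325E.61 (their own
    states' statutes are not modelled).  Individual notice is due "in the most
    expedient time possible and without unreasonable delay", subject to
    law-enforcement and investigation needs, so no fixed deadline is computed."""
    count = sum(
        1 for r in records
        if r.resident_state == "MN" and is_personal_information(r)
    )
    notify_cra = count > CRA_NOTICE_THRESHOLD
    return Determination(count, notify_cra, CRA_NOTICE_HOURS if notify_cra else None)


def constructed_breach() -> list[AffectedRecord]:
    """Constructed sample data set (no real individuals)."""
    rows: list[AffectedRecord] = []
    # 600 MN residents: name + cleartext SSN -> personal information
    rows += [AffectedRecord("MN", True, {"ssn"}) for _ in range(600)]
    # 50 MN residents: name + card number but no credential -> not PI
    rows += [AffectedRecord("MN", True, {"card_number"}) for _ in range(50)]
    # 30 MN residents: SSN present but encrypted -> not unencrypted PI
    rows += [AffectedRecord("MN", True, {"ssn"}, encrypted={"ssn"}) for _ in range(30)]
    # 20 MN residents: name + account number + password -> PI
    rows += [AffectedRecord("MN", True, {"account_number", "password"}) for _ in range(20)]
    # 40 Wisconsin residents with cleartext SSN: outside this statute
    rows += [AffectedRecord("WI", True, {"ssn"}) for _ in range(40)]
    return rows


if __name__ == "__main__":
    d = triage(constructed_breach())
    print(f"notify {d.residents_to_notify} Minnesota residents; "
          f"CRA notice required: {d.notify_cra} (within {d.cra_deadline_hours} hours)")
```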
Consequences of Non-Compliance
Failing to comply with Minnesota’s breach notification requirements can lead to enforcement actions by the state attorney general, because the statute directs that “[t]he attorney general shall enforce this section and section 13.055, subdivision 6, under section 8.31.” Minn. Stat. § 325E.61, subd. 6 (available at https://www.revisor.mn.gov/statutes/cite/325E.61). Section 8.31 in turn supplies civil penalties up to $25,000 and injunctive relief. Minn. Stat. § 8.31, subds. 1, 3 (available at https://www.revisor.mn.gov/statutes/cite/8.31). Whether an affected individual may bring a private lawsuit for a breach-notification violation is unsettled. Section 8.31’s private remedy (subdivision 3a) runs only to a person injured “by a violation of any of the laws referred to in subdivision 1,” and § 325E.61 is not among the laws enumerated in subdivision 1, so the private-attorney-general remedy does not clearly reach a § 325E.61 violation. Note also that the statute imposes no duty to notify the Attorney General of a breach; the Attorney General’s only statutory role is enforcement.
Regulatory Enforcement and Penalties
Minnesota’s enforcement landscape reflects a strong commitment to holding businesses accountable for cybersecurity lapses. Regulatory agencies and courts play pivotal roles in ensuring compliance with state and federal laws.
Role of the Minnesota Attorney General
The Minnesota Attorney General’s Office has broad civil authority to investigate and enforce Minnesota’s data-security and data-breach law. The breach notification statute directs that “the attorney general shall enforce this section . . . under section 8.31” (Minn. Stat. § 325E.61, subd. 6), and Section 8.31 supplies the remedies: civil penalties up to $25,000 and injunctive relief. Minn. Stat. § 8.31, subds. 1, 3 (available at https://www.revisor.mn.gov/statutes/cite/8.31). Minnesota’s newer Consumer Data Privacy Act is separately enforced exclusively by the Attorney General, with civil penalties up to $7,500 per violation and no private right of action. Minn. Stat. § 325M.20. Businesses facing enforcement actions should work closely with legal counsel to address compliance gaps and negotiate favorable outcomes.
Private Rights of Action
Minnesota’s breach-notification statute is enforced “under section 8.31” (Minn. Stat. § 325E.61, subd. 6), which gives the Attorney General investigative and enforcement authority, including civil penalties and injunctive relief. Whether that cross-reference also gives a private party a right to sue is unsettled: § 8.31’s private remedy (subdivision 3a) extends only to a person injured “by a violation of any of the laws referred to in subdivision 1,” and § 325E.61 is not among the laws enumerated in subdivision 1. The Minnesota Consumer Data Privacy Act, by contrast, expressly reserves enforcement to the attorney general with no private right of action. Businesses should document their cybersecurity efforts to defend against potential litigation.
Criminal Penalties
In rare cases, cybersecurity violations involving willful misconduct or fraud can result in criminal charges. Under the federal Computer Fraud and Abuse Act, it is a crime to access a protected computer “knowingly and with intent to defraud,” punishable by “a fine under this title or imprisonment for not more than five years, or both.” 18 U.S.C. § 1030(a)(4), (c)(3)(A) (available at https://www.law.cornell.edu/uscode/text/18/1030). While criminal enforcement is less common, the possibility underscores the importance of maintaining robust and compliant security practices.
Common Cybersecurity Threats in Minnesota
Businesses in Minnesota face a wide array of cybersecurity threats, each requiring tailored defenses. Understanding these threats is the first step toward mitigating risk and protecting sensitive data.
Phishing and Social Engineering
Phishing attacks exploit human vulnerabilities by tricking employees into revealing sensitive information. Training programs that teach employees to recognize phishing attempts are essential for reducing this risk.
Ransomware
Ransomware attacks can cripple business operations by encrypting critical data and demanding payment for its release. Robust backup systems and incident response plans are critical defenses against this growing threat.
Insider Threats
Insider threats may involve malicious actions by disgruntled employees or accidental security breaches by well-meaning staff. Implementing access controls and monitoring systems can help businesses detect and prevent such incidents.
Cybersecurity Governance in Businesses
Effective cybersecurity governance is a cornerstone of a strong defense against threats. Governance encompasses the policies, processes, and leadership structures that guide an organization’s cybersecurity practices. Minnesota businesses, regardless of size or industry, must establish clear governance frameworks to mitigate risks and ensure compliance with applicable laws.
Leadership and Accountability
The responsibility for cybersecurity begins at the top. Boards of directors and executive leaders are increasingly held accountable for their organization’s cybersecurity posture. Leaders must ensure that adequate resources are allocated to cybersecurity efforts and that risk assessments are regularly conducted. Assigning clear roles, such as appointing a Chief Information Security Officer (CISO), can centralize responsibility and improve strategic decision-making.
Policies and Procedures
Comprehensive cybersecurity policies outline the rules and expectations for employees, contractors, and third-party partners. These policies may include:
- Acceptable Use Policies (AUPs): Define how employees can use company resources and systems.
- Data Classification Policies: Categorize data based on sensitivity and assign appropriate protection levels.
- Incident Response Procedures: Detail the steps to be taken in the event of a cybersecurity incident, including escalation protocols and external notifications.
Regularly reviewing and updating these policies ensures they remain relevant as threats and regulations evolve.
Security Awareness Training
Employees are often the weakest link in an organization’s cybersecurity defenses. Regular training sessions educate staff on recognizing threats such as phishing, malware, and social engineering. Training should be dynamic and include:
- Real-world examples of common attacks.
- Updates on emerging threats.
- Simulated phishing exercises to test and reinforce awareness.
By fostering a culture of security, organizations can significantly reduce their risk exposure.
Incident Response and Breach Management
A well-prepared incident response plan (IRP) is crucial for mitigating the damage caused by cybersecurity incidents. Minnesota businesses must have clear, actionable strategies in place to detect, contain, and recover from breaches. Effective breach management also helps ensure compliance with legal obligations and preserves stakeholder trust.
Key Components of an Incident Response Plan
An IRP outlines the procedures for responding to cybersecurity incidents. Key elements include:
- Identification: Establish mechanisms, such as intrusion detection systems, to identify potential incidents quickly.
- Containment: Define steps to isolate affected systems and prevent further damage.
- Eradication: Remove malicious software or unauthorized access points from systems.
- Recovery: Restore systems and data to normal operations while verifying the security of restored environments.
- Post-Incident Analysis: Conduct reviews to determine the root cause of the incident and implement measures to prevent recurrence.
IRPs should be tested regularly through tabletop exercises and simulations to ensure their effectiveness under real-world conditions.
Communication Protocols During a Breach
Effective communication is critical during a cybersecurity incident. Businesses must:
- Notify Internal Teams: Quickly inform IT, legal, and executive teams about the incident.
- Engage External Stakeholders: Notify regulators, law enforcement, and affected individuals as required by Minnesota’s breach notification law.
- Manage Public Relations: Develop a clear and transparent messaging strategy to address concerns and maintain public trust.
Timely and coordinated communication can minimize reputational harm and demonstrate the organization’s commitment to addressing the issue.
Forensic Investigations and Lessons Learned
Following a breach, forensic investigations help determine how the incident occurred, what data was affected, and whether vulnerabilities remain. Engaging third-party experts can provide valuable insights and ensure objectivity. The findings should inform updates to security policies, training programs, and technical defenses.
Litigation Considerations and Defenses
When a cybersecurity incident occurs, businesses may face lawsuits from affected individuals, regulatory enforcement actions, or both. Understanding the potential legal consequences and preparing effective defenses is essential for managing risk.
Common Legal Claims
Businesses that experience a data breach may face a range of claims, including:
- Negligence: Plaintiffs may argue that the organization failed to implement reasonable security measures, leading to the breach.
- Breach of Contract: Affected parties may allege that the organization violated contractual obligations to protect their data.
- Violations of State or Federal Law: Non-compliance with Minnesota’s data breach notification law or federal regulations can result in both civil and regulatory actions.
These claims often hinge on whether the organization acted reasonably and complied with recognized cybersecurity standards.
Defenses Against Claims
Businesses can employ several defenses to mitigate liability:
- Reasonable Security Practices: Demonstrating that the organization’s written cybersecurity program reasonably conforms to a recognized framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, can strengthen a defense. In “safe harbor” states, framework conformance provides a statutory affirmative defense: under the Ohio Data Protection Act, for example, a covered entity whose program reasonably conforms to a named framework “is entitled to an affirmative defense to any cause of action sounding in tort . . . that alleges that the failure to implement reasonable information security controls resulted in a data breach.” Ohio Rev. Code Ann. § 1354.02(D); id. § 1354.03(A)(1)(a) (available at https://codes.ohio.gov/ohio-revised-code/section-1354.02). Minnesota has not enacted a comparable safe-harbor statute, so for a Minnesota matter NIST conformance functions as evidence of reasonable care rather than a codified defense.
- Lack of Standing: A plaintiff must establish standing by showing a concrete and particularized injury in fact that is actual or imminent, not conjectural or hypothetical. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992) (available at https://www.law.cornell.edu/supremecourt/text/504/555). Federal courts routinely dismiss data-breach damages claims that rest only on a speculative risk of future misuse, because the Supreme Court held in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm” for a damages claim “unless the exposure to the risk of future harm itself causes a separate concrete harm” (available at https://www.law.cornell.edu/supremecourt/text/20-297). A plaintiff who pleads a present, concrete injury caused by the breach (out-of-pocket mitigation costs, lost time reasonably spent on protective measures, or a harm bearing a close relationship to a traditional common-law tort) can satisfy injury-in-fact, and the circuits remain split on which alleged injuries clear the TransUnion bar.
- Acts of Third Parties: If a breach was caused by a sophisticated cybercriminal or a vendor’s failure, the organization may argue that the blame lies elsewhere.
Documenting cybersecurity efforts, including risk assessments and policy updates, is critical for mounting a strong defense.
Class Action Risks
Data breaches often lead to class action lawsuits, particularly when a large number of individuals are affected. These cases can result in significant settlements or judgments. Proactive measures, such as encryption and timely notifications, can reduce the likelihood of litigation and limit exposure if a lawsuit is filed.
Cyber Insurance and Risk Management
Cyber insurance has become an essential tool for mitigating the financial impact of cybersecurity incidents. However, businesses must carefully evaluate their policies to ensure adequate coverage and avoid surprises when filing claims.
Types of Cyber Insurance
Cyber insurance policies typically fall into two categories:
- First-Party Coverage: Covers direct costs incurred by the policyholder, such as data recovery, business interruption, and crisis management expenses.
- Third-Party Coverage: Addresses liability claims from customers, partners, or regulators resulting from a data breach.
Minnesota businesses should consider a combination of both types to address their specific risks.
Policy Exclusions and Limitations
Insurance policies often include exclusions or sub-limits for certain types of incidents, such as ransomware payments or social engineering attacks. Businesses must thoroughly review their policies to understand what is covered and ensure alignment with their risk profile.
Cyber Insurance as Part of a Broader Strategy
While cyber insurance provides financial protection, it should complement, not replace, other risk management efforts. Organizations should prioritize robust technical defenses, regular employee training, and comprehensive incident response planning. Together, these measures create a layered approach to cybersecurity.
Best Practices for Cybersecurity Compliance
Compliance with cybersecurity laws and regulations requires a proactive, systematic approach. Minnesota businesses must align their practices with legal obligations while addressing industry standards and evolving threats. Following best practices can help organizations mitigate risk, demonstrate due diligence, and avoid legal consequences.
Aligning with Established Frameworks
Adopting recognized cybersecurity frameworks provides a strong foundation for compliance. Popular frameworks include:
- NIST Cybersecurity Framework (CSF): A widely used guideline for managing and reducing cybersecurity risks. The current version, CSF 2.0, provides a structured approach through six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. The Govern function was added in CSF 2.0 (released February 2024) and addresses organizational cybersecurity risk-management strategy, expectations, and policy; the prior framework (CSF 1.1) used only the five functions Identify, Protect, Detect, Respond, and Recover. NIST, The NIST Cybersecurity Framework (CSF) 2.0, NIST CSWP 29 (Feb. 26, 2024), available at https://doi.org/10.6028/NIST.CSWP.29.
- ISO/IEC 27001: An international standard, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). The current edition is ISO/IEC 27001:2022.
- CIS Controls: A prioritized set of actions to mitigate the most common and significant cyber threats.
These frameworks offer actionable steps that can be tailored to an organization’s size, complexity, and resources.
Conducting Regular Risk Assessments
Cybersecurity risk assessments identify vulnerabilities, evaluate potential threats, and prioritize remediation efforts. Key steps in conducting a risk assessment include:
- Asset Inventory: Catalog all digital and physical assets, including hardware, software, and data.
- Threat Analysis: Identify potential cyber threats, such as ransomware, insider threats, or phishing attacks.
- Vulnerability Identification: Assess systems and processes to uncover weaknesses, such as outdated software or misconfigured settings.
- Risk Prioritization: Rank risks based on their likelihood and potential impact to focus resources on the most critical areas.
Regular assessments, conducted annually or after significant changes, ensure that businesses remain prepared for emerging threats.
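The four steps above are easiest to see as one small risk register. The following Python is an added illustration written for this page, not code from the article or from any framework it cites; every asset name, threat likelihood, impact score and tier threshold is a constructed assumption, and a real assessment would draw the inventory from discovery tools and calibrate the scores to the business.

```python
"""Added example: a minimal risk register covering the four assessment steps.
All asset names, threats, scores and tier thresholds are constructed for illustration."""
from dataclasses import dataclass

# Step 1, asset inventory (constructed sample; real inventories come from CMDB or discovery tools)
ASSETS = [
    {"id": "srv-crm", "kind": "server", "data": "customer PII"},
    {"id": "ws-finance-07", "kind": "workstation", "data": "payroll"},
    {"id": "fw-edge", "kind": "firewall", "data": "none"},
    {"id": "nas-backup", "kind": "storage", "data": "backups"},
]

# Step 2, threat analysis: threat -> assumed likelihood, 1 (rare) to 5 (expected)
THREATS = {"ransomware": 4, "phishing": 5, "insider misuse": 2}

# Step 3, vulnerability identification: (asset, weakness, threats it enables, impact 1..5)
FINDINGS = [
    ("srv-crm", "unsupported operating system", ["ransomware"], 5),
    ("ws-finance-07", "no MFA on e-mail account", ["phishing"], 4),
    ("ws-finance-07", "all users are local administrators", ["insider misuse", "ransomware"], 3),
    ("fw-edge", "default administrator credentials", ["ransomware", "insider misuse"], 5),
]


@dataclass(frozen=True)
class Risk:
    asset: str
    weakness: str
    threat: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        # Classic likelihood x impact scoring on a 5x5 matrix
        return self.likelihood * self.impact

    @property
    def tier(self) -> str:
        # Tier cut-offs are constructed; organizations pick their own
        if self.score >= 16:
            return "critical"
        if self.score >= 10:
            return "high"
        if self.score >= 5:
            return "medium"
        return "low"


def build_risk_register(assets=ASSETS, threats=THREATS, findings=FINDINGS):
    """Step 4, risk prioritization: one Risk per (finding, threat) pair, highest score first."""
    known = {a["id"] for a in assets}
    register = []
    for asset_id, weakness, enabled, impact in findings:
        if asset_id not in known:
            raise ValueError(f"finding references an asset missing from the inventory: {asset_id}")
        if not 1 <= impact <= 5:
            raise ValueError(f"impact must be 1..5, got {impact}")
        for threat in enabled:
            register.append(Risk(asset_id, weakness, threat, threats[threat], impact))
    # Ties broken deterministically so the ranking is reproducible between runs
    register.sort(key=lambda r: (-r.score, r.asset, r.weakness))
    return register


def unassessed_assets(assets=ASSETS, findings=FINDINGS):
    """Inventory items with no recorded finding: a coverage gap, not a clean bill of health."""
    assessed = {f[0] for f in findings}
    return sorted(a["id"] for a in assets if a["id"] not in assessed)


if __name__ == "__main__":
    for r in build_risk_register():
        print(f"{r.tier:8} {r.score:2}  {r.asset:14} {r.threat:15} {r.weakness}")
    print("no findings recorded for:", unassessed_assets())
```

The coverage check at the end is the part most often skipped: an asset absent from the findings list usually means it was never examined, which is why the example reports it rather than treating it as low risk.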
Vendor Management and Third-Party Risk
Third-party vendors and contractors often have access to sensitive data or systems, creating additional risk. Businesses must implement vendor management practices, including:
- Due Diligence: Evaluate vendors’ cybersecurity practices before entering into agreements. Request certifications, security audits, and references.
- Contractual Obligations: Include clauses in contracts that require vendors to adhere to specific security standards, notify the business of breaches, and assume liability for certain incidents.
- Continuous Monitoring: Regularly review vendor performance and conduct periodic audits to ensure compliance.
Strong vendor management reduces the likelihood of supply chain attacks and ensures accountability for third-party risks.
Data Minimization and Retention Policies
Collecting and retaining unnecessary data increases exposure during a breach. Businesses should adopt data minimization principles, which involve:
- Collecting only the data necessary to achieve specific business objectives.
- Limiting access to sensitive data based on employee roles and responsibilities.
- Establishing retention schedules to securely delete data no longer required for business or legal purposes.
Data minimization not only reduces risk but also aligns with legal requirements for safeguarding personal information.
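The retention-schedule and role-based-access points above translate directly into two small routines. The Python below is an added example for this page rather than anything from the article; the data categories, retention periods, roles, records and the fixed reference date are all constructed assumptions, and the actual periods an organization uses must come from its own legal and business review.

```python
"""Added example: apply a retention schedule and role-based field minimization.
Categories, periods, roles, records and the reference date are constructed for illustration."""
from datetime import date, timedelta

# Fixed reference date so the example is reproducible; use date.today() in practice
TODAY = date(2025, 6, 1)

# Retention schedule: category -> days to keep after last business use (constructed values)
RETENTION_DAYS = {"marketing_lead": 365, "support_ticket": 3 * 365, "payroll": 7 * 365}

# Fields each role may see (constructed); anything not listed for a role is withheld
ROLE_FIELDS = {
    "support": {"id", "category", "email"},
    "payroll": {"id", "category", "email", "ssn", "salary"},
}

# Constructed sample records; the SSN is a placeholder, not a real identifier
RECORDS = [
    {"id": 1, "category": "marketing_lead", "last_used": date(2023, 1, 15), "legal_hold": False,
     "email": "a@example.com"},
    {"id": 2, "category": "support_ticket", "last_used": date(2024, 3, 1), "legal_hold": False,
     "email": "b@example.com"},
    {"id": 3, "category": "payroll", "last_used": date(2016, 5, 1), "legal_hold": True,
     "email": "c@example.com", "ssn": "000-00-0000", "salary": 50000},
    {"id": 4, "category": "scanned_misc", "last_used": date(2010, 1, 1), "legal_hold": False,
     "email": "d@example.com"},
    {"id": 5, "category": "marketing_lead", "last_used": date(2024, 9, 1), "legal_hold": False,
     "email": "e@example.com"},
]


def disposition(records=RECORDS, schedule=RETENTION_DAYS, today=TODAY):
    """Sort record ids into delete / retain / hold / unclassified buckets.

    A record whose category has no schedule is never deleted automatically:
    it is flagged for classification instead, because an unknown category
    may carry a legal retention duty the schedule does not yet capture.
    """
    out = {"delete": [], "retain": [], "hold": [], "unclassified": []}
    for rec in records:
        days = schedule.get(rec["category"])
        if days is None:
            out["unclassified"].append(rec["id"])
            continue
        expires = rec["last_used"] + timedelta(days=days)
        if today < expires:
            out["retain"].append(rec["id"])
        elif rec["legal_hold"]:
            # Expired, but litigation/regulatory hold overrides the schedule
            out["hold"].append(rec["id"])
        else:
            out["delete"].append(rec["id"])
    return out


def minimize(record, role, role_fields=ROLE_FIELDS):
    """Return only the fields the role is entitled to; an unknown role sees nothing."""
    allowed = role_fields.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    print(disposition())
    print(minimize(RECORDS[2], "support"))
```

Two design choices are worth noting: the legal-hold check runs only after a record has expired, so a hold never extends a record that would be kept anyway, and unclassified data is surfaced rather than silently retained or deleted, since either default defeats the purpose of a schedule.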
Patch Management and System Updates
Unpatched software is one of the most common entry points for cyberattacks. Businesses should implement a patch management program that:
- Regularly monitors for available updates to operating systems, software, and firmware.
- Tests patches in a controlled environment to identify potential compatibility issues.
- Deploys patches promptly, prioritizing those that address critical vulnerabilities.
Automating patch management can streamline the process and reduce the risk of human error.
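One way to make the three steps above measurable is to attach a deadline to each patch by severity and to enforce the test-before-deploy order. The Python below is an added example for this page, not code from the article or from any patch-management product; the patch identifiers, release dates, workflow stages, deadline values and reference date are constructed assumptions.

```python
"""Added example: patch triage against severity deadlines and a test-then-deploy workflow.
Patch identifiers, dates, stages and deadline values are constructed for illustration."""
from datetime import date, timedelta

TODAY = date(2025, 6, 15)  # fixed reference date for reproducibility; use date.today() in practice

# Days allowed from vendor release to production deployment, by severity (constructed policy)
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Workflow stages: a patch must pass the controlled test environment before production
NEXT_ACTION = {
    "available": "test in staging",
    "tested": "deploy to production",
    "deployed": None,  # nothing left to do
}

# Constructed sample patch feed (identifiers are placeholders, not real advisories)
PATCHES = [
    {"id": "vendor-patch-001", "severity": "critical", "released": date(2025, 6, 1), "stage": "tested"},
    {"id": "vendor-patch-002", "severity": "high", "released": date(2025, 6, 10), "stage": "available"},
    {"id": "vendor-patch-003", "severity": "medium", "released": date(2025, 5, 1), "stage": "deployed"},
    {"id": "vendor-patch-004", "severity": "low", "released": date(2025, 6, 1), "stage": "available"},
]


def triage(patches=PATCHES, sla=SLA_DAYS, today=TODAY):
    """Return outstanding patches with deadline, days left and next workflow step, earliest deadline first."""
    work = []
    for p in patches:
        if p["severity"] not in sla:
            raise ValueError(f"{p['id']}: unknown severity {p['severity']!r}")
        if p["stage"] not in NEXT_ACTION:
            raise ValueError(f"{p['id']}: unknown stage {p['stage']!r}")
        action = NEXT_ACTION[p["stage"]]
        if action is None:
            continue  # already in production
        deadline = p["released"] + timedelta(days=sla[p["severity"]])
        days_left = (deadline - today).days
        work.append({
            "id": p["id"],
            "severity": p["severity"],
            "deadline": deadline,
            "days_left": days_left,
            "overdue": days_left < 0,
            "next_action": action,
        })
    # Earliest deadline first; ties broken by id so output is stable
    work.sort(key=lambda w: (w["deadline"], w["id"]))
    return work


def overdue_count(patches=PATCHES, sla=SLA_DAYS, today=TODAY):
    """Single number suitable for a weekly report or an alert threshold."""
    return sum(1 for w in triage(patches, sla, today) if w["overdue"])


if __name__ == "__main__":
    for w in triage():
        flag = "OVERDUE" if w["overdue"] else f"{w['days_left']:3d} days"
        print(f"{w['id']:18} {w['severity']:8} due {w['deadline']}  {flag:9}  -> {w['next_action']}")
    print("overdue:", overdue_count())
```

Because the deadline clock starts at vendor release rather than at the start of testing, time spent in the controlled environment counts against the window, which is the intended pressure: a critical patch that sits in staging past its deadline shows as overdue even though nothing has been deployed.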
Tabletop Exercises
Tabletop exercises simulate cybersecurity incidents to test the effectiveness of an organization’s policies, procedures, and incident response plan. These exercises:
- Provide a safe environment to identify gaps in existing plans.
- Improve coordination among internal teams, such as IT, legal, and public relations.
- Familiarize employees with their roles during a real incident.
Conducting these exercises regularly ensures that the organization can respond quickly and effectively to cyber threats.
Special Considerations for Specific Industries
Different industries face unique cybersecurity challenges due to the nature of their operations and the data they handle. Minnesota businesses must tailor their strategies to meet the specific legal and regulatory requirements of their sectors.
Healthcare
The healthcare industry is one of the most heavily regulated sectors for data security, with both federal and state laws imposing stringent requirements.
- HIPAA Compliance: Healthcare providers, insurers, and clearinghouses must comply with the Security and Privacy Rules under HIPAA. These rules govern the protection of electronic protected health information (ePHI) and require a regular risk analysis and access controls (both Required implementation specifications). Encryption of ePHI is an “Addressable” implementation specification, meaning the entity must implement it where reasonable and appropriate, or document why not and adopt an equivalent alternative. 45 C.F.R. §§ 164.306(a), 164.308(a)(1)(ii)(A), 164.312(a)(1), (a)(2)(iv) (available at https://www.law.cornell.edu/cfr/text/45/164.306). HHS published a proposed rule in January 2025 that would make encryption mandatory, but no final rule has issued, so it is not yet a current requirement.
- Minnesota-Specific Requirements: State laws may impose additional obligations, such as securing patient medical records and adhering to strict breach notification timelines.
The integration of medical devices and telehealth services introduces new risks, making ongoing monitoring and secure device management essential.
Financial Services
Financial institutions are prime targets for cybercriminals due to the value of the data they possess. Compliance frameworks in this sector include:
- GLBA Requirements: The GLBA directs each relevant regulatory agency to establish standards for the financial institutions under its jurisdiction relating to administrative, technical, and physical safeguards for customer information. 15 U.S.C. § 6801(b) (available at https://www.law.cornell.edu/uscode/text/15/6801). For non-bank financial institutions under FTC jurisdiction, the implementing FTC Safeguards Rule requires a comprehensive written information security program. 16 C.F.R. § 314.3(a). Under that Rule, the program must be based on a written risk assessment performed periodically, must provide security awareness training updated as necessary to reflect identified risks, and must designate a Qualified Individual who reports at least annually to the institution’s board or a senior officer. 16 C.F.R. § 314.4(b), (e), (i) (available at https://www.law.cornell.edu/cfr/text/16/314.4). The amended Safeguards Rule (with the prescriptive technical provisions enforceable June 9, 2023) further requires encryption of customer information in transit and at rest, 16 C.F.R. § 314.4(c)(3), and multi-factor authentication for anyone accessing an information system, 16 C.F.R. § 314.4(c)(5); a later amendment requires notifying the FTC of a notification event involving the unencrypted customer information of 500 or more consumers, no later than 30 days after discovery, 16 C.F.R. § 314.4(j) (effective May 13, 2024).
- PCI DSS Standards: Businesses that store, process, or transmit credit card data must adhere to the Payment Card Industry Data Security Standard (PCI DSS), a private industry standard maintained by the PCI Security Standards Council and enforced contractually by the card brands rather than by statute. The current version is PCI DSS v4.0.1 (published June 2024); the prior v3.2.1 was retired and the v4.0 future-dated requirements became mandatory March 31, 2025. See https://www.pcisecuritystandards.org/standards/pci-dss/.
Minnesota’s Plastic Card Security Act further strengthens protections for payment card information by restricting data retention practices. Minn. Stat. § 325E.64.
Retail and E-Commerce
The retail sector faces significant risks related to point-of-sale (POS) systems and online transactions.
- Transaction Security: Retailers must secure payment systems against malware and unauthorized access. Encryption and tokenization are commonly used methods.
- Data Privacy Laws: Retail businesses must comply with both state and federal laws regarding consumer privacy and breach notification. Maintaining transparency in data collection practices can also build customer trust.
As e-commerce continues to grow, retailers must address vulnerabilities in online platforms, such as weak authentication mechanisms and insecure APIs.
Manufacturing
Manufacturers face unique cybersecurity challenges related to intellectual property and operational technology (OT).
- Protecting Trade Secrets: Manufacturers must secure proprietary designs, processes, and supply chain data. Data loss prevention (DLP) systems can help monitor and control sensitive information.
- Securing OT Systems: Industrial control systems (ICS) and Internet of Things (IoT) devices often lack robust security measures, making them targets for cyberattacks. Segmenting OT networks from IT systems and implementing strong access controls can reduce risks.
Education
Educational institutions handle large volumes of personal and financial information, making them attractive targets for cybercriminals.
- FERPA Compliance: Schools that receive federal education funds under any applicable federal program must protect the privacy of student education records under the Family Educational Rights and Privacy Act (FERPA), generally barring release of education records without parental consent and requiring reasonable methods to control access. 20 U.S.C. § 1232g; 34 C.F.R. § 99.31(a)(1)(ii) (available at https://www.law.cornell.edu/uscode/text/20/1232g). Those reasonable methods may include physical access controls, technological (digital) access controls, or effective administrative policy.
- Remote Learning Risks: The shift to online and hybrid learning environments has increased vulnerabilities, including unauthorized access to virtual classrooms and theft of login credentials.
By adopting robust security measures and engaging in continuous education, institutions can protect their students, staff, and reputations.
Emerging Trends and Future Outlook
The cybersecurity landscape is dynamic, with new threats, technologies, and regulations constantly reshaping the environment. Businesses and attorneys in Minnesota must stay informed to adapt effectively.
State-Level Privacy Legislation
Minnesota has now joined the states with a comprehensive consumer privacy law comparable to California’s CCPA: the Minnesota Consumer Data Privacy Act, which may be cited by that name. Minn. Stat. § 325M.10 (available at https://www.revisor.mn.gov/statutes/cite/325M.10). The Act grants consumers rights to confirm and access their data, correct it, delete it, and obtain it in a portable format, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Minn. Stat. § 325M.14 (available at https://www.revisor.mn.gov/statutes/cite/325M.14). Businesses should prepare by implementing privacy-first policies that prioritize transparency, data minimization, and user rights, and by confirming whether they meet the Act’s coverage thresholds.
Evolving Cyber Threats
Cybercriminals continue to develop sophisticated attack methods, including:
- Advanced Persistent Threats (APTs): Long-term, targeted attacks designed to steal data or disrupt operations.
- AI-Driven Cyberattacks: The use of artificial intelligence to automate phishing, malware deployment, and other malicious activities.
Staying ahead of these threats requires continuous investment in emerging technologies, such as AI-driven security tools and behavioral analytics.
Cybersecurity Certification and Professionalization
As cybersecurity becomes increasingly specialized, the demand for certified professionals is growing. Credentials such as Certified Information Systems Security Professional (CISSP) or Certified Ethical Hacker (CEH) can enhance an organization’s ability to address complex challenges. Businesses should consider investing in training and certifications for internal teams or hiring third-party experts.
Practical Recommendations for Businesses
To conclude, Minnesota businesses should adopt the following practices to strengthen their cybersecurity:
- Develop a Security-First Culture: Engage leadership and employees in cybersecurity initiatives through training and communication.
- Implement Strong Technical Defenses: Use encryption, firewalls, and intrusion detection systems to protect networks and data.
- Plan for Incidents: Regularly update and test incident response plans to ensure readiness.
- Partner with Experts: Work with attorneys, IT professionals, and insurers to address legal and technical aspects of cybersecurity.
By taking proactive steps, businesses can reduce their exposure to cyber threats, maintain compliance, and build resilience in the face of an ever-changing digital landscape.