February 11, 2019 05:28 PM
It might come as a surprise to many Minnesotans, but state and local governments aren't always required by law to report data breaches involving private information of citizens.
"Current law...says a breach does not occur unless there was unauthorized acquisition of the data with intent to use the data for non-governmental purposes," Sen. Warren Limmer testified at a Senate Judiciary Committee hearing. "That means the public isn't always knowledgeable when a breach occurs."
That's because many data breaches aren't the result of hackers going after data for unlawful purposes.
"Most security incidents that happen where data is breached are actually caused by employee mistakes," says Chris Buse from the Office of Legislative Auditor. His office supports a bill authored by Sen. Limmer that would require notification no matter how the information is "breached."
However, organizations ranging from the Minnesota Office of Management and Budget (MMB) to Hennepin County says inadvertent release of data doesn't always put people's information in jeopardy. If every organization has to notify people when mail is delivered to the wrong office or data is accidentally disseminated without harm, they say it would be a major burden.
"We do think the bill will have some unintended consequences," says Kristyn Anderson, general counsel for MMB. "Good faith mistakes do happen within an organization for legitimate purposes. These situations should not be considered data breaches."
No vote was taken on the bill Monday and Limmer says he's willing to refine the language. However, his primary concern is the security of data and letting citizens know how it's being used.
"If we release citizens private data we may unintentionally make their lives more difficult, more costly," Limmer says.
Updated: February 11, 2019 05:28 PM
Created: February 11, 2019 04:52 PM
Copyright 2019 - KSTP-TV, LLC A Hubbard Broadcasting Company