These days we hear more about data breaches at large companies such as Target, Home Depot, and Yahoo. In part, this stems from businesses’ increasing retention of customer information. Information as simple as a person’s name, address, or email can be valuable to those who would, for example, compile hundreds or thousands of email addresses and sell them to someone else who will blast them full of offers for a free “Caribbean Cruise.” The risk of identity theft also exists, as consumers are increasingly required to disclose more sensitive personal information when buying or selling things online.
Because businesses are retaining more customer information, and because of the greater risk that such information could be compromised, every business (not just behemoths like Yahoo and Home Depot) should be aware of the legally-required steps to take in the event of a data breach. (Of course businesses should take serious steps to minimize the possibility of a data breach in the first place, but that topic is beyond the scope of this article.) This article focuses on the customer-notice steps that Minnesota and Wisconsin law require a business to take after an unauthorized acquisition of personal information occurs.
Minnesota Statutes section 325E.61 and Wisconsin Statutes section 134.98 provide the customer-notice steps businesses must take in the event of a data security breach resulting in the unauthorized acquisition of personal information. Here is a closer look at the main requirements of each law:
Who is subject to the laws?
Minnesota
- Any person or business that conducts business in Minnesota and (a) owns or licenses data that includes personal information, or (b) maintains data that includes personal information that the person or business does not own.
- The law does not cover financial institutions, which are governed by federal laws and regulations regarding data security.
Wisconsin
- Any entity whose principal place of business is located in Wisconsin, or that maintains or licenses personal information in Wisconsin, or certain entities that maintain depository accounts for, or lend money to, residents of Wisconsin.
- The law does not cover certain financial institutions that are governed by federal laws and regulations regarding data security.
- It also does not cover any health plan, health care clearinghouse, or any health care provider that is covered by HIPAA.
What kind of “personal information” is covered?
Minnesota
- An individual’s last name and first name or first initial in combination with any one or more of the individual’s non-encrypted (a) social security number, (b) driver’s license number or Minnesota identification card number, or (c) account number or credit or debit card number, in combination with any required security or access code or password that would permit access to the individual’s financial account.
- “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Wisconsin
- An individual’s last name and first name or first initial, in combination with any one or more of the individual’s non-encrypted (a) social security number, (b) driver’s license number or state identification number, (c) account number or credit or debit card number, in combination with any required security or access code or password that would permit access to the individual’s financial account, (d) DNA profile, or (e) unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
- “Personal information” does not include publicly available information that the entity reasonably believes is (a) lawfully made widely available through any media, or (b) lawfully made available to the general public from federal, state, or local government records or disclosures to the general public that are required by federal, state, or local law.
What is required in the event of an unauthorized acquisition of personal information?
Minnesota
- The business must notify the individual whose personal information was acquired that the unauthorized acquisition occurred.
Wisconsin
- The business must notify the individual whose personal information was acquired that the unauthorized acquisition occurred.
- Upon written request by the individual who has received the notice, the covered entity must identify what personal information was acquired.
- Notice is not required if (a) the unauthorized acquisition does not create a material risk of identity theft or fraud to the individual, or (b) the personal information was acquired in good faith by an employee or agent of the entity who used it for a lawful purpose of the entity.
How must the notice be transmitted?
Minnesota
- One of three methods:
- written notice to the individual’s most recent address in the business’s records; or
- electronic notice, if the business’s primary method of communicating with the individual is by electronic means or if the individual consented to electronic notice of a data breach; or
- if the business shows that the cost of providing notice would exceed $250,000, or that the number of affected individuals exceeds 500,000, or that the business does not have sufficient contact information, substitute notice by all of: (1) email notice when the business has the individual’s email address, (2) conspicuous posting of the notice on the business’s website, if the business has one, and (3) notification to major statewide media.
Wisconsin
- By mail or a method that the business has previously used to communicate with the individual.
- If the business cannot determine with reasonable diligence the individual’s mailing address and has not previously communicated with the individual, the business must give notice by a method reasonably calculated to provide actual notice.
When must the notice be given?
Minnesota
- When the business owns or licenses the personal information, notice of the unauthorized acquisition must be given in the most expedient time possible and without unreasonable delay, subject to (a) the legitimate needs of law enforcement (which may require delaying notice), or (b) the business taking measures necessary to determine the scope of the data breach, identify the individuals affected, and restore the reasonable integrity of its data system.
- When the business only maintains personal information it does not own, it must notify the owner or licensee of the information of the unauthorized acquisition immediately after the business discovers it.
Wisconsin
- Unless directed by law enforcement, notice must be given within a reasonable time after the business learns of the unauthorized acquisition, not to exceed 45 days.
How are these laws enforced?
Minnesota
- The Minnesota attorney general is authorized to investigate suspected violations of Minn. Stat. § 325E.61 and prosecute persons or entities for violations. Penalties for a violation are civil and may include monetary fines.
- Although no Minnesota state appellate court appears to have decided whether an individual may file a civil lawsuit for an alleged violation of the Minnesota statute, in a federal lawsuit filed against Target, the U.S. District Court for the District of Minnesota decided that an individual cannot do so.
Wisconsin
- Unlike the Minnesota statute, the Wisconsin statute does not limit who may enforce the statute’s provisions. In fact, the statute implies that an individual may file a civil lawsuit for an alleged violation: it provides that failure to comply with the statute “is not negligence or a breach of any duty, but may be evidence of negligence or breach of a legal duty.”
- In the same federal lawsuit against Target, the court allowed the individuals’ claims against Target under the Wisconsin statute to proceed.
Conclusion
A breach of a business’s data system will never be a simple issue to address. But, by understanding the notice requirements in the event of a breach, businesses can minimize the possibility of legal liability.
Eric Johnson is an attorney with Fryberger, Buchanan, Smith & Frederick, P.A. practicing in the areas of Business Litigation, Appeals, and Banking/Lending Services. This article is not intended to provide legal advice. You should always consult an attorney regarding your specific circumstances.