Data Practices: Security and Breaches - PowerPoint Presentation
Uploaded by evans on 2023-06-26


Presentation Transcript

1. Data Practices: Security and Breaches
Data Practices Office
Info.dpo@state.mn.us

2. We are a statewide resource
Data Practices Office
- Informal advice/technical assistance
- Commissioner of Administration advisory opinions
- Website and info pages: https://mn.gov/admin/data-practices/
- Listserv and newsletters
- Legislative assistance
- Training

3. Today's agenda: 10:00 a.m. to 10:45 a.m.
- 10:00 a.m. Data security under Ch. 13
- 10:20 a.m. Breach of the security of data
- 10:35 a.m. Q&A

4. Data security under Ch. 13

5. General security of government data
- The Minnesota Government Data Practices Act provides limited guidance on the security of government data.
- Those provisions apply only to private and confidential data (data on individuals).
- There are no security provisions for not public data not on individuals (nonpublic or protected nonpublic data).

6. Collection of data limited
Minn. Stat. § 13.05, subd. 3
- Collection and storage of all data on individuals, and
- Use and dissemination of private and confidential data on individuals,
shall be limited to that necessary for the administration and management of programs specifically authorized by the legislature or local governing body or mandated by the federal government.
See also Minn. Rules 1205.1300, duties of the responsible authority in administering private/confidential data.

7. Use and dissemination of not public data
Minn. Stat. § 13.05, subd. 4
Private or confidential data shall not be collected, stored, used, or disseminated except as provided for in the Tennessen warning notice, except:
- Data treated as not public and collected before the MGDPA may be used in the same way with approval of the Commissioner of Administration
- Private or confidential data may be used or disseminated as specifically authorized by a law enacted after collection
- The Commissioner of Administration grants the entity's request for a new or different use or dissemination of the data
- Private data may be used or shared with the data subject's consent
Minn. Rules 1205.1400, subps. 3 and 4

8. Data protection
Minn. Stat. § 13.05, subd. 5; Minn. Rules 1205.0400
- Procedures to ensure that all data on individuals are accurate, complete, and current for the purposes for which they were collected
- Establish appropriate security safeguards for all records containing data on individuals:
  - Procedures for ensuring that data that are not public are accessible only to persons whose work assignment reasonably requires access to the data, and
  - Are accessed by those persons only for purposes described in the procedure

9. Data protection, continued
- Policy incorporating the procedures, which may include a model policy governing access to the data if sharing the data with other government entities is authorized by law.
- Destroy not public data in a way that prevents its contents from being determined.
- Verify the identity of data subjects requesting private data.

10. Example policy: Dept. of Admin
Policy includes the following procedures:
- A column on the data inventory for work-assignment access
- A provision in employee position descriptions where the position requires use of not public data
- A description of data sharing with other entities
- Recommended actions for appropriate access:
  - Assigning appropriate security roles, limiting access to appropriate shared network drives, and implementing password protection for not public electronic data
  - Password-protecting employee computers and locking computers before leaving workstations
  - Securing not public data within locked work spaces and in locked file cabinets
- Notes the penalties for unlawful access to data
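The access-control procedure in slides 8 and 10 (not public data accessible only to persons whose work assignment reasonably requires it, only for the purposes described, with the work assignment recorded on the data inventory) can be checked after the fact from the application's access logs. The following is an added example written for this page, not code from the Data Practices Office or from the Department of Administration policy; the inventory layout, the log format, and every user, role, and category name are constructed assumptions.

```python
"""Audit access to private/confidential data against a data inventory.

Added example, not from the Data Practices Office or the Department of
Administration policy. The inventory layout, the log format, and the
user, role, and category names are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed data inventory: for each category of private/confidential data,
# the work assignments (security roles) whose duties reasonably require access.
INVENTORY = {
    "personnel_investigations": {"hr_investigator", "hr_director"},
    "dvs_driver_records": {"records_technician"},
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user: str
    role: str
    category: str
    purpose: str  # case or request reference recorded at access time; may be empty


def parse_access_log(lines):
    """Parse constructed CSV lines of the form timestamp,user,role,category,purpose."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        events.append(AccessEvent(*parts))
    return events


def audit(events, inventory):
    """Return (event, reason) pairs for every access the procedure does not permit.

    Three conditions are checked, in order: the category must be on the data
    inventory at all (slide 13: private/confidential data are listed on it),
    the role must be one whose work assignment requires access (slide 8),
    and a work purpose must have been recorded for the access (slide 8).
    """
    findings = []
    for ev in events:
        allowed = inventory.get(ev.category)
        if allowed is None:
            findings.append((ev, "category missing from data inventory"))
        elif ev.role not in allowed:
            findings.append((ev, "role has no work assignment requiring access"))
        elif not ev.purpose:
            findings.append((ev, "no work purpose recorded"))
    return findings


# Constructed sample log. Lines 3, 4 and 5 each violate one condition.
SAMPLE_LOG = """
# timestamp,user,role,category,purpose  (constructed)
2023-06-01T09:02:11,jsmith,hr_investigator,personnel_investigations,case-2023-017
2023-06-01T09:15:40,alee,records_technician,dvs_driver_records,request-4412
2023-06-01T09:16:05,alee,records_technician,dvs_driver_records,
2023-06-01T10:30:00,bnguyen,patrol_officer,dvs_driver_records,incident-88
2023-06-01T11:00:00,jsmith,hr_investigator,benefit_enrollment,case-2023-017
""".strip().splitlines()


def audit_sample():
    """Run the audit over the constructed log against the constructed inventory."""
    return audit(parse_access_log(SAMPLE_LOG), INVENTORY)


if __name__ == "__main__":
    for ev, reason in audit_sample():
        print(f"{ev.timestamp} {ev.user} ({ev.role}) -> {ev.category}: {reason}")
```

An audit like this finds role and inventory gaps and accesses with no recorded purpose; it only works if the application requires a purpose code at access time rather than letting it be left blank. It cannot see scenario No. 2 below, where an authorized technician shows the screen to a co-worker: that disclosure produces no log entry, which is why the slides pair technical safeguards with training and position-description language.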

11. Data inventory
Minn. Stat. § 13.025, subd. 1
All government entities must have a data inventory that includes:
- The responsible authority's name, title, and address, and a description of each category of record, file, or process relating to private or confidential data on individuals maintained by the government entity
- Forms used to collect private and confidential data may be included in the inventory
- Updated annually
- Available to the public

12. Model policies and data inventory
https://mn.gov/admin/data-practices/data/rules/policies/

13. Determining security requirements / developing security procedures
- Are the data "data on individuals"?
  - If no, the entity determines how to protect them
  - If yes, what is the classification?
    - If public, no security requirements, BUT a limitation on collection
    - If the data are private or confidential:
      - Required procedures and policy on data security
      - Listed on the data inventory
      - Optional policy on who may access the data outside the entity

14. Practical tips and considerations
- Review the data inventory yearly
- Training for entity employees
- Policies and procedures are only useful if they are followed
- Connect with IT
- Legislative changes

15. Data Breaches
Minn. Stat. § 13.055

16. When has there been a data breach?
When the following apply:
- A person
- views or takes private or confidential data,
- without permission or statutory authority, and
- with the intent to use the private or confidential data for nongovernmental purposes.

17. What happens after a data breach?
- Investigation
- Notification to data subjects
- Public report
- Notification to credit reporting companies

18. What should a breach notice look like?
- In writing
- Inform the individual that a report will be prepared about the breach investigation
- State that an individual may request a copy of the report by mail or email
- Sent without unreasonable delay
Sample notice: https://mn.gov/admin/data-practices/data/warnings/breaches/

19. How must an entity provide notice?
- First class mail or electronic notice
- Substitute notice is an option if:
  - The cost of written notice exceeds $250,000 or the affected group exceeds 500,000 individuals, or
  - The entity does not have sufficient contact information
- Substitute notice must include:
  - Email notice if the entity has an email address for affected individuals, AND
  - Posting the notice on the entity's website, if the entity maintains a website, AND
  - Notification to major media outlets within the entity's jurisdiction
- The entity must notify consumer reporting agencies if a breach requires notification to more than 1,000 individuals

20. What type of report is required following a breach investigation?
- The entity must complete an investigation and prepare a report, including the facts and the results of the investigation
- If the breach involved unauthorized access by an employee, the report must include:
  - A description of the data that were accessed or acquired
  - The number of individuals affected
- If there is a final disposition of disciplinary action against an employee, the report must include:
  - The name of each responsible employee
  - The final disposition of discipline taken in response

21. Annual security assessment
Minn. Stat. § 325E.61, subd. 1(e)
- Yearly security assessment of any "personal information" the entity maintains
- "Personal information" is an individual's first name or first initial and last name in combination with one or more of these elements, when unencrypted:
  - Social Security number
  - Driver's license number or Minnesota ID card number
  - Account number or credit/debit card number, in combination with the security code, access code, or password
- The security assessment will vary depending on the personal information maintained
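Slides 19 and 21 together describe a decision procedure a breach-response team has to run against an exported copy of the compromised data: decide which records meet the "personal information" definition, count the distinct individuals, and from that count choose direct or substitute notice and whether consumer reporting agencies must be told. The following is an added example written for this page, not the Data Practices Office's code; the record layout, the per-notice cost, and the sample records are constructed assumptions, while the thresholds are the ones stated on the slides.

```python
"""Scope a breach of "personal information" and choose the notice mode.

Added example, not part of the Data Practices Office slides. The record
layout, the per-notice cost, and the sample records are constructed
assumptions; the element list and the thresholds are those stated on the
slides (Minn. Stat. 325E.61, subd. 1, and 13.055).
"""
from dataclasses import dataclass, field

# Elements that, unencrypted and paired with first name/initial + last name,
# make a record "personal information" on their own.
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "mn_id_card"}
# Account or card numbers count only together with a code that permits access.
ACCOUNT_ELEMENTS = {"account_number", "card_number"}
ACCESS_CODES = {"security_code", "access_code", "password"}

SUBSTITUTE_COST_LIMIT = 250_000    # dollars; written notice costing more permits substitute notice
SUBSTITUTE_SIZE_LIMIT = 500_000    # individuals; a larger group permits substitute notice
CRA_NOTIFICATION_LIMIT = 1_000     # individuals; more than this requires notifying consumer reporting agencies


@dataclass(frozen=True)
class ExposedRecord:
    first_name: str                      # full first name or first initial
    last_name: str
    elements: dict                       # element name -> value as stored (may be empty)
    encrypted: frozenset = frozenset()   # elements that were stored encrypted

    def clear_elements(self):
        """Elements present in the record and not protected by encryption."""
        return {k for k, v in self.elements.items() if v and k not in self.encrypted}


def is_personal_information(rec: ExposedRecord) -> bool:
    """Apply the slide-21 definition: name plus at least one unencrypted element."""
    if not (rec.first_name and rec.last_name):
        return False
    clear = rec.clear_elements()
    if clear & STANDALONE_ELEMENTS:
        return True
    # An account/card number alone is not enough; it needs an accompanying code.
    return bool(clear & ACCOUNT_ELEMENTS) and bool(clear & ACCESS_CODES)


def affected_individuals(records):
    """Distinct individuals (case-insensitive name match) whose personal information was exposed."""
    return {(r.first_name.lower(), r.last_name.lower())
            for r in records if is_personal_information(r)}


@dataclass
class NoticePlan:
    individuals: int
    mode: str                              # "direct" or "substitute"
    channels: list = field(default_factory=list)
    notify_consumer_reporting_agencies: bool = False


def plan_notice(n, cost_per_notice, has_contact_info, has_email, has_website):
    """Choose the notice mode for n affected individuals per slide 19."""
    direct_cost = n * cost_per_notice
    if direct_cost > SUBSTITUTE_COST_LIMIT or n > SUBSTITUTE_SIZE_LIMIT or not has_contact_info:
        # Substitute notice: all applicable channels, not a choice among them.
        channels = ["major media outlets in the entity's jurisdiction"]
        if has_website:
            channels.insert(0, "entity website")
        if has_email:
            channels.insert(0, "email")
        plan = NoticePlan(n, "substitute", channels)
    else:
        plan = NoticePlan(n, "direct", ["first class mail or electronic notice"])
    plan.notify_consumer_reporting_agencies = n > CRA_NOTIFICATION_LIMIT
    return plan


# Constructed sample export; values are placeholders, not real identifiers.
SAMPLE_RECORDS = [
    ExposedRecord("Alice", "Anderson", {"ssn": "***-**-1234"}),
    ExposedRecord("B", "Berg", {"drivers_license": "X000000000000"}),        # first initial suffices
    ExposedRecord("Carl", "Carlson", {"ssn": "***-**-5678"}, frozenset({"ssn"})),  # encrypted: excluded
    ExposedRecord("Dana", "Dahl", {"card_number": "4111********1111", "security_code": ""}),  # no code
    ExposedRecord("Erik", "Eide", {"account_number": "00012345", "access_code": "7781"}),
    ExposedRecord("", "Fjord", {"ssn": "***-**-9999"}),                      # no first name/initial
    ExposedRecord("alice", "ANDERSON", {"ssn": "***-**-1234"}),              # duplicate of Alice
]


def scope_sample(cost_per_notice=1.25):
    """Count affected individuals in the sample and plan notice, assuming contact info, email and a website."""
    n = len(affected_individuals(SAMPLE_RECORDS))
    return n, plan_notice(n, cost_per_notice, True, True, True)


if __name__ == "__main__":
    n, plan = scope_sample()
    print(f"{n} individuals affected; {plan.mode} notice via {plan.channels}; "
          f"consumer reporting agencies: {plan.notify_consumer_reporting_agencies}")
```

The encryption check is only as good as the export: a record flagged encrypted here must actually have been stored encrypted on the compromised system, and with a key the attacker did not also obtain. Individuals are matched on name only, which is what the slide's definition keys on; a real scoping pass would also reconcile by record identifier so that one person with two spellings is counted once.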

22. OLA reporting
Minn. Stat. § 3.971, subd. 9
Agencies subject to audit by the Office of the Legislative Auditor must notify OLA when not public government data may have been:
- accessed, or
- provided to a person,
without lawful authorization.
This is a broader reporting obligation than required by § 13.055.

23. Scenarios

24. Breach or no breach: No. 1
At the end of the day, an administrative assistant at the County sees copies at the copier. After glancing at them, they realize that the copies contain private data about a personnel investigation in another program at the County. They put the copies in the confidential shredding bin.
- Has there been a breach under § 13.055?
- Does the County have to notify the Office of the Legislative Auditor?

25. No. 1: No breach
- There is no intent to use the data for nongovernmental purposes.
- Good-faith acquisition by a government employee, who disposed of the private data appropriately and did not further disclose it or provide access.
- No reporting to OLA, because the County is not subject to OLA audit.

26. Breach or no breach: No. 2
A records technician at a City police department has a work assignment to access the DVS database. When reviewing a file, they note that an adult driver's license photo looks like someone they work with. The tech calls the co-worker over to look at the photo.
- Has there been a § 13.055 breach?
- Does the City have to notify the Office of the Legislative Auditor?

27. No. 2: Breach
- The initial employee has a work assignment to access the database
- The employee accessed the data appropriately, BUT
- The second employee looking at the photograph for a nongovernmental purpose = breach.
- No reporting to OLA, because the City is not subject to OLA audit.

28. Breach or no breach: No. 3
BlackHat13 has hacked into an entity's staffing records system. They have accessed all of the files, including private personnel data.
- Has there been a § 13.055 breach?
- Does the entity have to notify the Office of the Legislative Auditor?

29. No. 3: Breach
- Private data on individuals were accessed, AND
- Intent to use the data for a nongovernmental purpose
- Access by a hacker compromises the security and classification of the data
- OLA reporting depends on whether the entity is subject to OLA audit.

30. Breach or no breach: No. 4
An employee at a state licensing board took a copy of the test questions and scoring key of the licensing examination home and showed it to their roommate.
- Has there been a breach under § 13.055?
- Does the board have to notify the Office of the Legislative Auditor?

31. No. 4: No breach
- Section 13.055 requirements do not apply to data not on individuals.
- Test questions and scoring keys are nonpublic data under section 13.34: data not on individuals.
- The board is subject to OLA audit and will need to report to OLA.

32. Send us your questions
- Type your questions in the Q&A panel
- If we don't get to your question, we will follow up afterwards
- Slides are available: https://mn.gov/admin/data-practices/news/events/webinars/
- A recording of this webinar will be available at: https://www.youtube.com/user/INFOIPAD
- Please fill out the evaluation in the polling panel

33. Stay in touch!
- Phone: 651-296-6733
- Email: info.dpo@state.mn.us
- Website: mn.gov/admin/data-practices
- Twitter: @MNgovdata
- YouTube: https://www.youtube.com/user/INFOIPAD