Minnesota Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Minnesota's data breach notification law requires any business that owns or licenses personal data to notify affected residents when that data is compromised. Codified at Minn. Stat. 325E.61, the law has been in effect since 2006 and applies to entities conducting business in the state, regardless of where they are headquartered.
This guide covers the full scope of Minnesota's breach notification requirements, including who must comply, what personal information triggers the law, the notification timeline, the encryption safe harbor, government entity rules under Minn. Stat. 13.055, and how the Minnesota Consumer Data Privacy Act (MCDPA) interacts with breach obligations.
Who Must Comply With Minnesota's Breach Notification Law
Minnesota's law applies to any person or business that conducts business in the state and owns or licenses data that includes personal information. This covers corporations, partnerships, sole proprietors, nonprofits, and any other entity that collects or maintains personal data belonging to Minnesota residents.
The law distinguishes between data owners and data maintainers. If a third-party service provider maintains personal information on behalf of another entity, that provider must notify the data owner immediately upon discovering a breach. The data owner then carries the obligation to notify affected consumers.
Financial institutions regulated under federal law are exempt from 325E.61 under Subdivision 4. These institutions follow federal breach notification frameworks such as those established by the Gramm-Leach-Bliley Act.
What Qualifies as a Breach Under Minnesota Law
Under Minn. Stat. 325E.61, Subd. 1(d), a breach of the security of the system means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the entity.
The term "unauthorized acquisition" is broad. It includes hacking, theft, insider misuse, and accidental exposure to unauthorized parties.
Good Faith Exception
Minnesota's law includes a good faith exception. An acquisition of personal information by an employee or agent of the entity does not count as a breach if the information was obtained for a lawful purpose and is not used or disclosed without authorization.
The Encryption Safe Harbor
Minnesota provides a clear safe harbor for encrypted data. If the personal information that was breached was encrypted or otherwise rendered unreadable, notification is not required. The critical condition is that the encryption key or password must not have been acquired along with the encrypted data.
This means businesses that encrypt personal information at rest and in transit can avoid notification obligations, but only when the keys remain secure. If both the encrypted data and the decryption key are compromised, the full notification requirements apply.
Personal Information That Triggers Notification
Minnesota's definition of personal information under Minn. Stat. 325E.61, Subd. 1(e) follows the traditional "name-plus" model. It requires an individual's first name or first initial and last name combined with one or more of the following data elements:
- Social Security number
- Driver's license number or Minnesota state identification card number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the individual's financial account

Personal information does not include data that is lawfully obtained from publicly available sources or from federal, state, or local government records that are lawfully available to the general public.
What Minnesota's Law Does Not Cover
Compared to many states that have modernized their breach notification statutes in recent years, Minnesota's definition of personal information is notably narrow. The law does not cover:
- Biometric data (fingerprints, retina scans, voiceprints, facial geometry)
- Medical or health information
- Health insurance identification numbers
- Passport numbers
- Login credentials (usernames combined with passwords or security questions)
- Taxpayer identification numbers (other than SSNs)
This gap means a breach exposing thousands of fingerprint records or medical histories belonging to Minnesota residents would not trigger notification under 325E.61. The MCDPA classifies biometric data as sensitive personal data requiring opt-in consent before processing, but it does not extend the breach notification trigger to cover biometric data breaches.
Notification Timeline: "Without Unreasonable Delay"
Minnesota requires notification "in the most expedient time possible and without unreasonable delay" after the discovery of a breach. Unlike states such as Indiana (45 days) or Florida (30 days), Minnesota does not set a specific day count.
This standard gives businesses some flexibility to investigate the scope of a breach before sending notifications, but it also creates ambiguity. What counts as "unreasonable" depends on the circumstances, and the Attorney General may evaluate delays on a case-by-case basis.
When Delay Is Permitted
Notification may be delayed if a law enforcement agency determines that disclosure would impede a criminal investigation. Once law enforcement confirms that notification will no longer compromise the investigation, the entity must notify affected individuals promptly.
Delays to restore the integrity of the data system and determine the scope of the breach are also considered reasonable, as long as the entity acts diligently.
Who Must Be Notified
Affected Individuals
The primary obligation is to notify every Minnesota resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
Consumer Reporting Agencies
Under Minn. Stat. 325E.61, Subd. 2, when a breach affects 500 or more people, the entity must notify the major nationwide consumer reporting agencies within 48 hours. This 48-hour window for CRA notification is notably fast compared to the general "without unreasonable delay" standard for individual notification.
The three major agencies are:
- Equifax
- Experian
- TransUnion

No General Attorney General Notification Requirement
Unlike many states, Minnesota's general breach notification statute (325E.61) does not require businesses to notify the state Attorney General when a breach occurs. However, the Minnesota Attorney General retains enforcement authority over the statute and may investigate breaches independently. Businesses should also be aware that the AG may request breach details during enforcement actions.
How to Provide Notification
Minnesota law permits several methods for notifying affected individuals under Minn. Stat. 325E.61, Subd. 1(b):
- Written notice mailed to the individual's most recent address on file
- Electronic notice if email is the primary method of communication between the entity and the individual, consistent with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN)
Substitute Notice
Substitute notice is available when the cost of standard notification would exceed $250,000, when the affected class exceeds 500,000 people, or when the entity lacks sufficient contact information. Substitute notice requires all three of the following:
- Email notice to all affected individuals for whom the entity has email addresses
- Conspicuous posting of the notice on the entity's website
- Notification to major statewide media outlets
Payment Card Data: Section 325E.64
Minn. Stat. 325E.64 adds specific protections for payment card data. This statute prohibits businesses that accept credit or debit cards from retaining card security codes, PIN verification codes, or full magnetic stripe data after a transaction is authorized (or within 48 hours for PIN debit transactions).
If a business violates this retention prohibition and a breach occurs, the business must reimburse financial institutions for reasonable costs related to the breach. These costs include:
- Card reissuance expenses
- Account closure and reopening costs
- Consumer notification expenses
- Unauthorized transaction losses
This makes Minnesota one of the few states with a statutory right allowing financial institutions to recover breach-related costs from merchants and service providers who improperly retained card data.
Government Entity Breaches: Section 13.055
Minnesota state and local government entities follow a separate breach notification statute, Minn. Stat. 13.055. This law covers breaches of private or confidential data maintained by government agencies.
Key Differences From the Private Sector Statute
Government breach notification under 13.055 has several distinctive features:
- Investigation report required: Government entities must prepare a written report documenting the types of data accessed, the number of individuals affected, the names of responsible employees (with limited exceptions), and any disciplinary outcomes.
- CRA threshold is 1,000: Government entities must notify consumer reporting agencies when breaches affect 1,000 or more individuals, compared to the 500-person threshold for private entities under 325E.61.
- Annual security assessments: Government entities must conduct annual comprehensive security assessments of the personal information they maintain.
- Auditor access: The Legislative Auditor and State Auditor retain access to non-public data for official audit duties related to breach investigations.
The notification timeline mirrors the private-sector standard: "in the most expedient time possible and without unreasonable delay."
Enforcement and Penalties
The Minnesota Attorney General enforces the breach notification law under Minn. Stat. 325E.61, Subd. 6. There is no private right of action. Individuals cannot sue businesses directly for failing to provide breach notification under this statute.
The AG can bring enforcement actions under the state's consumer protection statutes, including seeking injunctive relief and civil penalties. Minnesota's consumer fraud statute allows the AG to pursue penalties of up to $25,000 per violation.
While Minnesota's breach notification law does not specify its own penalty schedule, the AG's enforcement authority through consumer protection law provides meaningful accountability. Businesses that fail to notify or unreasonably delay notification face investigation and potential penalties.
Waiver Prohibition
Under Minn. Stat. 325E.61, Subd. 3, any waiver of the notification requirements is void and unenforceable as contrary to public policy. Businesses cannot include contract provisions that waive or limit their breach notification obligations.
How the MCDPA Interacts With Breach Notification
The Minnesota Consumer Data Privacy Act (MCDPA), effective July 31, 2025, created a comprehensive privacy framework for Minnesota. It applies to entities that control or process personal data of 100,000 or more consumers annually, or that derive over 25% of gross revenue from selling personal data and process data of 25,000 or more consumers.
The MCDPA does not replace or amend the breach notification statute. Under Section 325O.04(b)(2), data processors must assist controllers regarding "notification of a breach of the security of the system pursuant to section 325E.61." This directly incorporates the existing breach notification framework into MCDPA processor agreements.

The MCDPA adds several obligations that affect breach preparedness:
- Data security practices: Controllers must implement reasonable administrative, technical, and physical security measures to protect personal data.
- Data minimization: Controllers must limit data collection to what is adequate, relevant, and reasonably necessary. Collecting less data reduces breach exposure.
- Sensitive data consent: Biometric data, precise geolocation, racial or ethnic origin, and other sensitive categories require explicit opt-in consent before processing.
- Data protection assessments: Controllers must conduct assessments for processing activities that present a heightened risk to consumers.
Despite these protections, the MCDPA does not expand the breach notification trigger. A breach exposing biometric data or health information still does not require notification under 325E.61 unless the breach also involves one of the three traditional data elements (SSN, driver's license number, or financial account details).
Sources and References
This article draws from the following official Minnesota government sources:
- Minn. Stat. 325E.61 (Data Warehouses; Notice Required for Certain Disclosures) - Full text of Minnesota's private-sector data breach notification statute
- Minn. Stat. 325E.64 (Access Devices; Breach of Security) - Payment card data retention and financial institution reimbursement provisions
- Minn. Stat. 13.055 (Government Entity Breach Notification) - Government entity breach notification and investigation requirements
- Minnesota Consumer Data Privacy Act (HF 2309) - Comprehensive privacy law effective July 31, 2025
- Minnesota Attorney General - Enforcement authority for breach notification compliance
This article provides general legal information about Minnesota data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Minnesota for guidance specific to your situation.