Section 46A.06 - NOTIFICATION EVENTSubdivision 1.Notification requirement.(a) Upon discovering a notification event as described in subdivision 2, if the notification event involves the information of at least 500 consumers, a financial institution must notify the commissioner without undue delay, but no later than 45 days after the date the event is discovered. The notice must be made (1) in a format specified by the commissioner, and (2) electronically on a form located on the department's website.(b) The notice must include: (1) the name and contact information of the reporting financial institution;(2) a description of the types of information involved in the notification event;(3) if possible to determine, the date or date range of the notification event;(4) the number of consumers affected or potentially affected by the notification event;(5) a general description of the notification event; and(6) a statement (i) disclosing whether a law enforcement official has provided the financial institution with a written determination indicating that providing notice to the public regarding the breach would impede a criminal investigation or cause damage to national security, and (ii) if a written determination described under item (i) was provided to the financial institution, providing contact information that enables the commissioner to contact the law enforcement official. A law enforcement official may request an initial delay of up to 45 days following the date that notice was provided to the commissioner. The delay may be extended for an additional period of up to 60 days if the law enforcement official seeks an extension in writing. An additional delay may be permitted only if the commissioner determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.Subd. 2.Notification event treated as discovered.A notification event must be treated as discovered on the first day when the event is known to a financial institution. A financial institution is deemed to have knowledge of a notification event if the event is known to any person, other than the person committing the breach, who is the financial institution's employee, officer, or other agent.
Added by 2024 Minn. Laws, ch. 114,s 2-6, eff. 8/1/2024.