There are specific considerations when determining if a breach is reportable.

Consumers must be notified without unreasonable delay. If notification by an organization for more than 500 persons at one time is required, consumer reporting agencies must be notified within 48 hours with specific information. If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Organizations may be fined or penalized for Vendor violations. The Attorney General can investigate violations and take steps to enforce compliance and to recover a civil penalty of up to $25,000 from violators.

Internet service providers must take reasonable steps to maintain the security and privacy of a consumer’s personally identifiable information.

No person or entity conducting business in Minnesota accepting an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.

Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.