← All US breach laws·MN

Minnesota data breach notification law

Minnesota's data breach notification requirements under Minn. Stat. §§325E.61, 325E.64 (Plastic Card Security Act). Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
Minn. Stat. §§325E.61
Enforcer
Minnesota Attorney General
AG notification
Required
Private right of action
Yes — residents can sue

Notification deadlines

Notify affected residents
In the most expedient time possible and without unreasonable delay, but no later than 30 days for credit-card data breaches under the Plastic Card Security Act
Notify the state regulator
Yes — if more than 500 Minnesota residents are affected, written notice to the AG within 48 hours of notifying residents (effective 2025)
Notify consumer reporting agencies
Yes — if more than 500 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Minnesota is largely a no-harm-threshold state — notification required on unauthorized acquisition unless the encryption safe harbor applies
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Minnesota law

First name/initial + last name with SSN, DL/state ID, financial account + access code, health records; AND credit/debit card data under the Plastic Card Security Act

Penalties and enforcement

Plastic Card Security Act: card issuers may recover from the breached entity reasonable costs of card cancellation/reissuance + customer notification + refunds; AG civil enforcement separately
Enforced by: Minnesota Attorney General. Official regulator page →

Common pitfalls

Plastic Card Security Act lets banks/issuers sue the breached merchant directly for reissuance + notification costs — uncommon among state breach laws
The 30-day deadline for card data is shorter than the general breach deadline

Frequently asked questions

How long do I have to notify Minnesota residents after a data breach?
In the most expedient time possible and without unreasonable delay, but no later than 30 days for credit-card data breaches under the Plastic Card Security Act
Do I have to notify the Minnesota Attorney General?
Yes — if more than 500 Minnesota residents are affected, written notice to the AG within 48 hours of notifying residents (effective 2025)
Does Minnesota require notification to nationwide consumer reporting agencies?
Yes — if more than 500 residents, notify nationwide CRAs
Is encrypted data exempt from Minnesota's breach notification requirement?
Yes — Minnesota has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Minnesota residents sue me directly for a data breach?
Yes — Minnesota allows a private right of action. Affected residents may sue for actual damages and, in some cases, statutory damages or attorneys' fees. Class actions are common.
What counts as 'personal information' under Minnesota law?
First name/initial + last name with SSN, DL/state ID, financial account + access code, health records; AND credit/debit card data under the Plastic Card Security Act
What are the penalties for failing to comply with Minnesota's breach notification law?
Plastic Card Security Act: card issuers may recover from the breached entity reasonable costs of card cancellation/reissuance + customer notification + refunds; AG civil enforcement separately

Related state breach laws

Massachusetts (MA)
Mass. Gen. Laws ch. 93H §§1–6 + 201 CMR 17.00
Michigan (MI)
Mich. Comp. Laws §§445.63
Mississippi (MS)
Miss. Code §75-24-29
Missouri (MO)
Mo. Rev. Stat. §407.1500

Pre-empt the Minnesota breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Minnesota's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit