
New Minnesota State Law Letter

December, 2005

To: Deans, Directors, and Dept. Heads
Fr: Steve Cawley, Associate Vice President & Chief Information Officer
Re: New Minnesota state law

I write to inform you of an amendment to the Minnesota Data Practices Act; effective August 2005, state agencies and the University have a new responsibility. Section 21 of the Act requires notification of individuals if there is a breach of security (a defined term) of certain private or sensitive data. I'm sure we all hope this situation will not occur in our areas of responsibility, but nonetheless I think it is prudent to make you aware of this new law and how to avoid having to deal with it.

As the Chief Information Officer, I have been delegated responsibility to ensure that units complete appropriate notifications under this new provision of the Data Practices law. Units should know that they will need to be able to marshal resources to send these notifications expeditiously if such a breach occurs and that considerable inconvenience and expense will be necessary to complete mailings if the number of people to be notified is large.

The number one way to avoid having to deal with the new law is to store as little legally protected information as possible, to centralize the private data that is needed as much as possible, and to maintain a high level of security for that private data. Social security numbers, patient information, private student data, etc. should be stored on well-secured servers, with as little private information as possible on personal computers and portable devices. It is easier to concentrate limited resources on securing a few servers than on many computers throughout your unit(s).

If your unit does need to store legally private information, by policy it must be stored on a computer that is protected to the level of the Securing Private Data Standard at: http://www.umn.edu/oit/security/privatedata.html 

Appendix A of the Securing Private Data Standard lists examples of legally private data. Note that legally private information stored on computers or electronic devices--whether a server, personal computer, laptop, or Personal Digital Assistant (PDA)--needs continuing review and support. What you don't know can hurt you, so please review with staff in your unit(s) the type and volume of data you are storing, and identify the staff responsible for the ongoing review and support.

Should a breach or suspected breach come to your attention, contact OIT Security & Assurance by sending email to abuse@umn.edu or, in more urgent situations, call 612-301-4357 and ask that the security on-call person be paged. The Office of Information Technology will review suspected breaches with the Office of the General Counsel and other University officers, and will coordinate with your unit administrators should notification of individuals be required.

If you have any questions, feel free to contact me at cawley@umn.edu.

Thank you for your assistance.