DNR data breach gives rise to protection issues

Nine days after a former Department of Natural Resources employee was sentenced for inappropriately accessing thousands of driver’s license files, a conference committee began its work to hammer out differences on a bill that addresses the data privacy breach.

While HF183 is a result of last year’s DNR situation, Rep. Mary Liz Holberg (R-Lakeville) said public employee access remains an issue. During Wednesday’s conference committee, she said that as recently as last week, there were news reports about a Metro Transit employee looking at 7,000 records. “It’s pretty clear to me that we don’t have some groups taking this seriously.” 

Holberg sponsors the bill along with Sen. D. Scott Dibble (DFL-Mpls). It passed the House last session and the Senate this month. After about an hour of deliberation, the conference committee adjourned, with no date set to reconvene.

The bill would add protections to help prevent information breaches and impose stiffer penalties.

“What is apparent, in many instances, is a complete lack of oversight, and this bill is trying to get a handle on some of those issues,” Holberg said at an earlier House committee hearing.

The bill would:

• require procedures for ensuring that private data is accessible only to those whose work assignment calls for that access;
• expand current law requiring that notification of a breach of privacy to all government entities, not just state agencies as now directed; and
• establish penalties for the breach.

Entering conference committee, the primary difference between the House and Senate language — and producing the most heartburn for government entities — is a Senate provision that would permit a person to request the name of anyone who has obtained access to their private data, unless the data would identify an undercover law enforcement officer or an active case. This provision had been in the initial House bill, but was amended out on the House floor. However, it became part of the Senate language through an amendment successfully offered by Sen. Julianne Ortman (R-Chanhassen).

Rep. Debra Hilstrom (DFL-Brooklyn Center) is concerned that the provision will have unintended consequences for those who, as part of their job, need to have access to protected information.

Because their name could be made public, she said there is the potential for retaliation. “If it is your job to learn how much someone makes for a court action, that person’s name would be available.” She advocates for a distinction to be made between someone who is “breaking the rules and the person who is doing the hard job that we are asking them to do.”

Beau Berentson, representing the Association of Minnesota Counties, said that local governments may not have access to the software that would provide an audit trail of which employee is accessing information.

Holberg disputed the claim saying that, for many private businesses, this type of tracking is standard operating procedure. She acknowledged the complex requirements that would be associated with the provision’s implementation.
“Hopefully we can come up with a compromise and come up with some sort of accountability. We don’t want to create a chilling effect on people who are just trying to do their job.”