Responding to a number of high-profile data breaches, state lawmakers announced legislation Wednesday that would impose stiffer penalties on public employees who misuse data and force local governments to disclose more information about the cases.
The legislation comes a week after the Department of Natural Resources announced that an employee had breached thousands of drivers license records over several years. Lawmakers cited Star Tribune reports showing that misuse of drivers license records is common in Minnesota.
"The time is ripe," said Rep. Mary Liz Holberg, R-Lakeville, the bill's House author. "I think everybody recognizes that we don't have the proper systems and procedures in place. And those individuals that are doing these things that are obviously illegal have to know we're serious about it."
The bill would have broad implications for breaches of state databases, but is targeted toward misuse of driver and vehicle services (DVS) data. That database, which is protected under state and federal law, contains photographs, addresses and driving records on nearly every Minnesotan.
A Star Tribune analysis of state records last fall showed that 160 individuals, mostly in government agencies, had improperly used the DVS database over a span of two years. Discipline ranged from reprimands to termination, but it very rarely lead to criminal charges.
Pushing for the bill in the Senate is Sen. Scott Dibble, who chairs the Transportation Committee. He and Holberg were joined at the press conference by several female lawmakers whose data was breached in the DNR case.
Specifically, the legislation would make it a gross misdemeanor if a public employee inappropriately accesses private data on multiple people or one person several times.
Local governments who discover misuse would have to send out data breach letters -- currently only mandated for state agencies -- and then publish their full investigations online. Holberg said the goal is to change the "culture" in government offices, particularly since hearing that the DNR employee was a "really nice person" whose actions mirrored his co-workers.
"If this had happened one time it would be pretty bad," Dibble said. "But it's happening multiple times. And it's happening at the hands of people who we invest a great deal of trust in."
The bill introduction precedes a much-anticipated report from the state's legislative auditor, which is expected to focus partly on the driver and vehicle services database. That report is due out in early February.
Patrick Hynes, a lobbyist with the League of Minnesota Cities, said they share the goal of preventing unauthorized access of private data. But, he added, some portions of the bill could potentially impose onerous mandates on the 800-plus cities they represent.
“We don’t really know what… the impact and the cost will be, especially on smaller cities," Hynes said.