Bill seeks more penalties for data breaches

After some high-profile breaches, legislators want to impose harsher penalties on public employees who peek at private data and force local governments to disclose more about such incidents when they occur.

At a Wednesday news conference, a DFLer and Republican joined forces on the bill, one week after the state Department of Natural Resources revealed that an employee had improperly looked at thousands of drivers license records over several years, including some politicians and journalists who later came forward -- most of them female.

In pursuing new data breach laws, bill sponsors cited a Star Tribune investigation showing that drivers license records are often misused in Minnesota.

"The time is ripe," said Rep. Mary Liz Holberg, R-Lakeville, the bill's House sponsor. "I think everybody recognizes that we don't have the proper systems and procedures in place. And those individuals that are doing these things that are obviously illegal have to know we're serious about it."

The bill would have broad implications for breaches of all government databases, but is aimed particularly at misuse of driver and vehicle services (DVS) data. That database, which is protected under state and federal law, contains photographs, addresses and driving records of Minnesotans who have a license.

A Star Tribune analysis of state records last fall showed that 160 individuals, mostly in government agencies, improperly used the DVS database over two years. Discipline ranged from reprimands to termination; criminal charges were rare.

Sen. Scott Dibble, chairman of the Transportation Committee, is sponsoring the bill in the Senate. Two female legislators whose information was breached in the DNR case joined Dibble and Holberg at the news conference.

The legislation would make it a gross misdemeanor if a public employee inappropriately accessed private data on more than one person, or on one person repeatedly, currently a misdemeanor. It also clarifies that "intent to cause harm" is not a factor in determining if misuse has occurred.

Local governments discovering misuse would have to send out data breach letters -- now only mandated for state agencies -- and publish a full report of their investigation online. Holberg said the goal is to change the "culture" in government offices, particularly since she heard that the unnamed DNR employee was a "really nice person" whose colleagues were making similar lookups.

"If this had happened one time it would be pretty bad," said Dibble, DFL-Minneapolis. "But it's happening multiple times. And it's happening at the hands of people who we invest a great deal of trust in."

The bill introduction precedes a much-anticipated report from the state's legislative auditor, which is expected to focus partly on the DVS database. That report is due in early February and could affect the proposal.

Patrick Hynes, a lobbyist with the League of Minnesota Cities, said his organization shares the goal of preventing unauthorized access of private data. But, he added, members hope to strike a balance between eliminating misuse and imposing overly onerous mandates for the 800-plus cities they represent.

But misuse can also come at a price, which many cities learned this year when former St. Paul police officer Anne Marie Rasmusson was awarded more than $1 million in settlements from local governments after suing over DVS misuse.

Learning names

The name of the DNR employee has not been released, which illustrates the difficulty breach victims can have learning just who's been looking at their data. If no discipline has been imposed, it can be nearly impossible to find out who made the breach. The bill includes a provision that could require disclosure of employees who have misused data, even if no discipline was imposed.

The DNR says the employee is no longer with the agency, but more information cannot be released because the case is not yet final. That usually means the employee is fighting the discipline in arbitration.

Rep. Sarah Anderson, one of the lawmakers whose data was breached, was disturbed that she did not know who viewed her file.

They aren't alone. Hennepin County Sheriff Rich Stanek was stonewalled by the Department of Public Safety after trying to learn the names of employees at 21 agencies who had accessed his data. The bill, however, makes no changes to an obscure section of the state's open records law that the department cited in withholding the names.

"The fun thing about this issue is it's bipartisan," Holberg said about the need for the bill. "It affects everybody. And we can solve this."