Minnesota Data Breach Notification Letter Package
(Compliant with Minn. Stat. § 325E.61 (2024) and all applicable federal and state privacy requirements)
[// GUIDANCE: This package contains two coordinated templates—one for the Minnesota Attorney General (“AG Notice”) and one for affected Minnesota residents (“Consumer Notice”). Both letters track the timing and content elements required under Minnesota’s data-breach statute, consumer-protection guidance issued by the Office of the Minnesota Attorney General, and industry best practices. Insert the identical factual narrative in both letters to ensure consistency and reduce litigation exposure.]
TABLE OF CONTENTS
-
AG NOTICE – MINNESOTA ATTORNEY GENERAL
1.1 Document Header
1.2 Definitions (for internal drafting consistency – DO NOT INCLUDE IN FINAL TRANSMITTAL)
1.3 Required Statutory Elements
1.4 Optional Discretionary Disclosures
1.5 Execution Block -
CONSUMER NOTICE – MINNESOTA RESIDENTS
2.1 Document Header
2.2 Required Statutory Elements
2.3 Recommended Supplemental Consumer-Protection Language
2.4 Execution Block -
APPENDICES (Optional)
A. Incident Chronology Table
B. Sample FAQ Sheet
C. Credit-Monitoring Enrollment Instructions
1. AG NOTICE – MINNESOTA ATTORNEY GENERAL
1.1 DOCUMENT HEADER
[COMPANY LETTERHEAD]
VIA [METHOD: CERTIFIED MAIL / COURIER / SECURE EMAIL]
Date: [DATE]
Office of the Minnesota Attorney General
Attn: Data Breach Notification Coordinator
445 Minnesota Street, Suite 1400
St. Paul, MN 55101
Re: Notice of Data Security Incident Affecting Minnesota Residents – [COMPANY LEGAL NAME]
1.2 DEFINITIONS [// GUIDANCE: Omit when sending]
“Company” – [COMPANY LEGAL NAME, STATE OF INCORPORATION]
“Incident” – The data-security event discovered on [DISCOVERY DATE].
“Personal Information” – Information as defined in Minn. Stat. § 325E.61, subd. 1.
1.3 REQUIRED STATUTORY ELEMENTS
-
Incident Overview
1.1 Date(s) of Incident: [START DATE] – [END DATE]
1.2 Date of Discovery: [DISCOVERY DATE]
1.3 Method of Discovery: [E.G., INTERNAL ALERT / THIRD-PARTY FORENSICS] -
Types of Personal Information Involved
• [E.G., FULL NAME]
• [E.G., SOCIAL SECURITY NUMBER (last four if full number not exposed)]
• [E.G., DRIVER’S LICENSE / STATE ID]
• [OTHER DATA ELEMENTS AS APPLICABLE] -
Scope of Impact
• Total Individuals Affected: [TOTAL #]
• Minnesota Residents Affected: [MN #]
• States/Regions Impacted: [LIST] -
Notification Actions
• Consumer Notice Mailing Commenced: [DATE]
• Estimated Completion: [DATE]
• Consumer Credit-Reporting Agency Notice (≥5,000 affected nationwide): [DATE / N/A] -
Remediation Measures Implemented
• [BRIEF DESCRIPTION OF TECHNICAL, OPERATIONAL, AND ORGANIZATIONAL SAFEGUARDS DEPLOYED]
• Third-party forensic investigation commenced on [DATE] (provider: [NAME]).
• Law-enforcement engagement: [YES / NO] – If “YES,” agency and date notified. -
Point of Contact
• Primary Contact: [NAME, TITLE]
• Direct Line: [PHONE]
• Email: [EMAIL]
• Mailing Address: [ADDRESS]
1.4 OPTIONAL DISCRETIONARY DISCLOSURES
[// GUIDANCE: Consider providing these to demonstrate good faith and cooperation.]
• Root-cause analysis status and projected completion date.
• Planned long-term security enhancements.
• Evidence of lack of consumer harm (if determined).
1.5 EXECUTION BLOCK
Respectfully submitted,
[AUTHORIZED SIGNATORY NAME]
[Title]
[Company Legal Name]
Cc: Minnesota Department of Public Safety (if law-enforcement referral)
Outside Counsel: [LAW FIRM]
2. CONSUMER NOTICE – MINNESOTA RESIDENTS
2.1 DOCUMENT HEADER
[COMPANY LETTERHEAD]
Date: [DATE]
[INDIVIDUAL NAME]
[ADDRESS]
[CITY], MN [ZIP]
Re: Important Notice of Data Security Incident
Dear [INDIVIDUAL NAME]:
2.2 REQUIRED STATUTORY ELEMENTS
-
What Happened
On [DISCOVERY DATE], we determined that unauthorized access to our computer network occurred between [START DATE] and [END DATE]. We completed a comprehensive investigation on [INVESTIGATION CLOSE DATE] confirming that certain files containing your personal information were accessed without authorization. -
What Information Was Involved
The information involved may have included your:
• [DATA ELEMENT]
• [DATA ELEMENT]
• [DATA ELEMENT]
We have no evidence that your information has been misused; however, we are notifying you out of abundance of caution and in accordance with Minnesota law.
-
What We Are Doing
• Immediately secured the environment and engaged a leading cybersecurity firm to assist.
• Notified the Office of the Minnesota Attorney General on [DATE].
• Offering you [XX] months of complimentary credit monitoring and identity-theft protection services through [VENDOR], which includes $[AMOUNT] in identity-theft insurance. Instructions to enroll are enclosed in Appendix C. -
What You Can Do
We encourage you to:
a. Review the “Steps You Can Take to Protect Your Information” in Appendix B.
b. Remain vigilant by monitoring account statements and credit reports.
c. Consider placing a fraud alert or security freeze on your credit file.
d. Contact us with any questions using the information below. -
For More Information
If you have questions, please contact our dedicated incident response line at [TOLL-FREE NUMBER], Monday through Friday, [HOURS], or email us at [EMAIL]. Written inquiries may be sent to:
[COMPANY ADDRESS].
2.3 RECOMMENDED SUPPLEMENTAL CONSUMER-PROTECTION LANGUAGE
[// GUIDANCE: The following paragraphs are not expressly required by Minnesota law but are considered best practice and help limit post-breach liability.]
• Federal Trade Commission Guidance: You may obtain additional identity-theft information from the FTC at www.IdentityTheft.gov or 1-877-438-4338.
• State-Specific Rights: Minnesota residents have the right to obtain a police report and request a security freeze free of charge. Contact the consumer reporting agencies listed in Appendix B for details.
2.4 EXECUTION BLOCK
Sincerely,
[AUTHORIZED SIGNATORY NAME]
[Title]
[Company Legal Name]
3. APPENDICES
APPENDIX A – INCIDENT CHRONOLOGY TABLE
| Date | Milestone | Description |
|---|---|---|
| [DATE] | Discovery | [DETAIL] |
| [DATE] | Containment | [DETAIL] |
| [DATE] | Forensic Engagement | [DETAIL] |
| [DATE] | Consumer Notice Mailing | [DETAIL] |
APPENDIX B – SAMPLE FAQ / CONSUMER RESOURCES
[// GUIDANCE: Supply addresses and phone numbers for Experian, Equifax, TransUnion, FTC, and MN AG.]
APPENDIX C – CREDIT-MONITORING ENROLLMENT INSTRUCTIONS
[// GUIDANCE: Insert vendor-provided language verbatim to preserve enforceability of coverage terms.]
KEY DRAFTING NOTES
[// GUIDANCE: Delete this section before issuance.]
-
Timing Compliance
• Minnesota requires notification “in the most expedient time possible and without unreasonable delay.”
• If >500 Minnesota residents are affected, AG notice should be dispatched concurrent with or prior to the first consumer mailing. -
Content Compliance
• The statute mandates disclosure of (i) incident timing, (ii) types of information, and (iii) contact methods. This template satisfies all three.
• Substitute notice (press release, website, etc.) is permissible only if written notice cost exceeds $250,000 or ≥500,000 individuals lack sufficient contact data. -
Documentation & Preservation
• Maintain copies of all notices, mailing lists, and proof of dispatch for at least seven (7) years to defend against future regulatory inquiries or civil claims. -
Multi-Jurisdiction Breaches
• If non-MN residents are impacted, adapt companion letters to each state’s statutory requirements—especially encryption safe-harbor variances and AG-notice thresholds.
END OF TEMPLATE