Minnesota Cybersecurity Laws You Should Know (2025)
Mitch Wolverton

Cyber threats are growing more advanced every year, and Minnesota businesses are not immune. From healthcare organizations to manufacturers, companies across the state must protect sensitive data and comply with cybersecurity regulations. Understanding Minnesota cybersecurity laws is key to avoiding penalties, safeguarding customer trust, and building a resilient digital foundation. Below, we’ll explore the major cybersecurity laws affecting Minnesota businesses.
Minnesota Cybersecurity Laws
Minnesota Data Breach Notification Law (Minn. Stat. § 325E.61)
The Minnesota Data Breach Notification Law requires businesses and state agencies to notify affected individuals without unreasonable delay after discovering that personal information has been accessed by an unauthorized party. If a breach impacts more than 500 residents, the business must also notify the Minnesota Attorney General and all nationwide consumer reporting agencies.
Notifications must describe the nature of the breach, the types of information compromised, and any steps being taken to mitigate further harm.
Minnesota Government Data Practices Act (Minn. Stat. § 13.01 et seq.)
The Government Data Practices Act (MGDPA) governs how public agencies in Minnesota collect, store, and share data. It ensures transparency while mandating strong safeguards to protect private and confidential information. Any state agency or contractor handling government data must follow these security protocols.
Minnesota Deceptive Trade Practices Act (Minn. Stat. § 325D.43 et seq.)
This law prohibits businesses from engaging in deceptive or misleading practices, including false statements about cybersecurity or data privacy policies. Companies that fail to maintain reasonable security measures can face enforcement actions from the Minnesota Attorney General’s Office.
Minnesota Computer Crime Law (Minn. Stat. § 609.87–609.891)
This statute criminalizes unauthorized access, hacking, and data tampering. It also covers the creation and distribution of malware or ransomware, with penalties ranging from fines to imprisonment depending on the offense.
Minnesota Electronic Signatures in Global and National Commerce Act (Minn. Stat. § 325L.01 et seq.)
This law validates electronic signatures and records in Minnesota. Businesses must use secure authentication methods and protect digital records from unauthorized alterations.
Federal and Industry-Specific Cybersecurity Regulations That Affect Minnesota Businesses
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS applies to all Minnesota businesses that accept or store credit card data. Compliance involves encryption, network monitoring, and regular security audits.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to Minnesota healthcare providers and business associates that handle protected health information (PHI). It requires strict administrative, technical, and physical safeguards.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions in Minnesota must comply with GLBA, which requires written information security programs, staff training, and consumer privacy disclosures.
General Data Protection Regulation (GDPR)
Although a European Union regulation, GDPR applies to Minnesota businesses that collect or process data from EU residents. It requires explicit consent, the right to access or delete data, and transparent privacy practices.
Cybersecurity Requirements for Financial Services Companies (NYDFS 23 NYCRR 500)
NIST Cybersecurity Framework
Federal Trade Commission (FTC) Act
Under the FTC Act, Minnesota businesses must use reasonable data protection measures. The FTC enforces penalties for companies that mislead consumers or fail to protect personal information.
Children’s Online Privacy Protection Act (COPPA)
If your Minnesota business collects personal data from children under 13, COPPA applies. It requires verified parental consent and restricts the use of children’s personal information.
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
CAN-SPAM Act
The CAN-SPAM Act governs commercial emails nationwide. Minnesota businesses must include accurate sender details, truthful subject lines, and an easy unsubscribe option.
Defense Federal Acquisition Regulation Supplement (DFARS)
Minnesota defense contractors must comply with DFARS cybersecurity standards based on NIST SP 800-171 to protect controlled unclassified information.
Section 5 of the FTC Act (Unfair or Deceptive Practices)
Section 5 prohibits deceptive or negligent cybersecurity practices, requiring Minnesota businesses to implement fair and accurate data protection measures.
More Minnesota Cybersecurity Laws to Be Aware Of
Minnesota has strengthened its cybersecurity readiness through the Minnesota Cybersecurity Task Force and initiatives led by the Minnesota IT Services (MNIT) agency. These organizations work together to enhance state and local cyber resilience and support small businesses through cybersecurity awareness programs.
Businesses are encouraged to adopt frameworks like NIST or ISO 27001, conduct annual risk assessments, and maintain written incident response and data protection plans.
Conclusion
Staying compliant with Minnesota cybersecurity laws helps businesses protect sensitive information, reduce risk, and maintain customer confidence. By following both state and federal regulations, organizations can avoid penalties and build a stronger cybersecurity posture.
If your company needs help achieving cybersecurity compliance in Minnesota, we offer solutions to strengthen your defenses and ensure full legal compliance.
Frequently Asked Questions About Minnesota Cybersecurity Laws
- What is Minnesota’s main cybersecurity law?
The Minnesota Data Breach Notification Law (Minn. Stat. § 325E.61) is the state’s primary cybersecurity regulation, requiring prompt notification to affected individuals and the Attorney General.
- Who enforces cybersecurity laws in Minnesota?
The Minnesota Attorney General’s Office enforces consumer protection and data privacy laws, while MNIT oversees cybersecurity for state systems.
- How quickly must businesses report a data breach in Minnesota?
Businesses must notify affected individuals without unreasonable delay once a breach has been discovered and verified.
- Do small businesses in Minnesota have to comply with cybersecurity laws?
Yes. Any business that collects or maintains personal information about Minnesota residents must comply, regardless of size.
- Does Minnesota have any public-sector cybersecurity requirements?
Yes. Under the Government Data Practices Act, all public agencies and contractors managing government data must follow strict cybersecurity and privacy standards.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.
Mitch Wolverton
Mitch, Marketing Manager at PivIT Strategy, brings many years of marketing and content creation experience to the company. He began his career as a content writer and strategist, honing his skills on some of the industry’s largest websites, before advancing to specialize in SEO and digital marketing at PivIT Strategy.
