Minnesota Administrative Rules
Agency 120 - Commerce Department
Chapter 2876 - REGULATING SECURITIES
Part 2876.3055 - PROTECTION OF PURCHASER INFORMATION

Universal Citation: MN Rules 2876.3055

Current through Register Vol. 49, No. 13, September 23, 2024

Subpart 1. Cybersecurity policy.

A. Portal operators and MNvest issuers must take reasonable steps to ensure that purchasers' financial and personal information is properly secured. Reasonable steps include, at a minimum, a written cyber-security policy that outlines the MNvest issuer's or portal operator's policies and procedures for:
(1) preventing cybersecurity attacks that result in the disclosure, or potential disclosure, of purchasers' confidential or personally identifiable information;

(2) preventing data breaches that result in the disclosure, or potential disclosure, of purchasers' confidential or personally identifiable information;

(3) responding to a cybersecurity attack or data breach that occurs; and

(4) demonstrating the issuer's implementation of the written cybersecurity policy.

B. The cybersecurity policy required in item A must specifically include the MNvest issuer's or portal operator's procedures to establish compliance with Minnesota Statutes, section 325E.61.

C. MNvest issuers and portal operators must publish the cybersecurity policy required by this subpart on the portal operator's or MNvest issuer's Web site, with a prominent link to the cybersecurity policy on the Web site's homepage.

Subp. 2. Reporting of a cybersecurity attack or data breach.

MNvest issuers and portal operators must report to the administrator any action taken by the MNvest issuer or portal operator to meet the reporting requirements of Minnesota Statutes, section 325E.61.

A. The report sent to the administrator must not include any confidential or personally identifiable information of those individuals whose data were improperly accessed or acquired, unless the information is requested by the administrator. The report must include:
(1) a general description of the type of data that were accessed or acquired;

(2) the number of individuals whose data were improperly accessed or acquired; and

(3) a description of the steps taken by the MNvest issuer or portal operator to notify the individuals whose data were improperly accessed or acquired.

B. The report must be mailed or sent electronically to the administrator within 60 days of the MNvest issuer's or portal operator's discovery of the cybersecurity attack or data breach.

Disclaimer: These regulations may not be the most recent version. Minnesota may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.