On the national level, it was Edward Snowden and the NSA. In Minnesota, it was the Target credit-card breach and the revelation that local and state government officials had snooped on thousands of driver’s licenses.
Minnesota lawmakers, reaching the tipping point of state and national problems with mass surveillance and personal information breaches, have made data privacy and protections one of the top issues of the 2014 session.
From private businesses to law enforcement and state agencies, lawmakers have introduced more than a dozen bills this year to curtail growing concerns over surveillance and personal data privacy. Some aim to tackle a growing list of law enforcement tools that, while helping to solve crimes, can also store loads of data about innocent people’s whereabouts. Others want to improve data privacy at the state level by tracking who’s peeping at state databases and by creating data experts in the legislative ranks.
“Unfortunately for legislators, until it hits the front page of a paper a lot of times they can’t be bothered with the issue,” said Rep. Mary Liz Holberg, R-Lakeville, a longtime stalwart of data privacy issues in the Legislature. “I think we are beginning to get to a critical mass where maybe the Legislature may finally be in a position where you could actually have some attention paid to these issues.”
The issue has attracted bipartisan support. The recent Minnesota Poll conducted by the Star Tribune found more than 60 percent of adults said they worry about the data being collected by law enforcement and maintaining their personal privacy.
Legislators will hold a slew of hearings on the issue this week in the House Public Safety Committee and the Civil Law Committee.
“We have technology that is directly impacting us in real time and the technology itself has outpaced the policy that would normally be in place to regulate it,” DFL Rep. John Lesch, who chairs the House Civil Law Committee, said. “At the Legislature, this is the most pervasive push I’ve seen on this issue.”
Law enforcement biggest target
The data collected by law enforcement agencies — in everything from cell-phone tracking devices to drones and license-plate readers — are a major target for lawmakers this year.
In a pre-session hearing, lawmakers questioned members of the Minnesota Department of Public Safety, which had been quietly using cellphone-tracking devices for years to follow possible criminals or victims in real time. The so-called cell-phone exploitation devices, better known by model names Kingfish and Stingray, work by impersonating a cell-phone tower and tricking a phone to connect to it using its own antenna. As officials testified, the technology has quickly helped catch numerous criminals over the years who simply didn’t turn their cell phone off.
But while a criminal is being tracked, so are whereabouts of potentially thousands of innocent citizens. Hennepin County also uses the device.
Bills have been introduced to require law enforcement agencies to obtain a warrant to use cell-phone tracking. Currently only a court order is needed. But Lesch, who felt his questions were inadequately addressed at the last hearing, wants to take a different approach.
He’s introducing a bill that bans any law enforcement agency but the Bureau of Criminal Apprehension (BCA) to own cell-phone tracking devices. If a county law-enforcement agency wants to use the device, it must go through the BCA. The state-run organization is subject to Minnesota’s data practices laws, meaning the law would set up a one-stop shop for tracking all uses of technology.
“Because there was a resistance of answering questions about it, the Legislature is forced into the position of a ham-handed approach,” Lesch said. “I’m not interested in playing games. I don’t drop a bill I don’t intend it to pass.”
Limiting use of drones
No Minnesota law enforcement agencies are known to currently use drones — unmanned aerial devices armed with a camera — but several bills in the Legislature this year aim to get ahead of the issue. One proposal from Rep. Brian Johnson, R-Cambridge, would require law enforcement agencies to get a warrant or meet tests of “imminent” danger before they can use drones.
Johnson, a former sheriff’s deputy, said a data request found there have been at least 20 military drone flyovers in Minnesota. The bill only covers law enforcement agencies, despite the fact that the flying devices might one day be used by companies like Amazon to deliver goods. Johnson said regulations are imminent from the Federal Aviation Administration on commercial uses of drones.
“As an officer, when you’re driving down the street, you can see the front yard. There’s no expectation of privacy, but we can’t stop and walk behind their house and look to see what’s going on without a warrant,” Johnson said. “In your backyard, you do have some expectation of privacy.”
Another bill, authored by Holberg, would require data collected from law enforcement’s License Plate Recognition (LPR) systems to be destroyed within 24 hours of collection, unless the vehicle is part of an ongoing investigation. LPR systems, used in many law enforcement agencies in Minnesota, can capture highly detailed movement records for a vehicle.
Last year Arkansas, Utah and Vermont put strict limits on license plate readers. Legislators in Wisconsin, Missouri, New Jersey and Ohio have proposed limiting or banning police use of the technology.
“If you are the government you shouldn’t be able to track someone electronically unless you get a warrant from a judge. We think the Fourth Amendment of the Constitution is pretty clear on that,” Chuck Samuelson, executive director of the American Civil Liberties Union of Minnesota, said. “Yes, if a car has been stolen, collect that data and only that data. The rest of the data you throw out.”
Target breach turns attention on business
California was the first state in 2002 to pass an online “breach notification” law. Since then, 46 states, including Minnesota, have followed their lead by requiring businesses and public agencies to notify people if their data have been breached.
That reached a whole new level in mid-December, when Minnesota’s own Target Corp. reported that financial information from up to 40 million shoppers was compromised during the middle of the holiday shopping season. In January, the company disclosed that additional information may have been taken from up to 70 million other customers. It’s the largest data breach on record at a retailer.
A bill from freshman Rep. Dan Schoen, DFL-St. Paul Park, would tighten the bill and require notifying individuals whose information appears to have been stolen within 48 hours of the discovery. Victims would also be offered free credit monitoring for one year, and if those responsible for the breach are the retailers, they must shell out for a $100 gift card that is valid for at least one year.
Rep. Greg Davids, R-Preston, says there are “serious problems” with the bill. As a small business owner himself, he said he could have to pay up to $50,000 under the bill for having his computer hacked. Davids thinks it should be up to the businesses to fix the error.
“I think Target acted very responsibly and very quickly,” Davids said. “If you’re going to be attacked by somebody and have to pay the penalty for being attacked, that’s wrong,”
Schoen acknowledges that the gift card portion of the bill was more about getting attention for his proposal, but in general, he thinks businesses get far less scrutiny on data privacy issues than state agencies.
“People around here are so excited to jump down the government’s throat about an issue. When government agencies have a breach, rightfully so, it needs to be rectified, fixed and dealt with, but that needs to happen in the private sector too,” Schoen said. “When it’s a government issue bash government but don’t bash business.”
Lawmakers want more state remedies
In her final session serving at the Legislature, Holberg has a few parting ideas about how to improve state government’s handling of private data.
The longtime legislative champion of data privacy issues has introduced more than a half a dozen bills this year, including one that would allow data breach victims to go to court and potentially recoup their lawyer’s fees. She also wants to equip all state-run databases to track, within each individual record, who is accessing the data and when they accessed it. In the most recent high profile case of state record snooping, former state employee John Hunt was charged with breaching thousands of driver’s license files — of mostly high-profile women — while he worked for the Department of Natural Resources.
Holberg also wants to create a standing Legislative Commission on Data Practices and Personal Data Protection to provide oversight on these issues. The hope for the commission, which is modeled after the state’s Pension Commission, is to foster data privacy experts in the Legislature.
“I think it’s just a baby step. When you look at what other states have done — they have whole administrative departments — we are so far behind the curve,” she said. “I don’t think these issues are going away. I think they are going to become more and more complex.”