New laws in focus: obligation to report cybersecurity incidents

Local governments should be aware of the enhanced reporting requirements for cybersecurity incidents starting December 1, 2024.

A new law passed during the 2024 legislative session creates new requirements for public entities, including local governments, to report cybersecurity incidents to the Bureau of Criminal Apprehension (BCA). The new reporting requirements will take effect on December 1, 2024.

The language contained in Chapter 123 specifies that any cybersecurity incident that has an actual or potential adverse impact on an information system, network, or its data must be reported to the BCA within 72 hours of the agency's discovery of the incident.

Examples of cybersecurity incidents that must be reported under the new law include:

• Compromised accounts/passwords that a malicious actor gains access to.
• Data breaches involving confidential, private, proprietary or sensitive information.
• Defacement, in which an attacker changes the content of a website.
• Denial-of-Service attacks (DoS).
• Inadvertent disclosure of confidential information due to novel or atypical factors.
• Successful attack that bypassed security measures with malware.
• Network attacks.

For a complete list of proposed cybersecurity incidents that must be reported, see the current drafts of the Cybersecurity Incident Reporting Form (pdf) and Cybersecurity Incident Reporting Instructions (pdf). These drafts must be completed by Minnesota IT Services by September 30, 2024.

Read more news articles.