Focus on New Laws: Cybersecurity Incident Reporting Requirements
Local governments should be aware of the expanded reporting requirements for cybersecurity incidents beginning Dec. 1, 2024.
A new law passed during the 2024 legislative session creates new requirements for public agencies, including local governments, to report cybersecurity incidents to the Bureau of Criminal Apprehension (BCA). The new reporting requirements begin Dec. 1, 2024.
The language, included in Chapter 123, specifies that any cybersecurity incident that causes actual or potential adverse effects to an information system, network, or its data must be reported to the BCA within 72 hours of when the public agency identifies the incident.
Examples of cybersecurity incidents that must be reported under the new law include:
- Compromised accounts/passwords where a bad actor gains access.
- Data breaches of confidential, private, protected, or sensitive information.
- Defacement in which an attacker alters website content.
- Denial of Service (DoS) attacks.
- Accidental exposure of sensitive information due to novel or atypical factors.
- Successful attack that averted security defenses involving malware.
- Network attacks.
For a full list of proposed cybersecurity incidents that must be reported, cities can review current drafts of the Cybersecurity Incident Reporting Form (pdf) and Cybersecurity Incident Reporting Instructions (pdf). These drafts must be finalized by Minnesota IT Services by Sept. 30, 2024.