This week the U.S. state of Minnesota enacted a new law requiring its public agencies to report cybersecurity incidents to state IT officials. We look at what this new piece of legislation means for cybersecurity professionals in the region.
Cybersecurity laws in the U.S. exist at both the federal and state levels, giving individual state legislatures the ability to add localized requirements alongside national cybersecurity regulation. The most recent example of this is in the state of Minnesota, which has brought into force a new statewide requirement for cybersecurity incident reporting.
The new state law mandates that public agencies and affiliated entities report cybersecurity incidents to Minnesota IT Services (MNIT), the central IT organization for Minnesota, with the intention of enhancing the state’s ability to detect, respond to, and mitigate cyber threats. While the requirement was signed into law in May 2024, it officially came into effect on December 1st, 2024.
What Minnesota’s Legislation Means for Cybersecurity Professionals
The law applies to a wide range of organizations and state supply chains, including all state public agencies; government contractors and vendors serving public agencies; political subdivisions such as counties, cities, and townships; school districts, charter schools, intermediate districts, and cooperative units; and public post-secondary institutions. The legislation does not mandate any new cybersecurity countermeasures or minimum standards; instead, it requires a greater degree of transparency across a wider range of state agencies and affiliated bodies when an incident occurs. Many state agencies were already required to disclose cybersecurity incidents before the law came into force.
Disclosure must take place within 24 hours if criminal justice information or systems have been compromised or are otherwise involved. All other incidents must be reported within 72 hours of the agency or organization becoming aware that the cybersecurity incident has taken place.
The law illustrates how a reporting requirement can extend beyond a mature, well-resourced state agency to bodies or organizations that may not have extensive cybersecurity or IT skills or personnel, such as K-12 schools.
However, the reporting process is arguably straightforward: a single web form is provided for affected agencies and organizations to report an incident, backed up by phone and email options if the person filing a report has questions or encounters an incident the form does not cover. MNIT will anonymize and aggregate the information received through the form so that the names and details of impacted organizations remain confidential.
How Minnesota’s Law Compares with Other Reporting Requirements
Other notable regulations around the world, such as the Digital Operational Resilience Act (DORA) and the General Data Protection Regulation (GDPR), also mandate disclosure of cybersecurity incidents. DORA requires reporting similar to Minnesota's: 24 hours for an initial notification of a “major” incident, 72 hours for a more detailed intermediate report, and a final report within one month of the intermediate notification.
In comparison, GDPR requires organizations to report data breaches to the nominated regulator in their country of origin within the EU or U.K. within 72 hours of becoming aware of the incident.
The Minnesota reporting law is an example of what could become more prevalent across the U.S., requiring a number of state organizations to be more vigilant and more transparent about cybersecurity incidents than has previously been required of them. While the reporting overhead is modest, it highlights a need for training and awareness to ensure compliance and accurate reporting.