MN HF4749

Beginning December 1, 2024, state agencies, political subdivisions, school districts, charter schools, intermediate districts, cooperative units, and public postsecondary education institutions must report cybersecurity incidents to the Bureau of Criminal Apprehension within 72 hours of identification.

Cybersecurity incidents impacting third-party vendors and contractors utilized by reporting entities must also be reported.

By September 30, 2024, the Bureau of Criminal Apprehension in coordination with the Department of Information Technology Services must establish a secure cyber incident reporting system and post instructions on its website.

Cybersecurity incident notifications are classified as security information, are not discoverable in civil or criminal actions without court order or search warrant, and are not subject to subpoena.

The Bureau of Criminal Apprehension may anonymize and share cyber threat indicators and defensive measures with law enforcement authorities and must submit annual reports to the governor and legislative commission on cybersecurity beginning January 31, 2026.