MN SF4874

Requires public agencies and government contractors to report cybersecurity incidents to the commissioner within 72 hours of identification, beginning December 1, 2024.

Mandates the commissioner establish a cyber incident reporting system by September 30, 2024, to securely receive and track cybersecurity incident notifications from public agencies, government contractors, and private entities.

Classifies cybersecurity incident reports as security information under section 13.37, making them protected from discovery in civil or criminal actions absent a court order or search warrant, and not subject to subpoena.

Permits the commissioner to anonymize and share cyber threat indicators and defensive measures with potentially impacted parties and law enforcement authorities to prevent future attacks.

Requires annual reports beginning January 31, 2026, to the governor and legislative commission on cybersecurity documenting the number of notifications received, incident types, categories of reporting entities, and any changes from previous years.