Monday, December 16, 2024

New Minnesota Law Aims to Enhance Cyber Defenses

There were more than 1,000 cybersecurity incidents, including data breaches and ransomware attacks, in Minnesota in 2023 — hitting schools, universities, and government offices, according to a WCCO news story. As cyber threats continue to increase and evolve, many state and local governments are implementing cybersecurity plans, like Minnesota’s Cybersecurity Plan from Minnesota IT Services (MNIT), and strengthening their cyber defenses.  

A new state law, effective Jan. 1, 2025, aims to enhance cyber defenses by collecting information about cybersecurity incidents in Minnesota. Cities, including law enforcement agencies, are subject to these requirements. A cybersecurity incident is defined by law as an action taken using an information system or network that results in an actual or potentially adverse effect on an information system, network, or the information it contains.

The law requires public agencies, including cities, counties, higher education, school and related intermediate districts, law enforcement agencies, state agencies, and townships to report cybersecurity incidents beginning Dec. 1, 2024. Also, if a cybersecurity incident affects a public agency, contractors or vendors working with the government must inform the agency about the incident. The goal is to collect information that can help all agencies understand how security controls are bypassed and assist other organizations in defending IT resources and data. 

Required entities should report cybersecurity incidents that impact services, systems, or people. This includes successful cyber events that compromise agency accounts, systems, or data, or that bypass security controls and target government systems. Examples include compromised accounts and passwords, defacement, denial of service (DoS), network attack, potential data exposure, ransomware, social engineering, unauthorized access, web application attack, or attacks targeting systems that control industrial processes, such as factories and utilities.

The report must be made within 24 hours if criminal justice information and systems are impacted, and within 72 hours of the government entity, public agency, or contractor discovering the incident or reasonably identifying or believing that a cybersecurity incident has occurred. Cybersecurity incident reporting is in addition to other reporting requirements, like those for the Office of the Legislative Auditor and data breach reports required by Minnesota law.

How to file a cyber incident report

The required report can be completed online through MNIT’s Cybersecurity Incident Reporting webpage. Cyber incident reports can also be made over the phone or via email at the contact information listed below:

Before sharing threat reports with local entities, the reports will be anonymized to ensure the names and details of impacted organizations remain confidential.

If you have any comments or need further guidance, contact me at tstille@lmc.org or (651) 215-4051. 

In the meantime, stay safe!    

Tracy