This bill establishes new requirements for public-sector organizations in Minnesota regarding the reporting of cybersecurity incidents. It introduces a new section in Minnesota Statutes, chapter 16E, which defines key terms related to cybersecurity incidents, such as "cybersecurity incident," "cyber threat indicator," and "defensive measure." Starting December 1, 2024, state agencies, political subdivisions, school districts, and public postsecondary institutions must report any cybersecurity incidents to the Bureau of Criminal Apprehension within 72 hours of identification. The Bureau, in coordination with the Department of Information Technology Services, will create a cyber incident reporting system to facilitate these notifications and will also provide guidance on the types of incidents to report.

Additionally, the Bureau of Criminal Apprehension is required to submit an annual report to the governor and the legislative commission on cybersecurity, starting January 31, 2026. This report will include data on the number of notifications received, the types of incidents reported, and the categories of entities submitting notifications. The bill also ensures that submitted incident notifications are treated as security information, protecting them from civil or criminal discovery, while allowing for the anonymization and sharing of certain data to prevent future attacks. The effective date for the provisions of this bill is set for November 30, 2024.