A bill for an act
relating to cybersecurity; requiring reporting of cybersecurity incidents impacting
public-sector organizations in Minnesota; proposing coding for new law in
Minnesota Statutes, chapter 16E.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
(a) For purposes of this section, the following terms have
the meanings given.
(b) "Cybersecurity incident" means actions taken through the use of an information
system or network that result in an actual or potentially adverse effect on an information
system, network, and the information residing therein.
(c) "Cyber threat indicator" means information that is necessary to describe or identify:
(1) malicious reconnaissance, including but not limited to anomalous patterns of
communication that appear to be transmitted for the purpose of gathering technical
information related to a cybersecurity threat or vulnerability;
(2) a method of defeating a security control or exploitation of a security vulnerability;
(3) a security vulnerability, including but not limited to anomalous activity that appears
to indicate the existence of a security vulnerability;
(4) a method of causing a user with legitimate access to an information system or
information that is stored on, processed by, or transiting an information system to unwittingly
enable the defeat of a security control or exploitation of a security vulnerability;
(5) malicious cyber command and control;
(6) the actual or potential harm caused by an incident, including but not limited to a
description of the data exfiltrated as a result of a particular cyber threat; and
(7) any other attribute of a cyber threat, if disclosure of such attribute is not otherwise
prohibited by law.
(d) "Defensive measure" means an action, device, procedure, signature, technique, or
other measure applied to an information system or information that is stored on, processed
by, or transiting an information system that detects, prevents, or mitigates a known or
suspected cyber threat or security vulnerability, but does not include a measure that destroys,
renders unusable, provides unauthorized access to, or substantially harms an information
system or information stored on, processed by, or transiting such information system not
owned by the entity operating the measure, or another entity that is authorized to provide
consent and has provided consent to that private entity for operation of such measure.
(e) "Government contractor" means an individual or entity that performs work for or on
behalf of a public agency on a contract basis with access to or hosting of the public agency's
network, systems, applications, or information.
(f) "Information resource" means information and related resources, such as personnel,
equipment, funds, and information technology.
(g) "Information system" means a discrete set of information resources organized for
collecting, processing, maintaining, using, sharing, disseminating, or disposing of
information.
(h) "Information technology" means any equipment or interconnected system or
subsystem of equipment that is used in automatic acquisition, storage, manipulation,
management, movement, control, display, switching, interchange, transmission, or reception
of data or information used by a public agency or a government contractor under contract
with a public agency which requires the use of such equipment or requires the use, to a
significant extent, of such equipment in the performance of a service or the furnishing of a
product.
The term information technology also has the meaning ascribed to information and
telecommunications technology systems and services in section 16E.03, subdivision 1,
paragraph (b).
(i) "Private entity" means any individual, corporation, company, partnership, firm,
association, or other entity, but does not include a public agency, or a foreign government,
or any component thereof.
(j) "Public agency" means any public agency of the state or any political subdivision,
school districts, charter schools, intermediate districts, and cooperative units under section
123A.24, subdivision 2.
(a) Beginning December 1, 2024, state agencies; political subdivisions; school districts,
charter schools, intermediate districts, and cooperative units; and public postsecondary
education institutions shall report cybersecurity incidents that impact them to the Bureau
of Criminal Apprehension in coordination with the Department of Information Technology
Services. Cybersecurity incidents that impact third-party vendors and contractors utilized
by reporting entities must also be reported.
(b) The report must be made within 72 hours of when the public agency or government
contractor reasonably identifies or believes that a cybersecurity incident has occurred.
(c) By September 30, 2024, the Superintendent of the Bureau of Criminal Apprehension
in coordination with the Department of Information Technology Services shall establish
cyber incident reporting capabilities to facilitate submission of timely, secure, and
confidential cybersecurity incident notifications from public agencies, government
contractors, and private entities to the office.
(d) By September 30, 2024, the Superintendent of the Bureau of Criminal Apprehension
shall prominently post instructions for submitting cybersecurity incident notifications on
its website. The instructions shall include, at a minimum, the types of cybersecurity incidents
to be reported and any other information to be included in the notifications made through
the established cyber incident reporting system.
(e) The cyber incident reporting system shall permit the Bureau of Criminal Apprehension
in coordination with the Department of Information Technology Services to:
(1) securely accept a cybersecurity incident notification from any individual or private
entity, regardless of whether the entity is a public agency or government contractor;
(2) track and identify trends in cybersecurity incidents reported through the cyber incident
reporting system; and
(3) produce reports on the types of incidents, indicators, defensive measures, and entities
reported through the cyber incident reporting system.
(f) Any cybersecurity incident notification submitted to the Bureau of Criminal
Apprehension is security information pursuant to section 13.37, is not discoverable in
a civil or criminal action absent a court order or a search warrant, and is not subject to subpoena.
(g) Notwithstanding the provisions of paragraph (f), the Bureau of Criminal Apprehension
may anonymize and share cyber threat indicators and relevant defensive measures to help
prevent additional or future attacks and share cybersecurity incident notifications with
relevant law enforcement authorities.
(h) Information submitted to the Bureau of Criminal Apprehension through the cyber
incident reporting system shall be subject to privacy and protection procedures developed
and implemented by the office, which shall be based on the comparable privacy protection
procedures developed for information received and shared pursuant to the federal