This bill establishes a new requirement for public-sector organizations in Minnesota to report cybersecurity incidents. It introduces a new section in Minnesota Statutes, chapter 16E, titled "Cybersecurity Incidents," which defines key terms such as "cybersecurity incident," "government contractor," and "public agency." Starting December 1, 2024, heads of public agencies must report any cybersecurity incidents to the commissioner within 72 hours of identification. Additionally, government contractors must report incidents that impact the public agency they serve. The commissioner, in coordination with the Bureau of Criminal Apprehension, is tasked with creating a cyber incident reporting system by September 30, 2024, to facilitate secure and confidential notifications.

Furthermore, the bill mandates that the commissioner submit an annual report to the governor and the legislative commission on cybersecurity, beginning January 31, 2026. This report will include data on the number of notifications received, types of incidents, and categories of reporting entities. The bill also ensures that submitted reports are considered security information and are not discoverable in civil or criminal actions, although the commissioner may share anonymized data to prevent future attacks. Overall, the legislation aims to enhance the cybersecurity posture of public-sector organizations in Minnesota by establishing clear reporting protocols and accountability measures.