
SF 4874

1st Engrossment - 93rd Legislature (2023 - 2024) Posted on 04/19/2024 09:52am

KEY: stricken = removed, old language.
underscored = added, new language.

A bill for an act
relating to cybersecurity; requiring reporting of cybersecurity incidents impacting
public-sector organizations in Minnesota; proposing coding for new law in
Minnesota Statutes, chapter 16E.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1. [16E.36] CYBERSECURITY INCIDENTS.

Subdivision 1. Definitions. (a) For purposes of this section, the following terms have the meanings given.

(b) "Bureau" means the Bureau of Criminal Apprehension.

(c) "Cybersecurity incident" means an action taken through the use of an information system or network that results in an actual or potentially adverse effect on an information system, network, and the information residing therein.

(d) "Cyber threat indicator" means information that is necessary to describe or identify:

(1) malicious reconnaissance, including but not limited to anomalous patterns of communication that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or vulnerability;

(2) a method of defeating a security control or exploitation of a security vulnerability;

(3) a security vulnerability, including but not limited to anomalous activity that appears to indicate the existence of a security vulnerability;

(4) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;

(5) malicious cyber command and control;

(6) the actual or potential harm caused by an incident, including but not limited to a description of the data exfiltrated as a result of a particular cyber threat; and

(7) any other attribute of a cyber threat, if disclosure of such attribute is not otherwise prohibited by law.

(e) "Defensive measure" means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cyber threat or security vulnerability, but does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by the entity operating the measure, or another entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.

(f) "Government contractor" means an individual or entity that performs work for or on behalf of a public agency on a contract basis with access to or hosting of the public agency's network, systems, applications, or information.

(g) "Information resource" means information and related resources, such as personnel, equipment, funds, and information technology.

(h) "Information system" means a discrete set of information resources organized for collecting, processing, maintaining, using, sharing, disseminating, or disposing of information.

(i) "Information technology" means any equipment or interconnected system or subsystem of equipment that is used in automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information used by a public agency or a government contractor under contract with a public agency which requires the use of such equipment or requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology also has the meaning described to information and telecommunications technology systems and services in section 16E.03, subdivision 1, paragraph (b).

(j) "Private entity" means any individual, corporation, company, partnership, firm, association, or other entity, but does not include a public agency, or a foreign government, or any component thereof.

(k) "Public agency" means any public agency of the state or any political subdivision, school districts, charter schools, intermediate districts, cooperative units under section 123A.24, subdivision 2, and public postsecondary education institutions.

(l) "Superintendent" means the superintendent of the Bureau of Criminal Apprehension.

Subd. 2. Report on cybersecurity incidents. (a) Beginning December 1, 2024, the head of or the decision-making body for a public agency must report a cybersecurity incident that impacts the public agency to the commissioner. A government contractor or vendor that provides goods or services to a public agency must report a cybersecurity incident to the public agency if the incident impacts the public agency.

(b) The report must be made within 72 hours of when the public agency or government contractor reasonably identifies or believes that a cybersecurity incident has occurred.

(c) The commissioner must coordinate with the superintendent to promptly share reported cybersecurity incidents.

(d) By September 30, 2024, the commissioner, in coordination with the superintendent, must establish a cyber incident reporting system having capabilities to facilitate submission of timely, secure, and confidential cybersecurity incident notifications from public agencies, government contractors, and private entities to the office.

(e) By September 30, 2024, the commissioner must develop, in coordination with the superintendent, and prominently post instructions for submitting cybersecurity incident reports on the websites for the department and for the bureau. The instructions must include, at a minimum, the types of cybersecurity incidents to be reported and a list of other information to be included in the report made through the cyber incident reporting system.

(f) The cyber incident reporting system must permit the commissioner, in coordination with the superintendent, to:

(1) securely accept a cybersecurity incident notification from any individual or private entity, regardless of whether the entity is a public agency or government contractor;

(2) track and identify trends in cybersecurity incidents reported through the cyber incident reporting system; and

(3) produce reports on the types of incidents, cyber threat indicators, defensive measures, and entities reported through the cyber incident reporting system.

(g) Any cybersecurity incident report submitted to the commissioner is security information pursuant to section 13.37 and is not discoverable in a civil or criminal action absent a court or a search warrant, and is not subject to subpoena.

(h) Notwithstanding the provisions of paragraph (g), the commissioner may anonymize and share cyber threat indicators and relevant defensive measures to help prevent attacks and share cybersecurity incident notifications with potentially impacted parties through cybersecurity threat bulletins or relevant law enforcement authorities.

(i) Information submitted to the commissioner through the cyber incident reporting system shall be subject to privacy and protection procedures developed and implemented by the office, which shall be based on the comparable privacy protection procedures developed for information received and shared pursuant to the federal Cybersecurity Information Sharing Act of 2015, United States Code, title 6, section 1501, et seq.

Subd. 3. Annual report to the governor and legislature. Beginning January 31, 2026, and annually thereafter, the commissioner, in coordination with the superintendent, must submit a report on its cybersecurity incident report collection and resolution activities to the governor and to the legislative commission on cybersecurity. The report must include, at a minimum:

(1) information on the number of notifications received and a description of the cybersecurity incident types during the one-year period preceding the publication of the report;

(2) the categories of reporting entities that submitted cybersecurity reports; and

(3) any other information required in the submission of a cybersecurity incident report, noting any changes from the report published in the previous year.