Minnesota’s new cybersecurity incident reporting law has already boosted awareness and improved communication about rising cyber threats targeting the public sector.

The law which went into effect Dec. 1, 2024, requires public agencies, including local governments and public schools across Minnesota, to report cybersecurity incidents affecting their organizations. To comply, these agencies have started using an online tool provided by Minnesota IT Services (MNIT).

Since the tool launched on Sept. 30, public entities have submitted over 100 reports. While MNIT cannot disclose details about individual incidents, it works closely with state and federal partners to support affected organizations with information and resources.

“Active participation is vital to strengthening the State of Minnesota’s defenses,” Chief Information Security Officer John Israel said. “We appreciate the cooperation of organizations statewide as we work together to build a more secure future.”

Governor Tim Walz signed this landmark legislation in May 2024, underscoring Minnesota’s commitment to safeguarding its data, systems, and networks. The law has garnered widespread support from leaders across Minnesota, including those in K-12 education.

“Minnesota’s cybersecurity incident reporting law highlights the critical collaboration between MNIT and school districts to combat growing cyber threats,” said Eric Simmons, director of technology at Stillwater Area Public Schools, emphasized the importance of collaboration. “Schools are prime attack targets, yet many lack the resources to respond effectively. This law supports all districts by fostering partnerships, enhancing communication, and prioritizing resources to safeguard students, staff, and educational services.”

Anthony Padrnos, executive director of technology of Osseo Area Schools, echoed Simmons’ sentiment. “I applaud Minnesota’s new cyber incident reporting law as an important step in fostering collaboration among government entities to combat cyber threats in Minnesota. Ensuring our state’s critical infrastructure, including K-12 schools, can share and access vital security information is essential. This law empowers schools and agencies to act swiftly and effectively, strengthening protections against cyber threat actors and safeguarding the communities we serve.”

Enhanced cybersecurity coordination  

By establishing a clear reporting process, the law strengthens the state’s collective cybersecurity posture, improves its overall resilience against evolving cyber-attacks. MNIT and the Bureau of Criminal Apprehension (BCA) are leading the initiative, using incident data to:

• Mitigate risks and respond to cybersecurity incidents more effectively.  

• Identify trends and commonalities to anticipate and prevent future attacks.  

• Strengthen communication and collaboration with public agencies.  

Entities required to report  

The law applies to a wide range of organizations, including:

• State public agencies  

• Government contractors and vendors serving public agencies  

• Political subdivisions, such as counties, cities, and townships  

• Public school districts, charter schools, intermediate districts, cooperative units, and public post-secondary institutions  

Implementation and compliance  

Organizations are encouraged to review the law’s requirements and comply if and when an incident occurs to help protect Minnesota’s digital infrastructure. To implement the new reporting process, MNIT engaged with local governments and K-12 entities by:

• Sharing the draft form and guidelines with 500+ public entities for comment.

• Using feedback from 60+ entities to ensure the process was user-friendly and collected the required information.

• Holding two webinars attended by 200 partners.

MNIT will continue providing updates and guidance to assist entities in meeting the new reporting requirements. More information about the law can be found at https://mn.gov/mnit/cir.