While Minnesota IT Services (MNIT) has long recorded security metrics for the state by keeping a tally of security events investigated by the agency for all of the state’s government partners, it wasn’t until December of 2024 that public agencies became legally required to report security breaches to the agency.
A new law, passed by the state Legislature, demanded an incident reporting system for timely, secure and confidential reports for cyber attacks or security incidents impacting public agencies. It requires cities, counties, certain government contractors or vendors, higher education and K-12 school districts, as well as law enforcement agencies, state agencies and townships, to report incidents that impact services, systems or people to the state. In the past, only state agencies were required to report.
According to MNIT, since the law went into effect in December, the department has seen a significant increase in the number of reported events.
“We feel fortunate that it’s really working,” said Tarek Tomes, commissioner of Minnesota IT Services.
Government Technology analyzed security metrics from MNIT from 2019 to 2024, and found the annual count of reported incidents had risen dramatically. According to a MNIT spokesperson, the increase in incidents is also due to automated reporting from the agency’s endpoint detection and response tool, which may have a broader classification for malware than manual classification from a security operations center would use.
“We’ve had over 100 incidents reported by organizations that we would not have had visibility on before, and that allows us to at times use funding — like for our whole-of-state security program — in more specific ways to target some of the things that we’re actually seeing across the state,” said Tomes. “That ability to look at threats, be able to categorize these types of events and then put funding, opportunities and programs in place to help organizations protect themselves is really efficient.”
The law includes a time limit for reporting: 24 hours if criminal justice systems are impacted, and 72 hours from the point any other government entity or public agency reasonably believes an incident has occurred. According to Tomes, that information could be vital in warning other agencies of ongoing threats.
“One of the biggest drivers, certainly for us behind the reporting, is just an ability to warn other organizations and public-sector organizations of suspicious or cyber events that are happening in one space that other organizations should be aware of should they have similar or the same types of technologies,” said Tomes. “If there’s a cyber event in a school district, to immediately be able to warn other school districts of the type of event that’s happening, sharing few details, just kind of giving that early warning opportunity to organizations is really important.”
“No one wants to be in the news,” he said. “Assuring organizations that their organizational reputation is protected in this process, that the process is really just geared towards understanding at a high level the type of threat. Being able to warn others has really made organizations feel comfortable that they can share when they have an event that it isn’t an adverse impact as it just relates to the [publicity] that may come with it.”
Minnesota is not the only state to enact a cyber reporting requirement. In 2019, the North Carolina General Assembly enacted a law requiring local governments to report certain incidents. In 2023, Texas began requiring state and local governments to report security incidents.
Editor's note: This story has been updated to reflect the impact of automated reporting from MNIT’s endpoint detection and response tool on the agency’s annual cybersecurity incident numbers.
