Minnesota enacts new 72-hour breach reporting requirement for public schools and colleges

Blog Post

As of December 1, 2024, the State of Minnesota now requires public agencies (which includes, K-12 school districts, charter schools, intermediate districts, cooperative school units and Higher Education / Post Secondary schools) to report cybersecurity incidents. The Minnesota Legislature amended its state statute to require notice within 72 hours of reasonable detection or belief that a cybersecurity incident has occurred. The statute defines a ‘cybersecurity incident’ as “an action taken through the use of an information system or network that results in an actual or potentially adverse effect on an information system, network, or the information residing therein.”

Minnesota IT Services (MNIT) shares examples of reportable incidents on its website which include, but are not limited to:

  • Compromised accounts / passwords
  • DoS attacks
  • Website defacement
  • Malware
  • Network Attack
  • Ransomware
  • Social Engineering
  • Unauthorized Access

The full list of public agencies required to report to MNIT include:

  • Cities
  • Counties
  • Government contractors or vendors that perform work for or on behalf of a public agency with access to or hosting the public agency’s network, systems, applications, or information if impacting data belonging to a public entity
  • Higher Education (Post-Secondary)
  • K-12 school districts, charter schools, intermediate districts, and cooperative school units
  • Law enforcement agencies
  • State agencies
  • Townships

Minnesota is not the only state ramping up its efforts to protect student information and encourage schools to bolster its defenses against cyberattacks. In 2024, legislators introduced 28 K-12 cybersecurity bills across 16 states. Further, Comparitech’s 2024 ransomware roundup confirmed 116 reported ransomware attacks on K-12 and Higher Education institutions. Not to mention, the PowerSchool data breach that has affected an estimated 62 million students, making it the largest breach of American children’s personal information to date. 

With the continual rise of cyberattacks in the education space, schools need to remain vigilant and proactive in their efforts to bolster their defenses. Schools need to spend the time and resources to invest in updated technological advancements and employee cybersecurity awareness training. Schools should ensure that they not only have adequate cyber liability insurance coverage, but their third-party vendors do as well. Just as schools practice fire drills, they should test and practice for cyberattacks with their designated incident response team.

If you want to learn more about proactive cybersecurity defense for K-12 or Higher Education institutions, contact attorney Kate Furstenau on McDonald Hopkins Data Privacy and Cybersecurity team. 

Jump to Page

McDonald Hopkins uses cookies on our website to enhance user experience and analyze website traffic. Third parties may also use cookies in connection with our website for social media, advertising and analytics and other purposes. By continuing to browse our website, you agree to our use of cookies as detailed in our updated Privacy Policy and our Terms of Use.