Dive Brief:
- Minnesota public school districts, charter schools and colleges must now report cybersecurity incidents such as ransomware or network attacks under a newly enacted state law.
- The information that schools report to Minnesota will not be shared publicly, unlike with similar statewide data breach reporting requirements in California and Maine.
- Instead, the information will be anonymized and shared with “appropriate organizations” — with the goal of helping officials understand how security controls are bypassed and providing support for network protection.
Dive Insight:
Minnesota’s approach to shoring up cybersecurity protections through mandated reporting comes as schools are increasingly vulnerable to ransomware attacks. The new law, which took effect Dec. 1, also applies to local governments and state agencies.
Minnesota faced challenges with K-12 cybersecurity when a ransomware gang claimed responsibility for a 2023 cyberattack on Minneapolis Public Schools. The cybercriminals in that case publicly leaked sensitive files that they claimed belonged to the 35,000-student district.
But schools are hardly alone in dealing with these threats.
Other critical sectors that face higher cybersecurity risks include automobile manufacturers and suppliers, finance companies, mass transit, ports, and oil and gas companies, according to a November report by Moody’s Ratings, a global credit rating provider.
In that same Moody’s report, the global cyber risk scores for the education and nonprofit sectors — measured together — rose from “moderate” to “high” between 2022 and 2024. The highest score is the “very high” level.
Additionally, cybersecurity was the top technology priority this year among state leaders, according to a September report by the State Educational Technology Directors Association. The report also flagged concerns that states aren’t providing enough resources, with only 8% of surveyed ed tech leaders across 46 states saying their state provides “sufficient” funds to support cybersecurity efforts.
While the Minnesota law does not publicly disclose any specific details of cybersecurity incidents, it adds to a bigger question among top officials: Should schools and other government entities be required to publicly share when they are the victims of a cyberattack?
That question remains unanswered at the federal level, as a proposed Biden administration rule on national cybersecurity incident reporting requirements is still being finalized by the Cybersecurity and Infrastructure Security Agency. As drafted, school districts with 1,000 or more students and all state education agencies would be required to report a disruptive cyber incident within 72 hours — or within 24 hours of paying a ransom to cybercriminals.
CISA’s rule to implement reporting requirements is part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA. The agency, however, has said it’s likely that reporting won’t begin until 2026 due to regulatory delays.