What is a Security Incident?
What Cybersecurity Incidents are required to be reported?
- Suspected breaches.
- Malware incidents that cause significant damage.
"Significant damage" means:
- A degradation in or loss of mission capability to an extent and duration that the entity is not able to perform one or more of its primary functions;
- Damages of ten thousand dollars ($10,000) or more to entity assets as estimated by the entity;
- A financial loss of ten thousand dollars ($10,000) or more as estimated by the entity; or
- Harm to individuals involving loss of life or serious life - threatening injuries.
- Denial of Service (DoS) attacks that affect the availability of services.
- Demands for ransom related to a cybersecurity incident or unauthorized disclosure of digital records.
- Identity theft or identity fraud services hosted by entity information technology systems.
- Incidents that require response and remediation efforts that will cost more than ten thousand dollars ($10,000) dollars in equipment, software, and labor.
- Other incidents the entity deems worthy of communication to the department.
The new law is effective as of Aug. 1, 2021.
Frequently Asked Questions
Yes. According to the law, "disclosure must be made in the most expedient time possible and without unreasonable delay".
The Cybersecurity Incident Reporting form has a response field that asks if you would like assistance.
If yes, an NDIT cybersecurity analyst will contact you. If you require immediate assistance, please contact the Service Desk at 701-328-4470 after completing this form.
Yes. Under the new law, ALL cybersecurity incidents meeting the above criteria must be reported to NDIT, even if no assistance is required or if the incident has already been resolved.
If you requested assistance when you completed the form, a cybersecurity analyst will be contacting you. If you did not request assistance, a cybersecurity analyst will follow up with you only if additional details are needed.
It depends. Until a cybersecurity incident is resolved, an entity shall disclose clarifying details regarding a cybersecurity incident to NDIT, including:
- The number of potentially exposed records, potentially affected victims;
- The type of records potentially exposed, including (but not limited to) health insurance information, medical information, criminal justice information, regulated information, financial information, and personal information;
- Efforts the entity is undertaking to mitigate and remediate the damage of the incident to the entity and other affected entities; and
- The expected impact of the incident, including:
- The disruption of the entity services;
- The effect on customers and employees that experienced data or service losses;
- The effect on entities receiving wide area network services from NDIT; and
- Other concerns that could potentially disrupt or degrade the confidentiality, integrity, or availability of information systems, data, or services that may affect the state.
NDIT is required to report all cybersecurity incidents to Legislative Management. This report includes the status of the cybersecurity incident and any response or remediation to mitigate the cybersecurity incident.
However, NDIT will ensure all reports of disclosed cybersecurity incidents are communicated in a manner that protects victims of cybersecurity incidents, prevents unauthorized disclosure of cybersecurity plans and strategies, and adheres to federal and state laws regarding protection of cybersecurity information.