An entity shall disclose to the department an identified or suspected cybersecurity incident that affects the confidentiality, integrity, or availability of information systems, data, or services.

Disclosure must be made in the most expedient time possible and without unreasonable delay.

Cybersecurity incidents required to be reported to the department include:

1.    Suspected breaches; 2.    Malware incidents that cause significant damage; 3.    Denial of service attacks that affect the availability of services; 4.    Demands for ransom related to a cybersecurity incident or unauthorized disclosure of digital records; 5.    Identity theft or identity fraud services hosted by entity information technology systems; 6.    Incidents that require response and remediation efforts that will cost more than ten thousand dollars in equipment, software, and labor; and

7.    Other incidents the entity deems worthy of communication to the department.