(a) "Cybersecurity incident" means a malicious or suspicious occurrence that consists of one (1) or more of the categories of attack vectors described in subsection (b) and defined on the office's website that:
- (1) jeopardizes or may potentially jeopardize the confidentiality, integrity, or availability of an information system, an operational system, or the information that such systems process, store, or transmit;
- (2) jeopardizes or may potentially jeopardize the health and safety of the public; or
- (3) violates security policies, security procedures, or acceptable use policies.
(b) A cybersecurity incident may consist of one (1) or more of the following categories of attack vectors:
- (1) Ransomware.
- (2) Business electronic mail compromise.
- (3) Vulnerability exploitation.
- (4) Zero-day exploitation.
- (5) Distributed denial of service.
- (6) Website defacement.
- (7) Other sophisticated attacks as defined by the chief information officer and that are posted on the office's website.
As added by P.L.134-2021, SEC.2. Amended by P.L.1-2025, SEC.21.