(a) Qualified cybersecurity incidents shall be reported to the Cybersecurity Office before any citizen notification, but no later than 10 days following a determination that the entity experienced a qualifying cybersecurity incident.
(b) A qualified cybersecurity incident meets at least one of the following criteria:
(1) State or federal law requires the reporting of the incident to regulatory or law- enforcement agencies or affected citizens;