Until a cybersecurity incident is resolved, an entity shall disclose clarifying details regarding a cybersecurity incident to the department, including: 1. The number of potentially exposed records; 2. The type of records potentially exposed, including health insurance information, medical information, criminal justice information, regulated information, financial information, and personal information; 3. Efforts the entity is undertaking to mitigate and remediate the damage of the incident to the entity and other affected entities; and 4. The expected impact of the incident, including: a. The disruption of the entity services; b. The effect on customers and employees that experienced data or service losses;
c. The effect on entities receiving wide area network services from the department; and d. Other concerns that could potentially disrupt or degrade the confidentiality, integrity, or availability of information systems, data, or services that may affect the state.