The law defines reportable incidents as those that
(1) jeopardizes or may potentially jeopardize the confidentiality, integrity, or availability of an information system, an operational system, or the information that such systems process, store, or transmit;
(2) jeopardizes or may potentially jeopardize the health and safety of the public; or
(3) violate security policies, security procedures, or acceptable use policies.