On Board Online • September 1, 2025
By Jeff Mongelli
Senior Staff Counsel
A new law requires school districts and BOCES to report cybersecurity incidents and any demands for ransom to the state Division of Homeland Security and Emergency Services (DHSES). This reporting requirement under a new section of law (Article 19-C of the General Municipal Law) is in addition to reporting requirements applicable to school districts under Education Law section 2-d and regulations of the commissioner of education.
"Our state's information systems are under attack daily," notes the sponsor's memo.
The new law took effect on July 26, 2025. The following FAQ is intended to provide a summary of the new reporting requirements. It also reviews school district reporting requirements under section 2-d for the purpose of comparison.
Reporting Under Article 19-C of the General Municipal Law
Q. When must a report be made?
A. School districts and BOCES must report cybersecurity incidents, including any demands for ransom payment, no later than 72 hours after the school district or BOCES reasonably believes the incident has occurred.
Q. What is a reportable cybersecurity incident under Article 19-C?
A. A cybersecurity incident is "an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon."
Q. What must be included in the Article 19-C report?
A. Public authorities and municipal corporations including school districts and BOCES must submit information in a form and method prescribed by the Department of Homeland Security and Emergency Services. The report must include whether the school district or BOCES is requesting or declining advice and/or technical assistance from DHSES with respect to the reported incident or demand for a ransom payment. Pursuant to a separate change to the N.Y. Executive Law, if such a request for advice and/or assistance is made, then the DHSES commissioner or the commissioner's designee must provide advice to the school district or BOCES and, to the extent practicable, provide technical assistance.
Q. Do special rules apply to the submission of an Article 19-C report if a ransom payment has been made in connection with a cybersecurity incident?
A. Yes. In such a situation, the school district or BOCES must provide to the DHSES commissioner:
- Notice of payment within 24 hours of the ransom payment.
- A written description of the reasons that payment was necessary within 30 days of the payment. The description must include the amount of the ransom payment, the means by which the ransom payment was made, a description of considered alternatives to payment, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with state and federal rules and regulations including those of the U.S. Department of the Treasury's Office of Foreign Assets Control.
Q. Is the Article 19-C report exempt from the Freedom of Information Law (FOIL)?
A. Yes. Any cybersecurity incident report and any records related to a ransom payment submitted to the DHSES commissioner are exempt from disclosure under FOIL.
Breach of security reporting requirements under Education Law section 2-d and/or Regulations of the Commissioner of Education
Q. What is a breach under Education Law section 2-d and/or commissioner's regulations?
A. Such a breach consists of the "unauthorized acquisition, access, use, or disclosure of student data and/or teacher or principal data by or to a person not authorized to acquire, access, use, or receive the student data and/or teacher or principal data."
Q. What constitutes an unauthorized disclosure or unauthorized release under Education Law section 2-d and/or commissioner's regulations?
A. These terms mean "any disclosure or release not permitted by federal or state statute or regulation, any lawful contract or written agreement, or that does not respond to a lawful order of a court or tribunal or other lawful order."
Q. What is student data and teacher and principal data under Education Law section 2-d and/or commissioner's regulations?
A. Student data is personally identifiable information from the student records of a school district, BOCES, school or the State Education Department. Teacher or principal data is personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the Education Law.
Q. What are the basic notification/reporting requirements of school districts and BOCES under Education Law section 2-d and/or commissioner's regulations?
A. School districts and BOCES must report every discovery or report of any breach or unauthorized release of student, teacher or principal data to the State Education Department's Chief Privacy Officer. They must also notify affected parents, eligible students (those 18 or older), teachers and/or principals of a breach or an unauthorized release of personally identifiable information.
Q. When must school districts and BOCES report the discovery of a breach or unauthorized release of student, teacher or principal data to the Chief Privacy Officer?
A. The report must be made to the Chief Privacy Officer without unreasonable delay, but no more than 10 calendar days after such discovery, or no more than 10 calendar days after receiving a third-party contractor's notification of any breach or unauthorized release of personally identifiable information. For more information on reporting requirements to the Chief Privacy Officer and the appropriate forms, see NYS Education Department, Educational Agencies: Report A Data Privacy/Security Incident, at: bit.ly/3VcrdS3.
Q. When must school districts and BOCES notify affected parents, eligible students, teachers and/or principals?
A. Notice must be given in the most expedient way possible, but no more than 60 calendar days after discovery of a breach or unauthorized release by the district or BOCES, or the receipt of a notification of a breach or unauthorized release from a third-party contractor. An exception would apply if notification would interfere with an ongoing investigation by law enforcement or cause further disclosure of personally identifiable information by disclosing an unfixed security vulnerability. When there is a delay under such circumstances, the notification must be made within seven calendar days after the security vulnerability has been remedied or the risk of interference with the law enforcement investigation ends.
Q. In what manner must that notification be made and what should it include?
A. The notification must be directly provided to the affected parent, eligible student, teacher or principal by first-class mail to their last known address; by email; or by telephone. It must be clear and concise and use language that is plain and easy to understand. To the extent available, it must include a brief description of the breach or unauthorized release, the dates of the incident and the date of discovery, if known; a description of the types of personally identifiable information affected; an estimate of the number of records affected; a brief description of the district's investigation or plan to investigate; and contact information for representatives who can assist with questions.