Effective June 26, 2025, Sections 995-b and 995-c of the New York State General Municipal Law require that any school district or BOCES that experiences a cybersecurity incident and/or demand for ransom payment file certain reports with the New York State Division of Homeland Security and Emergency Services (“DHSES”).
The reporting forms may be found at www.dhses.ny.gov/cybersecurity-incident-and-ransom-payment-reporting.
Such reports shall include whether the reporting school district or BOCES is requesting or declining advice and/or technical assistance from DHSES with respect to the reported cybersecurity incident or demand for a ransom payment. These new mandated reports must be made no later than seventy-two hours after a school district or BOCES has a reasonable basis to believe that a cybersecurity incident has occurred.
In addition, where there is a demand for a ransom payment in relation to the cybersecurity incident, and the school district or BOCES pays the ransom, DHSES must be notified as follows:
1. Within twenty-four hours of the ransom payment, notice of the payment; and
2. Within thirty days of the ransom payment, a written description of the reasons payment was necessary, the amount of the ransom payment, the means by which the ransom payment was made, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable state and federal rules and regulations, including those of the United States Department of the Treasury's Office of Foreign Assets Control.
Any cybersecurity incident report, and any records related to a ransom payment, submitted to DHSES in accordance with these new requirements shall be exempt from disclosure under the Freedom of Information Law.
The new reporting requirements do not replace but rather supplement existing mandatory reporting requirements relating to cybersecurity incidents, including those involving the disclosure of confidential information. In addition to reporting cybersecurity incidents as required by law, school districts and BOCES should always notify their insurance carriers when such incidents occur and reach out to legal counsel for guidance.
Please contact us if you have questions about the legal requirements relating to cybersecurity incidents.