Starting July 26, 2025, school districts and BOCES across New York have new responsibilities when it comes to reporting cybersecurity incidents. In the past, districts mainly had to report when student or staff personal data was exposed under Education Law §2-d. Now, under a new section of the General Municipal Law, districts must also alert the Division of Homeland Security and Emergency Services (DHSES) whenever there’s a cybersecurity incident — even if no personal data was involved. This covers things like ransomware attacks, hacking attempts, or disruptions to your district’s IT systems. Reports must be made within 72 hours, and within 24 hours if a ransom payment is made.
What does this mean for your district? It’s time to double-check that your team knows the reporting rules, has clear steps in place for what to do if an incident happens, and understands who will make the official report. A quick review of your policies and some staff training can go a long way in helping you stay compliant — and more importantly, in keeping your systems and community safe.
Quick Reference: Reporting Requirements
Action Checklist for District Leaders
- Review policies – Make sure your incident response plan reflects the new reporting timelines and includes both DHSES and SED requirements.
- Train staff – Provide quick refreshers so employees know how to spot, report, and escalate potential cybersecurity issues.
- Assign reporting roles – Identify who is responsible for filing reports and ensure backups are in place in case that person is unavailable.

Adam Brigandi, CPA, MBA
Supervisor
Adam is a Supervisor who works with both nonprofit and education clients. His auditing experience allows him to assist in vital audit functions such as systems testing and analysis.