Recently enacted General Municipal Law Article 19-c requires all New York State public school districts to report to the New York State Division of Homeland Security and Emergency Services:

1.  Any cybersecurity incident and/or any demand for ransom within 72 hours after reasonably identifying a cybersecurity incident has occurred.
2.  A ransom payment within 24 hours of payment.
3.  A ransom payment explanation within 30 days of payment. 



For more information about this new requirement, visit the DHSES website on Cybersecurity Incident and Ransom Payment Reporting. 

Educational agencies must continue to report data incidents pursuant to Education Law § 2-d. Data incident reporting to NYSED remains unchanged.

SDPC Resource Registry Updates and Reminder

A data privacy agreement (DPA) is a contract between two parties that states the rights and obligations of each party concerning the protection of sensitive data. In accordance with Education Law § 2-d, education agencies in New York State enter into DPAs with vendors and third-party contractors to support the protection of student data and certain staff data (such as protected APPR data). 

One tool to alleviate the burden of entering DPAs with vendors is the SDPC Resource Registry. The Registry streamlines the DPA process. 

There are currently 12 RICS, 37 BOCES, and 615 School District actively represented within the registry which allows 1,400 users access to NYS Standardized DPAs.

There are currently 1,260 Vendors representing over 2,084 DPAs that are available to NYS educational entities.

If your school district would like to learn more about the Resource Registry, please contact your local RIC. Charter schools can contact RICDPAsupport@ricone.org.  

Save the Date

RIC One Data Privacy and Security Service (DPSS) 5th Annual Statewide Conference

March 24 & 25, 2026

Turning Stone Resort Casino

Verona, NY

Questions?

You can contact us at privacy@nysed.gov.