New York cyber law strengths local reporting requirements
New York Gov. Kathy Hochul speaks during a previous event. Hochul recently signed legislation strengthening cyber reporting requirements for local governments. John Lamparski via Getty Images
By
Chris Teale
Local governments that are hacked now have 72 hours to tell the state, and 24 hours to disclose if they paid a ransom. The new law also mandates cyber training and sets data protection standards.
New York Gov. Kathy Hochul late last month signed legislation to strengthen local governments’ cybersecurity reporting requirements and cyber training for their employees.
Under the legislation, localities now have 72 hours to tell the New York State Division of Homeland Security and Emergency Services if they have been hacked, and 24 hours to disclose if they have paid a ransom. Employees at all local governments will be required to complete annual cybersecurity awareness training, while state information systems have new data protection standards.
“As global conflicts escalate and cyber threats evolve, so must our response, and we are taking a whole of government approach in doing so,” Hochul said in a statement. “Requiring timely incident reporting and providing annual cybersecurity training for government employees will build a stronger digital shield for every community across the State and ensure they get the support they need when it matters most.”
Hochul had initially announced the legislation during her State of the State address earlier this year. At the time, she said New York had made “progress” in enhancing its cybersecurity capabilities, but more work lay ahead, especially as local governments were not required to report cyber incidents.
The new requirements come as New York has embraced a whole-of-state approach to cybersecurity, which emphasizes information sharing between the different levels of government, collaboration with the private sector and a recognition of shared threats. Hochul had already moved in that direction last year with the establishment of a statewide cybersecurity strategy and a joint security operations center. This new law, which passed both the State Senate and Assembly with large majorities, builds on that progress.
“Since the August 2023 release of Governor Hochul’s NYS Cybersecurity Strategy, New York has steadily increased cybersecurity assistance to local governments,” Assemblymember Steve Otis, a Democrat who co-sponsored the legislation, said in a statement. “This important legislation continues that commitment by requiring prompt reporting of cyberattacks and ransom payments and cybersecurity training of government employees. Full knowledge of cyberattacks statewide will allow state cyber agencies to better advise local governments and school districts about the evolving threat environment. This new law is another example of Governor Hochul and the Legislature working together to expand our resilience to these threats.”
Training employees is also a critical part of staying prepared for cyberattacks, and can take many forms. Some states, like Maryland and New Jersey, are turning to student-run cyber ranges to grow the talent pipeline and give the next generation real-world experience. Meanwhile, states are revamping their cyber training to make it more engaging, beyond the standard curriculum that was offered previously. Ohio, for example, brought “mindfulness” to its refreshed training program, away from what a state official last year called a “one-time, annual compliance mindset.”
New York will offer standardized cyber training for free to its local government employees as part of its broad shared services program, which also includes the JSOC and a boost for various law enforcement agencies.
“The enactment of this legislation marks a critical step forward in strengthening our collective defense against digital threats to the State and its local governments,” Barbara Van Epps, executive director of the New York State Conference of Mayors, said in a statement released by Hochul’s office. “By requiring prompt incident reporting, ransomware disclosures and annual cybersecurity training, the Governor is sending a clear message: cybersecurity is not just an IT issue — it’s a core public safety priority that demands coordination, vigilance and shared responsibility.”
New York and its municipalities have struggled in the face of multiplying cyberattacks and other threats. Notably, lawmakers last year blamed a hack for a delayed budget deal, while Comptroller Thomas DiNapoli has warned of the consequences of an attack on the state’s critical infrastructure. Also last year, New York City was forced to take a city payroll website offline after a phishing attack. It makes for worrying times for state and local leaders.
“In our increasingly digital world, our data is constantly at risk,” state Sen. Kristen Gonzalez said in a statement issued by Hochul’s office. “As emerging technologies make it easier for hackers to access our data, readiness isn't just an option for our government; it's our imperative.”