N.Y. General Municipal Law Section 995-B
Reporting of cybersecurity incidents

1.

Notwithstanding any other provision of law to the contrary, all municipal corporations and public authorities shall report cybersecurity incidents and when applicable, the demand of a ransom payment, to the commissioner of the division of homeland security and emergency services in the form and method prescribed by such commissioner. Such report shall include whether the reporting municipal corporation or public authority is requesting or declining advice and/or technical assistance from the division of homeland security and emergency services with respect to the reported cybersecurity incident or demand for a ransom payment.

2.

All municipal corporations and public authorities shall report cybersecurity incidents, including demands for ransom payment, no later than seventy-two hours after the municipal corporation or public authority reasonably believes the cybersecurity incident has occurred.

3.

Any cybersecurity incident report and any records related to a ransom payment submitted to the commissioner of the division of homeland security and emergency services pursuant to the requirements of this article shall be exempt from disclosure under article six of the public officers law. * NB Effective July 26, 2025

Source: Section 995-B — Reporting of cybersecurity incidents, https://www.­nysenate.­gov/legislation/laws/GMU/995-B (updated Jul. 4, 2025; accessed Jul. 12, 2025).

Green check means up to date. Up to date

Verified:
Jul. 12, 2025

Last modified:
Jul. 4, 2025

§ 995-B. Reporting of cybersecurity incidents's source at nysenate​.gov

Link Style