**Where you aware?
The Law for NYS Fire Districts
Under New York State law (Article 19-c of the General Municipal Law), fire districts are legally classified as “municipal corporations”. This law mandates strict reporting and training guidelines that directly shape a district’s disaster recovery and incident response protocols:
- Mandatory 72-Hour Incident Reporting: Fire districts must report any cybersecurity incident or ransom demand to the New York State Division of Homeland Security and Emergency Services (DHSES) within 72 hours of discovery. [1]
- Ransomware Deadlines: If a district decides to make an extortion or ransom payment, they must notify DHSES within 24 hours. A full written explanation detailing the amount, the reasoning, and compliance steps must follow within 30 days. [1, 2]
- Annual Cybersecurity Training: All fire district employees and officials must complete annual cybersecurity awareness training. [1]
Building a Compliant Plan for a Fire District
While you do not need to follow the dense NY Department of Financial Services financial framework, your district’s cyber disaster recovery plan should be built around the NYS DHSES Reporting Portal. A resilient local government plan should emphasize:
- Low Materiality Thresholds: Because state law requires reporting any incident without a minimum size threshold, your internal plan must define “incident” broadly enough to catch minor compromises (like a single phished email or a lost device) before the 72-hour window closes.
- State Assistance Triggers: The DHSES is required to provide advice and technical support following an incident. Your recovery plan should include clear steps on how and when to request this state-level emergency assistance.
Cybersecurity Training Requirement (State Technology Law § 103-f)
- Starting January 1, 2026, local government employees who use technology as part of their official job duties must take annual cybersecurity awareness training
- The state will make training available at no cost
- Equivalent cybersecurity awareness training may also be provided by other sources
- Training must take place during compensated regular work hours
Consult with your municipal/fire district insurance provider for the availability of training, AMSURE, ESIP and VFIS all offer cybersecurity on-line training for employees.