In Chapter 177 of the Laws of 2025, the Legislature and the Governor have amended the General Municipal Law, the Executive Law and the State Technology Law in relation to municipal cybersecurity incident reporting and exempting such reports from Freedom of Information Law requirements. They also set new standards for cybersecurity awareness training for government employees, data protection standards, and cybersecurity protection. The sponsors of these new laws noted that their purpose is to have the Division of Homeland Security and Emergency Services [“DHSES”] “provide information, guidance and training on cybersecurity issues to local governments and public authorities, establish certain reporting requirements for cybersecurity incidents and ransomware attacks, and establish a framework for state agencies to respond to cybersecurity incidents.”
This is critical legislation that must be considered and implemented by local government entities that utilize information technology to serve the public. In other words, it applies to all local governments, including fire districts.
Section one of the bill adds a new Article 19-c to the General Municipal Law that requires municipal corporations and public authorities to report to the Department of Homeland Security and Emergency Services (DHSES):
- any cybersecurity incidents within seventy-two hours after such municipal corporation believes that the cybersecurity incident has occurred; and
- notice of any ransom payment made in connection with a cybersecurity incident within twenty-four hours, followed by a written description within thirty days as to why the ransom payment was necessary, alternatives considered, and all diligence performed to find alternatives and ensure compliance with the law.
Section three of the bill amends the State Technology Law to require that all employees of the state, and of a county, city, town, village, or special district, who use technology as a part of their official job duties take an annual cybersecurity awareness training during compensated working hours beginning in 2026. The state Office of Information Technology Services shall be required to make a free training available for use by a county, city, town, village, or special district, but employees can meet the annual training requirement through other training programs and will not be required to complete the training provided by the office.
It does appear that the new mandatory annual cybersecurity training requirement will be a necessary addition to your other training programs for fire district personnel. The requirement for training becomes effective on January 1, 2026. Some commentators may point out that the statutory language in the new law may raise questions on whether the training is mandatory for fire district personnel, but we would submit that the danger in not having your personnel take the annual training when it is made available by New York State is not worth the risk of opting out of the training.
[ON-LINE COURSES ARE AVAILABLE FROM MCNEIL RISK MANAGEMENT, CYBER SECURITY, WEBINAR CYBER SECURITY FOR YOUR ORGANIZATION AND DEFENSIVE COMPUTING AT: https://training.mcneilandcompany.com/Classroom.aspx OR CHECK WITH YOUR INSURANCE CARRIER TO SEE IF THEY PROVIDE CYBER SECURITY TRAINING]