
Op-Ed | NY municipalities, public authorities must report cybersecurity incidents


A state law requiring municipalities and public authorities to report cybersecurity incidents within 72 hours and ransomware payments within 24 hours compels New York governments to ensure they have protocols in place to collect and report the required information.

The law, which took effect July 28, requires municipalities and districts to report both cybersecurity incidents and ransomware payments to the New York State Division of Homeland Security and Emergency Services (DHSES). New York City is exempted from this regulation.

Governor Kathy Hochul said collecting this information will improve New York’s ability to address cybersecurity threats, safeguard critical infrastructure and tackle the scourge of ransomware.

“My top priority as governor is the security and safety of all New Yorkers, and with this legislation we’re strengthening our ability to respond to and ultimately prevent cyber threats all across our state,” she said. “As global conflicts escalate and cyber threats evolve, so must our response, and we are taking a whole of government approach in doing so. Requiring timely incident reporting and providing annual cybersecurity training for government employees will build a stronger digital shield for every community across the state and ensure they get the support they need when it matters most.”

New Law Follows Attacks Throughout the Nation

The new law is a recognition by the governor and her colleagues — the bill that eventually became law was introduced by Sen. Monica R. Martinez — that municipalities throughout the country are increasingly the target of cyber threats. Local governments handle vast amounts of personal and financial data, making them attractive targets; and many local governments lack the financing to invest in robust cybersecurity infrastructure and training.

Over the last five years, several major U.S. cities, including Dallas, Baltimore and Oakland, have been the victims of large-scale ransomware attacks. In late July, St. Paul, Minnesota, shut down the bulk of its computer systems and the state’s governor called on the National Guard and FBI to assist with a “deliberate, coordinated digital attack, carried out by a sophisticated external actor.”

In Ohio, a cyberattack on Cleveland Municipal Court in February and a ransomware attack on Cleveland City Hall last summer resulted in the state passing CyberOhio, an initiative to provide resources and support to Ohio’s local governments, including guidance on cybersecurity standards and access to the Ohio Cyber Range Institute for training. 

Ransomware is especially troublesome for governmental entities because paying the ransom ultimately uses taxpayer money to support organizations often sponsored by nation states hostile to this country. The FBI has urged all victims to decline to pay ransoms if at all avoidable. 

But, for businesses, the pressure to pay is high, both from an optical standpoint and as a perceived matter of survival. Governmental entities can expect it to be ultimately known that they paid a ransom and face fallout from their constituencies. This is why the New York law has a particular focus on ransomware and seeks to capture the rationale for paying the ransom. The law also drives each governmental entity to use the resources offered by the state’s incident response team, which can be an important resource to smaller entities by offering guidance gained from more experience with cybersecurity issues.

Here in New York, a 2022 ransomware attack by the BlackCat hacker group on Suffolk County cost taxpayers $25 million. Attackers installed remote-access tools and stole sensitive files before encrypting the county’s data. This crippled core services, shut down systems for weeks and exposed the personal data of hundreds of thousands of county residents. 

That attack, and others, prompted a 2023 report by the state comptroller that found cybersecurity incidents in New York rose 53 percent between 2016 and 2022, jumping from 16,426 incidents in 2016 to 25,112 in 2022. The comptroller estimated the state had experienced a loss of $775 million from the attacks.

The federal government has taken notice, too. In March, it released the National Resilience Strategy, which stated “it is the policy of the United States that State and local governments and individuals play a more active and significant role in national resilience and preparedness, thereby saving American lives, securing American livelihoods, reducing taxpayer burdens through efficiency, and unleashing our collective prosperity.” And earlier this month, the U.S. Department of Homeland Security (DHS) announced a new round of funding for the State and Local Cybersecurity Grant Program (SLCGP). That program provides $1 billion over four years to state, local and tribal governments to implement cybersecurity plans that address emerging threats.

How to Report a Cybersecurity Incident

As an attorney focused on cybersecurity, I applaud these efforts. New York’s new law also mandates annual cybersecurity awareness training for government employees across the state, sets data protection standards for state-maintained information systems and requires reviews following significant incidents.

Incidents, defined as events occurring on a computer network which actually or imminently jeopardize the confidentiality, integrity or availability of computers, information, communication systems, networks or physical or virtual infrastructure, must be reported within 72 hours and the government must indicate whether it is accepting or declining assistance from DHSES.

The Division of Homeland Security and Emergency Services has established a portal to report incidents. Many districts and municipalities are pre-populated in the form and there is an option to create a new one if yours is not listed. The portal seeks information about the nature of the event and risk and drives the reporting entity to reach out to DHSES’ Cyber Incident Response team.

The form includes much of the same information one might find as a part of an incident log. It is worth reviewing the form to ensure all the information is captured by either your internal technology teams or a vendor, if cybersecurity services are outsourced. The information provided in the form is exempted from FOIL disclosure, but it is still a good idea to have an attorney review the proposed responses and rationales about ransomware decisions prior to filing.

If your municipality or district is covered by this law, you should review your incident response plan and incident log template to ensure all issues required for disclosure under this new law are addressed and the rationale for each relevant decision is recorded and fully justified.

I’d also recommend adopting best practices, such as those outlined by the National Institute of Standards and Technology and Center for Internet Security. Prevention is, indeed, the best medicine. 

Attorney Alan M. Winchester leads Harris Beach Murtha’s Cybersecurity Protection and Response Practice Group and regularly assists public and private entities with cybersecurity.