NY S07672

Municipal corporations and public authorities must report cybersecurity incidents to the Division of Homeland Security and Emergency Services within 72 hours of discovering the incident, with reports exempt from Freedom of Information Law disclosure

Ransom payments must be reported within 24 hours of payment, followed by a written explanation within 30 days detailing the payment amount, reasons for payment, alternatives considered, and compliance with federal treasury regulations

State employees and employees of public benefit corporations who use technology in their jobs must complete annual cybersecurity awareness training beginning January 1, 2026, conducted during regular work hours at regular pay

Local government employees (counties, cities, towns, villages, districts) must also take annual cybersecurity awareness training starting January 1, 2026, with the state providing free training options they may use or substitute with equivalent training

State agencies must create incident response plans within 18 months of the law's effective date, maintain information system inventories within 2 years, and conduct annual exercises of their incident response plans beginning January 1, 2028