Agencies: Report a Data Privacy/Security Incident
Information about Data Privacy/Security/Cyber-incident Reporting
Educational Agencies Must Report Unauthorized Disclosures and/or access to data protected by state and federal laws to SED’s Chief Privacy Officer at firstname.lastname@example.org. Please use the Data Incident Reporting Form to submit your report.
Where applicable, educational agencies may also be required to complete an Incident Recovery form to demonstrate that a cybersecurity incident has been addressed and agency systems have been cleaned. This is important to protect SED’s systems.
Please read the Q&A below for additional information. For questions, please email us at email@example.com. Thank you.
Q: What is a breach?
A: Proposed Part 121 (Education law §2-d’s regulation) defines a breach as the unauthorized acquisition, access, use, or disclosure of student data and/or teacher or principal APPR data by or to a person not authorized to acquire, access, use, or receive the student data and/or teacher or principal data.
The US Department of Education administers the Family Education Rights and Privacy Act (FERPA) and defines a data breach as any instance in which there is an unauthorized release or access of PII or other information not suitable for public release.
Q: What sorts of incidents/breaches should be reported?
A: Any cases of unauthorized acquisition, access, use, or disclosure of student data and/or teacher or principal APPR data by or to a person not authorized to acquire, access, use, or receive it.
Q: Do we need to report an incident where data systems are accessed but no actual data is taken?
A: Yes, because when an infiltration of a data system or application has occurred by someone not authorized to access it, a breach has occurred.
Q: How should Educational Agencies report data incidents/breaches?
Q: What other resources are available to Educational Agencies?
A: We recommend that Educational Agencies that are infected with malware or that need assistance mitigating the impact of a cybersecurity incident contact the NYS Intelligence Center (NYSIC) at 1-844-628-2478. NYSIC is a counter terrorism unit within NYS Division of Homeland Security & Emergency Services (DHSES) that collaborates with a team that includes the NYS Chief Information Security Officer and the Multi-State Information Sharing and Analysis Center (MS-ISAC). They have experienced investigators and additional resources that will assist in detection and remediation efforts.
Q: What if my agency has data reporting obligations that are impacted by a cybersecurity incident? Is there a process for submitting reports and data to Level 2 and the NYSED Business Application Portal?
A: SED has established procedures with our Board of Cooperative Educational Services (BOCES) District Superintendents and Regional Information Center (RIC) Directors to assist with required reporting for the Student Information Repository System (SIRS) and the NYS Business Application Portal (IRSP). The arrangement will provide temporary secure access to designated/approved users of Impacted districts at a RIC or BOCES location using equipment that has not been infected with malware. SED will also assist with any special reporting requirements of our P-12 program offices.
The following are the steps to utilize this alternative reporting arrangement:
- The superintendent of each impacted district must:
- Call their local RIC
- Provide the RIC with a limited list of no more than 4 designated district personnel who currently have IRSP access and are responsible for submitting data via the IRSP.
- Designated personnel must travel to the local RIC at a time agreed upon by the district and RIC to access the IRSP and applications to submit data. Additional dates can be scheduled as needed through the district’s recovery process as needed.
- The RIC and SED will coordinate granting temporary access to the IRSP Business Portal for data submission(s) for designated personnel at the scheduled time.
For additional information about this alternate reporting arrangement, please contact SED’s Information Reporting Service office.