Skip to main content

Agencies: Report a Data Privacy/Security Incident

Information about Data Privacy/Security/Cyber-incident Reporting

Educational Agencies Must Report Unauthorized Disclosures and/or access to data protected by state and federal laws to SED’s Chief Privacy Officer at privacy@nysed.gov. Please use the Data Incident Reporting Form to submit your report.

Where applicable, educational agencies may also be required to complete an Incident Recovery form to demonstrate that a cybersecurity incident has been addressed and agency systems have been cleaned. This is important to protect SED’s systems.

Please read the Q&A below for additional information. For questions, please email us at privacy@nysed.gov. Thank you.

Q: What is a breach?

A: Part 121 (Education law §2-d’s regulation) defines a breach as the unauthorized acquisition, access, use, or disclosure of student data and/or teacher or principal APPR data by or to a person not authorized to acquire, access, use, or receive the student data and/or teacher or principal data.

The US Department of Education administers the Family Education Rights and Privacy Act (FERPA) and defines a data breach as any instance in which there is an unauthorized release or access of PII or other information not suitable for public release.

Q: What sorts of incidents/breaches should be reported?

A: Any cases of unauthorized acquisition, access, use, or disclosure of student data and/or teacher or principal APPR data by or to a person not authorized to acquire, access, use, or receive it.

Q: Do we need to report an incident where data systems are accessed but no actual data is taken?

A: Yes, because when an infiltration of a data system or application has occurred by someone not authorized to access it, a breach has occurred.

Q: How should Educational Agencies report data incidents/breaches?

A: By completing the Data Incident Reporting Form or by emailing Privacy@nysed.gov to request a form.

Q: What other resources are available to Educational Agencies?

A: We recommend that Educational Agencies that are infected with malware or that need assistance mitigating the impact of a cybersecurity incident contact the NYS Intelligence Center (NYSIC) at 1-844-628-2478. NYSIC is a the state Fusion Center, overseen by the New York State Police. Your request for assistance will be relayed to the NYS Division of Homeland Security & Emergency Services (DHSES) Cyber Incident Response Team (CIRT), which has experienced incident response professionals and access to additional resources and partners at federal and state agencies that will assist in detection and remediation efforts.

Q: What if my agency has data reporting obligations that are impacted by a cybersecurity incident? Is there a process for submitting reports and data to Level 2 and the NYSED Business Application Portal?

A: SED has established procedures with our Board of Cooperative Educational Services (BOCES) District Superintendents and Regional Information Center (RIC) Directors to assist with required reporting for the Student Information Repository System (SIRS) and the NYS Business Application Portal (IRSP). The arrangement will provide temporary secure access to designated/approved users of Impacted districts at a RIC or BOCES location using equipment that has not been infected with malware. SED will also assist with any special reporting requirements of our P-12 program offices.

The following are the steps to utilize this alternative reporting arrangement:

  • The superintendent of each impacted district must:
  • Call their local RIC
  • Provide the RIC with a limited list of no more than 4 designated district personnel who currently have IRSP access and are responsible for submitting data via the IRSP.
  • Designated personnel must travel to the local RIC at a time agreed upon by the district and RIC to access the IRSP and applications to submit data. Additional dates can be scheduled as needed through the district’s recovery process as needed. 
  • The RIC and SED will coordinate granting temporary access to the IRSP Business Portal for data submission(s) for designated personnel at the scheduled time. 

For additional information about this alternate reporting arrangement, please contact SED’s Information Reporting Service office.