
New York’s Cybersecurity Mandate: What the New Legislation Means for Municipalities and Why It Could Signal a National Shift

Written by: Robert Noble and Matthew Gross

 

In a significant move aimed at bolstering defenses against the ever-growing wave of cyberattacks, New York State has passed legislation that mandates stronger cybersecurity protocols and reporting standards for municipalities and public authorities. Signed into law on June 26, 2025, this sweeping bill (S.7672-A/A.6769-A), sponsored by Senator Monica Martinez, represents a turning point in how public entities across New York must prepare for and respond to cyber threats.[1]

As a law firm headquartered in Buffalo, New York, The Beckage Firm is uniquely positioned to understand the impact of this legislation on our clients and partners. Municipalities, school districts, and public authorities across Western New York and the rest of the state must now comply with these new requirements, or risk exposure not only to cyber threats but also to legal and operational vulnerabilities.

What the New Law Requires

The new legislation establishes mandatory reporting and transparency rules for all cybersecurity incidents affecting public entities, including ransomware attacks.

Key provisions include:

  1. Mandatory Reporting of Cyber Incidents:
     • All municipalities and public authorities must report cybersecurity incidents to the New York State Division of Homeland Security and Emergency Services (DHSES) within 72 hours of detection.[2]
     • If a ransom payment is made, it must be reported within 24 hours of the transaction.
     • Within 30 days of a ransom payment, the entity must submit a detailed report outlining the amount paid, the rationale behind the decision, alternative options considered, and compliance with federal regulations such as OFAC guidelines.
  2. Confidentiality Safeguards: All reports submitted to DHSES will be exempt from disclosure under the state’s Freedom of Information Law (FOIL), helping ensure that sensitive security information does not fall into the wrong hands.[3]
  3. Review and Threat Assessment: DHSES will assess all reported incidents for threats to public health, safety, and security. The agency may coordinate with state and federal law enforcement to share intelligence and offer technical support.
  4. Cybersecurity Training: By January 1, 2026, annual cybersecurity awareness training will be mandatory for all employees of public entities.
  5. Cybersecurity Standards: The law introduces data protection and cybersecurity standards for public systems managed by the state. Local governments will be encouraged to align with these standards to improve uniformity and preparedness.

Why This Matters to Municipalities Across New York State

From New York City to rural townships in the North Country, public entities across the state are facing increasing pressure to strengthen their cybersecurity posture. This legislation ensures that all corners of the state—regardless of size, location, or budget—must take proactive steps to prepare for and respond to cyber threats.

Schools, public utilities, transportation systems, and city and town governments are common targets for ransomware and other cyberattacks. The new law creates a unified standard for response and compliance, thereby reducing fragmentation and improving coordination among local, state, and federal agencies.

Under this law, New York municipalities and public authorities will need to:

  • Develop or revise internal cyber incident response protocols.
  • Train staff on best practices and compliance.
  • Budget for the legal and operational resources necessary to fulfill reporting obligations.
  • Coordinate more effectively with state and federal partners.

The Beckage Firm is committed to supporting public entities throughout New York State. Our team offers guidance in developing incident response plans, providing cybersecurity training, assessing current security frameworks, and ensuring full legal compliance.

Are We Seeing the Start of a National Trend?

New York’s new legislation sets a precedent for other states looking to combat cybercrime at the municipal level. While federal efforts like the 2017 Strengthening State and Local Cyber Crime Fighting Act emphasized training and resources for law enforcement, New York’s law introduces mandatory, enforceable obligations for local governments.[4]

We are beginning to see similar legislative movement elsewhere:

  • California has proposed rules requiring public agencies to disclose cyberattacks and undergo third-party risk assessments.[5]
  • Texas already mandates breach reporting for local governments and has invested heavily in its Department of Information Resources to support cybersecurity initiatives.[6]
  • Michigan and Illinois are considering similar bills to protect public school systems from ransomware and data breaches.[7]

While not all states have implemented the same level of rigor as New York, the trajectory is clear: cybersecurity is no longer an IT-only issue. It’s a legal and operational imperative, and legislators nationwide are starting to respond accordingly.

Looking Ahead

New York’s law is more than a state mandate; it’s a model that other jurisdictions may look to replicate. For public entities and their partners, the takeaway is simple: prepare now.

Whether you represent a municipal government, a public utility, or an educational institution, your organization will need to be equipped not only with the right technology but also the right policies and legal strategies to comply with this evolving landscape.

At The Beckage Firm, we combine deep legal expertise with technological insight to help our clients stay ahead of cyber risks. From regulatory compliance to crisis response and long-term resilience planning, we are here to guide you through the complexities of cybersecurity law.

If you have questions about how this law applies to your organization or want to ensure compliance ahead of the 2026 training deadline, contact our team today.

Stay secure. Stay compliant. Stay prepared.

**Attorney Advertising: Prior results do not guarantee future outcomes**

 

[1] New York Senate Bill S7672-A, 2025-2026 Legis. Sess. (N.Y. 2025) (enacted as Chapter 177, signed June 26, 2025) (amending N.Y. Gen. Mun. Law art. 19-C, Exec. Law § 711-c, and State Tech. Law §§ 103-f & 210) (requiring municipal cybersecurity incident and ransomware payment reporting, training, and data-protection standards). https://www.nysenate.gov/legislation/bills/2025/S7672/amendment/A
[2] Monica R. Martinez, New York Upgrades Its Firewall Against Cyberattacks (N.Y. State Senate press release Aug. 4, 2025), available at New York State Senate Newsroom https://www.nysenate.gov/newsroom/press-releases/2025/monica-r-martinez/new-york-upgrades-its-firewall-against-cyberattacks
[3] S.7672-A, supra note 1.
[4] H.R. 1616, 115th Cong. (2017) (enacted as Pub. L. No. 115-76 Nov. 2, 2017) – Strengthening State and Local Cyber Crime Fighting Act of 2017, which amended the Homeland Security Act of 2002 to authorize the National Computer Forensics Institute https://www.congress.gov/bill/115th-congress/house-bill/1616/text
[5] Asm. Com. On Privacy & Consumer Prot., Analysis of A.B. 325 (Aguiar-Curry) – As Amended April 24, 2025 (Apr. 2025) (hearing of May 1, 2025 – fiscal) https://apcp.assembly.ca.gov/system/files/2025-04/ab-979-irwin-apcp-analyses.pdf
[6] Tex. Dep’t of Info. Res., Statewide Cybersecurity Awareness Training, available at the DIR Information Security Website https://dir.texas.gov/information-security/statewide-cybersecurity-awareness-training
[7] Nat’l Conf. Of State Legislatures, Cybersecurity 2025 Legislation (updated Mar. 28, 2025), https://www.ncsl.org/technology-and-communication/cybersecurity-2025-legislation
