NY Law Shields Cyberattack, Ransom Payment Details | The Locally Times

A New York State law signed in June 2025 exempts municipal cybersecurity incident and ransom payment reports from public disclosure under the Public Officers Law.

New York State Governor Kathy Hochul signed a law on June 26, 2025, establishing cybersecurity incident reporting requirements for municipal corporations and public authorities. This legislation, Article 19-c of the General Municipal Law, mandates that local governments and public authorities report cyber incidents and ransom demands to the New York State Division of Homeland Security and Emergency Services (DHSES). While the law creates a reporting mechanism for cyber threats, it also shields these reports from public scrutiny, creating a transparency gap for residents. If a ransom payment is made, the entity must report the payment within 24 hours of its execution and provide a detailed explanation of the payment within 30 days. The DHSES Cyber Incident Response Team (CIRT) also provides assistance with cyber incident response and offers proactive cybersecurity services to local governments, non-Executive state agencies, and public authorities. ## Public Disclosure Exemption Established A significant provision within the new legislation ensures that these mandated reports remain confidential. General Municipal Law Section 995-b(3) explicitly exempts any cybersecurity incident report and any records related to a ransom payment submitted to DHSES from disclosure. This exemption applies under Article 6 of the Public Officers Law, which governs public access to government records. This means that the details of cyberattacks, including the nature of incidents and any payments made to cybercriminals, are not accessible to the public through standard freedom of information requests. The records do not specify the rationale state officials cited for including this exemption from public disclosure within the General Municipal Law. The legislative process leading to this specific exemption is not detailed in the provided materials. Consequently, the public lacks information about the justifications presented for withholding these records, which typically would be available for public review. This provision effectively removes a layer of public oversight from how local governments manage and respond to significant digital security breaches and financial demands. The law creates a framework where reporting is mandatory to a state agency, but public access to the outcomes of these reports is explicitly denied. ## Unanswered Questions and Accountability Concerns for Taxpayers Since the law took effect on June 26, 2025, the number of cybersecurity incidents or ransom payments reported to DHSES remains unknown to the public. The records do not provide any data on how many New York State municipal corporations or public authorities have experienced cyberattacks, nor do they indicate the frequency of ransom demands or payments. This absence of data prevents a public understanding of the scale of cyber threats impacting local government services, from utilities to public safety and administrative functions. Furthermore, the financial impact of these incidents and any subsequent ransom payments on municipal budgets and, by extension, taxpayers, is not publicly documented. Local residents cannot determine how much public money may be spent to resolve cyber incidents or pay ransoms, as these financial details are shielded by the law. The records do not specify how municipalities and public authorities are absorbing these costs, nor do they outline the long-term budget implications for local communities. This lack of transparency means that the public cannot assess the economic burden of cyber vulnerabilities or hold officials accountable for cybersecurity preparedness and the responsible use of funds. The specific types of data or services most frequently targeted in these attacks also remain unaddressed in publicly available information. The current reporting framework ensures that the full scope of cyber vulnerabilities and their financial consequences for New York's local governments remain outside public oversight, leaving residents without a clear picture of how their communities are managing these growing digital threats.