
Educational Agencies: Report a Data Privacy/Security Incident

Educational agencies must report unauthorized disclosures of and/or access to data protected by state and federal laws to SED’s Chief Privacy Officer. When an educational agency needs to report erroneous or accidental accessibility of, access to, or disclosure of student data and/or teacher and principal APPR data, and the erroneous or accidental activity that caused the accessibility or disclosure was due to the action(s) of an employee at the educational agency, the educational agency should use the following link to file the Educational Agencies Report of Erroneous or Accidental Accessibility or Disclosure. More information about the new form can be found in the Privacy Office April 2024 newsletter.

For all other instances of unauthorized accessibility or disclosure of protected data, please use the Data Incident Reporting Form and submit your report to Privacy@nysed.gov.

Where applicable, educational agencies may also be required to complete an Incident Recovery form to demonstrate that a cybersecurity incident has been addressed and agency systems have been cleaned. This is important to protect SED’s systems.

Please read the Q&A below for additional information. For questions, please email us at privacy@nysed.gov. Thank you.

Q: What is a breach?

A: Part 121 (Education law §2-d’s regulation) defines a breach as the unauthorized accessibility, acquisition, access, use, or disclosure of student data and/or teacher or principal APPR data by or to a person not authorized to acquire, access, use, or receive the student data and/or teacher or principal data.

The US Department of Education administers the Family Educational Rights and Privacy Act (FERPA) and defines a data breach as any instance in which there is an unauthorized release or access of PII or other information not suitable for public release.

Q: What sorts of incidents/breaches should be reported?

A: Any cases of unauthorized accessibility, acquisition, access, use, or disclosure of student data and/or teacher or principal APPR data by or to a person not authorized to acquire, access, use, or receive it.

Q: Do we need to report an incident where data systems are accessible or accessed but no actual data is taken?

A: Yes, pursuant to Part 121, a breach occurs when either student data or teacher/principal APPR data is accessible, accessed or otherwise disclosed to a person who is not the student, the student’s parent, or does not have an educational need to know the information.

Q: How should Educational Agencies report data incidents/breaches?

A: When the data incident is an erroneous or accidental accessibility or disclosure due to the actions of an educational agency, and not a third-party contractor or a bug, vulnerability, or error in a third-party contractor's service, software or an application, educational agencies should file the Educational Agencies Report of Erroneous or Accidental Accessibility or Disclosure form available at this link. For all other data incidents/breaches, educational agencies should complete the Data Incident Reporting Form and send it to Privacy@nysed.gov. If an educational agency is unsure which form to file, the educational agency can contact the Privacy Office at Privacy@nysed.gov.

Q: What other resources are available to Educational Agencies?

A: We recommend that Educational Agencies that are infected with malware or that need assistance mitigating the impact of a cybersecurity incident contact the NYS Intelligence Center (NYSIC) at 1-844-628-2478. NYSIC is the state Fusion Center, overseen by the New York State Police. Your request for assistance will be relayed to the NYS Division of Homeland Security & Emergency Services (DHSES) Cyber Incident Response Team (CIRT), which has experienced incident response professionals and access to additional resources and partners at federal and state agencies that will assist in detection and remediation efforts.

Q: What if my agency has data reporting obligations that are impacted by a cybersecurity incident? Is there a process for submitting reports and data to Level 2 and the NYSED Business Application Portal?

A: SED has established procedures with our Board of Cooperative Educational Services (BOCES) District Superintendents and Regional Information Center (RIC) Directors to assist with required reporting for the Student Information Repository System (SIRS) and the NYS Business Application Portal (IRSP). The arrangement will provide temporary secure access to designated/approved users of impacted districts at a RIC or BOCES location using equipment that has not been infected with malware. SED will also assist with any special reporting requirements of our P-12 program offices.

The following are the steps to utilize this alternative reporting arrangement:

  • The superintendent of each impacted district must:
      • Call their local RIC.
      • Provide the RIC with a limited list of no more than 4 designated district personnel who currently have IRSP access and are responsible for submitting data via the IRSP.
  • Designated personnel must travel to the local RIC at a time agreed upon by the district and RIC to access the IRSP and applications to submit data. Additional dates can be scheduled as needed through the district’s recovery process.
  • The RIC and SED will coordinate granting temporary access to the IRSP Business Portal for data submission(s) for designated personnel at the scheduled time.

For additional information about this alternate reporting arrangement, please contact SED’s Information Reporting Service office.