Regulatory grid

State overlay · NY

New York

NY Education Law 2-d + Part 121

Districts (LEAs) must have a Data Protection Officer, sign Supplementary Data Privacy Agreements with every covered vendor, and publish a Parents' Bill of Rights.

Notification window

Notify NYSED and affected families 'as expeditiously as possible' and no later than 60 calendar days from discovery.

Regulators

NYSED Chief Privacy Officer

privacy@nysed.gov, online incident report form.

NYS Attorney General

If 500+ NY residents are affected, file the AG breach notice.

NY DFS (if covered)

Some district vendors are DFS-regulated; check the contract.

Unique gotchas

  • Vendor breaches still trigger LEA notification — the district owes the families.
  • BOCES centers often hold shared services contracts; coordinate notification with the BOCES privacy officer.

Testing authority

NYSED Office of State Assessment