Incident Reporting and Notification
Educational agencies shall report every discovery or report of a breach or unauthorized release of student, teacher or principal data to the Chief Privacy Officer and notify impacted stakeholders. To learn more about this requirement, agencies can review Part 121.10 of the Regulations.
REPORTING REQUIREMENTS
10 DAYS TO REPORT TO NYSED
The agency must report every discovery or report of a breach or unauthorized release of student, teacher or principal data to the Chief Privacy Officer no more than 10 calendar days after such discovery.
NOTIFICATION REQUIREMENTS
60 DAYS TO NOTIFY AFFECTED INDIVIDUALS
The agency must notify affected parents, eligible students, teachers and/or principals no more than 60 calendar days after the discovery of a breach or unauthorized release.
LAW ENFORCEMENT OR VULNERABILITY DELAY
Where notification is delayed, the agency must notify affected individuals within 7 calendar days after the security vulnerability has been remedied or the risk of interference with the law enforcement investigation ends.
THIRD-PARTY REIMBURSEMENT REQUIREMENT
Where a breach or unauthorized release is attributed to a third-party contractor, the contractor must pay for or reimburse the agency for the full cost of notification.
METHOD OF NOTIFICATION
Notification must be directly provided to the affected individuals by first-class mail to their last known address; by email; or by telephone.
CONTENTS OF NOTIFICATION
Notifications must be clear, concise, use language that is plain and easy to understand, and to the extent available, include:
• a brief description of the unauthorized release
• the dates of the incident and date of discovery
• a description of the types of PII affected
• the number of records affected
• a brief description of the agency’s investigation
• contact information for representatives who can assist parents.