Body
Cyber-incident Notification
Contacts and Procedures
STEP 1 – Assess the Cyber-incident
Does the incident meet any of the following criteria?
- Involves the potential exposure of PII, HIPAA, or FERPA data
- Significantly impact or puts at risk campus operations
- A compromise where the extent of the incident cannot be ascertained and additional resources are needed
- Data loss that raises to the level outlined in the NYS Information Security Breach and Notification Act
STEP 2 – Report the Incident
In the event of a cyber security incident that meets the above criteria contact the following until you reach someone:
1st Call |
SUNY Assistant Chief Information Officer, Richard Borden |
518-429-1633 (Call or Text) |
CyberIncidentResponse@suny.edu |
If no answer, 2nd Call |
SUNY Chief Information Security Officer, Jesse Sloman |
518-971-1729 (Call or Text) |
CyberIncidentResponse@suny.edu |
If no answer, 3rd Call |
SUNY Chief Technology Officer, Kevin Stillman |
518-281-6095 (Call or Text) |
CyberIncidentResponse@suny.edu |
If no answer, 4th Call |
SUNY Director of Cybersecurity Services, Tishawn Smith |
347-348-6376 (Call or Text) |
CyberIncidentResponse@suny.edu |
STEP 3 – Complete and submit SUNY Cyberincident Reporting form
After notification has been given, complete this online form: SUNY Cyberincident Information Collection Form
If you have trouble with the online form, you may complete this fillable PDF and email it to: CyberIncidentResponse@suny.edu
Guidance related to Additional Reporting Responsibilities:
- In the event an incident rises to the level of a data breach these additional steps must be taken under section 208 of the State Technology Law, notify:
- The NYS Attorney General (AG)
- The Department of State’s Division of Consumer Protection
- A State entity must notify affected NYS residents and non-residents if their private information was exposed
- Based on the nature of the incident additional offices should be notified in the event of a serious incident or a data breach:
- Counsel’s Office – Must be notified immediately in the event of a suspected data breach
- Press & Communications – Will coordinate messaging
- Senior Leaders (as necessary) - This will be based on individual campus protocols