Requires all municipal corporations to report cybersecurity incidents and demands of ransom payments to the division of homeland security and emergency services; defines terms; requires cybersecurity incident reviews; requires cybersecurity awareness training, cybersecurity protection and data protection standards for state maintained information systems.
Impact
The bill introduces significant changes to existing municipal laws by requiring public authorities to maintain detailed records of cybersecurity incidents, which are to be kept confidential and exempt from public disclosure under the state's freedom of information laws. This provision aims to protect sensitive information regarding the state's response to cyber threats. Furthermore, the legislation emphasizes the necessity of developing incident response plans within eighteen months of its enactment, thereby standardizing how municipal corporations manage and recover from cybersecurity breaches.
Summary
Bill S07672 aims to enhance cybersecurity measures across municipal corporations and public authorities in New York State. It establishes a framework that requires these entities to report any cybersecurity incidents, particularly those involving ransom demands, to the Division of Homeland Security and Emergency Services within 72 hours. The bill intends to improve incident response capabilities and protect state-maintained information systems from potential vulnerabilities. It also mandates annual cybersecurity awareness training for government employees starting in 2026, ensuring that personnel are well-equipped to handle cyber threats.
Contention
Notably, the bill has sparked discussions regarding privacy and transparency. Critics argue that exempting incident reports from public scrutiny could hinder accountability and oversight of municipal data management. There are concerns that, while aiming to fortify cybersecurity, the legislation could reduce transparency about how effectively these municipalities handle cyber threats and ransom situations. Proponents defend the bill, asserting that the confidentiality of these reports is essential to safeguard sensitive operational details and minimize risks of further attacks.
Same As
Requires all municipal corporations to report cybersecurity incidents and demands of ransom payments to the division of homeland security and emergency services; defines terms; requires cybersecurity incident reviews; requires cybersecurity awareness training, cybersecurity protection and data protection standards for state maintained information systems.
Directs that state agencies require that procurement of personal computing goods, services and solutions meet the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Requires law enforcement officers to conduct a lethality assessment as part of the standardized domestic incident report form when responding to incidents of domestic violence.
Directs the division of homeland security and emergency services to conduct a review and analysis of security measures at rail yards and to issue related reports and recommendations.
In organization of departmental administrative boards and commissions and of advisory boards and commissions, providing for Cybersecurity Coordination Board.
Amends the statutory provisions regarding domestic and foreign insurers and insurer examinations to provide provisions with regard to cybersecurity events involving Rhode Island consumers.