<STYLE><!--U {color: Green}S {color: RED} I {color: DARKBLUE; background-color:yellow} P.brk {page-break-before:always}--></STYLE>
<BASEFONT SIZE=3>
<PRE WIDTH="99">
<FONT SIZE=5><B>STATE OF NEW YORK</B></FONT>
________________________________________________________________________

7672--A                                                     Cal. No. 712

2025-2026 Regular Sessions

<FONT SIZE=5><B>IN SENATE</B></FONT>

April 28, 2025
___________

Introduced by Sen. MARTINEZ -- read twice and ordered printed, and when printed to be committed to the Committee on Rules -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee

AN ACT to amend the general municipal law and the executive law, in relation to requiring municipal cybersecurity incident reporting and exempting such reports from freedom of information requirements; and to amend the state technology law, in relation to requiring cybersecurity awareness training for government employees, data protection standards, and cybersecurity protection

<B><U>The People of the State of New York, represented in Senate and Assembly, do enact as follows:</U></B>

Section 1. The general municipal law is amended by adding a new article 19-C to read as follows:

<B><U>ARTICLE 19-C</U></B>
<B><U>CYBERSECURITY INCIDENT REPORTING REQUIREMENTS FOR MUNICIPAL CORPORATIONS AND PUBLIC AUTHORITIES</U></B>
<B><U>Section 995-a. Definitions.</U></B>
<B><U>995-b. Reporting of cybersecurity incidents.</U></B>
<B><U>995-c. Notice and explanation of ransom payment.</U></B>

<B><U>§ 995-a. Definitions. For the purposes of this article: 1. "Cybersecurity incident" means an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.</U></B>

<B><U>2. "Cyber threat" means any circumstance or event with the potential to adversely impact organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.</U></B>

<B><U>3. "Cyber threat indicator" means information that is necessary to describe or identify:</U></B>
<B><U>(a) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;</U></B>
<B><U>(b) a method of defeating a security control or exploitation of a security vulnerability;</U></B>
<B><U>(c) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;</U></B>
<B><U>(d) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;</U></B>
<B><U>(e) malicious cyber command and control;</U></B>
<B><U>(f) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;</U></B>
<B><U>(g) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or</U></B>
<B><U>(h) any combination thereof.</U></B>

<B><U>4. "Defensive measure" means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability. The term "defensive measure" does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by the municipal corporation or public authority operating the measure, or federal entity that is authorized to provide consent and has provided consent to that municipal corporation or public authority for operation of such measure.</U></B>

<B><U>5. "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.</U></B>

<B><U>6. "Municipal corporation" means:</U></B>
<B><U>(a) A municipal corporation as defined in section one hundred nineteen-n of this chapter; or</U></B>
<B><U>(b) A district as defined in section one hundred nineteen-n of this chapter.</U></B>

<B><U>7. "Public authority" means any state authority or local authority, as such terms are defined in section two of the public authorities law, or any subsidiary thereof.</U></B>

<B><U>8. "Ransom payment" means the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.</U></B>

<B><U>9. "Ransomware attack":</U></B>
<B><U>(a) means an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment; and</U></B>
<B><U>(b) does not include any such event in which the demand for payment is:</U></B>
<B><U>(i) not genuine; or</U></B>
<B><U>(ii) made in good faith by an entity in response to a specific request by the owner or operator of the information system.</U></B>

<B><U>§ 995-b. Reporting of cybersecurity incidents. 1. Notwithstanding any other provision of law to the contrary, all municipal corporations and public authorities shall report cybersecurity incidents and when applicable, the demand of a ransom payment, to the commissioner of the division of homeland security and emergency services in the form and method prescribed by such commissioner. Such report shall include whether the reporting municipal corporation or public authority is requesting or declining advice and/or technical assistance from the division of homeland security and emergency services with respect to the reported cybersecurity incident or demand for a ransom payment.</U></B>

<B><U>2. All municipal corporations and public authorities shall report cybersecurity incidents, including demands for ransom payment, no later than seventy-two hours after the municipal corporation or public authority reasonably believes the cybersecurity incident has occurred.</U></B>

<B><U>3. Any cybersecurity incident report and any records related to a ransom payment submitted to the commissioner of the division of homeland security and emergency services pursuant to the requirements of this article shall be exempt from disclosure under article six of the public officers law.</U></B>

<B><U>§ 995-c. Notice and explanation of ransom payment. Notwithstanding any other provision of law to the contrary, each municipal corporation or public authority shall, in the event of a ransom payment made in connection with a cybersecurity incident involving the municipal corporation or public authority, provide the commissioner of the division of homeland security and emergency services through means prescribed by such commissioner with the following:</U></B>
<B><U>1. within twenty-four hours of the ransom payment, notice of the payment; and</U></B>
<B><U>2. within thirty days of the ransom payment, a written description of the reasons payment was necessary, the amount of the ransom payment, the means by which the ransom payment was made, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable state and federal rules and regulations including those of the United States department of the treasury's office of foreign assets control.</U></B>

§ 2. The executive law is amended by adding a new section 711-c to read as follows:

<B><U>§ 711-c. Cybersecurity incident reviews. 1. Definitions. As used in this section, the terms cybersecurity incident, cyber threat, cyber threat indicator, defensive measure, information system, municipal corporation, public authority, ransom payment and ransomware attack shall have the same meaning as such terms are defined in article nineteen-C of the general municipal law.</U></B>

<B><U>2. The commissioner, or their designees, shall review each cybersecurity incident report and notice and explanation of ransom payment submitted pursuant to sections nine hundred ninety-five-b and nine hundred ninety-five-c of the general municipal law to assess potential impacts of cybersecurity incidents and ransom payments on the health, safety, welfare or security of the state, or its residents.</U></B>

<B><U>3. The commissioner, or their designees, may work with appropriate state agencies, federal law enforcement, and federal homeland security agencies to provide municipal corporations and public authorities with reports of cybersecurity incidents and trends, including but not limited to, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures. The commissioner may coordinate and share such reported information with municipal corporations, public authorities, state agencies, and federal law enforcement and homeland security agencies to respond to and mitigate cybersecurity threats.</U></B>

<B><U>4. Such reports, assessments, records, reviews, documents, recommendations, guidance and any information contained or used in its preparation shall be exempt from disclosure under article six of the public officers law.</U></B>

<B><U>5. No later than forty-eight hours after receiving a cybersecurity incident report containing a request for advice and/or technical assistance from the division pursuant to subdivision one of section nine hundred ninety-five-b of the general municipal law, the commissioner or the commissioner's designees shall acknowledge receipt of such request. As soon as possible after receiving such a request, the commissioner or the commissioner's designees, subject to the commissioner's discretion in prioritizing the division's response to the municipal corporation's or public authority's cybersecurity incident report, shall provide advice to the requesting municipal corporation or public authority and, to the extent practicable, provide technical assistance.</U></B>

§ 3. The state technology law is amended by adding a new section 103-f to read as follows:

<B><U>§ 103-f. Cybersecurity awareness training. 1. (a) Employees of the state who use technology as a part of their official job duties shall take annual cybersecurity awareness training beginning January first, two thousand twenty-six. Employees of the state shall be required to complete the training provided by the office.</U></B>
<B><U>(b) For purposes of this section, "employees of the state" shall include employees of all state agencies and all public benefit corporations, the heads of which are appointed by the governor.</U></B>

<B><U>2. Employees of a county, a city, a town, a village, or a district as defined in section one hundred nineteen-n of the general municipal law, who use technology as a part of their official job duties shall take annual cybersecurity awareness training beginning January first, two thousand twenty-six. The office shall make a cybersecurity training available for use by a county, a city, a town, a village, or a district as defined in section one hundred nineteen-n of the general municipal law, at no charge, provided however, no employee of a county, a city, a town, a village, or a district as defined in section one hundred nineteen-n of the general municipal law shall be required to complete such training provided by the office and the cybersecurity awareness training requirements of this section may be satisfied by the completion of other cybersecurity awareness training.</U></B>

<B><U>3. All training mandated by this section shall be conducted during the employee's regular working hours and employees shall receive compensation at their regular rate of pay for any time spent participating in such training.</U></B>

§ 4. The state technology law is amended by adding a new section 210 to read as follows:

<B><U>§ 210. Cybersecurity protection. 1. Definitions. For purposes of this section, the following terms shall have the following meanings:</U></B>
<B><U>(a) "Breach of the security of the system" shall have the same meaning as such term is defined in section two hundred eight of this article.</U></B>
<B><U>(b) "Data subject" means any natural person about whom personal information has been collected by a state agency.</U></B>
<B><U>(c) "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.</U></B>
<B><U>(d) "State agency-maintained personal information" means personal information stored by a state agency that was generated by a state agency or provided to the state agency by the data subject, a state agency, a federal governmental entity, or any other third-party source. Such term shall also include personal information provided by an adverse party in the course of litigation or other adversarial proceeding.</U></B>
<B><U>(e) "State agency" shall have the same meaning as such term is defined in section one hundred one of this chapter.</U></B>

<B><U>2. Data protection standards. The director shall issue policies and standards for:</U></B>
<B><U>(a) protection against breaches of the security of the information systems and for personal information used by such information systems;</U></B>
<B><U>(b) data backup;</U></B>
<B><U>(c) information system recovery;</U></B>
<B><U>(d) secure sanitization and deletion of data;</U></B>
<B><U>(e) vulnerability management and assessment; and</U></B>
<B><U>(f) annual workforce training regarding protection against breaches of the security of the system, as well as processes and procedures that should be followed in the event of a breach of the security of the system.</U></B>

<B><U>3. Information system inventory. (a) No later than two years after the effective date of this section, each state agency shall create, then maintain, an inventory of its information systems.</U></B>
<B><U>(b) Upon written request from the office, a state agency shall provide the office with the state agency-maintained information systems inventories required to be created or updated pursuant to this subdivision.</U></B>
<B><U>(c) Notwithstanding paragraph (a) of this subdivision, the state agency-maintained information systems inventories required to be created or updated pursuant to this subdivision shall be kept confidential, as disclosure of such information would jeopardize the security of a state agency's information systems and information technology assets and, further, shall not be made available for disclosure or inspection under the state freedom of information law.</U></B>

<B><U>4. Incident management and recovery. (a) No later than eighteen months after the effective date of this section, each state agency shall have created an incident response plan for incidents involving a breach of the security of the system that render an information system or its data unavailable, and incidents involving a breach of the security of the system that result in the alteration or deletion of or unauthorized access to, personal information.</U></B>
<B><U>(b) Such incident response plan shall include, but not be limited to, a procedure for situations where information systems have been adversely affected by a breach of the security of the system, as well as a procedure for the recovery of personal information and information systems.</U></B>
<B><U>(c) Beginning January first, two thousand twenty-eight and on an annual basis thereafter, each state agency shall complete at least one exercise of its incident response plan. Upon completion of such exercise, the state agency shall document the incident response plan's successes and shortcomings in an incident response plan exercise report. The incident response plan and any incident response plan exercise reports shall be kept confidential, as disclosure of such information would jeopardize the security of a state agency's information systems and information technology assets, and, further, shall not be made available for disclosure or inspection under the state freedom of information law.</U></B>

<B><U>5. No private right of action. Nothing set forth in this section shall be construed as creating or establishing a private cause of action.</U></B>

§ 5. Severability. The provisions of this act shall be severable and if any portion thereof or the applicability thereof to any person or circumstances shall be held to be invalid, the remainder of this act and the application thereof shall not be affected thereby.

§ 6. This act shall take effect immediately; provided, however, that sections one and two of this act shall take effect on the thirtieth day after such effective date.

EXPLANATION--Matter in <B><U>italics</U></B> (underscored) is new; matter in brackets [<B><S> </S></B>] is old law to be omitted.
LBD10937-06-5
</PRE>