Senate Bill S2652

2021-2022 Legislative Session

Relates to requiring governmental entities to implement multifactor authentication for local and remote network access

download bill text pdf

Archive: Last Bill Status - In Senate Committee Finance Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

Date of Action	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Feb 01, 2022	reported and committed to finance
Jan 05, 2022	referred to internet and technology
Feb 01, 2021	reported and committed to finance
Jan 22, 2021	referred to internet and technology

Votes

- Jan 31, 2022 - Internet And Technology Committee Vote
  S2652
  
  Aye
  
  6
  
  Nay
  
  0
  
  Aye with Reservations
  
  1
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Internet And Technology Committee Vote: Jan 31, 2022
      
      aye (6)
      
      Mannion
      
      Oberacker
      
      Parker
      
      Ramos
      
      Savino
      
      Thomas
      
      aye wr (1)
      
      Borrello
  Feb 1, 2021 - Internet And Technology Committee Vote
  S2652
  
  Aye
  
  6
  
  Nay
  
  1
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Internet And Technology Committee Vote: Feb 1, 2021
      
      aye (6)
      
      Mannion
      
      Oberacker
      
      Parker
      
      Ramos
      
      Savino
      
      Thomas
      
      nay (1)
      
      Borrello

2021-S2652 (ACTIVE) - Details

Current Committee:: Senate Finance
Law Section:: State Technology Law
Laws Affected:: Amd §202, add §§209 & 210, St Tech L
Versions Introduced in Other Legislative Sessions:: 2023-2024: S6474
2025-2026: S1139

2021-S2652 (ACTIVE) - Summary

Requires governmental entities to implement multifactor authentication for local and remote network access.

2021-S2652 (ACTIVE) - Sponsor Memo

                                
 
BILL NUMBER: S2652

SPONSOR: SAVINO
 
TITLE OF BILL:

An act to amend the state technology law, in relation to requiring
governmental entities to implement multifactor authentication for local
and network remote access

 
PURPOSE:

Amends the State Technology Law to require all government entities in
the State to require multifactor authentication for access to the serv-
ers, email or official applications used by their employees or agents.

 
SUMMARY OF PROVISIONS:

Section 1 adds new subdivisions 9 and 10 to Section 202 of the State
Technology Law, which sets definitions of terms.

Section 2 adds new sections 209 and 210 to the state technology law.

(209) Adds multifactor authentication requirements and provides for
technical standards and waivers. (210) Adds encryption requirement for
all government websites.

Section 3. Effective date.

 
JUSTIFICATION:

Cyber-attacks on state and local agencies have grown in recent times.
Everything from city hall, to universities, libraries, courthouses,
schools, and hospitals are susceptible to these attacks. Ransomware
attacks have often led to expensive payouts and crippled systems that
provide essential public services.

Multifactor authentication can significantly reduce the vulnerability of
public systems. According to Google, multifactor can prevent 100% of
automated bots, up to 99% of bulk phishing attacks and up to 90% of
targeted attacks. According to Microsoft, an account is 99.9% less like-
ly to be compromised when using multifactor authentication.  Connected
devices and web applications have made multifactor much easier and
cheaper to implement than in past years. Requiring government agencies
to use this technology is low-cost proposition that can greatly increase
protection against cyber-attacks and save millions in public money that
goes out to hackers in ransoms.

 
LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPLICATIONS:

To be determined.

 
EFFECTIVE DATE:
This act shall take effect on year after becoming law.

2021-S2652 (ACTIVE) - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   2652
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                             January 22, 2021
                                ___________
 
 Introduced  by  Sen.  SAVINO -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the state  technology  law,  in  relation  to  requiring
   governmental  entities  to  implement  multifactor  authentication for
   local and network remote access

   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Section  202  of  the  state technology law is amended by
 adding two new subdivisions 9 and 10 to read as follows:
   9. "GOVERNMENTAL ENTITY" SHALL MEAN ANY  STATE  OR  LOCAL  DEPARTMENT,
 BOARD,  BUREAU, DIVISION, COMMISSION, COMMITTEE, SCHOOL DISTRICT, PUBLIC
 AUTHORITY, PUBLIC BENEFIT CORPORATION, COUNCIL OR OFFICE, INCLUDING  ALL
 ENTITIES  DEFINED PURSUANT TO SECTION TWO OF THE PUBLIC AUTHORITIES LAW.
 SUCH TERM SHALL INCLUDE THE STATE UNIVERSITY OF NEW YORK  AND  THE  CITY
 UNIVERSITY  OF  NEW  YORK.  FURTHER, SUCH TERM SHALL INCLUDE ANY COUNTY,
 CITY, TOWN OR VILLAGE BUT SHALL NOT INCLUDE THE JUDICIARY OR  STATE  AND
 LOCAL LEGISLATURES.
   10.  "MULTIFACTOR AUTHENTICATION" SHALL MEAN USING TWO OR MORE DIFFER-
 ENT TYPES OF IDENTIFICATION CREDENTIALS TO ACHIEVE  AUTHENTICATION.  THE
 TYPES OF IDENTIFICATION CREDENTIALS SHALL INCLUDE:
   (A)  KNOWLEDGE-BASED CREDENTIALS, WHICH IS A KNOWLEDGE-BASED AUTHENTI-
 CATION THAT REQUIRES THE USER TO PROVIDE INFORMATION THAT THEY KNOW SUCH
 AS PASSWORDS OR PINS;
   (B)  POSSESSION-BASED  CREDENTIALS,  WHICH  IS   AUTHENTICATION   THAT
 REQUIRES  INDIVIDUALS  TO  HAVE  SOMETHING SPECIFIC IN THEIR POSSESSION,
 SUCH AS SECURITY TOKENS, KEY FOBS, SIM CARDS OR SMARTPHONE APPLICATIONS;
 AND
   (C) INHERENCE-BASED CREDENTIALS, WHICH IS AUTHENTICATION THAT REQUIRES
 USER-SPECIFIC BIOLOGICAL TRAITS TO CONFIRM IDENTITY FOR LOGIN,  SUCH  AS
 FINGERPRINTS OR FACIAL RECOGNITION.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD08845-01-1

 S. 2652                             2
 
   §  2.  The  state technology law is amended by adding two new sections
 209 and 210 to read as follows:
   §  209.  MULTIFACTOR  AUTHENTICATION.  1.  MULTIFACTOR  AUTHENTICATION
 REQUIREMENT.  EVERY  GOVERNMENTAL  ENTITY  SHALL  IMPLEMENT  MULTIFACTOR
 AUTHENTICATION  FOR  LOCAL  AND  REMOTE  NETWORK  ACCESS  TO  ANY  EMAIL
 ACCOUNTS, CLOUD STORAGE ACCOUNTS, WEB APPLICATIONS, NETWORKS, DATABASES,
 OR SERVERS, MAINTAINED BY SUCH ENTITY OR ON BEHALF OF SUCH  ENTITY,  FOR
 THE  EMPLOYEES  AND OFFICERS OF SUCH ENTITY OR FOR ANY OTHER INDIVIDUALS
 PROVIDING SERVICES TO OR ON BEHALF OF SUCH ENTITY.
   2. TECHNICAL STANDARD. THE OFFICE SHALL PROMULGATE RULES TO  ESTABLISH
 STANDARD  TECHNICAL REQUIREMENTS FOR GOVERNMENTAL ENTITIES FOR COMPLYING
 WITH  SUBDIVISION  ONE  OF  THIS  SECTION.  SUCH  RULES  SHALL   INCLUDE
 PROVISIONS  REGARDING  COMPLIANCE  FOR  INDIVIDUALS WITH DISABILITIES OR
 SPECIAL NEEDS.  FOR THE PURPOSES OF THIS SUBDIVISION, THE OFFICE MAY USE
 AND REFER TO THE GUIDELINES PROVIDED BY THE NATIONAL INSTITUTE OF STAND-
 ARDS AND TECHNOLOGY,  THE  FEDERAL  RISK  AND  AUTHORIZATION  MANAGEMENT
 PROGRAM  (FEDRAMP),  THE  FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF
 2002 (FISMA) AND THE DEFENSE FEDERAL ACQUISITION  REGULATION  SUPPLEMENT
 (DFARS).
   3. WAIVERS. THE OFFICE, UPON APPLICATION BY A GOVERNMENTAL ENTITY, MAY
 COMPLETELY  OR PARTIALLY WAIVE THE REQUIREMENTS OF THIS SECTION FOR SUCH
 GOVERNMENTAL ENTITY. SUCH WAIVER SHALL BE VALID FOR NO LONGER  THAN  TWO
 YEARS AND SHALL BE REAPPROVED AFTER EXPIRATION. THE OFFICE SHALL PROMUL-
 GATE  RULES  TO  ESTABLISH THE APPLICATION PROCESS AND CRITERIA FOR SUCH
 WAIVERS.
   § 210. PUBLIC WEBSITE ENCRYPTION. EVERY WEBSITE MAINTAINED  BY  OR  ON
 BEHALF  OF  A GOVERNMENTAL ENTITY SHALL ENCRYPT ALL EXCHANGES AND TRANS-
 FERS BETWEEN A WEB SERVER, MAINTAINED BY OR ON BEHALF OF A  GOVERNMENTAL
 ENTITY, AND A WEB BROWSER OF HYPERTEXT OR OF ELECTRONIC INFORMATION, AND
 REQUIRE  WEB  BROWSERS TO REQUEST SUCH ENCRYPTED EXCHANGE OR TRANSFER AT
 ALL TIMES FOR SUCH WEBSITES, PROVIDED THAT SUCH ENCRYPTION SHALL NOT  BE
 REQUIRED  IF  SUCH EXCHANGES OR TRANSFERS ARE CONDUCTED IN A MANNER THAT
 PROVIDES AT LEAST AN EQUIVALENT LEVEL OF CONFIDENTIALITY, DATA INTEGRITY
 AND AUTHENTICATION.
   § 3. This act shall take effect one year after it shall have become  a
 law.  Effective  immediately,  the addition, amendment, and/or repeal of
 any rule or regulation necessary for the implementation of this  act  on
 its  effective date are authorized to be made and completed on or before
 such effective date.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Find your Senator and share your views on important issues.

Do you support this bill?

Senate Bill S2652

Sponsored By

Archive: Last Bill Status - In Senate Committee Finance Committee

Actions

Votes

Jan 31, 2022 - Internet And Technology Committee Vote

Internet And Technology Committee Vote: Jan 31, 2022

Feb 1, 2021 - Internet And Technology Committee Vote

Internet And Technology Committee Vote: Feb 1, 2021

2021-S2652 (ACTIVE) - Details

2021-S2652 (ACTIVE) - Summary

2021-S2652 (ACTIVE) - Sponsor Memo

2021-S2652 (ACTIVE) - Bill Text download pdf

Comments

Do you support this bill?

Get Status Alerts for 2021-S2652

Senate Bill S2652

Share this bill

Sponsored By

Diane J. Savino

Archive: Last Bill Status - In Senate Committee Finance Committee

Actions

Votes

2021-S2652 (ACTIVE) - Details

2021-S2652 (ACTIVE) - Summary

2021-S2652 (ACTIVE) - Sponsor Memo

2021-S2652 (ACTIVE) - Bill Text download pdf

Comments