NY State Senate Bill 2021-S6806A

Senate Bill S6806A

2021-2022 Legislative Session

Relates to the payment of ransom in the event of a cyber incident or a cyber ransom or ransomware attack

download bill text pdf

Archive: Last Bill Status - In Senate Committee Veterans, Homeland Security And Military Affairs Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Feb 01, 2022	reported and committed to veterans, homeland security and military affairs
Jan 05, 2022	referred to internet and technology
Jun 03, 2021	print number 6806a
Jun 03, 2021	amend and recommit to internet and technology
May 18, 2021	referred to internet and technology

Votes

- Jan 31, 2022 - Internet And Technology Committee Vote
  S6806A
  
  5
  
  Aye
  
  2
  
  Nay
  
  0
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Internet And Technology Committee Vote: Jan 31, 2022
      
      aye (5)
      
      Mannion
      
      Parker
      
      Ramos
      
      Savino
      
      Thomas
      
      nay (2)
      
      Borrello
      
      Oberacker

Bill Amendments

Original

A (Active)

2021-S6806 - Details

Current Committee:: Senate Veterans, Homeland Security And Military Affairs
Law Section:: State Technology Law
Laws Affected:: Add Art 4 §401, St Tech L

2021-S6806 - Summary

Prohibits governmental entities, business entities and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.

2021-S6806 - Sponsor Memo

                                 
BILL NUMBER: S6806

SPONSOR: SAVINO
 
TITLE OF BILL:

An act to amend the state technology law, in relation to the payment of
ransom in the event of a cyber incident or a cyber ransom or ransomware
attack

 
PURPOSE:

Bans the payments of ransom in cyber-incidents by government entities,
business entities or healthcare entitles or by another entity on their
behalf. Requires reporting of such incidents against government entities
to the NYS Division of Homeland Security and Emergency Services.

 
SUMMARY OF PROVISIONS:

Creates and New Article IV of the State Technology Law relating to cyber
security incidents. Bans the payments of ransom in cyber-incidents by
government entities, business entities or healthcare entitles or by
another entity on their behalf.  Requires reporting of such incidents

against government entities to the NYS Division of Homeland Security and
Emergency Services.  Provides for up to a $10,000 fine.

 
EXISTING LAW:

While payments of ransoms in cyber security incidents is not a direct
violation law, a case can be made that these payments are assisting
criminal enterprises. Which is why The U.S. Department of the Treasury's
Office of Foreign Assets Control (OFAC) announced that paying ransom to
cybercriminals is now illegal.
 
 HTTPS://HOME.TREASURY.GOV/SYSTEM/FILES/126/OFAC_RANSOMWARE_
ADVISORY_10012020_1.PDF

 
JUSTIFICATION:

The thinking on how best to react to these attacks is to cut off the
reward and stop paying the ransoms demanded for these hack, breaches and
attacks.

This bill is a first step in preventing these attacks in New York State.
Government, business and healthcare funding would be better-used secur-
ing sensitive data, encrypting and backing up data, conducting regular
cyber-security audits, and training staff to avoid exposing networks.

"This threat is not imminent," said Secretary of Homeland Security
Alejandro Mayorkas on Tuesday. "It is upon us." Stated at a press brief-
ing on May 11, 2021 on the Colonial Pipeline hack.

The title from the March 23, 2016 Scientific American article "The Most
Vulnerable Ransomware Targets Are the Institutions We Rely On Most"
states what has become reality. What began as attacks on individuals
computers has advanced to large scale, high priced attacks on govern-
ments and other institutions and entities we rely on every day.
 
(HTTPS://WWW.SCIENTIFICAMERICAN.COM/ARTICLE/THE-MOST-
VULNERABLE-RANSOMWARE-TARGETS-ARE-THEINSTITUTIONS-WE-RELY-ON- MOST/).


The NYS Department of Financial Services in Insurance Circular Letter
No. 2 (2021) recommends against making ransom payments.
 
HTTPS://WWW.DFS.NY.GOV/INDUSTRY GUIDANCE/CIRCULAR LETTERS/C12021_02

In 2019, The United States Conference of Mayor adopted a resolution
opposing payments t o Ransomware Attack Perpetrators. The resolution
states that at least 170 county, city or state governments have experi-
enced a ransomware attack since 2013, with 22 in 2019 alone including
NYS Capital City, Albany.
 
HTTPS ://WWW.USMAYORS.ORG/THE-CONFERENCE/RESOLUTIONS/?
CATEGORY=A0D4N00000FCB3LUAT&MEETING=87TH%20ANNUAL %20MEETING

 
LEGISLATIVE HISTORY:

2021 Session - new legislation

 
FISCAL IMPLICATIONS:

To be determined

 
EFFECTIVE DATE:
Immediately

2021-S6806 - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   6806
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                               May 18, 2021
                                ___________
 
 Introduced  by  Sen.  SAVINO -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the state technology law, in relation to the payment  of
   ransom  in  the event of a cyber incident or a cyber ransom or ransom-
   ware attack

   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The state technology law is amended by adding a new article
 4 to read as follows:
                                 ARTICLE IV
                         CYBER SECURITY INCIDENTS
 
 SECTION 401. PAYMENT  OF RANSOM; CYBER INCIDENT, CYBER RANSOM OR RANSOM-
                WARE.
 
   § 401. PAYMENT OF RANSOM; CYBER INCIDENT, CYBER RANSOM OR  RANSOMWARE.
 1. FOR THE PURPOSE OF THIS SECTION:
   A.  "CYBER  INCIDENT"  MEANS THE COMPROMISE OF THE SECURITY, CONFIDEN-
 TIALITY, OR INTEGRITY OF COMPUTERIZED  DATA  DUE  TO  THE  EXFILTRATION,
 MODIFICATION,  OR  DELETION THAT RESULTS IN THE UNAUTHORIZED ACQUISITION
 OF AND ACCESS TO INFORMATION MAINTAINED BY A GOVERNMENTAL ENTITY,  BUSI-
 NESS ENTITY, OR HEALTH CARE ENTITY.
   B.  "CYBER RANSOM OR RANSOMWARE" MEANS A TYPE OF MALWARE THAT ENCRYPTS
 OR LOCKS VALUABLE DIGITAL FILES AND DEMANDS  A  RANSOM  TO  RELEASE  THE
 FILES.
   C.  "GOVERNMENTAL  ENTITY" SHALL MEAN ANY STATE, CITY, TOWN OR VILLAGE
 OR LOCAL DEPARTMENT, BOARD,  BUREAU,  DIVISION,  COMMISSION,  COMMITTEE,
 SCHOOL  DISTRICT,  PUBLIC AUTHORITY, PUBLIC BENEFIT CORPORATION, COUNCIL
 OR OFFICE, INCLUDING ALL ENTITIES DEFINED PURSUANT TO SECTION TWO OF THE
 PUBLIC AUTHORITIES LAW. SUCH TERM SHALL INCLUDE THE STATE UNIVERSITY  OF
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD11518-01-1

 S. 6806                             2
 
 NEW YORK AND THE CITY UNIVERSITY OF NEW YORK AS WELL AS THE STATE LEGIS-
 LATURE, THE JUDICIARY OR STATE AND LOCAL LEGISLATURES.
   D.  "BUSINESS  ENTITY" SHALL MEAN ANY LEGAL ENTITY THAT CONDUCTS BUSI-
 NESS IN THE STATE OF NEW YORK.
   E. "HEALTH CARE ENTITY" SHALL  MEAN  HOSPITALS,  NURSING  HOMES,  HOME
 CARE,  HOSPICE  AND  ANY  OTHER  HEALTH CARE FACILITIES REGULATED BY THE
 DEPARTMENT OF HEALTH.
   2. NO GOVERNMENTAL ENTITY, BUSINESS ENTITY OR HEALTH CARE ENTITY WITH-
 IN THE STATE SHALL PAY, OR HAVE ANOTHER  ENTITY  PAY  ON  THEIR  BEHALF,
 RANSOM  IN THE EVENT OF A CYBER INCIDENT OR A CYBER RANSOM OR RANSOMWARE
 ATTACK.
   3. ALL GOVERNMENTAL ENTITIES SHALL  REPORT  ANY  CYBER  INCIDENTS  AND
 CYBER  RANSOM  OR  RANSOMWARE  ATTACKS TO THE NEW YORK STATE DIVISION OF
 HOMELAND SECURITY AND EMERGENCY SERVICES.
   4. A FINE OF UP TO TEN THOUSAND DOLLARS FOR EACH  AFFECTED  PARTY  PER
 INCIDENT  MAY  BE  ISSUED  FOR  ANY VIOLATION OF SUBDIVISION TWO OF THIS
 SECTION.
   § 2. This act shall take effect immediately.

2021-S6806A (ACTIVE) - Details

Current Committee:: Senate Veterans, Homeland Security And Military Affairs
Law Section:: State Technology Law
Laws Affected:: Add Art 4 §401, St Tech L

2021-S6806A (ACTIVE) - Summary

Prohibits governmental entities, business entities and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.

2021-S6806A (ACTIVE) - Sponsor Memo

                                
 
BILL NUMBER: S6806A

SPONSOR: SAVINO
 
TITLE OF BILL:

An act to amend the state technology law, in relation to the payment of
ransom in the event of a cyber incident or a cyber ransom or ransomware
attack

 
PURPOSE:

Bans the payments of ransom in cyber-incidents by government entities,
business entities or healthcare entitles or by another entity on their
behalf. Requires reporting of such incidents against government entities
to the NYS Division of Homeland Security and Emergency Services.

 
SUMMARY OF PROVISIONS:

Creates and New Article IV of the State Technology Law relating to cyber
security incidents. Bans the payments of ransom in cyber-incidents by
government entities, business entities or healthcare entitles or by

another entity on their behalf.  Requires reporting of such incidents
against government entities to the NYS Division of Homeland Security and
Emergency Services.  Provides for up to a $10,000 fine.

 
EXISTING LAW:

While payments of ransoms in cyber security incidents is not a direct
violation law, a case can be made that these payments are assisting
criminal enterprises. Which is why The U.S. Department of the Treasury's
Office of Foreign Assets Control (OFAC) announced that paying ransom to
cybercriminals is now illegal.
https://home.treasury.govisystem/files/126/ ofacransomwareadvisory
100120201.pdf

 
JUSTIFICATION:

The thinking on how best to react to these attacks is to cut off the
reward and stop paying the ransoms demanded for these hack, breaches and
attacks.

This bill is a first step in preventing these attacks in New York State.
Government, business and healthcare funding would be better-used secur-
ing sensitive data, encrypting and backing up data, conducting regular
cyber-security audits, and training staff to avoid exposing networks.

"This threat is not imminent," said Secretary of Homeland Security
Alejandro Mayorkas on Tuesday. "It is upon us." Stated at a press brief-
ing on May 11, 2021 on the Colonial Pipeline hack.

The title from the March 23, 2016 Scientific American article "The Most
Vulnerable Ransomware Targets Are the Institutions We Rely On Most"
states what has become reality. What began as attacks on individuals
computers has advanced to large scale, high priced attacks on govern-
ments and other institutions and entities we rely on every day.
(https://vvww.scientificamerican.com/ article/the-most-vulnerable-
ransomw are-targets-are-theinstitutions-we- rely-on-most/).


The NYS Depatinent of Financial Services in Insurance Circular Letter
No. 2 (2021) recommends against making ransom payments.
https://www.dfs.ny.gov/industry_guidance/ circular letters/c12021 02

In 2019, The United States Conference of Mayor adopted a resolution
opposing payments t o Ransomware Attack Perpetrators. The resolution
states that at least 170 county, city or state governments have experi-
enced a ransomware attack since 2013, with 22 in 2019 alone including
NYS Capital City, Albany.
haps ://www.usmayors.org/the-
conference/resolutions/?category=a0D4N00000
FCb3LUAT&meeting=87th%20Annual%20Meeting

 
LEGISLATIVE HISTORY:

2021 Session - new legislation

 
FISCAL IMPLICATIONS:

To be determined

 
EFFECTIVE DATE:
Immediately

2021-S6806A (ACTIVE) - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  6806--A
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                               May 18, 2021
                                ___________
 
 Introduced  by  Sen.  SAVINO -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology --
   committee discharged, bill amended, ordered reprinted as  amended  and
   recommitted to said committee
 
 AN  ACT to amend the state technology law, in relation to the payment of
   ransom in the event of a cyber incident or a cyber ransom  or  ransom-
   ware attack
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The state technology law is amended by adding a new article
 4 to read as follows:
                                 ARTICLE IV
                         CYBER SECURITY INCIDENTS
 
 SECTION 401. PAYMENT OF RANSOM; CYBER INCIDENT, CYBER RANSOM OR  RANSOM-
                WARE.
 
   §  401. PAYMENT OF RANSOM; CYBER INCIDENT, CYBER RANSOM OR RANSOMWARE.
 1. FOR THE PURPOSE OF THIS SECTION:
   A. "CYBER INCIDENT" MEANS THE COMPROMISE OF  THE  SECURITY,  CONFIDEN-
 TIALITY,  OR  INTEGRITY  OF  COMPUTERIZED  DATA DUE TO THE EXFILTRATION,
 MODIFICATION, OR DELETION THAT RESULTS IN THE  UNAUTHORIZED  ACQUISITION
 OF  AND ACCESS TO INFORMATION MAINTAINED BY A GOVERNMENTAL ENTITY, BUSI-
 NESS ENTITY, OR HEALTH CARE ENTITY.
   B. "CYBER RANSOM OR RANSOMWARE" MEANS A TYPE OF MALWARE THAT  ENCRYPTS
 OR  LOCKS  VALUABLE  DIGITAL  FILES  AND DEMANDS A RANSOM TO RELEASE THE
 FILES.
   C. "GOVERNMENTAL ENTITY" SHALL MEAN ANY STATE, CITY, TOWN  OR  VILLAGE
 OR  LOCAL  DEPARTMENT,  BOARD,  BUREAU, DIVISION, COMMISSION, COMMITTEE,
 SCHOOL DISTRICT, PUBLIC AUTHORITY, PUBLIC BENEFIT  CORPORATION,  COUNCIL
 OR OFFICE, INCLUDING ALL ENTITIES DEFINED PURSUANT TO SECTION TWO OF THE
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD11518-02-1

 S. 6806--A                          2
 
 PUBLIC  AUTHORITIES LAW. SUCH TERM SHALL INCLUDE THE STATE UNIVERSITY OF
 NEW YORK AND THE CITY UNIVERSITY OF NEW YORK AS WELL AS THE STATE LEGIS-
 LATURE, THE JUDICIARY OR STATE AND LOCAL LEGISLATURES.
   D.  "BUSINESS  ENTITY" SHALL MEAN ANY LEGAL ENTITY THAT CONDUCTS BUSI-
 NESS IN THE STATE OF NEW YORK.
   E. "HEALTH CARE ENTITY" SHALL  MEAN  HOSPITALS,  NURSING  HOMES,  HOME
 CARE,  HOSPICE  AND  ANY  OTHER  HEALTH CARE FACILITIES REGULATED BY THE
 DEPARTMENT OF HEALTH.
   2. NO GOVERNMENTAL ENTITY, BUSINESS ENTITY OR HEALTH CARE ENTITY WITH-
 IN THE STATE SHALL PAY, OR HAVE ANOTHER  ENTITY  PAY  ON  THEIR  BEHALF,
 RANSOM  IN THE EVENT OF A CYBER INCIDENT OR A CYBER RANSOM OR RANSOMWARE
 ATTACK.
   3. ALL GOVERNMENTAL ENTITIES SHALL  REPORT  ANY  CYBER  INCIDENTS  AND
 CYBER  RANSOM  OR  RANSOMWARE  ATTACKS TO THE NEW YORK STATE DIVISION OF
 HOMELAND SECURITY AND EMERGENCY SERVICES.
   4. ANY BUSINESS ENTITY THAT VIOLATES THE PROVISIONS  OF  THIS  SECTION
 SHALL  BE  SUBJECT  TO  A  CIVIL  PENALTY  OF UP TO TEN THOUSAND DOLLARS
 ASSESSED BY THE ATTORNEY GENERAL.
   § 2. This act shall take effect immediately.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.