NY State Senate Bill 2025-S7672A

Current Bill Status - Passed Senate & Assembly

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
May 19, 2025	returned to senate passed assembly ordered to third reading cal.67 substituted for a6769a
May 12, 2025	referred to local governments delivered to assembly passed senate
May 05, 2025	amended on third reading 7672a
Apr 29, 2025	ordered to third reading cal.712
Apr 28, 2025	referred to rules

Votes

- May 12, 2025 - Floor Vote
  S7672A
  
  56
  
  Aye
  
  1
  
  Nay
  
  0
  
  Absent
  
  5
  
  Excused
  
  0
  
  Abstained
  - - Floor Vote: May 12, 2025
      
      aye (56)
      
      Addabbo Jr.
      
      Ashby
      
      Bailey
      
      Baskin
      
      Borrello
      
      Brisport
      
      Bynoe
      
      Canzoneri-Fitzpatrick
      
      Chan
      
      Cleare
      
      Comrie
      
      Cooney
      
      Fahy
      
      Fernandez
      
      Gallivan
      
      Gonzalez
      
      Gounardes
      
      Griffo
      
      Harckham
      
      Helming
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Kavanagh
      
      Krueger
      
      Lanza
      
      Liu
      
      Martinez
      
      Martins
      
      Mattera
      
      May
      
      Mayer
      
      Murray
      
      O'Mara
      
      Oberacker
      
      Palumbo
      
      Parker
      
      Persaud
      
      Rhoads
      
      Rivera
      
      Rolison
      
      Ryan
      
      Ryan
      
      Salazar
      
      Sanders Jr.
      
      Scarcella-Spanton
      
      Sepúlveda
      
      Serrano
      
      Skoufis
      
      Stavisky
      
      Stec
      
      Stewart-Cousins
      
      Tedisco
      
      Webb
      
      Weber
      
      Weik
      
      nay (1)
      
      Walczyk
      
      excused (5)
      
      Brouk
      
      Gianaris
      
      Myrie
      
      Ortt
      
      Ramos
  Apr 29, 2025 - Rules Committee Vote
  S7672A
  
  16
  
  Aye
  
  0
  
  Nay
  
  5
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Rules Committee Vote: Apr 29, 2025
      
      aye (16)
      
      Addabbo Jr.
      
      Bailey
      
      Comrie
      
      Fernandez
      
      Gianaris
      
      Harckham
      
      Hoylman-Sigal
      
      Krueger
      
      Liu
      
      Mayer
      
      Myrie
      
      Ortt
      
      Parker
      
      Sepúlveda
      
      Stec
      
      Stewart-Cousins
      
      aye wr (5)
      
      Gallivan
      
      Griffo
      
      Helming
      
      Lanza
      
      Walczyk

Bill Amendments

Original

A (Active)

2025-S7672 - Details

See Assembly Version of this Bill:: A6769
Law Section:: General Municipal Law
Laws Affected:: Add Art 19-C §§995-a - 995-c, Gen Muni L; add §711-c, Exec L; add §§103-f & 210, St Tech L

2025-S7672 - Summary

Requires all municipal corporations to report cybersecurity incidents and demands of ransom payments to the division of homeland security and emergency services; defines terms; requires cybersecurity incident reviews; requires cybersecurity awareness training, cybersecurity protection and data protection standards for state maintained information systems.

2025-S7672 - Sponsor Memo

                                 
BILL NUMBER: S7672

SPONSOR: MARTINEZ
 
TITLE OF BILL:

An act to amend the general municipal law and the executive law, in
relation to requiring municipal cybersecurity incident reporting and
exempting such reports from freedom of information requirements; and to
amend the state technology law, in relation to requiring cybersecurity
awareness training for government employees, data protection standards,
and cybersecurity protection


 
SUMMARY OF PROVISIONS:

Section 1 adds a new article to the general municipal law to require the
reporting of cybersecurity incidents and demands for a ransom payment by
municipal corporations and public authorities to the Commissioner of the
Division of Homeland Security and Emergency Services (DHSES). Such
reports must include whether the reporting municipal corporation or
public authority is requesting or declining advice and/or technical
assistance from DHSES with respect to the reported cybersecurity inci-
dent or demand for a ransom payment.  Cybersecurity incidents, including

demands for ransom payment must be reported to DHSES within 72 hours
after the municipal corporation or public authority reasonably believes
the cybersecurity incident has occurred. In the event of a ransom
payment made in connection with a cybersecurity incident, the municipal
corporation or public authority must provide DHSES notice of the payment
within 24 hours and a written description of the reasons payment was
necessary, the amount of the ransom payment, the means by which the
ransom payment was made, a description of alternatives to payment
considered, and all diligence performed to find alternatives to payment
and to ensure compliance with applicable state and federal r ules and
regulations. Cybersecurity incident reports and any records related to
ransom payments submitted to the Commissioner of DHSES are exempt from
Freedom of Information Law (FOIL) disclosure.

Section 2 adds a new section to the executive law to require the Commis-
sioner of DHSES, or their designees, to review each cybersecurity inci-
dent report and notice and explanation of ransom payment submitted by
municipal corporations and public authorities to assess potential
impacts on the health, safety, welfare or security of the state, or its
residents. DHSES is authorized to work with appropriate state agencies,
federal law enforcement, and federal homeland security agencies to
provide municipal corporations and public authorities with reports of
cybersecurity incidents and trends and may coordinate and share reported
information with municipal corporations, public authorities, state agen-
cies, and federal law enforcement and homeland security agencies to
respond to and mitigate cybersecurity threats. Within 48 hours of
receiving cybersecurity incident reports that contain a request for
advice and/or technical assistance, DHSES must acknowledge receipt of
such a request and provide advice to the requesting municipal corpo-
ration or public authority and, to the extent practicable, provide tech-
nical assistance.

Section 3 adds a new section 103-f to the State Technology Law to
require employees of the state, a county, city, town, village, or a
district, who use technology as part of their official job duties to
take an annual cybersecurity awareness training starting January 1,
2026. State training shall be made available to a county, city, town,
village, or a district at no charge, however the requirement may be
satisfied by another cybersecurity awareness training. All training must
be conducted during the employee's regular working hours and employees
shall receive compensation at their regular rate of pay for any time
spent participating in the training.

Section 4 adds a new section 210 to the State Technology Law, to require
the Director of the Office of Information Services to issue policies and
standards for protection against breaches for the security of the system
information systems and for personal information used by such informa-
tion systems., data backups, information system recovery, secure saniti-
zation and deletion of data, vulnerability management and assessment,
and annual workforce training regarding protection against breaches of
security systems.  No later than two years after the effective date of
this section, each state agency must create and maintain an inventory of
its information systems.

Not later than 18 months after the effective date of this section, each
state agency shall have created an incident response plan for incidents
involving a breach of security systems that render and information
system or its data unavailable, and incidents involving a breach of the
security of the system that results in the alteration or deletion of or
unauthorized access to, personal information. Starting January 1, 2028,
and annually thereafter, each state agency shall complete at least once
exercise of its incident response plan and record the results.

 
JUSTIFICATION:

Our state's information systems are under attack daily and the emergence
of more sophisticated tools to target the state call before an update to
the state's cybersecurity procedures and standards.

 
PRIOR LEGISLATIVE HISTORY:

2025: New Bill

 
FISCAL IMPLICATIONS:

Enactment of this legislation will have minimal fiscal impact on the
State and a minimal fiscal impact on its localities. This bill would
require municipal and State employees to engage in cyber security train-
ing; and local government entities, including Public Authorities to
report certain cyber security incidents to the State. Any costs to muni-
cipalities associated with executing the mandated cyber awareness train-
ing and incident reporting can likely be absorbed within existing agency
resources. In addition, any costs to the State resulting from processing
of reports and providing advice, guidance or technical support can like-
ly be absorbed within existing agency resources.

 
EFFECTIVE DATE:
This act shall take effect immediately, provided, however, that sections
one and two of this act shall take effect on the thirtieth day after
such effective date.

2025-S7672 - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   7672
 
                        2025-2026 Regular Sessions
 
                             I N  S E N A T E
 
                              April 28, 2025
                                ___________
 
 Introduced  by Sen. MARTINEZ -- read twice and ordered printed, and when
   printed to be committed to the Committee on Rules
 
 AN ACT to amend the general municipal law  and  the  executive  law,  in
   relation  to  requiring municipal cybersecurity incident reporting and
   exempting such reports from freedom of information  requirements;  and
   to  amend  the state technology law, in relation to requiring cyberse-
   curity awareness training for government  employees,  data  protection
   standards, and cybersecurity protection
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The general municipal law is amended by adding a new  arti-
 cle 19-C to read as follows:
                               ARTICLE 19-C
 CYBERSECURITY INCIDENT REPORTING REQUIREMENTS FOR MUNICIPAL CORPORATIONS
                          AND PUBLIC AUTHORITIES
 SECTION 995-A. DEFINITIONS.
         995-B. REPORTING OF CYBERSECURITY INCIDENTS.
         995-C. NOTICE AND EXPLANATION OF RANSOM PAYMENT.
   § 995-A. DEFINITIONS.  FOR THE PURPOSES OF THIS ARTICLE:  1. "CYBERSE-
 CURITY INCIDENT" MEANS AN EVENT OCCURRING  ON  OR  CONDUCTED  THROUGH  A
 COMPUTER  NETWORK THAT ACTUALLY OR IMMINENTLY JEOPARDIZES THE INTEGRITY,
 CONFIDENTIALITY, OR AVAILABILITY OF COMPUTERS, INFORMATION  OR  COMMUNI-
 CATIONS   SYSTEMS   OR  NETWORKS,  PHYSICAL  OR  VIRTUAL  INFRASTRUCTURE
 CONTROLLED BY COMPUTERS OR INFORMATION SYSTEMS, OR INFORMATION  RESIDENT
 THEREON.
   2.  "CYBER  THREAT" MEANS ANY CIRCUMSTANCE OR EVENT WITH THE POTENTIAL
 TO ADVERSELY IMPACT ORGANIZATIONAL OPERATIONS, ORGANIZATIONAL ASSETS, OR
 INDIVIDUALS THROUGH  AN  INFORMATION  SYSTEM  VIA  UNAUTHORIZED  ACCESS,
 DESTRUCTION,  DISCLOSURE,  MODIFICATION OF INFORMATION, AND/OR DENIAL OF
 SERVICE.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD10937-03-5
 S. 7672                             2

 
   3. "CYBER THREAT INDICATOR" MEANS INFORMATION  THAT  IS  NECESSARY  TO
 DESCRIBE OR IDENTIFY:
   (A) MALICIOUS RECONNAISSANCE, INCLUDING ANOMALOUS PATTERNS OF COMMUNI-
 CATIONS THAT APPEAR TO BE TRANSMITTED FOR THE PURPOSE OF GATHERING TECH-
 NICAL  INFORMATION RELATED TO A CYBERSECURITY THREAT OR SECURITY VULNER-
 ABILITY;
   (B) A METHOD OF DEFEATING A SECURITY  CONTROL  OR  EXPLOITATION  OF  A
 SECURITY VULNERABILITY;
   (C)  A  SECURITY  VULNERABILITY,  INCLUDING  ANOMALOUS  ACTIVITY  THAT
 APPEARS TO INDICATE THE EXISTENCE OF A SECURITY VULNERABILITY;
   (D) A METHOD OF CAUSING A USER WITH LEGITIMATE ACCESS TO  AN  INFORMA-
 TION  SYSTEM OR INFORMATION THAT IS STORED ON, PROCESSED BY, OR TRANSIT-
 ING AN INFORMATION SYSTEM TO UNWITTINGLY ENABLE THE DEFEAT OF A SECURITY
 CONTROL OR EXPLOITATION OF A SECURITY VULNERABILITY;
   (E) MALICIOUS CYBER COMMAND AND CONTROL;
   (F) THE ACTUAL OR POTENTIAL HARM CAUSED BY AN  INCIDENT,  INCLUDING  A
 DESCRIPTION  OF  THE INFORMATION EXFILTRATED AS A RESULT OF A PARTICULAR
 CYBERSECURITY THREAT;
   (G) ANY OTHER ATTRIBUTE OF A CYBERSECURITY THREAT,  IF  DISCLOSURE  OF
 SUCH ATTRIBUTE IS NOT OTHERWISE PROHIBITED BY LAW; OR
   (H) ANY COMBINATION THEREOF.
   4.  "DEFENSIVE MEASURE" MEANS AN ACTION, DEVICE, PROCEDURE, SIGNATURE,
 TECHNIQUE, OR OTHER MEASURE APPLIED TO AN INFORMATION SYSTEM OR INFORMA-
 TION THAT IS STORED ON,  PROCESSED  BY,  OR  TRANSITING  AN  INFORMATION
 SYSTEM  THAT  DETECTS,  PREVENTS,  OR  MITIGATES  A  KNOWN  OR SUSPECTED
 CYBERSECURITY THREAT OR  SECURITY  VULNERABILITY.  THE  TERM  "DEFENSIVE
 MEASURE"  DOES  NOT  INCLUDE  A MEASURE THAT DESTROYS, RENDERS UNUSABLE,
 PROVIDES UNAUTHORIZED ACCESS TO, OR SUBSTANTIALLY HARMS  AN  INFORMATION
 SYSTEM OR INFORMATION STORED ON, PROCESSED BY, OR TRANSITING SUCH INFOR-
 MATION SYSTEM NOT OWNED BY THE MUNICIPAL CORPORATION OR PUBLIC AUTHORITY
 OPERATING  THE  MEASURE, OR FEDERAL ENTITY THAT IS AUTHORIZED TO PROVIDE
 CONSENT AND HAS PROVIDED CONSENT TO THAT MUNICIPAL CORPORATION OR PUBLIC
 AUTHORITY FOR OPERATION OF SUCH MEASURE.
   5. "INFORMATION SYSTEM" MEANS A DISCRETE SET OF INFORMATION  RESOURCES
 ORGANIZED  FOR  THE  COLLECTION,  PROCESSING, MAINTENANCE, USE, SHARING,
 DISSEMINATION, OR DISPOSITION OF INFORMATION.
   6. "MUNICIPAL CORPORATION" MEANS:
   (A) A MUNICIPAL CORPORATION AS DEFINED IN SECTION  ONE  HUNDRED  NINE-
 TEEN-N OF THIS CHAPTER; OR
   (B)  A  DISTRICT  AS DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THIS
 CHAPTER.
   7. "PUBLIC AUTHORITY" MEANS ANY STATE AUTHORITY OR LOCAL AUTHORITY, AS
 SUCH TERMS ARE DEFINED IN SECTION TWO OF THE PUBLIC AUTHORITIES LAW,  OR
 ANY SUBSIDIARY THEREOF.
   8. "RANSOM PAYMENT" MEANS THE TRANSMISSION OF ANY MONEY OR OTHER PROP-
 ERTY OR ASSET, INCLUDING VIRTUAL CURRENCY, OR ANY PORTION THEREOF, WHICH
 HAS AT ANY TIME BEEN DELIVERED AS RANSOM IN CONNECTION WITH A RANSOMWARE
 ATTACK.
   9. "RANSOMWARE ATTACK":
   (A)  MEANS AN INCIDENT THAT INCLUDES THE USE OR THREAT OF USE OF UNAU-
 THORIZED OR MALICIOUS CODE ON AN  INFORMATION  SYSTEM,  OR  THE  USE  OR
 THREAT  OF  USE OF ANOTHER DIGITAL MECHANISM SUCH AS A DENIAL OF SERVICE
 ATTACK, TO INTERRUPT OR DISRUPT THE OPERATIONS OF AN INFORMATION  SYSTEM
 OR  COMPROMISE  THE CONFIDENTIALITY, AVAILABILITY, OR INTEGRITY OF ELEC-
 TRONIC DATA STORED ON, PROCESSED BY, OR TRANSITING AN INFORMATION SYSTEM
 TO EXTORT A DEMAND FOR A RANSOM PAYMENT; AND
 S. 7672                             3
 
   (B) DOES NOT INCLUDE ANY SUCH EVENT IN WHICH THE  DEMAND  FOR  PAYMENT
 IS:
   (I) NOT GENUINE; OR
   (II) MADE IN GOOD FAITH BY AN ENTITY IN RESPONSE TO A SPECIFIC REQUEST
 BY THE OWNER OR OPERATOR OF THE INFORMATION SYSTEM.
   §  995-B. REPORTING OF CYBERSECURITY INCIDENTS. 1. NOTWITHSTANDING ANY
 OTHER PROVISION OF LAW TO THE CONTRARY, ALL MUNICIPAL  CORPORATIONS  AND
 PUBLIC  AUTHORITIES SHALL REPORT CYBERSECURITY INCIDENTS AND WHEN APPLI-
 CABLE, THE DEMAND OF A RANSOM PAYMENT, TO THE COMMISSIONER OF THE  DIVI-
 SION  OF HOMELAND SECURITY AND EMERGENCY SERVICES IN THE FORM AND METHOD
 PRESCRIBED BY SUCH COMMISSIONER. SUCH REPORT SHALL INCLUDE  WHETHER  THE
 REPORTING  MUNICIPAL  CORPORATION  OR  PUBLIC AUTHORITY IS REQUESTING OR
 DECLINING ADVICE AND/OR TECHNICAL ASSISTANCE FROM THE DIVISION OF  HOME-
 LAND  SECURITY  AND  EMERGENCY  SERVICES  WITH  RESPECT  TO THE REPORTED
 CYBERSECURITY INCIDENT OR DEMAND FOR A RANSOM PAYMENT.
   2. ALL MUNICIPAL CORPORATIONS  AND  PUBLIC  AUTHORITIES  SHALL  REPORT
 CYBERSECURITY  INCIDENTS, INCLUDING DEMANDS FOR RANSOM PAYMENT, NO LATER
 THAN SEVENTY-TWO HOURS AFTER THE MUNICIPAL CORPORATION OR PUBLIC AUTHOR-
 ITY REASONABLY BELIEVES THE CYBERSECURITY INCIDENT HAS OCCURRED.
   3. ANY CYBERSECURITY INCIDENT REPORT AND  ANY  RECORDS  RELATED  TO  A
 RANSOM PAYMENT SUBMITTED TO THE COMMISSIONER OF THE DIVISION OF HOMELAND
 SECURITY  AND  EMERGENCY  SERVICES  PURSUANT TO THE REQUIREMENTS OF THIS
 ARTICLE SHALL BE EXEMPT FROM DISCLOSURE UNDER ARTICLE SIX OF THE  PUBLIC
 OFFICERS LAW.
   § 995-C. NOTICE AND EXPLANATION OF RANSOM PAYMENT. NOTWITHSTANDING ANY
 OTHER  PROVISION  OF  LAW TO THE CONTRARY, EACH MUNICIPAL CORPORATION OR
 PUBLIC AUTHORITY SHALL, IN  THE  EVENT  OF  A  RANSOM  PAYMENT  MADE  IN
 CONNECTION  WITH A CYBERSECURITY INCIDENT INVOLVING THE MUNICIPAL CORPO-
 RATION OR PUBLIC AUTHORITY, PROVIDE THE COMMISSIONER OF THE DIVISION  OF
 HOMELAND  SECURITY  AND  EMERGENCY  SERVICES THROUGH MEANS PRESCRIBED BY
 SUCH COMMISSIONER WITH THE FOLLOWING:
   (A) WITHIN TWENTY-FOUR HOURS OF THE  RANSOM  PAYMENT,  NOTICE  OF  THE
 PAYMENT; AND
   (B) WITHIN THIRTY DAYS OF THE RANSOM PAYMENT, A WRITTEN DESCRIPTION OF
 THE REASONS PAYMENT WAS NECESSARY, THE AMOUNT OF THE RANSOM PAYMENT, THE
 MEANS  BY  WHICH  THE RANSOM PAYMENT WAS MADE, A DESCRIPTION OF ALTERNA-
 TIVES TO PAYMENT CONSIDERED, ALL DILIGENCE PERFORMED  TO  FIND  ALTERNA-
 TIVES  TO  PAYMENT AND ALL DILIGENCE PERFORMED TO ENSURE COMPLIANCE WITH
 APPLICABLE STATE AND FEDERAL RULES AND REGULATIONS  INCLUDING  THOSE  OF
 THE  UNITED  STATES  DEPARTMENT  OF  TREASURY'S OFFICE OF FOREIGN ASSETS
 CONTROL.
   § 2. The executive law is amended by adding a  new  section  711-c  to
 read as follows:
   §  711-C.  CYBERSECURITY  INCIDENT REVIEWS. 1. DEFINITIONS. AS USED IN
 THIS SECTION, THE TERMS  CYBERSECURITY  INCIDENT,  CYBER  THREAT,  CYBER
 THREAT  INDICATOR,  DEFENSIVE  MEASURE,  INFORMATION  SYSTEM,  MUNICIPAL
 CORPORATION, PUBLIC AUTHORITY,  RANSOM  PAYMENT  AND  RANSOMWARE  ATTACK
 SHALL  HAVE  THE SAME MEANING AS SUCH TERMS ARE DEFINED IN ARTICLE NINE-
 TEEN-C OF THE GENERAL MUNICIPAL LAW.
   2. THE COMMISSIONER, OR THEIR DESIGNEES, SHALL REVIEW EACH CYBERSECUR-
 ITY INCIDENT REPORT AND NOTICE AND EXPLANATION OF RANSOM PAYMENT SUBMIT-
 TED PURSUANT TO SECTIONS NINE HUNDRED  NINETY-FIVE-B  AND  NINE  HUNDRED
 NINETY-FIVE-C  OF  THE GENERAL MUNICIPAL LAW TO ASSESS POTENTIAL IMPACTS
 OF CYBERSECURITY INCIDENTS AND RANSOM PAYMENTS ON  THE  HEALTH,  SAFETY,
 WELFARE OR SECURITY OF THE STATE, OR ITS RESIDENTS.
 S. 7672                             4
 
   3.  THE  COMMISSIONER,  OR  THEIR DESIGNEES, MAY WORK WITH APPROPRIATE
 STATE AGENCIES, FEDERAL LAW ENFORCEMENT, AND FEDERAL  HOMELAND  SECURITY
 AGENCIES  TO  PROVIDE MUNICIPAL CORPORATIONS AND PUBLIC AUTHORITIES WITH
 REPORTS OF CYBERSECURITY INCIDENTS AND TRENDS, INCLUDING BUT NOT LIMITED
 TO,  TO  THE MAXIMUM EXTENT PRACTICABLE, RELATED CONTEXTUAL INFORMATION,
 CYBER THREAT INDICATORS, AND DEFENSIVE MEASURES.  THE  COMMISSIONER  MAY
 COORDINATE  AND  SHARE  SUCH  REPORTED INFORMATION WITH MUNICIPAL CORPO-
 RATIONS, PUBLIC AUTHORITIES, STATE AGENCIES, AND FEDERAL LAW ENFORCEMENT
 AND HOMELAND SECURITY AGENCIES TO RESPOND TO AND MITIGATE  CYBERSECURITY
 THREATS.
   4. SUCH REPORTS, ASSESSMENTS, RECORDS, REVIEWS, DOCUMENTS, RECOMMENDA-
 TIONS, GUIDANCE AND ANY INFORMATION CONTAINED OR USED IN ITS PREPARATION
 SHALL BE EXEMPT FROM DISCLOSURE UNDER ARTICLE SIX OF THE PUBLIC OFFICERS
 LAW.
   5.  NO  LATER  THAN  FORTY-EIGHT HOURS AFTER RECEIVING A CYBERSECURITY
 INCIDENT REPORT CONTAINING A REQUEST FOR ADVICE AND/OR TECHNICAL ASSIST-
 ANCE FROM THE DIVISION PURSUANT  TO  SUBDIVISION  ONE  OF  SECTION  NINE
 HUNDRED  NINETY-FIVE-B OF THE GENERAL MUNICIPAL LAW, THE COMMISSIONER OR
 THE COMMISSIONER'S DESIGNEES SHALL ACKNOWLEDGE RECEIPT OF SUCH  REQUEST.
 AS  SOON AS POSSIBLE AFTER RECEIVING SUCH A REQUEST, THE COMMISSIONER OR
 THE COMMISSIONER'S DESIGNEES, SUBJECT TO THE  COMMISSIONER'S  DISCRETION
 IN  PRIORITIZING  THE DIVISION'S RESPONSE TO THE MUNICIPAL CORPORATION'S
 OR PUBLIC  AUTHORITY'S  CYBERSECURITY  INCIDENT  REPORT,  SHALL  PROVIDE
 ADVICE TO THE REQUESTING MUNICIPAL CORPORATION OR PUBLIC AUTHORITY  AND,
 TO THE EXTENT PRACTICABLE, PROVIDE TECHNICAL ASSISTANCE.
   § 3. The state technology law is amended by adding a new section 103-f
 to read as follows:
   §  103-F.  CYBERSECURITY AWARENESS TRAINING.  1. (A)  EMPLOYEES OF THE
 STATE WHO USE TECHNOLOGY AS A PART OF THEIR OFFICIAL  JOB  DUTIES  SHALL
 TAKE  ANNUAL  CYBERSECURITY  AWARENESS TRAINING BEGINNING JANUARY FIRST,
 TWO THOUSAND TWENTY-SIX.  EMPLOYEES OF THE STATE SHALL  BE  REQUIRED  TO
 COMPLETE THE TRAINING PROVIDED BY THE OFFICE.
   (B)  FOR  PURPOSES  OF  THIS  SECTION,  "EMPLOYEES OF THE STATE" SHALL
 INCLUDE EMPLOYEES OF ALL STATE AGENCIES AND ALL  PUBLIC  BENEFIT  CORPO-
 RATIONS, THE HEADS OF WHICH ARE APPOINTED BY THE GOVERNOR.
   2.  EMPLOYEES OF A COUNTY, A CITY, A TOWN, A VILLAGE, OR A DISTRICT AS
 DEFINED  IN SECTION ONE HUNDRED NINETEEN-N OF THE GENERAL MUNICIPAL LAW,
 WHO USE TECHNOLOGY AS A PART OF THEIR OFFICIAL  JOB  DUTIES  SHALL  TAKE
 ANNUAL  CYBERSECURITY  AWARENESS  TRAINING  BEGINNING JANUARY FIRST, TWO
 THOUSAND TWENTY-SIX. THE OFFICE  SHALL  MAKE  A  CYBERSECURITY  TRAINING
 AVAILABLE  FOR USE BY A COUNTY, A CITY, A TOWN, A VILLAGE, OR A DISTRICT
 AS DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF  THE  GENERAL  MUNICIPAL
 LAW,  AT NO CHARGE, PROVIDED HOWEVER, NO EMPLOYEE OF A COUNTY, A CITY, A
 TOWN, A VILLAGE, OR A DISTRICT AS DEFINED IN SECTION ONE  HUNDRED  NINE-
 TEEN-N  OF  THE GENERAL MUNICIPAL LAW SHALL BE REQUIRED TO COMPLETE SUCH
 TRAINING PROVIDED BY THE OFFICE AND THE CYBERSECURITY AWARENESS TRAINING
 REQUIREMENTS OF THIS SECTION MAY BE SATISFIED BY THE COMPLETION OF OTHER
 CYBERSECURITY AWARENESS TRAINING.
   3. ALL TRAINING MANDATED BY THIS SECTION SHALL BE CONDUCTED DURING THE
 EMPLOYEE'S REGULAR WORKING HOURS AND  EMPLOYEES  SHALL  RECEIVE  COMPEN-
 SATION  AT THEIR REGULAR RATE OF PAY FOR ANY TIME SPENT PARTICIPATING IN
 SUCH TRAINING.
   § 4. The state technology law is amended by adding a new  section  210
 to read as follows:
   §  210. CYBERSECURITY PROTECTION. 1. DEFINITIONS. FOR PURPOSES OF THIS
 SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
 S. 7672                             5
 
   (A) "BREACH OF THE SECURITY OF THE SYSTEM" SHALL HAVE THE SAME MEANING
 AS SUCH TERM IS DEFINED IN SECTION TWO HUNDRED EIGHT OF THIS ARTICLE.
   (B) "DATA SUBJECT" MEANS ANY NATURAL PERSON ABOUT WHOM PERSONAL INFOR-
 MATION HAS BEEN COLLECTED BY A STATE AGENCY.
   (C) "INFORMATION SYSTEM" MEANS A DISCRETE SET OF INFORMATION RESOURCES
 ORGANIZED  FOR  THE  COLLECTION,  PROCESSING, MAINTENANCE, USE, SHARING,
 DISSEMINATION, OR DISPOSITION OF INFORMATION.
   (D) "STATE  AGENCY-MAINTAINED  PERSONAL  INFORMATION"  MEANS  PERSONAL
 INFORMATION STORED BY A STATE AGENCY THAT WAS GENERATED BY A STATE AGEN-
 CY  OR PROVIDED TO THE STATE AGENCY BY THE DATA SUBJECT, A STATE AGENCY,
 A FEDERAL GOVERNMENTAL ENTITY, OR ANY OTHER THIRD-PARTY  SOURCE.    SUCH
 TERM  SHALL  ALSO  INCLUDE  PERSONAL  INFORMATION PROVIDED BY AN ADVERSE
 PARTY IN THE COURSE OF LITIGATION OR OTHER ADVERSARIAL PROCEEDING.
   (E) "STATE AGENCY" SHALL HAVE THE SAME MEANING AS SUCH TERM IS DEFINED
 IN SECTION ONE HUNDRED ONE OF THIS CHAPTER.
   2. DATA PROTECTION STANDARDS. THE DIRECTOR SHALL  ISSUE  POLICIES  AND
 STANDARDS FOR:
   (A) PROTECTION AGAINST BREACHES OF THE SECURITY OF THE SYSTEM INFORMA-
 TION  SYSTEMS  AND  FOR  PERSONAL  INFORMATION  USED BY SUCH INFORMATION
 SYSTEMS;
   (B) DATA BACKUP;
   (C) INFORMATION SYSTEM RECOVERY;
   (D) SECURE SANITIZATION AND DELETION OF DATA;
   (E) VULNERABILITY MANAGEMENT AND ASSESSMENT; AND
   (F) ANNUAL WORKFORCE TRAINING REGARDING PROTECTION AGAINST BREACHES OF
 THE SECURITY OF THE SYSTEM, AS WELL AS  PROCESSES  AND  PROCEDURES  THAT
 SHOULD  BE  FOLLOWED  IN  THE  EVENT  OF A BREACH OF THE SECURITY OF THE
 SYSTEM.
   3. INFORMATION SYSTEM INVENTORY. (A) NO LATER THAN TWO YEARS AFTER THE
 EFFECTIVE DATE OF THIS SECTION, EACH STATE  AGENCY  SHALL  CREATE,  THEN
 MAINTAIN, AN INVENTORY OF ITS INFORMATION SYSTEMS.
   (B) UPON WRITTEN REQUEST FROM THE OFFICE, A STATE AGENCY SHALL PROVIDE
 THE OFFICE WITH THE STATE AGENCY-MAINTAINED INFORMATION SYSTEMS INVENTO-
 RIES REQUIRED TO BE CREATED OR UPDATED PURSUANT TO THIS SUBDIVISION.
   (C) NOTWITHSTANDING PARAGRAPH (A) OF THIS SUBDIVISION, THE STATE AGEN-
 CY-MAINTAINED  INFORMATION SYSTEMS INVENTORIES REQUIRED TO BE CREATED OR
 UPDATED PURSUANT TO THIS SUBDIVISION  SHALL  BE  KEPT  CONFIDENTIAL,  AS
 DISCLOSURE  OF SUCH INFORMATION WOULD JEOPARDIZE THE SECURITY OF A STATE
 AGENCY'S INFORMATION SYSTEMS  AND  INFORMATION  TECHNOLOGY  ASSETS  AND,
 FURTHER,  SHALL NOT BE MADE AVAILABLE FOR DISCLOSURE OR INSPECTION UNDER
 THE STATE FREEDOM OF INFORMATION LAW.
   4. INCIDENT MANAGEMENT AND RECOVERY. (A) NO LATER THAN EIGHTEEN MONTHS
 AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE AGENCY  SHALL  HAVE
 CREATED  AN  INCIDENT  RESPONSE PLAN FOR INCIDENTS INVOLVING A BREACH OF
 THE SECURITY OF THE SYSTEM THAT RENDER AN INFORMATION SYSTEM OR ITS DATA
 UNAVAILABLE, AND INCIDENTS INVOLVING A BREACH OF  THE  SECURITY  OF  THE
 SYSTEM  THAT  RESULT  IN  THE  ALTERATION OR DELETION OF OR UNAUTHORIZED
 ACCESS TO, PERSONAL INFORMATION.
   (B) SUCH INCIDENT RESPONSE PLAN SHALL INCLUDE, BUT NOT BE LIMITED  TO,
 A PROCEDURE FOR SITUATIONS WHERE INFORMATION SYSTEMS HAVE BEEN ADVERSELY
 AFFECTED  BY A BREACH OF THE SECURITY OF THE SYSTEM, AS WELL AS A PROCE-
 DURE FOR THE RECOVERY OF PERSONAL INFORMATION AND INFORMATION SYSTEMS.
   (C) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-EIGHT AND ON AN ANNU-
 AL BASIS THEREAFTER, EACH STATE AGENCY SHALL COMPLETE AT LEAST ONE EXER-
 CISE OF ITS INCIDENT RESPONSE PLAN. UPON COMPLETION  OF  SUCH  EXERCISE,
 THE  STATE  AGENCY SHALL DOCUMENT THE INCIDENT RESPONSE PLAN'S SUCCESSES
 S. 7672                             6
 
 AND SHORTCOMINGS IN AN INCIDENT RESPONSE PLAN EXERCISE REPORT. THE INCI-
 DENT RESPONSE PLAN AND ANY INCIDENT RESPONSE PLAN EXERCISE REPORTS SHALL
 BE KEPT CONFIDENTIAL, AS DISCLOSURE OF SUCH INFORMATION WOULD JEOPARDIZE
 THE  SECURITY  OF  A  STATE AGENCY'S INFORMATION SYSTEMS AND INFORMATION
 TECHNOLOGY ASSETS, AND, FURTHER, SHALL NOT BE MADE AVAILABLE FOR DISCLO-
 SURE OR INSPECTION UNDER THE STATE FREEDOM OF INFORMATION LAW.
   5. NO PRIVATE RIGHT OF ACTION. NOTHING SET FORTH IN THIS SECTION SHALL
 BE CONSTRUED AS CREATING OR ESTABLISHING A PRIVATE CAUSE OF ACTION.
   § 5. Severability. The provisions of this act shall be  severable  and
 if  any  portion  thereof  or the applicability thereof to any person or
 circumstances shall be held to be invalid, the remainder of this act and
 the application thereof shall not be affected thereby.
   § 6. This act shall take effect immediately; provided,  however,  that
 sections  one and two of this act shall take effect on the thirtieth day
 after such effective date.

2025-S7672A (ACTIVE) - Details

See Assembly Version of this Bill:: A6769
Law Section:: General Municipal Law
Laws Affected:: Add Art 19-C §§995-a - 995-c, Gen Muni L; add §711-c, Exec L; add §§103-f & 210, St Tech L

2025-S7672A (ACTIVE) - Summary

2025-S7672A (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S7672A

SPONSOR: MARTINEZ
 
TITLE OF BILL:

An act to amend the general municipal law and the executive law, in
relation to requiring municipal cybersecurity incident reporting and
exempting such reports from freedom of information requirements; and to
amend the state technology law, in relation to requiring cybersecurity
awareness training for government employees, data protection standards,
and cybersecurity protection

 
SUMMARY OF PROVISIONS:

Section 1 adds a new article to the general municipal law to require the
reporting of cybersecurity incidents and demands for a ransom payment by
municipal corporations and public authorities to the Commissioner of the
Division of Homeland Security and Emergency Services (DHSES). Such
reports must include whether the reporting municipal corporation or
public authority is requesting or declining advice and/or technical
assistance from DHSES with respect to the reported cybersecurity inci-
dent or demand for a ransom payment.  Cybersecurity incidents, including
demands for ransom payment must be reported to DHSES within 72 hours

after the municipal corporation or public authority reasonably believes
the cybersecurity incident has occurred. In the event of a ransom
payment made in connection with a cybersecurity incident, the municipal
corporation or public authority must provide DHSES notice of the payment
within 24 hours and a written description of the reasons payment was
necessary, the amount of the ransom payment, the means by which the
ransom payment was made, a description of alternatives to payment
considered, and all diligence performed to find alternatives to payment
and to ensure compliance with applicable state and federal r ules and
regulations. Cybersecurity incident reports and any records related to
ransom payments submitted to the Commissioner of DHSES are exempt from
Freedom of Information Law (FOIL) disclosure.

Section 2 adds a new section to the executive law to require the Commis-
sioner of DHSES, or their designees, to review each cybersecurity inci-
dent report and notice and explanation of ransom payment submitted by
municipal corporations and public authorities to assess potential
impacts on the health, safety, welfare or security of the state, or its
residents. DHSES is authorized to work with appropriate state agencies,
federal law enforcement, and federal homeland security agencies to
provide municipal corporations and public authorities with reports of
cybersecurity incidents and trends and may coordinate and share reported
information with municipal corporations, public authorities, state agen-
cies, and federal law enforcement and homeland security agencies to
respond to and mitigate cybersecurity threats. Within 48 hours of
receiving cybersecurity incident reports that contain a request for
advice and/or technical assistance, DHSES must acknowledge receipt of
such a request and provide advice to the requesting municipal corpo-
ration or public authority and, to the extent practicable, provide tech-
nical assistance.

Section 3 adds a new section 103-f to the State Technology Law to
require employees of the state, a county, city, town, village, or a
district, who use technology as part of their official job duties to
take an annual cybersecurity awareness training starting January 1,
2026. State training shall be made available to a county, city, town,
village, or a district at no charge, however the requirement may be
satisfied by another cybersecurity awareness training. All training must
be conducted during the employee's regular working hours and employees
shall receive compensation at their regular rate of pay for any time
spent participating in the training.

Section 4 adds a new section 210 to the State Technology Law, to require
the Director of the Office of Information Services to issue policies and
standards for protection against breaches for the security of the infor-
mation systems and for personal information used by such information
systems, data backups, information system recovery, secure sanitization
and deletion of data, vulnerability management and assessment, and annu-
al workforce training regarding protection against breaches of security
systems. No later than two years after the effective date of this
section, each state agency must create and maintain an inventory of its
information systems.

Not later than 18 months after the effective date of this section, each
state agency shall have created an incident response plan for incidents
involving a breach of security systems that render and information
system or its data unavailable, and incidents involving a breach of the
security of the system that results in the alteration or deletion of or
unauthorized access to, personal information.  Starting January 1, 2028,
and annually thereafter, each state agency shall complete at least once
exercise of its incident response plan and record the results.

 
JUSTIFICATION:

Our state's information systems are under attack daily and the emergence
of more sophisticated tools to target the state call before an update to
the state's cybersecurity procedures and standards.

 
PRIOR LEGISLATIVE HISTORY:

2025: New Bill

 
FISCAL IMPLICATIONS:

Enactment of this legislation will have minimal fiscal impact on the
State and a minimal fiscal impact on its localities. This bill would
require municipal and State employees to engage in cyber security train-
ing; and local government entities, including Public Authorities to
report certain cyber security incidents to the State. Any costs to muni-
cipalities associated with executing the mandated cyber awareness train-
ing and incident reporting can likely be absorbed within existing agency
resources. In addition, any costs to the State resulting from processing
of reports and providing advice, guidance or technical support can like-
ly be absorbed within existing agency resources.

 
EFFECTIVE DATE:
This act shall take effect immediately, provided, however, that sections
one and two of this act shall take effect on the thirtieth day after
such effective date.

2025-S7672A (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  7672--A
     Cal. No. 712
 
                        2025-2026 Regular Sessions
 
                             I N  S E N A T E
 
                              April 28, 2025
                                ___________
 
 Introduced  by Sen. MARTINEZ -- read twice and ordered printed, and when
   printed to be  committed  to  the  Committee  on  Rules  --  committee
   discharged, bill amended, ordered reprinted as amended and recommitted
   to said committee
 
 AN  ACT  to  amend  the  general municipal law and the executive law, in
   relation to requiring municipal cybersecurity incident  reporting  and
   exempting  such  reports from freedom of information requirements; and
   to amend the state technology law, in relation to  requiring  cyberse-
   curity  awareness  training  for government employees, data protection
   standards, and cybersecurity protection
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1. The general municipal law is amended by adding a new arti-
 cle 19-C to read as follows:
                               ARTICLE 19-C
 CYBERSECURITY INCIDENT REPORTING REQUIREMENTS FOR MUNICIPAL CORPORATIONS
                          AND PUBLIC AUTHORITIES
 SECTION 995-A. DEFINITIONS.
         995-B. REPORTING OF CYBERSECURITY INCIDENTS.
         995-C. NOTICE AND EXPLANATION OF RANSOM PAYMENT.
   § 995-A. DEFINITIONS. FOR THE PURPOSES OF THIS ARTICLE:  1.  "CYBERSE-
 CURITY  INCIDENT"  MEANS  AN  EVENT  OCCURRING ON OR CONDUCTED THROUGH A
 COMPUTER NETWORK THAT ACTUALLY OR IMMINENTLY JEOPARDIZES THE  INTEGRITY,
 CONFIDENTIALITY,  OR  AVAILABILITY OF COMPUTERS, INFORMATION OR COMMUNI-
 CATIONS  SYSTEMS  OR  NETWORKS,  PHYSICAL  OR   VIRTUAL   INFRASTRUCTURE
 CONTROLLED  BY COMPUTERS OR INFORMATION SYSTEMS, OR INFORMATION RESIDENT
 THEREON.
   2. "CYBER THREAT" MEANS ANY CIRCUMSTANCE OR EVENT WITH  THE  POTENTIAL
 TO ADVERSELY IMPACT ORGANIZATIONAL OPERATIONS, ORGANIZATIONAL ASSETS, OR
 INDIVIDUALS  THROUGH  AN  INFORMATION  SYSTEM  VIA  UNAUTHORIZED ACCESS,

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD10937-06-5

 S. 7672--A                          2
 
 DESTRUCTION, DISCLOSURE, MODIFICATION OF INFORMATION, AND/OR  DENIAL  OF
 SERVICE.
   3.  "CYBER  THREAT  INDICATOR"  MEANS INFORMATION THAT IS NECESSARY TO
 DESCRIBE OR IDENTIFY:
   (A) MALICIOUS RECONNAISSANCE, INCLUDING ANOMALOUS PATTERNS OF COMMUNI-
 CATIONS THAT APPEAR TO BE TRANSMITTED FOR THE PURPOSE OF GATHERING TECH-
 NICAL INFORMATION RELATED TO A CYBERSECURITY THREAT OR SECURITY  VULNER-
 ABILITY;
   (B)  A  METHOD  OF  DEFEATING  A SECURITY CONTROL OR EXPLOITATION OF A
 SECURITY VULNERABILITY;
   (C)  A  SECURITY  VULNERABILITY,  INCLUDING  ANOMALOUS  ACTIVITY  THAT
 APPEARS TO INDICATE THE EXISTENCE OF A SECURITY VULNERABILITY;
   (D)  A  METHOD OF CAUSING A USER WITH LEGITIMATE ACCESS TO AN INFORMA-
 TION SYSTEM OR INFORMATION THAT IS STORED ON, PROCESSED BY, OR  TRANSIT-
 ING AN INFORMATION SYSTEM TO UNWITTINGLY ENABLE THE DEFEAT OF A SECURITY
 CONTROL OR EXPLOITATION OF A SECURITY VULNERABILITY;
   (E) MALICIOUS CYBER COMMAND AND CONTROL;
   (F)  THE  ACTUAL  OR POTENTIAL HARM CAUSED BY AN INCIDENT, INCLUDING A
 DESCRIPTION OF THE INFORMATION EXFILTRATED AS A RESULT OF  A  PARTICULAR
 CYBERSECURITY THREAT;
   (G)  ANY  OTHER  ATTRIBUTE OF A CYBERSECURITY THREAT, IF DISCLOSURE OF
 SUCH ATTRIBUTE IS NOT OTHERWISE PROHIBITED BY LAW; OR
   (H) ANY COMBINATION THEREOF.
   4. "DEFENSIVE MEASURE" MEANS AN ACTION, DEVICE, PROCEDURE,  SIGNATURE,
 TECHNIQUE, OR OTHER MEASURE APPLIED TO AN INFORMATION SYSTEM OR INFORMA-
 TION  THAT  IS  STORED  ON,  PROCESSED  BY, OR TRANSITING AN INFORMATION
 SYSTEM THAT  DETECTS,  PREVENTS,  OR  MITIGATES  A  KNOWN  OR  SUSPECTED
 CYBERSECURITY  THREAT  OR  SECURITY  VULNERABILITY.  THE TERM "DEFENSIVE
 MEASURE" DOES NOT INCLUDE A MEASURE  THAT  DESTROYS,  RENDERS  UNUSABLE,
 PROVIDES  UNAUTHORIZED  ACCESS TO, OR SUBSTANTIALLY HARMS AN INFORMATION
 SYSTEM OR INFORMATION STORED ON, PROCESSED BY, OR TRANSITING SUCH INFOR-
 MATION SYSTEM NOT OWNED BY THE MUNICIPAL CORPORATION OR PUBLIC AUTHORITY
 OPERATING THE MEASURE, OR FEDERAL ENTITY THAT IS AUTHORIZED  TO  PROVIDE
 CONSENT AND HAS PROVIDED CONSENT TO THAT MUNICIPAL CORPORATION OR PUBLIC
 AUTHORITY FOR OPERATION OF SUCH MEASURE.
   5.  "INFORMATION SYSTEM" MEANS A DISCRETE SET OF INFORMATION RESOURCES
 ORGANIZED FOR THE COLLECTION,  PROCESSING,  MAINTENANCE,  USE,  SHARING,
 DISSEMINATION, OR DISPOSITION OF INFORMATION.
   6. "MUNICIPAL CORPORATION" MEANS:
   (A)  A  MUNICIPAL  CORPORATION AS DEFINED IN SECTION ONE HUNDRED NINE-
 TEEN-N OF THIS CHAPTER; OR
   (B) A DISTRICT AS DEFINED IN SECTION ONE HUNDRED  NINETEEN-N  OF  THIS
 CHAPTER.
   7. "PUBLIC AUTHORITY" MEANS ANY STATE AUTHORITY OR LOCAL AUTHORITY, AS
 SUCH  TERMS ARE DEFINED IN SECTION TWO OF THE PUBLIC AUTHORITIES LAW, OR
 ANY SUBSIDIARY THEREOF.
   8. "RANSOM PAYMENT" MEANS THE TRANSMISSION OF ANY MONEY OR OTHER PROP-
 ERTY OR ASSET, INCLUDING VIRTUAL CURRENCY, OR ANY PORTION THEREOF, WHICH
 HAS AT ANY TIME BEEN DELIVERED AS RANSOM IN CONNECTION WITH A RANSOMWARE
 ATTACK.
   9. "RANSOMWARE ATTACK":
   (A) MEANS AN INCIDENT THAT INCLUDES THE USE OR THREAT OF USE OF  UNAU-
 THORIZED  OR  MALICIOUS  CODE  ON  AN  INFORMATION SYSTEM, OR THE USE OR
 THREAT OF USE OF ANOTHER DIGITAL MECHANISM SUCH AS A DENIAL  OF  SERVICE
 ATTACK,  TO INTERRUPT OR DISRUPT THE OPERATIONS OF AN INFORMATION SYSTEM
 OR COMPROMISE THE CONFIDENTIALITY, AVAILABILITY, OR INTEGRITY  OF  ELEC-
 S. 7672--A                          3
 
 TRONIC DATA STORED ON, PROCESSED BY, OR TRANSITING AN INFORMATION SYSTEM
 TO EXTORT A DEMAND FOR A RANSOM PAYMENT; AND
   (B)  DOES  NOT  INCLUDE ANY SUCH EVENT IN WHICH THE DEMAND FOR PAYMENT
 IS:
   (I) NOT GENUINE; OR
   (II) MADE IN GOOD FAITH BY AN ENTITY IN RESPONSE TO A SPECIFIC REQUEST
 BY THE OWNER OR OPERATOR OF THE INFORMATION SYSTEM.
   § 995-B. REPORTING OF CYBERSECURITY INCIDENTS. 1. NOTWITHSTANDING  ANY
 OTHER  PROVISION  OF LAW TO THE CONTRARY, ALL MUNICIPAL CORPORATIONS AND
 PUBLIC AUTHORITIES SHALL REPORT CYBERSECURITY INCIDENTS AND WHEN  APPLI-
 CABLE,  THE DEMAND OF A RANSOM PAYMENT, TO THE COMMISSIONER OF THE DIVI-
 SION OF HOMELAND SECURITY AND EMERGENCY SERVICES IN THE FORM AND  METHOD
 PRESCRIBED  BY  SUCH COMMISSIONER. SUCH REPORT SHALL INCLUDE WHETHER THE
 REPORTING MUNICIPAL CORPORATION OR PUBLIC  AUTHORITY  IS  REQUESTING  OR
 DECLINING  ADVICE AND/OR TECHNICAL ASSISTANCE FROM THE DIVISION OF HOME-
 LAND SECURITY AND  EMERGENCY  SERVICES  WITH  RESPECT  TO  THE  REPORTED
 CYBERSECURITY INCIDENT OR DEMAND FOR A RANSOM PAYMENT.
   2.  ALL  MUNICIPAL  CORPORATIONS  AND  PUBLIC AUTHORITIES SHALL REPORT
 CYBERSECURITY INCIDENTS, INCLUDING DEMANDS FOR RANSOM PAYMENT, NO  LATER
 THAN SEVENTY-TWO HOURS AFTER THE MUNICIPAL CORPORATION OR PUBLIC AUTHOR-
 ITY REASONABLY BELIEVES THE CYBERSECURITY INCIDENT HAS OCCURRED.
   3.  ANY  CYBERSECURITY  INCIDENT  REPORT  AND ANY RECORDS RELATED TO A
 RANSOM PAYMENT SUBMITTED TO THE COMMISSIONER OF THE DIVISION OF HOMELAND
 SECURITY AND EMERGENCY SERVICES PURSUANT TO  THE  REQUIREMENTS  OF  THIS
 ARTICLE  SHALL BE EXEMPT FROM DISCLOSURE UNDER ARTICLE SIX OF THE PUBLIC
 OFFICERS LAW.
   § 995-C. NOTICE AND EXPLANATION OF RANSOM PAYMENT. NOTWITHSTANDING ANY
 OTHER PROVISION OF LAW TO THE CONTRARY, EACH  MUNICIPAL  CORPORATION  OR
 PUBLIC  AUTHORITY  SHALL,  IN  THE  EVENT  OF  A  RANSOM PAYMENT MADE IN
 CONNECTION WITH A CYBERSECURITY INCIDENT INVOLVING THE MUNICIPAL  CORPO-
 RATION  OR PUBLIC AUTHORITY, PROVIDE THE COMMISSIONER OF THE DIVISION OF
 HOMELAND SECURITY AND EMERGENCY SERVICES  THROUGH  MEANS  PRESCRIBED  BY
 SUCH COMMISSIONER WITH THE FOLLOWING:
   1.  WITHIN  TWENTY-FOUR  HOURS  OF  THE  RANSOM PAYMENT, NOTICE OF THE
 PAYMENT; AND
   2. WITHIN THIRTY DAYS OF THE RANSOM PAYMENT, A WRITTEN DESCRIPTION  OF
 THE REASONS PAYMENT WAS NECESSARY, THE AMOUNT OF THE RANSOM PAYMENT, THE
 MEANS  BY  WHICH  THE RANSOM PAYMENT WAS MADE, A DESCRIPTION OF ALTERNA-
 TIVES TO PAYMENT CONSIDERED, ALL DILIGENCE PERFORMED  TO  FIND  ALTERNA-
 TIVES  TO  PAYMENT AND ALL DILIGENCE PERFORMED TO ENSURE COMPLIANCE WITH
 APPLICABLE STATE AND FEDERAL RULES AND REGULATIONS  INCLUDING  THOSE  OF
 THE  UNITED STATES DEPARTMENT OF THE TREASURY'S OFFICE OF FOREIGN ASSETS
 CONTROL.
   § 2. The executive law is amended by adding a  new  section  711-c  to
 read as follows:
   §  711-C.  CYBERSECURITY  INCIDENT REVIEWS. 1. DEFINITIONS. AS USED IN
 THIS SECTION, THE TERMS  CYBERSECURITY  INCIDENT,  CYBER  THREAT,  CYBER
 THREAT  INDICATOR,  DEFENSIVE  MEASURE,  INFORMATION  SYSTEM,  MUNICIPAL
 CORPORATION, PUBLIC AUTHORITY,  RANSOM  PAYMENT  AND  RANSOMWARE  ATTACK
 SHALL  HAVE  THE SAME MEANING AS SUCH TERMS ARE DEFINED IN ARTICLE NINE-
 TEEN-C OF THE GENERAL MUNICIPAL LAW.
   2. THE COMMISSIONER, OR THEIR DESIGNEES, SHALL REVIEW EACH CYBERSECUR-
 ITY INCIDENT REPORT AND NOTICE AND EXPLANATION OF RANSOM PAYMENT SUBMIT-
 TED PURSUANT TO SECTIONS NINE HUNDRED  NINETY-FIVE-B  AND  NINE  HUNDRED
 NINETY-FIVE-C  OF  THE GENERAL MUNICIPAL LAW TO ASSESS POTENTIAL IMPACTS
 S. 7672--A                          4
 
 OF CYBERSECURITY INCIDENTS AND RANSOM PAYMENTS ON  THE  HEALTH,  SAFETY,
 WELFARE OR SECURITY OF THE STATE, OR ITS RESIDENTS.
   3.  THE  COMMISSIONER,  OR  THEIR DESIGNEES, MAY WORK WITH APPROPRIATE
 STATE AGENCIES, FEDERAL LAW ENFORCEMENT, AND FEDERAL  HOMELAND  SECURITY
 AGENCIES  TO  PROVIDE MUNICIPAL CORPORATIONS AND PUBLIC AUTHORITIES WITH
 REPORTS OF CYBERSECURITY INCIDENTS AND TRENDS, INCLUDING BUT NOT LIMITED
 TO, TO THE MAXIMUM EXTENT PRACTICABLE, RELATED  CONTEXTUAL  INFORMATION,
 CYBER  THREAT  INDICATORS,  AND DEFENSIVE MEASURES. THE COMMISSIONER MAY
 COORDINATE AND SHARE SUCH REPORTED  INFORMATION  WITH  MUNICIPAL  CORPO-
 RATIONS, PUBLIC AUTHORITIES, STATE AGENCIES, AND FEDERAL LAW ENFORCEMENT
 AND  HOMELAND SECURITY AGENCIES TO RESPOND TO AND MITIGATE CYBERSECURITY
 THREATS.
   4. SUCH REPORTS, ASSESSMENTS, RECORDS, REVIEWS, DOCUMENTS, RECOMMENDA-
 TIONS, GUIDANCE AND ANY INFORMATION CONTAINED OR USED IN ITS PREPARATION
 SHALL BE EXEMPT FROM DISCLOSURE UNDER ARTICLE SIX OF THE PUBLIC OFFICERS
 LAW.
   5. NO LATER THAN FORTY-EIGHT HOURS  AFTER  RECEIVING  A  CYBERSECURITY
 INCIDENT REPORT CONTAINING A REQUEST FOR ADVICE AND/OR TECHNICAL ASSIST-
 ANCE  FROM  THE  DIVISION  PURSUANT  TO  SUBDIVISION ONE OF SECTION NINE
 HUNDRED NINETY-FIVE-B OF THE GENERAL MUNICIPAL LAW, THE COMMISSIONER  OR
 THE  COMMISSIONER'S DESIGNEES SHALL ACKNOWLEDGE RECEIPT OF SUCH REQUEST.
 AS SOON AS POSSIBLE AFTER RECEIVING SUCH A REQUEST, THE COMMISSIONER  OR
 THE  COMMISSIONER'S  DESIGNEES, SUBJECT TO THE COMMISSIONER'S DISCRETION
 IN PRIORITIZING THE DIVISION'S RESPONSE TO THE  MUNICIPAL  CORPORATION'S
 OR  PUBLIC  AUTHORITY'S  CYBERSECURITY  INCIDENT  REPORT,  SHALL PROVIDE
 ADVICE TO THE REQUESTING MUNICIPAL CORPORATION OR PUBLIC AUTHORITY  AND,
 TO THE EXTENT PRACTICABLE, PROVIDE TECHNICAL ASSISTANCE.
   § 3. The state technology law is amended by adding a new section 103-f
 to read as follows:
   § 103-F.  CYBERSECURITY AWARENESS TRAINING.  1. (A)  EMPLOYEES OF  THE
 STATE  WHO  USE  TECHNOLOGY AS A PART OF THEIR OFFICIAL JOB DUTIES SHALL
 TAKE ANNUAL CYBERSECURITY AWARENESS TRAINING  BEGINNING  JANUARY  FIRST,
 TWO  THOUSAND  TWENTY-SIX.   EMPLOYEES OF THE STATE SHALL BE REQUIRED TO
 COMPLETE THE TRAINING PROVIDED BY THE OFFICE.
   (B) FOR PURPOSES OF THIS  SECTION,  "EMPLOYEES  OF  THE  STATE"  SHALL
 INCLUDE  EMPLOYEES  OF  ALL STATE AGENCIES AND ALL PUBLIC BENEFIT CORPO-
 RATIONS, THE HEADS OF WHICH ARE APPOINTED BY THE GOVERNOR.
   2.  EMPLOYEES OF A COUNTY, A CITY, A TOWN, A VILLAGE, OR A DISTRICT AS
 DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THE GENERAL MUNICIPAL  LAW,
 WHO  USE  TECHNOLOGY  AS  A PART OF THEIR OFFICIAL JOB DUTIES SHALL TAKE
 ANNUAL CYBERSECURITY AWARENESS TRAINING  BEGINNING  JANUARY  FIRST,  TWO
 THOUSAND  TWENTY-SIX.  THE  OFFICE  SHALL  MAKE A CYBERSECURITY TRAINING
 AVAILABLE FOR USE BY A COUNTY, A CITY, A TOWN, A VILLAGE, OR A  DISTRICT
 AS  DEFINED  IN  SECTION ONE HUNDRED NINETEEN-N OF THE GENERAL MUNICIPAL
 LAW, AT NO CHARGE, PROVIDED HOWEVER, NO EMPLOYEE OF A COUNTY, A CITY,  A
 TOWN,  A  VILLAGE, OR A DISTRICT AS DEFINED IN SECTION ONE HUNDRED NINE-
 TEEN-N OF THE GENERAL MUNICIPAL LAW SHALL BE REQUIRED TO  COMPLETE  SUCH
 TRAINING PROVIDED BY THE OFFICE AND THE CYBERSECURITY AWARENESS TRAINING
 REQUIREMENTS OF THIS SECTION MAY BE SATISFIED BY THE COMPLETION OF OTHER
 CYBERSECURITY AWARENESS TRAINING.
   3. ALL TRAINING MANDATED BY THIS SECTION SHALL BE CONDUCTED DURING THE
 EMPLOYEE'S  REGULAR  WORKING  HOURS  AND EMPLOYEES SHALL RECEIVE COMPEN-
 SATION AT THEIR REGULAR RATE OF PAY FOR ANY TIME SPENT PARTICIPATING  IN
 SUCH TRAINING.
   §  4.  The state technology law is amended by adding a new section 210
 to read as follows:
 S. 7672--A                          5
 
   § 210. CYBERSECURITY PROTECTION. 1. DEFINITIONS. FOR PURPOSES OF  THIS
 SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
   (A) "BREACH OF THE SECURITY OF THE SYSTEM" SHALL HAVE THE SAME MEANING
 AS SUCH TERM IS DEFINED IN SECTION TWO HUNDRED EIGHT OF THIS ARTICLE.
   (B) "DATA SUBJECT" MEANS ANY NATURAL PERSON ABOUT WHOM PERSONAL INFOR-
 MATION HAS BEEN COLLECTED BY A STATE AGENCY.
   (C) "INFORMATION SYSTEM" MEANS A DISCRETE SET OF INFORMATION RESOURCES
 ORGANIZED  FOR  THE  COLLECTION,  PROCESSING, MAINTENANCE, USE, SHARING,
 DISSEMINATION, OR DISPOSITION OF INFORMATION.
   (D) "STATE  AGENCY-MAINTAINED  PERSONAL  INFORMATION"  MEANS  PERSONAL
 INFORMATION STORED BY A STATE AGENCY THAT WAS GENERATED BY A STATE AGEN-
 CY  OR PROVIDED TO THE STATE AGENCY BY THE DATA SUBJECT, A STATE AGENCY,
 A FEDERAL GOVERNMENTAL ENTITY, OR ANY OTHER THIRD-PARTY  SOURCE.    SUCH
 TERM  SHALL  ALSO  INCLUDE  PERSONAL  INFORMATION PROVIDED BY AN ADVERSE
 PARTY IN THE COURSE OF LITIGATION OR OTHER ADVERSARIAL PROCEEDING.
   (E) "STATE AGENCY" SHALL HAVE THE SAME MEANING AS SUCH TERM IS DEFINED
 IN SECTION ONE HUNDRED ONE OF THIS CHAPTER.
   2. DATA PROTECTION STANDARDS. THE DIRECTOR SHALL  ISSUE  POLICIES  AND
 STANDARDS FOR:
   (A)  PROTECTION  AGAINST  BREACHES  OF THE SECURITY OF THE INFORMATION
 SYSTEMS AND FOR PERSONAL INFORMATION USED BY SUCH INFORMATION SYSTEMS;
   (B) DATA BACKUP;
   (C) INFORMATION SYSTEM RECOVERY;
   (D) SECURE SANITIZATION AND DELETION OF DATA;
   (E) VULNERABILITY MANAGEMENT AND ASSESSMENT; AND
   (F) ANNUAL WORKFORCE TRAINING REGARDING PROTECTION AGAINST BREACHES OF
 THE SECURITY OF THE SYSTEM, AS WELL AS  PROCESSES  AND  PROCEDURES  THAT
 SHOULD  BE  FOLLOWED  IN  THE  EVENT  OF A BREACH OF THE SECURITY OF THE
 SYSTEM.
   3. INFORMATION SYSTEM INVENTORY. (A) NO LATER THAN TWO YEARS AFTER THE
 EFFECTIVE DATE OF THIS SECTION, EACH STATE  AGENCY  SHALL  CREATE,  THEN
 MAINTAIN, AN INVENTORY OF ITS INFORMATION SYSTEMS.
   (B) UPON WRITTEN REQUEST FROM THE OFFICE, A STATE AGENCY SHALL PROVIDE
 THE OFFICE WITH THE STATE AGENCY-MAINTAINED INFORMATION SYSTEMS INVENTO-
 RIES REQUIRED TO BE CREATED OR UPDATED PURSUANT TO THIS SUBDIVISION.
   (C) NOTWITHSTANDING PARAGRAPH (A) OF THIS SUBDIVISION, THE STATE AGEN-
 CY-MAINTAINED  INFORMATION SYSTEMS INVENTORIES REQUIRED TO BE CREATED OR
 UPDATED PURSUANT TO THIS SUBDIVISION  SHALL  BE  KEPT  CONFIDENTIAL,  AS
 DISCLOSURE  OF SUCH INFORMATION WOULD JEOPARDIZE THE SECURITY OF A STATE
 AGENCY'S INFORMATION SYSTEMS  AND  INFORMATION  TECHNOLOGY  ASSETS  AND,
 FURTHER,  SHALL NOT BE MADE AVAILABLE FOR DISCLOSURE OR INSPECTION UNDER
 THE STATE FREEDOM OF INFORMATION LAW.
   4. INCIDENT MANAGEMENT AND RECOVERY. (A) NO LATER THAN EIGHTEEN MONTHS
 AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE AGENCY  SHALL  HAVE
 CREATED  AN  INCIDENT  RESPONSE PLAN FOR INCIDENTS INVOLVING A BREACH OF
 THE SECURITY OF THE SYSTEM THAT RENDER AN INFORMATION SYSTEM OR ITS DATA
 UNAVAILABLE, AND INCIDENTS INVOLVING A BREACH OF  THE  SECURITY  OF  THE
 SYSTEM  THAT  RESULT  IN  THE  ALTERATION OR DELETION OF OR UNAUTHORIZED
 ACCESS TO, PERSONAL INFORMATION.
   (B) SUCH INCIDENT RESPONSE PLAN SHALL INCLUDE, BUT NOT BE LIMITED  TO,
 A PROCEDURE FOR SITUATIONS WHERE INFORMATION SYSTEMS HAVE BEEN ADVERSELY
 AFFECTED  BY A BREACH OF THE SECURITY OF THE SYSTEM, AS WELL AS A PROCE-
 DURE FOR THE RECOVERY OF PERSONAL INFORMATION AND INFORMATION SYSTEMS.
   (C) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-EIGHT AND ON AN ANNU-
 AL BASIS THEREAFTER, EACH STATE AGENCY SHALL COMPLETE AT LEAST ONE EXER-
 CISE OF ITS INCIDENT RESPONSE PLAN. UPON COMPLETION  OF  SUCH  EXERCISE,
 S. 7672--A                          6
 
 THE  STATE  AGENCY SHALL DOCUMENT THE INCIDENT RESPONSE PLAN'S SUCCESSES
 AND SHORTCOMINGS IN AN INCIDENT RESPONSE PLAN EXERCISE REPORT. THE INCI-
 DENT RESPONSE PLAN AND ANY INCIDENT RESPONSE PLAN EXERCISE REPORTS SHALL
 BE KEPT CONFIDENTIAL, AS DISCLOSURE OF SUCH INFORMATION WOULD JEOPARDIZE
 THE  SECURITY  OF  A  STATE AGENCY'S INFORMATION SYSTEMS AND INFORMATION
 TECHNOLOGY ASSETS, AND, FURTHER, SHALL NOT BE MADE AVAILABLE FOR DISCLO-
 SURE OR INSPECTION UNDER THE STATE FREEDOM OF INFORMATION LAW.
   5. NO PRIVATE RIGHT OF ACTION. NOTHING SET FORTH IN THIS SECTION SHALL
 BE CONSTRUED AS CREATING OR ESTABLISHING A PRIVATE CAUSE OF ACTION.
   § 5. Severability. The provisions of this act shall be  severable  and
 if  any  portion  thereof  or the applicability thereof to any person or
 circumstances shall be held to be invalid, the remainder of this act and
 the application thereof shall not be affected thereby.
   § 6. This act shall take effect immediately; provided,  however,  that
 sections  one and two of this act shall take effect on the thirtieth day
 after such effective date.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Senate Bill S7672A

Sponsored By

Current Bill Status - Passed Senate & Assembly

May 12, 2025 - Floor Vote

Floor Vote: May 12, 2025

Apr 29, 2025 - Rules Committee Vote

Rules Committee Vote: Apr 29, 2025

Bill Amendments

2025-S7672 - Details

2025-S7672 - Summary

2025-S7672 - Sponsor Memo

2025-S7672 - Bill Text download pdf

2025-S7672A (ACTIVE) - Details

2025-S7672A (ACTIVE) - Summary

2025-S7672A (ACTIVE) - Sponsor Memo

2025-S7672A (ACTIVE) - Bill Text download pdf

Comments

Senate Bill S7672A

Share this bill

Sponsored By

Monica R. Martinez

Current Bill Status - Passed Senate & Assembly

Bill Amendments

2025-S7672 - Details

2025-S7672 - Summary

2025-S7672 - Sponsor Memo

2025-S7672 - Bill Text download pdf

2025-S7672A (ACTIVE) - Details

2025-S7672A (ACTIVE) - Summary

2025-S7672A (ACTIVE) - Sponsor Memo

2025-S7672A (ACTIVE) - Bill Text download pdf

Comments