3. "CYBER THREAT INDICATOR" MEANS INFORMATION THAT IS NECESSARY TO DESCRIBE OR IDENTIFY:
(A) MALICIOUS RECONNAISSANCE, INCLUDING ANOMALOUS PATTERNS OF COMMUNICATIONS THAT APPEAR TO BE TRANSMITTED FOR THE PURPOSE OF GATHERING TECHNICAL INFORMATION RELATED TO A CYBERSECURITY THREAT OR SECURITY VULNERABILITY;
(B) A METHOD OF DEFEATING A SECURITY CONTROL OR EXPLOITATION OF A SECURITY VULNERABILITY;
(C) A SECURITY VULNERABILITY, INCLUDING ANOMALOUS ACTIVITY THAT APPEARS TO INDICATE THE EXISTENCE OF A SECURITY VULNERABILITY;
(D) A METHOD OF CAUSING A USER WITH LEGITIMATE ACCESS TO AN INFORMATION SYSTEM OR INFORMATION THAT IS STORED ON, PROCESSED BY, OR TRANSITING AN INFORMATION SYSTEM TO UNWITTINGLY ENABLE THE DEFEAT OF A SECURITY CONTROL OR EXPLOITATION OF A SECURITY VULNERABILITY;
(E) MALICIOUS CYBER COMMAND AND CONTROL;
(F) THE ACTUAL OR POTENTIAL HARM CAUSED BY AN INCIDENT, INCLUDING A DESCRIPTION OF THE INFORMATION EXFILTRATED AS A RESULT OF A PARTICULAR CYBERSECURITY THREAT;
(G) ANY OTHER ATTRIBUTE OF A CYBERSECURITY THREAT, IF DISCLOSURE OF SUCH ATTRIBUTE IS NOT OTHERWISE PROHIBITED BY LAW; OR
(H) ANY COMBINATION THEREOF.
4. "DEFENSIVE MEASURE" MEANS AN ACTION, DEVICE, PROCEDURE, SIGNATURE, TECHNIQUE, OR OTHER MEASURE APPLIED TO AN INFORMATION SYSTEM OR INFORMATION THAT IS STORED ON, PROCESSED BY, OR TRANSITING AN INFORMATION SYSTEM THAT DETECTS, PREVENTS, OR MITIGATES A KNOWN OR SUSPECTED CYBERSECURITY THREAT OR SECURITY VULNERABILITY. THE TERM "DEFENSIVE MEASURE" DOES NOT INCLUDE A MEASURE THAT DESTROYS, RENDERS UNUSABLE, PROVIDES UNAUTHORIZED ACCESS TO, OR SUBSTANTIALLY HARMS AN INFORMATION SYSTEM OR INFORMATION STORED ON, PROCESSED BY, OR TRANSITING SUCH INFORMATION SYSTEM NOT OWNED BY THE MUNICIPAL CORPORATION OR PUBLIC AUTHORITY OPERATING THE MEASURE, OR FEDERAL ENTITY THAT IS AUTHORIZED TO PROVIDE CONSENT AND HAS PROVIDED CONSENT TO THAT MUNICIPAL CORPORATION OR PUBLIC AUTHORITY FOR OPERATION OF SUCH MEASURE.
5. "INFORMATION SYSTEM" MEANS A DISCRETE SET OF INFORMATION RESOURCES ORGANIZED FOR THE COLLECTION, PROCESSING, MAINTENANCE, USE, SHARING, DISSEMINATION, OR DISPOSITION OF INFORMATION.
6. "MUNICIPAL CORPORATION" MEANS:
(A) A MUNICIPAL CORPORATION AS DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THIS CHAPTER; OR
(B) A DISTRICT AS DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THIS CHAPTER.
7. "PUBLIC AUTHORITY" MEANS ANY STATE AUTHORITY OR LOCAL AUTHORITY, AS SUCH TERMS ARE DEFINED IN SECTION TWO OF THE PUBLIC AUTHORITIES LAW, OR ANY SUBSIDIARY THEREOF.
8. "RANSOM PAYMENT" MEANS THE TRANSMISSION OF ANY MONEY OR OTHER PROPERTY OR ASSET, INCLUDING VIRTUAL CURRENCY, OR ANY PORTION THEREOF, WHICH HAS AT ANY TIME BEEN DELIVERED AS RANSOM IN CONNECTION WITH A RANSOMWARE ATTACK.
9. "RANSOMWARE ATTACK":
(A) MEANS AN INCIDENT THAT INCLUDES THE USE OR THREAT OF USE OF UNAUTHORIZED OR MALICIOUS CODE ON AN INFORMATION SYSTEM, OR THE USE OR THREAT OF USE OF ANOTHER DIGITAL MECHANISM SUCH AS A DENIAL OF SERVICE ATTACK, TO INTERRUPT OR DISRUPT THE OPERATIONS OF AN INFORMATION SYSTEM OR COMPROMISE THE CONFIDENTIALITY, AVAILABILITY, OR INTEGRITY OF ELECTRONIC DATA STORED ON, PROCESSED BY, OR TRANSITING AN INFORMATION SYSTEM TO EXTORT A DEMAND FOR A RANSOM PAYMENT; AND
S. 7672 3
(B) DOES NOT INCLUDE ANY SUCH EVENT IN WHICH THE DEMAND FOR PAYMENT IS:
(I) NOT GENUINE; OR
(II) MADE IN GOOD FAITH BY AN ENTITY IN RESPONSE TO A SPECIFIC REQUEST BY THE OWNER OR OPERATOR OF THE INFORMATION SYSTEM.
§ 995-B. REPORTING OF CYBERSECURITY INCIDENTS. 1. NOTWITHSTANDING ANY OTHER PROVISION OF LAW TO THE CONTRARY, ALL MUNICIPAL CORPORATIONS AND PUBLIC AUTHORITIES SHALL REPORT CYBERSECURITY INCIDENTS AND WHEN APPLICABLE, THE DEMAND OF A RANSOM PAYMENT, TO THE COMMISSIONER OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES IN THE FORM AND METHOD PRESCRIBED BY SUCH COMMISSIONER. SUCH REPORT SHALL INCLUDE WHETHER THE REPORTING MUNICIPAL CORPORATION OR PUBLIC AUTHORITY IS REQUESTING OR DECLINING ADVICE AND/OR TECHNICAL ASSISTANCE FROM THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES WITH RESPECT TO THE REPORTED CYBERSECURITY INCIDENT OR DEMAND FOR A RANSOM PAYMENT.
2. ALL MUNICIPAL CORPORATIONS AND PUBLIC AUTHORITIES SHALL REPORT CYBERSECURITY INCIDENTS, INCLUDING DEMANDS FOR RANSOM PAYMENT, NO LATER THAN SEVENTY-TWO HOURS AFTER THE MUNICIPAL CORPORATION OR PUBLIC AUTHORITY REASONABLY BELIEVES THE CYBERSECURITY INCIDENT HAS OCCURRED.
3. ANY CYBERSECURITY INCIDENT REPORT AND ANY RECORDS RELATED TO A RANSOM PAYMENT SUBMITTED TO THE COMMISSIONER OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES PURSUANT TO THE REQUIREMENTS OF THIS ARTICLE SHALL BE EXEMPT FROM DISCLOSURE UNDER ARTICLE SIX OF THE PUBLIC OFFICERS LAW.
§ 995-C. NOTICE AND EXPLANATION OF RANSOM PAYMENT. NOTWITHSTANDING ANY OTHER PROVISION OF LAW TO THE CONTRARY, EACH MUNICIPAL CORPORATION OR PUBLIC AUTHORITY SHALL, IN THE EVENT OF A RANSOM PAYMENT MADE IN CONNECTION WITH A CYBERSECURITY INCIDENT INVOLVING THE MUNICIPAL CORPORATION OR PUBLIC AUTHORITY, PROVIDE THE COMMISSIONER OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES THROUGH MEANS PRESCRIBED BY SUCH COMMISSIONER WITH THE FOLLOWING:
(A) WITHIN TWENTY-FOUR HOURS OF THE RANSOM PAYMENT, NOTICE OF THE PAYMENT; AND
(B) WITHIN THIRTY DAYS OF THE RANSOM PAYMENT, A WRITTEN DESCRIPTION OF THE REASONS PAYMENT WAS NECESSARY, THE AMOUNT OF THE RANSOM PAYMENT, THE MEANS BY WHICH THE RANSOM PAYMENT WAS MADE, A DESCRIPTION OF ALTERNATIVES TO PAYMENT CONSIDERED, ALL DILIGENCE PERFORMED TO FIND ALTERNATIVES TO PAYMENT AND ALL DILIGENCE PERFORMED TO ENSURE COMPLIANCE WITH APPLICABLE STATE AND FEDERAL RULES AND REGULATIONS INCLUDING THOSE OF THE UNITED STATES DEPARTMENT OF TREASURY'S OFFICE OF FOREIGN ASSETS CONTROL.
§ 2. The executive law is amended by adding a new section 711-c to read as follows:
§ 711-C. CYBERSECURITY INCIDENT REVIEWS. 1. DEFINITIONS. AS USED IN THIS SECTION, THE TERMS CYBERSECURITY INCIDENT, CYBER THREAT, CYBER THREAT INDICATOR, DEFENSIVE MEASURE, INFORMATION SYSTEM, MUNICIPAL CORPORATION, PUBLIC AUTHORITY, RANSOM PAYMENT AND RANSOMWARE ATTACK SHALL HAVE THE SAME MEANING AS SUCH TERMS ARE DEFINED IN ARTICLE NINETEEN-C OF THE GENERAL MUNICIPAL LAW.
2. THE COMMISSIONER, OR THEIR DESIGNEES, SHALL REVIEW EACH CYBERSECURITY INCIDENT REPORT AND NOTICE AND EXPLANATION OF RANSOM PAYMENT SUBMITTED PURSUANT TO SECTIONS NINE HUNDRED NINETY-FIVE-B AND NINE HUNDRED NINETY-FIVE-C OF THE GENERAL MUNICIPAL LAW TO ASSESS POTENTIAL IMPACTS OF CYBERSECURITY INCIDENTS AND RANSOM PAYMENTS ON THE HEALTH, SAFETY, WELFARE OR SECURITY OF THE STATE, OR ITS RESIDENTS.
3. THE COMMISSIONER, OR THEIR DESIGNEES, MAY WORK WITH APPROPRIATE STATE AGENCIES, FEDERAL LAW ENFORCEMENT, AND FEDERAL HOMELAND SECURITY AGENCIES TO PROVIDE MUNICIPAL CORPORATIONS AND PUBLIC AUTHORITIES WITH REPORTS OF CYBERSECURITY INCIDENTS AND TRENDS, INCLUDING BUT NOT LIMITED TO, TO THE MAXIMUM EXTENT PRACTICABLE, RELATED CONTEXTUAL INFORMATION, CYBER THREAT INDICATORS, AND DEFENSIVE MEASURES. THE COMMISSIONER MAY COORDINATE AND SHARE SUCH REPORTED INFORMATION WITH MUNICIPAL CORPORATIONS, PUBLIC AUTHORITIES, STATE AGENCIES, AND FEDERAL LAW ENFORCEMENT AND HOMELAND SECURITY AGENCIES TO RESPOND TO AND MITIGATE CYBERSECURITY THREATS.
4. SUCH REPORTS, ASSESSMENTS, RECORDS, REVIEWS, DOCUMENTS, RECOMMENDATIONS, GUIDANCE AND ANY INFORMATION CONTAINED OR USED IN ITS PREPARATION SHALL BE EXEMPT FROM DISCLOSURE UNDER ARTICLE SIX OF THE PUBLIC OFFICERS LAW.
5. NO LATER THAN FORTY-EIGHT HOURS AFTER RECEIVING A CYBERSECURITY INCIDENT REPORT CONTAINING A REQUEST FOR ADVICE AND/OR TECHNICAL ASSISTANCE FROM THE DIVISION PURSUANT TO SUBDIVISION ONE OF SECTION NINE HUNDRED NINETY-FIVE-B OF THE GENERAL MUNICIPAL LAW, THE COMMISSIONER OR THE COMMISSIONER'S DESIGNEES SHALL ACKNOWLEDGE RECEIPT OF SUCH REQUEST. AS SOON AS POSSIBLE AFTER RECEIVING SUCH A REQUEST, THE COMMISSIONER OR THE COMMISSIONER'S DESIGNEES, SUBJECT TO THE COMMISSIONER'S DISCRETION IN PRIORITIZING THE DIVISION'S RESPONSE TO THE MUNICIPAL CORPORATION'S OR PUBLIC AUTHORITY'S CYBERSECURITY INCIDENT REPORT, SHALL PROVIDE ADVICE TO THE REQUESTING MUNICIPAL CORPORATION OR PUBLIC AUTHORITY AND, TO THE EXTENT PRACTICABLE, PROVIDE TECHNICAL ASSISTANCE.
§ 3. The state technology law is amended by adding a new section 103-f to read as follows:
§ 103-F. CYBERSECURITY AWARENESS TRAINING. 1. (A) EMPLOYEES OF THE STATE WHO USE TECHNOLOGY AS A PART OF THEIR OFFICIAL JOB DUTIES SHALL TAKE ANNUAL CYBERSECURITY AWARENESS TRAINING BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-SIX. EMPLOYEES OF THE STATE SHALL BE REQUIRED TO COMPLETE THE TRAINING PROVIDED BY THE OFFICE.
(B) FOR PURPOSES OF THIS SECTION, "EMPLOYEES OF THE STATE" SHALL INCLUDE EMPLOYEES OF ALL STATE AGENCIES AND ALL PUBLIC BENEFIT CORPORATIONS, THE HEADS OF WHICH ARE APPOINTED BY THE GOVERNOR.
2. EMPLOYEES OF A COUNTY, A CITY, A TOWN, A VILLAGE, OR A DISTRICT AS DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THE GENERAL MUNICIPAL LAW, WHO USE TECHNOLOGY AS A PART OF THEIR OFFICIAL JOB DUTIES SHALL TAKE ANNUAL CYBERSECURITY AWARENESS TRAINING BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-SIX. THE OFFICE SHALL MAKE A CYBERSECURITY TRAINING AVAILABLE FOR USE BY A COUNTY, A CITY, A TOWN, A VILLAGE, OR A DISTRICT AS DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THE GENERAL MUNICIPAL LAW, AT NO CHARGE, PROVIDED HOWEVER, NO EMPLOYEE OF A COUNTY, A CITY, A TOWN, A VILLAGE, OR A DISTRICT AS DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THE GENERAL MUNICIPAL LAW SHALL BE REQUIRED TO COMPLETE SUCH TRAINING PROVIDED BY THE OFFICE AND THE CYBERSECURITY AWARENESS TRAINING REQUIREMENTS OF THIS SECTION MAY BE SATISFIED BY THE COMPLETION OF OTHER CYBERSECURITY AWARENESS TRAINING.
3. ALL TRAINING MANDATED BY THIS SECTION SHALL BE CONDUCTED DURING THE EMPLOYEE'S REGULAR WORKING HOURS AND EMPLOYEES SHALL RECEIVE COMPENSATION AT THEIR REGULAR RATE OF PAY FOR ANY TIME SPENT PARTICIPATING IN SUCH TRAINING.
§ 4. The state technology law is amended by adding a new section 210 to read as follows:
§ 210. CYBERSECURITY PROTECTION. 1. DEFINITIONS. FOR PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
(A) "BREACH OF THE SECURITY OF THE SYSTEM" SHALL HAVE THE SAME MEANING AS SUCH TERM IS DEFINED IN SECTION TWO HUNDRED EIGHT OF THIS ARTICLE.
(B) "DATA SUBJECT" MEANS ANY NATURAL PERSON ABOUT WHOM PERSONAL INFORMATION HAS BEEN COLLECTED BY A STATE AGENCY.
(C) "INFORMATION SYSTEM" MEANS A DISCRETE SET OF INFORMATION RESOURCES ORGANIZED FOR THE COLLECTION, PROCESSING, MAINTENANCE, USE, SHARING, DISSEMINATION, OR DISPOSITION OF INFORMATION.
(D) "STATE AGENCY-MAINTAINED PERSONAL INFORMATION" MEANS PERSONAL INFORMATION STORED BY A STATE AGENCY THAT WAS GENERATED BY A STATE AGENCY OR PROVIDED TO THE STATE AGENCY BY THE DATA SUBJECT, A STATE AGENCY, A FEDERAL GOVERNMENTAL ENTITY, OR ANY OTHER THIRD-PARTY SOURCE. SUCH TERM SHALL ALSO INCLUDE PERSONAL INFORMATION PROVIDED BY AN ADVERSE PARTY IN THE COURSE OF LITIGATION OR OTHER ADVERSARIAL PROCEEDING.
(E) "STATE AGENCY" SHALL HAVE THE SAME MEANING AS SUCH TERM IS DEFINED IN SECTION ONE HUNDRED ONE OF THIS CHAPTER.
2. DATA PROTECTION STANDARDS. THE DIRECTOR SHALL ISSUE POLICIES AND STANDARDS FOR:
(A) PROTECTION AGAINST BREACHES OF THE SECURITY OF THE SYSTEM INFORMATION SYSTEMS AND FOR PERSONAL INFORMATION USED BY SUCH INFORMATION SYSTEMS;
(B) DATA BACKUP;
(C) INFORMATION SYSTEM RECOVERY;
(D) SECURE SANITIZATION AND DELETION OF DATA;
(E) VULNERABILITY MANAGEMENT AND ASSESSMENT; AND
(F) ANNUAL WORKFORCE TRAINING REGARDING PROTECTION AGAINST BREACHES OF THE SECURITY OF THE SYSTEM, AS WELL AS PROCESSES AND PROCEDURES THAT SHOULD BE FOLLOWED IN THE EVENT OF A BREACH OF THE SECURITY OF THE SYSTEM.
3. INFORMATION SYSTEM INVENTORY. (A) NO LATER THAN TWO YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE AGENCY SHALL CREATE, THEN MAINTAIN, AN INVENTORY OF ITS INFORMATION SYSTEMS.
(B) UPON WRITTEN REQUEST FROM THE OFFICE, A STATE AGENCY SHALL PROVIDE THE OFFICE WITH THE STATE AGENCY-MAINTAINED INFORMATION SYSTEMS INVENTORIES REQUIRED TO BE CREATED OR UPDATED PURSUANT TO THIS SUBDIVISION.
(C) NOTWITHSTANDING PARAGRAPH (A) OF THIS SUBDIVISION, THE STATE AGENCY-MAINTAINED INFORMATION SYSTEMS INVENTORIES REQUIRED TO BE CREATED OR UPDATED PURSUANT TO THIS SUBDIVISION SHALL BE KEPT CONFIDENTIAL, AS DISCLOSURE OF SUCH INFORMATION WOULD JEOPARDIZE THE SECURITY OF A STATE AGENCY'S INFORMATION SYSTEMS AND INFORMATION TECHNOLOGY ASSETS AND, FURTHER, SHALL NOT BE MADE AVAILABLE FOR DISCLOSURE OR INSPECTION UNDER THE STATE FREEDOM OF INFORMATION LAW.
4. INCIDENT MANAGEMENT AND RECOVERY. (A) NO LATER THAN EIGHTEEN MONTHS AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE AGENCY SHALL HAVE CREATED AN INCIDENT RESPONSE PLAN FOR INCIDENTS INVOLVING A BREACH OF THE SECURITY OF THE SYSTEM THAT RENDER AN INFORMATION SYSTEM OR ITS DATA UNAVAILABLE, AND INCIDENTS INVOLVING A BREACH OF THE SECURITY OF THE SYSTEM THAT RESULT IN THE ALTERATION OR DELETION OF OR UNAUTHORIZED ACCESS TO, PERSONAL INFORMATION.
(B) SUCH INCIDENT RESPONSE PLAN SHALL INCLUDE, BUT NOT BE LIMITED TO, A PROCEDURE FOR SITUATIONS WHERE INFORMATION SYSTEMS HAVE BEEN ADVERSELY AFFECTED BY A BREACH OF THE SECURITY OF THE SYSTEM, AS WELL AS A PROCEDURE FOR THE RECOVERY OF PERSONAL INFORMATION AND INFORMATION SYSTEMS.
(C) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-EIGHT AND ON AN ANNUAL BASIS THEREAFTER, EACH STATE AGENCY SHALL COMPLETE AT LEAST ONE EXERCISE OF ITS INCIDENT RESPONSE PLAN. UPON COMPLETION OF SUCH EXERCISE, THE STATE AGENCY SHALL DOCUMENT THE INCIDENT RESPONSE PLAN'S SUCCESSES AND SHORTCOMINGS IN AN INCIDENT RESPONSE PLAN EXERCISE REPORT. THE INCIDENT RESPONSE PLAN AND ANY INCIDENT RESPONSE PLAN EXERCISE REPORTS SHALL BE KEPT CONFIDENTIAL, AS DISCLOSURE OF SUCH INFORMATION WOULD JEOPARDIZE THE SECURITY OF A STATE AGENCY'S INFORMATION SYSTEMS AND INFORMATION TECHNOLOGY ASSETS, AND, FURTHER, SHALL NOT BE MADE AVAILABLE FOR DISCLOSURE OR INSPECTION UNDER THE STATE FREEDOM OF INFORMATION LAW.
5. NO PRIVATE RIGHT OF ACTION. NOTHING SET FORTH IN THIS SECTION SHALL BE CONSTRUED AS CREATING OR ESTABLISHING A PRIVATE CAUSE OF ACTION.
§ 5. Severability. The provisions of this act shall be severable and if any portion thereof or the applicability thereof to any person or circumstances shall be held to be invalid, the remainder of this act and the application thereof shall not be affected thereby.
§ 6. This act shall take effect immediately; provided, however, that sections one and two of this act shall take effect on the thirtieth day after such effective date.