NY State Senate Bill 2025-S8169

Senate Bill S8169

2025-2026 Legislative Session

Requires all state entities to notify affected individuals in the event of a data breach where information is compromised

download bill text pdf

Current Bill Status - In Assembly Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jun 10, 2025	referred to governmental operations delivered to assembly passed senate
Jun 04, 2025	ordered to third reading cal.1569 committee discharged and committed to rules
May 29, 2025	reported and committed to finance
May 16, 2025	referred to internet and technology

Votes

- Jun 10, 2025 - Floor Vote
  S8169
  
  58
  
  Aye
  
  0
  
  Nay
  
  0
  
  Absent
  
  5
  
  Excused
  
  0
  
  Abstained
  - - Floor Vote: Jun 10, 2025
      
      aye (58)
      
      Ashby
      
      Bailey
      
      Baskin
      
      Borrello
      
      Brisport
      
      Brouk
      
      Bynoe
      
      Canzoneri-Fitzpatrick
      
      Chan
      
      Cleare
      
      Comrie
      
      Cooney
      
      Fahy
      
      Fernandez
      
      Gallivan
      
      Gianaris
      
      Gonzalez
      
      Gounardes
      
      Griffo
      
      Harckham
      
      Helming
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Kavanagh
      
      Krueger
      
      Lanza
      
      Liu
      
      Martinez
      
      Martins
      
      Mattera
      
      May
      
      Mayer
      
      O'Mara
      
      Oberacker
      
      Ortt
      
      Palumbo
      
      Parker
      
      Persaud
      
      Rhoads
      
      Rivera
      
      Rolison
      
      Ryan
      
      Ryan
      
      Salazar
      
      Sanders Jr.
      
      Scarcella-Spanton
      
      Sepúlveda
      
      Serrano
      
      Skoufis
      
      Stavisky
      
      Stec
      
      Stewart-Cousins
      
      Tedisco
      
      Walczyk
      
      Webb
      
      Weber
      
      Weik
      
      excused (5)
      
      Addabbo Jr.
      
      Murray
      
      Myrie
      
      Ramos
      
      Sutton
      
      The following Member(s) participated via videoconferencing: Brouk Scarcella-Spanton
  Jun 4, 2025 - Rules Committee Vote
  S8169
  
  19
  
  Aye
  
  0
  
  Nay
  
  1
  
  Aye with Reservations
  
  0
  
  Absent
  
  1
  
  Excused
  
  0
  
  Abstained
  - - Rules Committee Vote: Jun 4, 2025
      
      aye (19)
      
      Addabbo Jr.
      
      Bailey
      
      Comrie
      
      Fernandez
      
      Gallivan
      
      Gianaris
      
      Griffo
      
      Harckham
      
      Helming
      
      Hoylman-Sigal
      
      Krueger
      
      Lanza
      
      Liu
      
      Mayer
      
      Ortt
      
      Parker
      
      Sepúlveda
      
      Stec
      
      Stewart-Cousins
      
      aye wr (1)
      
      O'Mara
      
      excused (1)
      
      Myrie
  May 27, 2025 - Internet And Technology Committee Vote
  S8169
  
  7
  
  Aye
  
  0
  
  Nay
  
  0
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Internet And Technology Committee Vote: May 27, 2025
      
      aye (7)
      
      Gonzalez
      
      Gounardes
      
      Hinchey
      
      Parker
      
      Ryan
      
      Stec
      
      Walczyk

2025-S8169 (ACTIVE) - Details

See Assembly Version of this Bill:: A8614
Current Committee:: Assembly Governmental Operations
Law Section:: State Technology Law
Laws Affected:: Amd §208, St Tech L

2025-S8169 (ACTIVE) - Summary

Requires all state entities, including local governments, to notify affected individuals in the event of a data breach where information is compromised; defines "cybersecurity incident".

2025-S8169 (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S8169

SPONSOR: BYNOE
 
TITLE OF BILL:

An act to amend the state technology law, in relation to prompt notifi-
cation to affected individuals in the event of a data breach within
certain state entities

 
PURPOSE:

Relates to the prompt notification to affected individuals in the event
of a data breach within certain state entities.

 
SUMMARY OF PROVISIONS:

Section 1. Paragraphs (b) and (c) of subdivision 1 of section 208 of 2
the state technology law are amended to provide that a breach of a secu-
rity system shall also include the unauthorized utilization of computer-
ized data by either person or entity without proper authorization,
repeals subsection (2) of subsection (c), and provides that such review
of unauthorized utilization shall include the occurrence of a cyberse-

curity incident, as defined by new paragraph (e).

Section 2. Amends subdivision 2 of section 208 of the state technology
law, as amended by chapter 117 of the laws of 2019, to provide that any
state entity that owns, licenses, or maintains computerized data that
includes personal information shall be included in the requirements of
this new section when private information is believed to have been
accessed or acquired by a person or entity without valid authorization.

Section 3. Amends subdivision 3 of section 208 of the state technology
law, as 6 amended by chapter 117 of the laws of 2019 to provide that
such provision will apply to any person or entity without valid authori-
zation.

Section 4. Effective Date.

 
JUSTIFICATION:

Between September and December of 2021, Nassau County suffered a signif-
icant internal data breach that compromised the confidential records of
past, current, and prospective employees, including their medical histo-
ry and social security numbers. The affected individuals were not noti-
fied until February of 2022. This incident revealed the larger gap in
current data breach disclosure requirements which effectively exempt
local municipalities from having to notify affected individuals when
their personal information is compromised.

This bill amends the current law to extend existing notification
requirements in the event of a data break to local municipalities, who
are just as susceptible to these types of vulnerabilities and who are
often charged with managing highly sensitive, confidential information
for thousands of individuals. This bill further amends the law to better
address the full scope of threats that state entities may face, whether
from individuals or otherwise, and takes steps to address instances
where confidential information may still have been mishandled or compro-
mised even if improper disclosure had not occurred. With proper notifi-
cation, pursuant to the law, individuals will also receive information
on resources for dealing with data breaches and identity theft
prevention. With these adjustments, individuals will be made more fully
aware of when their data may be compromised and given greater opportu-
nity to take corrective action. At a time when cyberthreats are on the
rise, particularly among local governments, this legislation will better
protect those who rely on secure systems to keep their information safe.

 
PRIOR LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPLICATIONS:

To be determined.

 
EFFECTIVE DATE:
90 days after it shall have become a law.

2025-S8169 (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   8169
 
                        2025-2026 Regular Sessions
 
                             I N  S E N A T E
 
                               May 16, 2025
                                ___________
 
 Introduced  by  Sen.  BYNOE  -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the state technology law, in relation to prompt  notifi-
   cation  to  affected  individuals in the event of a data breach within
   certain state entities

   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Paragraphs (b) and (c) of subdivision 1 of section 208 of
 the state technology law, paragraph (b) of subdivision 1 as  amended  by
 chapter  491  of  the laws of 2005 and paragraph (c) of subdivision 1 as
 added by chapter 442 of the laws of 2005, are amended and  a  new  para-
 graph (e) is added to read as follows:
   (b)  "Breach  of  the  security of the system" shall mean unauthorized
 acquisition [or], acquisition without valid authorization, OR  UNAUTHOR-
 IZED  UTILIZATION  of  computerized data which compromises the security,
 confidentiality, or integrity of personal information  maintained  by  a
 state  entity.  Good  faith  acquisition  of  personal information by an
 employee or agent of a state entity for the purposes of  the  agency  is
 not  a  breach  of the security of the system, provided that the private
 information is not used or subject to unauthorized disclosure.
   In determining whether information has been acquired OR  UTILIZED,  or
 is  reasonably  believed  to have been acquired OR UTILIZED, by an unau-
 thorized person [or a], person without valid authorization OR  UNAUTHOR-
 IZED ENTITY, such state entity may consider the following factors, among
 others:
   (1) indications that the information is in the physical possession and
 control  of an unauthorized person, such as a lost or stolen computer or
 other device containing information; or
   (2) indications that the information has been downloaded or copied; or

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD13104-03-5
 S. 8169                             2

   (3) indications that the  information  was  used  by  an  unauthorized
 person,  such  as  fraudulent  accounts  opened or instances of identity
 theft reported[.]; OR
   (4) INDICATIONS THAT A CYBERSECURITY INCIDENT, AS DEFINED IN PARAGRAPH
 (E) OF THIS SUBDIVISION, AS OCCURRED.
   (c)  "State  entity"  shall  mean  any  state board, bureau, division,
 committee, commission, council,  department,  public  authority,  public
 benefit  corporation,  office  or other governmental entity performing a
 governmental or proprietary function for the state of New York, except[:
   (1)] the judiciary; [and
   (2)] BUT SHALL INCLUDE all cities, counties, municipalities, villages,
 towns, and other local agencies.
   (E) "CYBERSECURITY INCIDENT" SHALL  MEAN  AN  EVENT  OCCURRING  ON  OR
 CONDUCTED  THROUGH  A COMPUTER NETWORK THAT ACTUALLY OR IMMINENTLY JEOP-
 ARDIZES THE INTEGRITY, CONFIDENTIALITY, OR  AVAILABILITY  OF  COMPUTERS,
 INFORMATION OR COMMUNICATIONS SYSTEMS OR NETWORKS, PHYSICAL  OR   VIRTU-
 AL  INFRASTRUCTURE  CONTROLLED   BY COMPUTERS OR INFORMATION SYSTEMS, OR
 INFORMATION RESIDENT THEREON.
   § 2. The opening paragraph of subdivision 2  of  section  208  of  the
 state  technology law, as amended by chapter 117 of the laws of 2019, is
 amended to read as follows:
   Any state entity that owns [or], licenses, OR  MAINTAINS  computerized
 data  that includes private information shall disclose any breach of the
 security of the system following discovery or notification of the breach
 in the security of the system to any resident of New  York  state  whose
 private  information  was,  or  is  reasonably  believed  to  have been,
 accessed or acquired by a person OR ENTITY without valid  authorization.
 The  disclosure  shall  be  made in the most expedient time possible and
 without unreasonable delay, consistent with the legitimate needs of  law
 enforcement,  as  provided  in  subdivision four of this section, or any
 measures necessary to determine the scope of the breach and restore  the
 integrity  of  the  data system. The state entity shall consult with the
 state office of information technology services to determine  the  scope
 of the breach and restoration measures. Within ninety days of the notice
 of  the  breach,  the  office  of  information technology services shall
 deliver a report on the scope  of  the  breach  and  recommendations  to
 restore and improve the security of the system to the state entity.
   §  3.  Subdivision  3  of  section 208 of the state technology law, as
 amended by chapter 117 of the laws  of  2019,  is  amended  to  read  as
 follows:
   3.  Any  state  entity  that maintains computerized data that includes
 private information which such agency does  not  own  shall  notify  the
 owner  or  licensee  of the information of any breach of the security of
 the system immediately following discovery, if the  private  information
 was, or is reasonably believed to have been, accessed [or], acquired, OR
 UTILIZED by [a] ANY person OR ENTITY without valid authorization.
   §  4.  This  act shall take effect on the ninetieth day after it shall
 have become a law.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.