Legislation
SECTION 711-C
Cybersecurity incident reviews
Executive (EXC) CHAPTER 18, ARTICLE 26
* § 711-c. Cybersecurity incident reviews. 1. Definitions. As used in
this section, the terms cybersecurity incident, cyber threat, cyber
threat indicator, defensive measure, information system, municipal
corporation, public authority, ransom payment and ransomware attack
shall have the same meaning as such terms are defined in article
nineteen-C of the general municipal law.
2. The commissioner, or their designees, shall review each
cybersecurity incident report and notice and explanation of ransom
payment submitted pursuant to sections nine hundred ninety-five-b and
nine hundred ninety-five-c of the general municipal law to assess
potential impacts of cybersecurity incidents and ransom payments on the
health, safety, welfare or security of the state, or its residents.
3. The commissioner, or their designees, may work with appropriate
state agencies, federal law enforcement, and federal homeland security
agencies to provide municipal corporations and public authorities with
reports of cybersecurity incidents and trends, including but not limited
to, to the maximum extent practicable, related contextual information,
cyber threat indicators, and defensive measures. The commissioner may
coordinate and share such reported information with municipal
corporations, public authorities, state agencies, and federal law
enforcement and homeland security agencies to respond to and mitigate
cybersecurity threats.
4. Such reports, assessments, records, reviews, documents,
recommendations, guidance and any information contained or used in its
preparation shall be exempt from disclosure under article six of the
public officers law.
5. No later than forty-eight hours after receiving a cybersecurity
incident report containing a request for advice and/or technical
assistance from the division pursuant to subdivision one of section nine
hundred ninety-five-b of the general municipal law, the commissioner or
the commissioner's designees shall acknowledge receipt of such request.
As soon as possible after receiving such a request, the commissioner or
the commissioner's designees, subject to the commissioner's discretion
in prioritizing the division's response to the municipal corporation's
or public authority's cybersecurity incident report, shall provide
advice to the requesting municipal corporation or public authority and,
to the extent practicable, provide technical assistance.
* NB Effective July 26, 2025
this section, the terms cybersecurity incident, cyber threat, cyber
threat indicator, defensive measure, information system, municipal
corporation, public authority, ransom payment and ransomware attack
shall have the same meaning as such terms are defined in article
nineteen-C of the general municipal law.
2. The commissioner, or their designees, shall review each
cybersecurity incident report and notice and explanation of ransom
payment submitted pursuant to sections nine hundred ninety-five-b and
nine hundred ninety-five-c of the general municipal law to assess
potential impacts of cybersecurity incidents and ransom payments on the
health, safety, welfare or security of the state, or its residents.
3. The commissioner, or their designees, may work with appropriate
state agencies, federal law enforcement, and federal homeland security
agencies to provide municipal corporations and public authorities with
reports of cybersecurity incidents and trends, including but not limited
to, to the maximum extent practicable, related contextual information,
cyber threat indicators, and defensive measures. The commissioner may
coordinate and share such reported information with municipal
corporations, public authorities, state agencies, and federal law
enforcement and homeland security agencies to respond to and mitigate
cybersecurity threats.
4. Such reports, assessments, records, reviews, documents,
recommendations, guidance and any information contained or used in its
preparation shall be exempt from disclosure under article six of the
public officers law.
5. No later than forty-eight hours after receiving a cybersecurity
incident report containing a request for advice and/or technical
assistance from the division pursuant to subdivision one of section nine
hundred ninety-five-b of the general municipal law, the commissioner or
the commissioner's designees shall acknowledge receipt of such request.
As soon as possible after receiving such a request, the commissioner or
the commissioner's designees, subject to the commissioner's discretion
in prioritizing the division's response to the municipal corporation's
or public authority's cybersecurity incident report, shall provide
advice to the requesting municipal corporation or public authority and,
to the extent practicable, provide technical assistance.
* NB Effective July 26, 2025