§ 209. Notification of a breach of the security of the system or a
breach of network security; shared data. 1. The office shall, within
twenty-four hours of either being notified of or receiving evidence of a
breach of the security of the system, or a breach of network security,
as defined in paragraphs (a) and (b) of subdivision three of this
section, notify the chief information officer, the chief information
security officer, and where appropriate, the cyber security coordinator
of any state entity with which it shares data, provides networked
services or shares a network connection whose data, services or
connection is reasonably suspected to be affected by any such breach.

2. The office shall provide the chief information officer, the chief
information security officer, and where appropriate, the cyber risk
coordinator of any state entity, who has been notified pursuant to
subdivision one of this section, with its plan for remediation of the
breach and future protection of such data and network.

3. For purposes of this section:

(a) "Breach of the security of the system" shall have the same meaning
as defined in paragraph (b) of subdivision one of section two hundred
eight of this article.

(b) "Breach of network security" shall mean unauthorized access to or
access without valid authorization of a computer network which
compromises the security, confidentiality, or integrity of such network.

(c) "State entity" shall have the same meaning as provided by
paragraph (c) of subdivision one of section two hundred eight of this
article.