This entry was published on 2025-07-04
SECTION 210
Cybersecurity protection
State Technology (STT) CHAPTER 57-A, ARTICLE 2
§ 210. Cybersecurity protection. 1. Definitions. For purposes of this
section, the following terms shall have the following meanings:

(a) "Breach of the security of the system" shall have the same meaning
as such term is defined in section two hundred eight of this article.

(b) "Data subject" means any natural person about whom personal
information has been collected by a state agency.

(c) "Information system" means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.

(d) "State agency-maintained personal information" means personal
information stored by a state agency that was generated by a state
agency or provided to the state agency by the data subject, a state
agency, a federal governmental entity, or any other third-party source.
Such term shall also include personal information provided by an adverse
party in the course of litigation or other adversarial proceeding.

(e) "State agency" shall have the same meaning as such term is defined
in section one hundred one of this chapter.

2. Data protection standards. The director shall issue policies and
standards for:

(a) protection against breaches of the security of the information
systems and for personal information used by such information systems;

(b) data backup;

(c) information system recovery;

(d) secure sanitization and deletion of data;

(e) vulnerability management and assessment; and

(f) annual workforce training regarding protection against breaches of
the security of the system, as well as processes and procedures that
should be followed in the event of a breach of the security of the
system.

3. Information system inventory. (a) No later than two years after the
effective date of this section, each state agency shall create, then
maintain, an inventory of its information systems.

(b) Upon written request from the office, a state agency shall provide
the office with the state agency-maintained information systems
inventories required to be created or updated pursuant to this
subdivision.

(c) Notwithstanding paragraph (a) of this subdivision, the state
agency-maintained information systems inventories required to be created
or updated pursuant to this subdivision shall be kept confidential, as
disclosure of such information would jeopardize the security of a state
agency's information systems and information technology assets and,
further, shall not be made available for disclosure or inspection under
the state freedom of information law.

4. Incident management and recovery. (a) No later than eighteen months
after the effective date of this section, each state agency shall have
created an incident response plan for incidents involving a breach of
the security of the system that render an information system or its data
unavailable, and incidents involving a breach of the security of the
system that result in the alteration or deletion of or unauthorized
access to, personal information.

(b) Such incident response plan shall include, but not be limited to,
a procedure for situations where information systems have been adversely
affected by a breach of the security of the system, as well as a
procedure for the recovery of personal information and information
systems.

(c) Beginning January first, two thousand twenty-eight and on an
annual basis thereafter, each state agency shall complete at least one
exercise of its incident response plan. Upon completion of such
exercise, the state agency shall document the incident response plan's
successes and shortcomings in an incident response plan exercise report.
The incident response plan and any incident response plan exercise
reports shall be kept confidential, as disclosure of such information
would jeopardize the security of a state agency's information systems
and information technology assets, and, further, shall not be made
available for disclosure or inspection under the state freedom of
information law.

5. No private right of action. Nothing set forth in this section shall
be construed as creating or establishing a private cause of action.