BILL NUMBER: S1961
SPONSOR: GONZALEZ
 
TITLE OF BILL:
An act to amend the state technology law, in relation to establishing
the "secure our data act"
 
SUMMARY OF PROVISIONS:
Section one of this bill provides the title, which is the "secure our
data act." Section two of this bill provides the legislative intent.
Section three of this bill amends the State Technology Law by adding a
new section 210. New subdivision 210:
(1) provides definitions that will be used in this section. These
definitions include "breach of the security of the system," "data
validation," "immutable," and "information system."
(2) requires the Office of Information Technology Services to promulgate
regulations that include standards for:
* protection against breaches of the security of the system for mission
critical information systems and personal information,
* data backup,
* information system recovery,
* data retention policies, and
* workforce training regarding protection against breaches of the
security of the system.
These regulations may be promulgated on an emergency basis after at
least one public hearing has been held.
(3) requires state entities to engage in vulnerability testing of their
critical information systems and to annually have their entire
information system network subjected to vulnerability testing.
(4) requires each state entity to create an, or update an existing,
inventory of the personal information and information systems maintained
by the state entity.
(5) requires each state entity to develop an incident response plan for
breaches of the security of the system. On an annual basis, each state
entity shall complete one exercise of its incident response plan.
(6) provides that this bill does not create a private cause of action.
Section 4 of this bill contains the severability clause.
Section 5 of this bill provides that this act shall take effect
immediately.
 
JUSTIFICATION:
Our state's information systems are under attack every day. The
emergence of generative AI tools has enabled these attacks to grow in
sophistication. While we cannot eradicate all cyberattacks or halt the
behavior of all bad actors, we must fortify defense of New York's
information systems and the personal information stored therein.
Personal information about New York residents is stored in each
governmental entity's information systems. In fact, these governmental
entities need the collected and maintained personal information to
properly function and provide services to New York residents. In its
role as protector, government must take affirmative steps to protect
the personal information that it has collected and maintains from
cyberattacks.
This legislation is an important step in ensuring that the government is
taking steps to protect the personal information that it has collected
and maintains. New Yorkers trust that their government is protecting
their personal information. We need to ensure that this trust is not
misplaced.
 
PRIOR LEGISLATIVE HISTORY:
2024: S5007B - Passed in Senate
2024: S5007A - Committed to Finance
2024: S5007A - Referred to Internet and Technology
2023: S5007A - Passed in Senate
2023: S5007A - Committed to Rules
2023: S5007 - Committed to Finance
2023: S5007 - Referred to Internet and Technology
 
FISCAL IMPLICATIONS:
To be determined.
 
EFFECTIVE DATE:
This act shall take effect immediately.