BILL NUMBER: S7672A
SPONSOR: MARTINEZ
TITLE OF BILL:
An act to amend the general municipal law and the executive law, in
relation to requiring municipal cybersecurity incident reporting and
exempting such reports from freedom of information requirements; and to
amend the state technology law, in relation to requiring cybersecurity
awareness training for government employees, data protection standards,
and cybersecurity protection
SUMMARY OF PROVISIONS:
Section 1 adds a new article to the general municipal law to require the
reporting of cybersecurity incidents and demands for a ransom payment by
municipal corporations and public authorities to the Commissioner of the
Division of Homeland Security and Emergency Services (DHSES). Such
reports must include whether the reporting municipal corporation or
public authority is requesting or declining advice and/or technical
assistance from DHSES with respect to the reported cybersecurity incident
or demand for a ransom payment. Cybersecurity incidents, including
demands for ransom payment, must be reported to DHSES within 72 hours
after the municipal corporation or public authority reasonably believes
the cybersecurity incident has occurred. In the event of a ransom
payment made in connection with a cybersecurity incident, the municipal
corporation or public authority must provide DHSES notice of the payment
within 24 hours and a written description of the reasons payment was
necessary, the amount of the ransom payment, the means by which the
ransom payment was made, a description of alternatives to payment
considered, and all diligence performed to find alternatives to payment
and to ensure compliance with applicable state and federal rules and
regulations. Cybersecurity incident reports and any records related to
ransom payments submitted to the Commissioner of DHSES are exempt from
Freedom of Information Law (FOIL) disclosure.
Section 2 adds a new section to the executive law to require the
Commissioner of DHSES, or their designees, to review each cybersecurity
incident report and notice and explanation of ransom payment submitted by
municipal corporations and public authorities to assess potential
impacts on the health, safety, welfare or security of the state, or its
residents. DHSES is authorized to work with appropriate state agencies,
federal law enforcement, and federal homeland security agencies to
provide municipal corporations and public authorities with reports of
cybersecurity incidents and trends and may coordinate and share reported
information with municipal corporations, public authorities, state
agencies, and federal law enforcement and homeland security agencies to
respond to and mitigate cybersecurity threats. Within 48 hours of
receiving cybersecurity incident reports that contain a request for
advice and/or technical assistance, DHSES must acknowledge receipt of
such a request and provide advice to the requesting municipal
corporation or public authority and, to the extent practicable, provide
technical assistance.
Section 3 adds a new section 103-f to the State Technology Law to
require employees of the state, a county, city, town, village, or a
district, who use technology as part of their official job duties to
take an annual cybersecurity awareness training starting January 1,
2026. State training shall be made available to a county, city, town,
village, or a district at no charge; however, the requirement may be
satisfied by another cybersecurity awareness training. All training must
be conducted during the employee's regular working hours and employees
shall receive compensation at their regular rate of pay for any time
spent participating in the training.
Section 4 adds a new section 210 to the State Technology Law, to require
the Director of the Office of Information Services to issue policies and
standards for protection against breaches for the security of the
information systems and for personal information used by such information
systems, data backups, information system recovery, secure sanitization
and deletion of data, vulnerability management and assessment, and
annual workforce training regarding protection against breaches of security
systems. No later than two years after the effective date of this
section, each state agency must create and maintain an inventory of its
information systems.
Not later than 18 months after the effective date of this section, each
state agency shall have created an incident response plan for incidents
involving a breach of security systems that renders an information
system or its data unavailable, and incidents involving a breach of the
security of the system that results in the alteration or deletion of or
unauthorized access to, personal information. Starting January 1, 2028,
and annually thereafter, each state agency shall complete at least one
exercise of its incident response plan and record the results.
JUSTIFICATION:
Our state's information systems are under attack daily, and the emergence
of more sophisticated tools to target the state calls for an update to
the state's cybersecurity procedures and standards.
PRIOR LEGISLATIVE HISTORY:
2025: New Bill
FISCAL IMPLICATIONS:
Enactment of this legislation will have minimal fiscal impact on the
State and a minimal fiscal impact on its localities. This bill would
require municipal and State employees to engage in cybersecurity
training, and local government entities, including Public Authorities, to
report certain cybersecurity incidents to the State. Any costs to
municipalities associated with executing the mandated cyber awareness
training and incident reporting can likely be absorbed within existing agency
resources. In addition, any costs to the State resulting from processing
of reports and providing advice, guidance or technical support can
likely be absorbed within existing agency resources.
EFFECTIVE DATE:
This act shall take effect immediately, provided, however, that sections
one and two of this act shall take effect on the thirtieth day after
such effective date.