
A08793 Summary:

BILL NO: A08793

SAME AS: S07786

SPONSOR: Otis

COSPNSR:

MLTSPNSR:

Amd 209, St Tech L (as proposed in S.7019 & A.7612)
 
Relates to the notification of certain state agencies of a breach of the security system or a breach of the security network.

A08793 Actions:

BILL NO: A08793

01/12/2022 referred to governmental operations
01/25/2022 reported
01/27/2022 advanced to third reading cal.343
01/31/2022 substituted by s7786
 S07786 AMEND= KRUEGER
 01/11/2022 REFERRED TO RULES
 01/18/2022 ORDERED TO THIRD READING CAL.155
 01/24/2022 PASSED SENATE
 01/24/2022 DELIVERED TO ASSEMBLY
 01/24/2022 referred to governmental operations
 01/31/2022 substituted for a8793
 01/31/2022 ordered to third reading cal.343
 01/31/2022 passed assembly
 01/31/2022 returned to senate
 02/24/2022 DELIVERED TO GOVERNOR
 02/24/2022 SIGNED CHAP.107

A08793 Memo:

NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A8793
 
SPONSOR: Otis

TITLE OF BILL: An act to amend the state technology law, in relation to the notification of certain agencies of a breach of the security system or a breach of the security network

PURPOSE OR GENERAL IDEA OF BILL: The purpose of this bill is to amend Chapter 796 of the Laws of 2021.

SUMMARY OF PROVISIONS: This chapter amendment makes changes to the procedure for notification of a data breach and brings the chapter's definitions into uniformity with the State Technology Law standards.

JUSTIFICATION: The Office of Information Technology Services (Office) has, since its creation in 2002, assumed an interactive role with state entities by sharing data and providing support services to these entities. The Office has access to an unprecedented amount of information and shared information/data. It is imperative that such data be protected and yet, occurrences of breach occur. In January of 2020 such a breach occurred and the Office failed to inform the state entities with which it shares data that the breach had occurred, thereby putting other systems at risk. Though the Office became aware of the breach in late January, the issue went unreported until April, when it was disclosed in the Wall Street Journal. This bill would address this failure by requiring notification by the Office when a breach occurs. Additionally, the bill requires the Office to inform the entities of its plan for remediation of the breach.

PRIOR LEGISLATIVE HISTORY: New bill.

FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS: None.

EFFECTIVE DATE: This act shall take effect on the same date and in the same manner as a chapter of the laws of 2021 amending the state technology law relating to the notification of certain state agencies of a data breach or network security breach, as proposed in legislative bills numbers S.7019 and A.7612, takes effect.

A08793 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          8793
 
                   IN ASSEMBLY
 
                                    January 12, 2022
                                       ___________
 
        Introduced  by  M. of A. OTIS -- read once and referred to the Committee
          on Governmental Operations
 
        AN ACT to amend the state technology law, in relation to  the  notifica-
          tion  of  certain  agencies  of  a  breach of the security system or a
          breach of the security network
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:

     1    Section  1.  Section  209  of  the state technology law, as added by a
     2  chapter of the laws of 2021 amending the state technology  law  relating
     3  to  the  notification  of  certain  state  agencies  of a data breach or
     4  network security breach, as proposed in  legislative  bills  numbers  S.
     5  7019 and A.  7612, is amended to read as follows:
     6    § 209. Notification of [data] a breach [or network] of the security of
     7  the  system  or a breach of network security; shared data. 1. The office
     8  shall, within twenty-four hours  [following  the  discovery  of  a  data
     9  breach  or  network security breach or receiving notice of a data breach
    10  or network security breach] of either being  notified  of  or  receiving
    11  evidence  of  a  breach  of  the  security of the system, or a breach of
    12  network security, as defined in paragraphs (a) and  (b)  of  subdivision
    13  three  of this section, notify the chief information officer, [and where
    14  appropriate,] the chief information security officer, and  where  appro-
    15  priate, the cyber security coordinator of any state entity with which it
    16  shares  data, provides networked services or shares a network connection
    17  whose data, services or connection is [or may have been the subject  of]
    18  reasonably  suspected  to be affected by any such breach [whether or not
    19  such data was, or is reasonably believed to have been, acquired or  used
    20  by an unauthorized person].
    21    2. The office shall[, in addition to the provisions of subdivision one
    22  of  this  section,  notify]  provide the chief information officer, [and
    23  where appropriate,] the chief information security  officer,  and  where
    24  appropriate, the cyber risk coordinator of [such] any state entity [with
    25  which  it  shares  data, provides networked services or shares a network
    26  connection and whose data is or  may  have  been  the  subject  of  such
    27  breach,  of],  who has been notified pursuant to subdivision one of this
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD10523-02-2

        A. 8793                             2
 
     1  section, with  its  plan  for  remediation  of  the  breach  and  future
     2  protection of such data and network.
     3    3. For purposes of this section:
     4    (a) ["Data breach" shall mean an intentional or unintentional incident
     5  where  data  is  disclosed, released, stolen, or taken without the know-
     6  ledge or authorization of the data's owner or steward]  "Breach  of  the
     7  security  of the system" shall have the same meaning as defined in para-
     8  graph (b) of subdivision one of section two hundred eight of this  arti-
     9  cle.
    10    (b)  ["Network  security breach" shall mean an intentional or uninten-
    11  tional incident where an unauthorized party  has  gained  access  to  an
    12  organization's  network  without  the  knowledge or authorization of the
    13  network owner or steward] "Breach of network security" shall mean  unau-
    14  thorized  access  to or access without valid authorization of a computer
    15  network which compromises the security, confidentiality, or integrity of
    16  such network.
    17    (c) "State entity" shall [mean  any  state  board,  bureau,  division,
    18  committee,  commission,  council,  department,  public authority, public
    19  benefit corporation, office or other governmental  entity  performing  a
    20  governmental  or proprietary function for the state of New York, includ-
    21  ing the state legislature and the judiciary] have the  same  meaning  as
    22  provided  by  paragraph  (c)  of  subdivision one of section two hundred
    23  eight of this article.
    24    § 2. This act shall take effect on the  same  date  and  in  the  same
    25  manner  as  a  chapter of the laws of 2021 amending the state technology
    26  law relating to the notification of certain state  agencies  of  a  data
    27  breach  or  network  security  breach,  as proposed in legislative bills
    28  numbers S.  7019 and A. 7612, takes effect.