NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A8793
SPONSOR: Otis
 
TITLE OF BILL:
An act to amend the state technology law, in relation to the notification
of certain agencies of a breach of the security system or a breach
of the security network
 
PURPOSE OR GENERAL IDEA OF BILL:
The purpose of this bill is to amend Chapter 796 of the Laws of 2021.
 
SUMMARY OF PROVISIONS:
This chapter amendment makes changes to the procedure for notification
of a data breach and brings the chapter's definitions into uniformity
with the State Technology Law standards.
 
JUSTIFICATION:
The Office of Information Technology Services (Office) has, since its
creation in 2002, assumed an interactive role with state entities by
sharing data and providing support services to these entities. The Office
has access to an unprecedented amount of information and shared
information/data.
It is imperative that such data be protected, and yet breaches do
occur. In January of 2020 such a breach occurred and the Office
failed to inform the state entities with which it shares data that the
breach had occurred, thereby putting other systems at risk.
Though the Office became aware of the breach in late January, the issue
went unreported until April when it was disclosed in the Wall Street
Journal.
This bill would address this failure by requiring notification by the
Office when a breach occurs. Additionally, the bill requires the Office
to inform the entities of its plan for remediation of the breach.
 
PRIOR LEGISLATIVE HISTORY:
New bill.
 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None.
 
EFFECTIVE DATE:
This act shall take effect on the same date and in the same manner as a
chapter of the laws of 2021 amending the state technology law relating
to the notification of certain state agencies of a data breach or
network security breach, as proposed in legislative bills numbers S.7019
and A.7612, takes effect.
STATE OF NEW YORK
________________________________________________________________________
8793
IN ASSEMBLY
January 12, 2022
___________
Introduced by M. of A. OTIS -- read once and referred to the Committee
on Governmental Operations
AN ACT to amend the state technology law, in relation to the notification
of certain agencies of a breach of the security system or a
breach of the security network
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
1 Section 1. Section 209 of the state technology law, as added by a
2 chapter of the laws of 2021 amending the state technology law relating
3 to the notification of certain state agencies of a data breach or
4 network security breach, as proposed in legislative bills numbers S.
5 7019 and A. 7612, is amended to read as follows:
6 § 209. Notification of [data] a breach [or network] of the security of
7 the system or a breach of network security; shared data. 1. The office
8 shall, within twenty-four hours [following the discovery of a data
9 breach or network security breach or receiving notice of a data breach
10 or network security breach] of either being notified of or receiving
11 evidence of a breach of the security of the system, or a breach of
12 network security, as defined in paragraphs (a) and (b) of subdivision
13 three of this section, notify the chief information officer, [and where
14 appropriate,] the chief information security officer, and where appro-
15 priate, the cyber security coordinator of any state entity with which it
16 shares data, provides networked services or shares a network connection
17 whose data, services or connection is [or may have been the subject of]
18 reasonably suspected to be affected by any such breach [whether or not
19 such data was, or is reasonably believed to have been, acquired or used
20 by an unauthorized person].
21 2. The office shall[, in addition to the provisions of subdivision one
22 of this section, notify] provide the chief information officer, [and
23 where appropriate,] the chief information security officer, and where
24 appropriate, the cyber risk coordinator of [such] any state entity [with
25 which it shares data, provides networked services or shares a network
26 connection and whose data is or may have been the subject of such
27 breach, of], who has been notified pursuant to subdivision one of this
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD10523-02-2
1 section, with its plan for remediation of the breach and future
2 protection of such data and network.
3 3. For purposes of this section:
4 (a) ["Data breach" shall mean an intentional or unintentional incident
5 where data is disclosed, released, stolen, or taken without the know-
6 ledge or authorization of the data's owner or steward] "Breach of the
7 security of the system" shall have the same meaning as defined in para-
8 graph (b) of subdivision one of section two hundred eight of this arti-
9 cle.
10 (b) ["Network security breach" shall mean an intentional or uninten-
11 tional incident where an unauthorized party has gained access to an
12 organization's network without the knowledge or authorization of the
13 network owner or steward] "Breach of network security" shall mean unau-
14 thorized access to or access without valid authorization of a computer
15 network which compromises the security, confidentiality, or integrity of
16 such network.
17 (c) "State entity" shall [mean any state board, bureau, division,
18 committee, commission, council, department, public authority, public
19 benefit corporation, office or other governmental entity performing a
20 governmental or proprietary function for the state of New York, includ-
21 ing the state legislature and the judiciary] have the same meaning as
22 provided by paragraph (c) of subdivision one of section two hundred
23 eight of this article.
24 § 2. This act shall take effect on the same date and in the same
25 manner as a chapter of the laws of 2021 amending the state technology
26 law relating to the notification of certain state agencies of a data
27 breach or network security breach, as proposed in legislative bills
28 numbers S. 7019 and A. 7612, takes effect.