•  Summary 
  •  
  •  Actions 
  •  
  •  Committee Votes 
  •  
  •  Floor Votes 
  •  
  •  Memo 
  •  
  •  Text 
  •  
  •  LFIN 
  •  
  •  Chamber Video/Transcript 

A06769 Summary:

BILL NOA06769A
 
SAME ASSAME AS S07672-A
 
SPONSORJones
 
COSPNSROtis
 
MLTSPNSR
 
Add Art 19-C §§995-a - 995-c, Gen Muni L; add §711-c, Exec L; add §§103-f & 210, St Tech L
 
Requires all municipal corporations to report cybersecurity incidents and demands of ransom payments to the division of homeland security and emergency services; defines terms; requires cybersecurity incident reviews; requires cybersecurity awareness training, cybersecurity protection and data protection standards for state maintained information systems.
Go to top

A06769 Memo:

NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A6769A
 
SPONSOR: Jones
  TITLE OF BILL: An act to amend the general municipal law and the executive law, in relation to requiring municipal cybersecurity incident reporting and exempting such reports from freedom of information requirements; and to amend the state technology law, in relation to requiring cybersecurity awareness training for government employees, data protection standards, and cybersecurity protection   PURPOSE OR GENERAL IDEA OF BILL: The purpose of this bill is to have DHSES provide information, guidance and training on cybersecurity issues to local governments and public authorities, establish certain reporting requirements for cybersecurity incidents and ransomware attacks, and establish a framework for state agencies to respond to cybersecurity incidents.   SUMMARY OF PROVISIONS: Section one of the bill adds a new Article 19-c to the General Muncipal Law that requires municipal corporations and public authorities to report to the Department of Homeland Security and Emergency Services (DHSES): *any cybersecurity incidents within seventy-two hours after such munici- pal corporation believes that the cybersecurity incident has occurred; and *notice of any ransom payment made in connection with a cybersecurity incident within twenty-four hours, followed by a written description within thirty days as to why the ransom payment was necessary, alterna- tives considered, and all diligence preformed to find alternatives and ensure compliance with the law. Section two of the bill amends the Executive Law to authorize the Commissioner of DHSES to review each cybersecurity incident report and work with local, state, and federal agencies to provide municipal corpo- rations with, reports. Further, the DHSES would be required to advise and, to the extent practicable, provide technical assistance as soon as possible to a local government or public authority that makes a request for advice and technical assistance. Section three of the bill amends the State Technology Law to require that all employees of the state, and a county, city, town, village, or special district who use technology as a part of their official job duties take a annual cybersecurity awareness training during compensated working hours beginning in 2026. The state Office of Information Tech- nology Services shall be required to make a free training available for use by county, city, town, village, or special district but employees can meet the annual training requirement through other training programs and will not be required to complete the training provided by the office. Section four of the bill amends the State Technology Law to require: *the director of office of information technology services to establish data protection policies and standards for: protection against breaches, data backups, information system recovery, sanitization and deletion of data, vulnerability management, and annual workforce training: *each state agency to establish and maintain an information system inventory no later than two years after the effective date, and: *each state agency to establish an incident response plan for cyberse- curity incidents that render information systems unavailable and test and analyze such plan at least once annually beginning in 2028. Section five of the bill relates to the severability of certain provisions of the act. Section six provides the effective date.   JUSTIFICATION: With the rapid advancement and use of technology by local governments, cybersecurity incidents and demands for ransomware represent an increas- ing threat, potentially impacting the municipality's ability to provide services to residents. There is currently no standard or uniform process among local governments for the reporting of cybersecurity incidents, including demands for ransomware payments. This bill aims to give clar- ity to municipalities that are impacted by these cybersecurity incidents and demands for ransom. This legislation also requires that any state and municipal employee who uses technology as a part of their job must take free yearly cyber security training, during compensated work hours, to ensure that they are aware of emerging threats and are aware of ways in which they'could reduce the probability of any potential cybersecuri- ty incidents. Furthermore, this bill requires state agencies to estab- lish an incident response plan and rigorous data protection policies and standards to both reduce the risk of a cybersecurity incident and to establish a comprehensive framework for state agencies to respond to cybersecurity incidents.   PRIOR LEGISLATIVE HISTORY: This is a new bill.   FISCAL IMPLICATIONS FOR STATE' AND LOCAL GOVERNMENTS: None.   EFFECTIVE DATE: This act shall take effect on the immediately; provided, however, that sections one and two shall take effect on the thirtieth day after it shall have become a law.
Go to top

A06769 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         6769--A
                                                                 Cal. No. 67
 
                               2025-2026 Regular Sessions
 
                   IN ASSEMBLY
 
                                     March 13, 2025
                                       ___________
 
        Introduced  by M. of A. JONES -- read once and referred to the Committee
          on Local Governments -- advanced to a third reading, passed by  Assem-
          bly and delivered to the Senate, recalled from the Senate, vote recon-
          sidered,  bill  amended, ordered reprinted, retaining its place on the
          order of third reading
 
        AN ACT to amend the general municipal law  and  the  executive  law,  in
          relation  to  requiring municipal cybersecurity incident reporting and
          exempting such reports from freedom of information  requirements;  and
          to  amend  the state technology law, in relation to requiring cyberse-
          curity awareness training for government  employees,  data  protection
          standards, and cybersecurity protection
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. The general municipal law is amended by adding a new  arti-
     2  cle 19-C to read as follows:
     3                                ARTICLE 19-C
     4  CYBERSECURITY INCIDENT REPORTING REQUIREMENTS FOR MUNICIPAL CORPORATIONS
     5                           AND PUBLIC AUTHORITIES
     6  Section 995-a. Definitions.
     7          995-b. Reporting of cybersecurity incidents.
     8          995-c. Notice and explanation of ransom payment.
     9    § 995-a. Definitions.  For the purposes of this article:  1. "Cyberse-
    10  curity incident" means an event occurring  on  or  conducted  through  a
    11  computer  network that actually or imminently jeopardizes the integrity,
    12  confidentiality, or availability of computers, information  or  communi-
    13  cations   systems   or  networks,  physical  or  virtual  infrastructure
    14  controlled by computers or information systems, or information  resident
    15  thereon.
    16    2.  "Cyber  threat" means any circumstance or event with the potential
    17  to adversely impact organizational operations, organizational assets, or
    18  individuals through  an  information  system  via  unauthorized  access,
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD10937-05-5

        A. 6769--A                          2
 
     1  destruction,  disclosure,  modification of information, and/or denial of
     2  service.
     3    3.  "Cyber  threat  indicator"  means information that is necessary to
     4  describe or identify:
     5    (a) malicious reconnaissance, including anomalous patterns of communi-
     6  cations that appear to be transmitted for the purpose of gathering tech-
     7  nical information related to a cybersecurity threat or security  vulner-
     8  ability;
     9    (b)  a  method  of  defeating  a security control or exploitation of a
    10  security vulnerability;
    11    (c)  a  security  vulnerability,  including  anomalous  activity  that
    12  appears to indicate the existence of a security vulnerability;
    13    (d)  a  method of causing a user with legitimate access to an informa-
    14  tion system or information that is stored on, processed by, or  transit-
    15  ing an information system to unwittingly enable the defeat of a security
    16  control or exploitation of a security vulnerability;
    17    (e) malicious cyber command and control;
    18    (f)  the  actual  or potential harm caused by an incident, including a
    19  description of the information exfiltrated as a result of  a  particular
    20  cybersecurity threat;
    21    (g)  any  other  attribute of a cybersecurity threat, if disclosure of
    22  such attribute is not otherwise prohibited by law; or
    23    (h) any combination thereof.
    24    4. "Defensive measure" means an action, device, procedure,  signature,
    25  technique, or other measure applied to an information system or informa-
    26  tion  that  is  stored  on,  processed  by, or transiting an information
    27  system that  detects,  prevents,  or  mitigates  a  known  or  suspected
    28  cybersecurity  threat  or  security  vulnerability.  The term "defensive
    29  measure" does not include a measure  that  destroys,  renders  unusable,
    30  provides  unauthorized  access to, or substantially harms an information
    31  system or information stored on, processed by, or transiting such infor-
    32  mation system not owned by the municipal corporation or public authority
    33  operating the measure, or federal entity that is authorized  to  provide
    34  consent and has provided consent to that municipal corporation or public
    35  authority for operation of such measure.
    36    5.  "Information system" means a discrete set of information resources
    37  organized for the collection,  processing,  maintenance,  use,  sharing,
    38  dissemination, or disposition of information.
    39    6. "Municipal corporation" means:
    40    (a)  A  municipal  corporation as defined in section one hundred nine-
    41  teen-n of this chapter; or
    42    (b) A district as defined in section one hundred  nineteen-n  of  this
    43  chapter.
    44    7. "Public authority" means any state authority or local authority, as
    45  such  terms are defined in section two of the public authorities law, or
    46  any subsidiary thereof.
    47    8. "Ransom payment" means the transmission of any money or other prop-
    48  erty or asset, including virtual currency, or any portion thereof, which
    49  has at any time been delivered as ransom in connection with a ransomware
    50  attack.
    51    9. "Ransomware attack":
    52    (a) means an incident that includes the use or threat of use of  unau-
    53  thorized  or  malicious  code  on  an  information system, or the use or
    54  threat of use of another digital mechanism such as a denial  of  service
    55  attack,  to interrupt or disrupt the operations of an information system
    56  or compromise the confidentiality, availability, or integrity  of  elec-

        A. 6769--A                          3
 
     1  tronic data stored on, processed by, or transiting an information system
     2  to extort a demand for a ransom payment; and
     3    (b)  does  not  include any such event in which the demand for payment
     4  is:
     5    (i) not genuine; or
     6    (ii) made in good faith by an entity in response to a specific request
     7  by the owner or operator of the information system.
     8    § 995-b. Reporting of cybersecurity incidents. 1. Notwithstanding  any
     9  other  provision  of law to the contrary, all municipal corporations and
    10  public authorities shall report cybersecurity incidents and when  appli-
    11  cable,  the demand of a ransom payment, to the commissioner of the divi-
    12  sion of homeland security and emergency services in the form and  method
    13  prescribed  by  such commissioner. Such report shall include whether the
    14  reporting municipal corporation or public  authority  is  requesting  or
    15  declining  advice and/or technical assistance from the division of home-
    16  land security and  emergency  services  with  respect  to  the  reported
    17  cybersecurity incident or demand for a ransom payment.
    18    2.  All  municipal  corporations  and  public authorities shall report
    19  cybersecurity incidents, including demands for ransom payment, no  later
    20  than seventy-two hours after the municipal corporation or public author-
    21  ity reasonably believes the cybersecurity incident has occurred.
    22    3.  Any  cybersecurity  incident  report  and any records related to a
    23  ransom payment submitted to the commissioner of the division of homeland
    24  security and emergency services pursuant to  the  requirements  of  this
    25  article  shall be exempt from disclosure under article six of the public
    26  officers law.
    27    § 995-c. Notice and explanation of ransom payment. Notwithstanding any
    28  other provision of law to the contrary, each  municipal  corporation  or
    29  public  authority  shall,  in  the  event  of  a  ransom payment made in
    30  connection with a cybersecurity incident involving the municipal  corpo-
    31  ration  or public authority, provide the commissioner of the division of
    32  homeland security and emergency services  through  means  prescribed  by
    33  such commissioner with the following:
    34    1.  within  twenty-four  hours  of  the  ransom payment, notice of the
    35  payment; and
    36    2. within thirty days of the ransom payment, a written description  of
    37  the reasons payment was necessary, the amount of the ransom payment, the
    38  means  by  which  the ransom payment was made, a description of alterna-
    39  tives to payment considered, all diligence performed  to  find  alterna-
    40  tives  to  payment and all diligence performed to ensure compliance with
    41  applicable state and federal rules and regulations  including  those  of
    42  the  United States department of the treasury's office of foreign assets
    43  control.
    44    § 2. The executive law is amended by adding a  new  section  711-c  to
    45  read as follows:
    46    §  711-c.  Cybersecurity  incident reviews. 1. Definitions. As used in
    47  this section, the terms  cybersecurity  incident,  cyber  threat,  cyber
    48  threat  indicator,  defensive  measure,  information  system,  municipal
    49  corporation, public authority,  ransom  payment  and  ransomware  attack
    50  shall  have  the same meaning as such terms are defined in article nine-
    51  teen-C of the general municipal law.
    52    2. The commissioner, or their designees, shall review each cybersecur-
    53  ity incident report and notice and explanation of ransom payment submit-
    54  ted pursuant to sections nine hundred  ninety-five-b  and  nine  hundred
    55  ninety-five-c  of  the general municipal law to assess potential impacts

        A. 6769--A                          4
 
     1  of cybersecurity incidents and ransom payments on  the  health,  safety,
     2  welfare or security of the state, or its residents.
     3    3.  The  commissioner,  or  their designees, may work with appropriate
     4  state agencies, federal law enforcement, and federal  homeland  security
     5  agencies  to  provide municipal corporations and public authorities with
     6  reports of cybersecurity incidents and trends, including but not limited
     7  to, to the maximum extent practicable, related  contextual  information,
     8  cyber  threat  indicators,  and defensive measures. The commissioner may
     9  coordinate and share such reported  information  with  municipal  corpo-
    10  rations, public authorities, state agencies, and federal law enforcement
    11  and  homeland security agencies to respond to and mitigate cybersecurity
    12  threats.
    13    4. Such reports, assessments, records, reviews, documents, recommenda-
    14  tions, guidance and any information contained or used in its preparation
    15  shall be exempt from disclosure under article six of the public officers
    16  law.
    17    5. No later than forty-eight hours  after  receiving  a  cybersecurity
    18  incident report containing a request for advice and/or technical assist-
    19  ance  from  the  division  pursuant  to  subdivision one of section nine
    20  hundred ninety-five-b of the general municipal law, the commissioner  or
    21  the  commissioner's designees shall acknowledge receipt of such request.
    22  As soon as possible after receiving such a request, the commissioner  or
    23  the  commissioner's  designees, subject to the commissioner's discretion
    24  in prioritizing the division's response to the  municipal  corporation's
    25  or  public  authority's  cybersecurity  incident  report,  shall provide
    26  advice to the requesting municipal corporation or public authority  and,
    27  to the extent practicable, provide technical assistance.
    28    § 3. The state technology law is amended by adding a new section 103-f
    29  to read as follows:
    30    § 103-f.  Cybersecurity awareness training.  1. (a)  Employees of  the
    31  state  who  use  technology as a part of their official job duties shall
    32  take annual cybersecurity awareness training  beginning  January  first,
    33  two  thousand  twenty-six.   Employees of the state shall be required to
    34  complete the training provided by the office.
    35    (b) For purposes of this  section,  "employees  of  the  state"  shall
    36  include  employees  of  all state agencies and all public benefit corpo-
    37  rations, the heads of which are appointed by the governor.
    38    2.  Employees of a county, a city, a town, a village, or a district as
    39  defined in section one hundred nineteen-n of the general municipal  law,
    40  who  use  technology  as  a part of their official job duties shall take
    41  annual cybersecurity awareness training  beginning  January  first,  two
    42  thousand  twenty-six.  The  office  shall  make a cybersecurity training
    43  available for use by a county, a city, a town, a village, or a  district
    44  as  defined  in  section one hundred nineteen-n of the general municipal
    45  law, at no charge, provided however, no employee of a county, a city,  a
    46  town,  a  village, or a district as defined in section one hundred nine-
    47  teen-n of the general municipal law shall be required to  complete  such
    48  training provided by the office and the cybersecurity awareness training
    49  requirements of this section may be satisfied by the completion of other
    50  cybersecurity awareness training.
    51    3. All training mandated by this section shall be conducted during the
    52  employee's  regular  working  hours  and employees shall receive compen-
    53  sation at their regular rate of pay for any time spent participating  in
    54  such training.
    55    §  4.  The state technology law is amended by adding a new section 210
    56  to read as follows:

        A. 6769--A                          5
 
     1    § 210. Cybersecurity protection. 1. Definitions. For purposes of  this
     2  section, the following terms shall have the following meanings:
     3    (a) "Breach of the security of the system" shall have the same meaning
     4  as such term is defined in section two hundred eight of this article.
     5    (b) "Data subject" means any natural person about whom personal infor-
     6  mation has been collected by a state agency.
     7    (c) "Information system" means a discrete set of information resources
     8  organized  for  the  collection,  processing, maintenance, use, sharing,
     9  dissemination, or disposition of information.
    10    (d) "State  agency-maintained  personal  information"  means  personal
    11  information stored by a state agency that was generated by a state agen-
    12  cy  or provided to the state agency by the data subject, a state agency,
    13  a federal governmental entity, or any other third-party  source.    Such
    14  term  shall  also  include  personal  information provided by an adverse
    15  party in the course of litigation or other adversarial proceeding.
    16    (e) "State agency" shall have the same meaning as such term is defined
    17  in section one hundred one of this chapter.
    18    2. Data protection standards. The director shall  issue  policies  and
    19  standards for:
    20    (a)  protection  against  breaches  of the security of the information
    21  systems and for personal information used by such information systems;
    22    (b) data backup;
    23    (c) information system recovery;
    24    (d) secure sanitization and deletion of data;
    25    (e) vulnerability management and assessment; and
    26    (f) annual workforce training regarding protection against breaches of
    27  the security of the system, as well as  processes  and  procedures  that
    28  should  be  followed  in  the  event  of a breach of the security of the
    29  system.
    30    3. Information system inventory. (a) No later than two years after the
    31  effective date of this section, each state  agency  shall  create,  then
    32  maintain, an inventory of its information systems.
    33    (b) Upon written request from the office, a state agency shall provide
    34  the office with the state agency-maintained information systems invento-
    35  ries required to be created or updated pursuant to this subdivision.
    36    (c) Notwithstanding paragraph (a) of this subdivision, the state agen-
    37  cy-maintained  information systems inventories required to be created or
    38  updated pursuant to this subdivision  shall  be  kept  confidential,  as
    39  disclosure  of such information would jeopardize the security of a state
    40  agency's information systems  and  information  technology  assets  and,
    41  further,  shall not be made available for disclosure or inspection under
    42  the state freedom of information law.
    43    4. Incident management and recovery. (a) No later than eighteen months
    44  after the effective date of this section, each state agency  shall  have
    45  created  an  incident  response plan for incidents involving a breach of
    46  the security of the system that render an information system or its data
    47  unavailable, and incidents involving a breach of  the  security  of  the
    48  system  that  result  in  the  alteration or deletion of or unauthorized
    49  access to, personal information.
    50    (b) Such incident response plan shall include, but not be limited  to,
    51  a procedure for situations where information systems have been adversely
    52  affected  by a breach of the security of the system, as well as a proce-
    53  dure for the recovery of personal information and information systems.
    54    (c) Beginning January first, two thousand twenty-eight and on an annu-
    55  al basis thereafter, each state agency shall complete at least one exer-
    56  cise of its incident response plan. Upon completion  of  such  exercise,

        A. 6769--A                          6
 
     1  the  state  agency shall document the incident response plan's successes
     2  and shortcomings in an incident response plan exercise report. The inci-
     3  dent response plan and any incident response plan exercise reports shall
     4  be kept confidential, as disclosure of such information would jeopardize
     5  the  security  of  a  state agency's information systems and information
     6  technology assets, and, further, shall not be made available for disclo-
     7  sure or inspection under the state freedom of information law.
     8    5. No private right of action. Nothing set forth in this section shall
     9  be construed as creating or establishing a private cause of action.
    10    § 5. Severability. The provisions of this act shall be  severable  and
    11  if  any  portion  thereof  or the applicability thereof to any person or
    12  circumstances shall be held to be invalid, the remainder of this act and
    13  the application thereof shall not be affected thereby.
    14    § 6. This act shall take effect immediately; provided,  however,  that
    15  sections  one and two of this act shall take effect on the thirtieth day
    16  after such effective date.
Go to top