Add Art 19-C §§995-a - 995-c, Gen Muni L; add §711-c, Exec L; add §§103-f & 210, St Tech L
 
Requires all municipal corporations to report cybersecurity incidents and demands of ransom payments to the division of homeland security and emergency services; defines terms; requires cybersecurity incident reviews; requires cybersecurity awareness training, cybersecurity protection and data protection standards for state maintained information systems.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A6769A
SPONSOR: Jones
 
TITLE OF BILL:
An act to amend the general municipal law and the executive law, in
relation to requiring municipal cybersecurity incident reporting and
exempting such reports from freedom of information requirements; and to
amend the state technology law, in relation to requiring cybersecurity
awareness training for government employees, data protection standards,
and cybersecurity protection
 
PURPOSE OR GENERAL IDEA OF BILL:
The purpose of this bill is to have DHSES provide information, guidance
and training on cybersecurity issues to local governments and public
authorities, establish certain reporting requirements for cybersecurity
incidents and ransomware attacks, and establish a framework for state
agencies to respond to cybersecurity incidents.
 
SUMMARY OF PROVISIONS:
Section one of the bill adds a new Article 19-C to the General Municipal Law that requires municipal corporations and public authorities to report to the Department of Homeland Security and Emergency Services (DHSES):
*any cybersecurity incidents within seventy-two hours after such municipal corporation believes that the cybersecurity incident has occurred; and
*notice of any ransom payment made in connection with a cybersecurity incident within twenty-four hours, followed by a written description within thirty days as to why the ransom payment was necessary, alternatives considered, and all diligence performed to find alternatives and ensure compliance with the law.
Section two of the bill amends the Executive Law to authorize the Commissioner of DHSES to review each cybersecurity incident report and work with local, state, and federal agencies to provide municipal corporations with reports. Further, DHSES would be required to advise and, to the extent practicable, provide technical assistance as soon as possible to a local government or public authority that makes a request for advice and technical assistance.
Section three of the bill amends the State Technology Law to require that all employees of the state, and of a county, city, town, village, or special district, who use technology as a part of their official job duties take an annual cybersecurity awareness training during compensated working hours beginning in 2026. The state Office of Information Technology Services shall be required to make a free training available for use by a county, city, town, village, or special district, but employees can meet the annual training requirement through other training programs and will not be required to complete the training provided by the office.
Section four of the bill amends the State Technology Law to require:
*the director of the office of information technology services to establish data protection policies and standards for: protection against breaches, data backups, information system recovery, sanitization and deletion of data, vulnerability management, and annual workforce training;
*each state agency to establish and maintain an information system inventory no later than two years after the effective date; and
*each state agency to establish an incident response plan for cybersecurity incidents that render information systems unavailable and test and analyze such plan at least once annually beginning in 2028.
Section five of the bill relates to the severability of certain provisions of the act.
Section six provides the effective date.
 
JUSTIFICATION:
With the rapid advancement and use of technology by local governments, cybersecurity incidents and demands for ransomware represent an increasing threat, potentially impacting the municipality's ability to provide services to residents. There is currently no standard or uniform process among local governments for the reporting of cybersecurity incidents, including demands for ransomware payments. This bill aims to give clarity to municipalities that are impacted by these cybersecurity incidents and demands for ransom. This legislation also requires that any state and municipal employee who uses technology as a part of their job must take free yearly cyber security training, during compensated work hours, to ensure that they are aware of emerging threats and are aware of ways in which they could reduce the probability of any potential cybersecurity incidents. Furthermore, this bill requires state agencies to establish an incident response plan and rigorous data protection policies and standards to both reduce the risk of a cybersecurity incident and to establish a comprehensive framework for state agencies to respond to cybersecurity incidents.
 
PRIOR LEGISLATIVE HISTORY:
This is a new bill.
 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None.
 
EFFECTIVE DATE:
This act shall take effect immediately; provided, however, that sections one and two shall take effect on the thirtieth day after it shall have become a law.
STATE OF NEW YORK
6769--A
Cal. No. 67
2025-2026 Regular Sessions
IN ASSEMBLY
March 13, 2025
Introduced by M. of A. JONES -- read once and referred to the Committee on Local Governments -- advanced to a third reading, passed by Assembly and delivered to the Senate, recalled from the Senate, vote reconsidered, bill amended, ordered reprinted, retaining its place on the order of third reading
AN ACT to amend the general municipal law and the executive law, in relation to requiring municipal cybersecurity incident reporting and exempting such reports from freedom of information requirements; and to amend the state technology law, in relation to requiring cybersecurity awareness training for government employees, data protection standards, and cybersecurity protection
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The general municipal law is amended by adding a new article 19-C to read as follows:
ARTICLE 19-C
CYBERSECURITY INCIDENT REPORTING REQUIREMENTS FOR MUNICIPAL CORPORATIONS AND PUBLIC AUTHORITIES
Section 995-a. Definitions.
995-b. Reporting of cybersecurity incidents.
995-c. Notice and explanation of ransom payment.
§ 995-a. Definitions. For the purposes of this article: 1. "Cybersecurity incident" means an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.
2. "Cyber threat" means any circumstance or event with the potential to adversely impact organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD10937-05-5
3. "Cyber threat indicator" means information that is necessary to describe or identify:
(a) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
(b) a method of defeating a security control or exploitation of a security vulnerability;
(c) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
(d) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
(e) malicious cyber command and control;
(f) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
(g) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
(h) any combination thereof.
4. "Defensive measure" means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability. The term "defensive measure" does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by the municipal corporation or public authority operating the measure, or federal entity that is authorized to provide consent and has provided consent to that municipal corporation or public authority for operation of such measure.
5. "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
6. "Municipal corporation" means:
(a) A municipal corporation as defined in section one hundred nineteen-n of this chapter; or
(b) A district as defined in section one hundred nineteen-n of this chapter.
7. "Public authority" means any state authority or local authority, as such terms are defined in section two of the public authorities law, or any subsidiary thereof.
8. "Ransom payment" means the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.
9. "Ransomware attack":
(a) means an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment; and
(b) does not include any such event in which the demand for payment is:
(i) not genuine; or
(ii) made in good faith by an entity in response to a specific request by the owner or operator of the information system.
§ 995-b. Reporting of cybersecurity incidents. 1. Notwithstanding any other provision of law to the contrary, all municipal corporations and public authorities shall report cybersecurity incidents and when applicable, the demand of a ransom payment, to the commissioner of the division of homeland security and emergency services in the form and method prescribed by such commissioner. Such report shall include whether the reporting municipal corporation or public authority is requesting or declining advice and/or technical assistance from the division of homeland security and emergency services with respect to the reported cybersecurity incident or demand for a ransom payment.
2. All municipal corporations and public authorities shall report cybersecurity incidents, including demands for ransom payment, no later than seventy-two hours after the municipal corporation or public authority reasonably believes the cybersecurity incident has occurred.
3. Any cybersecurity incident report and any records related to a ransom payment submitted to the commissioner of the division of homeland security and emergency services pursuant to the requirements of this article shall be exempt from disclosure under article six of the public officers law.
§ 995-c. Notice and explanation of ransom payment. Notwithstanding any other provision of law to the contrary, each municipal corporation or public authority shall, in the event of a ransom payment made in connection with a cybersecurity incident involving the municipal corporation or public authority, provide the commissioner of the division of homeland security and emergency services through means prescribed by such commissioner with the following:
1. within twenty-four hours of the ransom payment, notice of the payment; and
2. within thirty days of the ransom payment, a written description of the reasons payment was necessary, the amount of the ransom payment, the means by which the ransom payment was made, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable state and federal rules and regulations including those of the United States department of the treasury's office of foreign assets control.
§ 2. The executive law is amended by adding a new section 711-c to read as follows:
§ 711-c. Cybersecurity incident reviews. 1. Definitions. As used in this section, the terms cybersecurity incident, cyber threat, cyber threat indicator, defensive measure, information system, municipal corporation, public authority, ransom payment and ransomware attack shall have the same meaning as such terms are defined in article nineteen-C of the general municipal law.
2. The commissioner, or their designees, shall review each cybersecurity incident report and notice and explanation of ransom payment submitted pursuant to sections nine hundred ninety-five-b and nine hundred ninety-five-c of the general municipal law to assess potential impacts of cybersecurity incidents and ransom payments on the health, safety, welfare or security of the state, or its residents.
3. The commissioner, or their designees, may work with appropriate state agencies, federal law enforcement, and federal homeland security agencies to provide municipal corporations and public authorities with reports of cybersecurity incidents and trends, including but not limited to, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures. The commissioner may coordinate and share such reported information with municipal corporations, public authorities, state agencies, and federal law enforcement and homeland security agencies to respond to and mitigate cybersecurity threats.
4. Such reports, assessments, records, reviews, documents, recommendations, guidance and any information contained or used in its preparation shall be exempt from disclosure under article six of the public officers law.
5. No later than forty-eight hours after receiving a cybersecurity incident report containing a request for advice and/or technical assistance from the division pursuant to subdivision one of section nine hundred ninety-five-b of the general municipal law, the commissioner or the commissioner's designees shall acknowledge receipt of such request. As soon as possible after receiving such a request, the commissioner or the commissioner's designees, subject to the commissioner's discretion in prioritizing the division's response to the municipal corporation's or public authority's cybersecurity incident report, shall provide advice to the requesting municipal corporation or public authority and, to the extent practicable, provide technical assistance.
§ 3. The state technology law is amended by adding a new section 103-f to read as follows:
§ 103-f. Cybersecurity awareness training. 1. (a) Employees of the state who use technology as a part of their official job duties shall take annual cybersecurity awareness training beginning January first, two thousand twenty-six. Employees of the state shall be required to complete the training provided by the office.
(b) For purposes of this section, "employees of the state" shall include employees of all state agencies and all public benefit corporations, the heads of which are appointed by the governor.
2. Employees of a county, a city, a town, a village, or a district as defined in section one hundred nineteen-n of the general municipal law, who use technology as a part of their official job duties shall take annual cybersecurity awareness training beginning January first, two thousand twenty-six. The office shall make a cybersecurity training available for use by a county, a city, a town, a village, or a district as defined in section one hundred nineteen-n of the general municipal law, at no charge, provided however, no employee of a county, a city, a town, a village, or a district as defined in section one hundred nineteen-n of the general municipal law shall be required to complete such training provided by the office and the cybersecurity awareness training requirements of this section may be satisfied by the completion of other cybersecurity awareness training.
3. All training mandated by this section shall be conducted during the employee's regular working hours and employees shall receive compensation at their regular rate of pay for any time spent participating in such training.
§ 4. The state technology law is amended by adding a new section 210 to read as follows:
§ 210. Cybersecurity protection. 1. Definitions. For purposes of this section, the following terms shall have the following meanings:
(a) "Breach of the security of the system" shall have the same meaning as such term is defined in section two hundred eight of this article.
(b) "Data subject" means any natural person about whom personal information has been collected by a state agency.
(c) "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
(d) "State agency-maintained personal information" means personal information stored by a state agency that was generated by a state agency or provided to the state agency by the data subject, a state agency, a federal governmental entity, or any other third-party source. Such term shall also include personal information provided by an adverse party in the course of litigation or other adversarial proceeding.
(e) "State agency" shall have the same meaning as such term is defined in section one hundred one of this chapter.
2. Data protection standards. The director shall issue policies and standards for:
(a) protection against breaches of the security of the information systems and for personal information used by such information systems;
(b) data backup;
(c) information system recovery;
(d) secure sanitization and deletion of data;
(e) vulnerability management and assessment; and
(f) annual workforce training regarding protection against breaches of the security of the system, as well as processes and procedures that should be followed in the event of a breach of the security of the system.
3. Information system inventory. (a) No later than two years after the effective date of this section, each state agency shall create, then maintain, an inventory of its information systems.
(b) Upon written request from the office, a state agency shall provide the office with the state agency-maintained information systems inventories required to be created or updated pursuant to this subdivision.
(c) Notwithstanding paragraph (a) of this subdivision, the state agency-maintained information systems inventories required to be created or updated pursuant to this subdivision shall be kept confidential, as disclosure of such information would jeopardize the security of a state agency's information systems and information technology assets and, further, shall not be made available for disclosure or inspection under the state freedom of information law.
4. Incident management and recovery. (a) No later than eighteen months after the effective date of this section, each state agency shall have created an incident response plan for incidents involving a breach of the security of the system that render an information system or its data unavailable, and incidents involving a breach of the security of the system that result in the alteration or deletion of or unauthorized access to, personal information.
(b) Such incident response plan shall include, but not be limited to, a procedure for situations where information systems have been adversely affected by a breach of the security of the system, as well as a procedure for the recovery of personal information and information systems.
(c) Beginning January first, two thousand twenty-eight and on an annual basis thereafter, each state agency shall complete at least one exercise of its incident response plan. Upon completion of such exercise, the state agency shall document the incident response plan's successes and shortcomings in an incident response plan exercise report. The incident response plan and any incident response plan exercise reports shall be kept confidential, as disclosure of such information would jeopardize the security of a state agency's information systems and information technology assets, and, further, shall not be made available for disclosure or inspection under the state freedom of information law.
5. No private right of action. Nothing set forth in this section shall be construed as creating or establishing a private cause of action.
§ 5. Severability. The provisions of this act shall be severable and if any portion thereof or the applicability thereof to any person or circumstances shall be held to be invalid, the remainder of this act and the application thereof shall not be affected thereby.
§ 6. This act shall take effect immediately; provided, however, that sections one and two of this act shall take effect on the thirtieth day after such effective date.