S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  926--A
 
                        2017-2018 Regular Sessions
 
                             I N  S E N A T E
 
                              January 5, 2017
                                ___________
 
 Introduced  by  Sens. CROCI, AKSHAR, AVELLA, DeFRANCISCO, FUNKE, GOLDEN,
   HELMING, ROBACH, SERINO, SEWARD -- read twice and ordered printed, and
   when printed to be committed to the Committee  on  Veterans,  Homeland
   Security  and  Military  Affairs  --  recommitted  to the Committee on
   Veterans, Homeland Security and Military Affairs  in  accordance  with
   Senate  Rule  6, sec. 8 -- committee discharged, bill amended, ordered
   reprinted as amended and recommitted to said committee
 
 AN ACT to amend the executive law,  in  relation  to  a  cyber  security
   report
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The executive law is amended by adding a new section 719 to
 read as follows:
   § 719. QUINQUENNIAL CYBER SECURITY REPORT.   1. THE  COMMISSIONER,  IN
 CONSULTATION  WITH  THE  SUPERINTENDENT  OF  THE STATE POLICE, THE CHIEF
 INFORMATION OFFICER, AND THE PRESIDENT OF THE CENTER FOR INTERNET  SECU-
 RITY,  SHALL  PREPARE  A  REPORT,  TO  BE DELIVERED TO THE GOVERNOR, THE
 TEMPORARY PRESIDENT OF THE SENATE, THE  SPEAKER  OF  THE  ASSEMBLY,  THE
 CHAIR  OF  THE  SENATE STANDING COMMITTEE ON VETERANS, HOMELAND SECURITY
 AND MILITARY AFFAIRS, AND THE CHAIR OF THE ASSEMBLY  STANDING  COMMITTEE
 ON GOVERNMENTAL OPERATIONS, ON OR BEFORE THE FIRST DAY OF SEPTEMBER, TWO
 THOUSAND  EIGHTEEN, AND THEN EVERY FIVE YEARS THEREAFTER, WHICH PROVIDES
 A COMPREHENSIVE REVIEW OF ALL CYBER SECURITY SERVICES PERFORMED BY,  AND
 ON BEHALF OF, THE STATE OF NEW YORK.
   2.  THE  REPORT  REQUIRED PURSUANT TO SUBDIVISION ONE OF THIS SECTION,
 SHALL INCLUDE A DETAILED ASSESSMENT OF EACH  AND  EVERY  CYBER  SECURITY
 NEED  OF  THE STATE OF NEW YORK, INCLUDING BUT NOT LIMITED TO, ITS STATE
 AGENCIES AND ITS PUBLIC AUTHORITIES, AND FOR EACH AND EVERY  SUCH  CYBER
 SECURITY   NEED   SO   IDENTIFIED,  SHALL  FURTHER  INCLUDE  A  DETAILED
 DESCRIPTION OF:
   (A) THE TYPE OF CYBER SECURITY SERVICE USED TO ADDRESS SUCH NEED;
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
              

                                                            LBD01791-02-8

 S. 926--A                           2
 
   (B) THE SCOPE OF THE NEED SO ADDRESSED, AS WELL AS THE  SCOPE  OF  THE
 SERVICE USED TO ADDRESS SUCH NEED;
   (C) THE COST OF THE SERVICE USED TO ADDRESS SUCH NEED;
   (D)  THE  EFFECTIVENESS  OF THE CYBER SECURITY SERVICE USED TO ADDRESS
 SUCH NEED;
   (E) THE ENTITY PROVIDING SUCH CYBER SECURITY SERVICE USED  TO  ADDRESS
 SUCH NEED;
   (F)  THE  GOVERNMENT, INDUSTRY AND/OR ACADEMICALLY ACCEPTED BEST CYBER
 SECURITY PRACTICE FOR ADDRESSING SUCH NEED;
   (G) HOW OTHER STATES, AND THE FEDERAL GOVERNMENT HAVE  ADDRESSED  SUCH
 NEED; AND
   (H) HOW PRIVATE SECTOR ENTITIES ADDRESSED SUCH NEED.
   3. DURING THE PREPARATION OF THE REPORT REQUIRED BY SUBDIVISION ONE OF
 THIS  SECTION,  AND  AFTER  ITS  DELIVERY  TO  THE PERSONS IDENTIFIED TO
 RECEIVE SUCH REPORT, THE COMMISSIONER, THE SUPERINTENDENT OF  THE  STATE
 POLICE,  THE  CHIEF INFORMATION OFFICER, AND THE PRESIDENT OF THE CENTER
 FOR INTERNET SECURITY, AS WELL AS  THE  DIVISIONS,  OFFICES  AND  CORPO-
 RATIONS UNDER THEIR DIRECTION, SHALL PROVIDE TO SUCH PERSONS ENTITLED TO
 RECEIVE SUCH REPORT, ANY AND ALL ADDITIONAL INFORMATION SUCH PERSONS MAY
 REQUEST, WITH RESPECT TO ANY CYBER SECURITY ISSUE CONCERNING:
   (A)  THE  STATE OF NEW YORK, INCLUDING BUT NOT LIMITED TO, ANY AGENCY,
 BOARD, BUREAU, COMMISSION, DEPARTMENT, DIVISION, INSTITUTION, OFFICE, OR
 PUBLIC AUTHORITY OF THE STATE;
   (B) ANY LOCAL GOVERNMENT ENTITY, INCLUDING BUT  NOT  LIMITED  TO,  ANY
 COUNTY,  TOWN, CITY, VILLAGE, SCHOOL DISTRICT, SPECIAL DISTRICT, AND ANY
 AGENCY, BOARD, BUREAU, COMMISSION,  DEPARTMENT,  DIVISION,  INSTITUTION,
 OFFICE, OR PUBLIC AUTHORITY OF SUCH LOCAL GOVERNMENT ENTITY;
   (C)  ANY REGULATED ENTITY OF THE STATE OF NEW YORK OR LOCAL GOVERNMENT
 ENTITY;
   (D) ANY NOT-FOR-PROFIT CORPORATION IN THE STATE OF NEW YORK;
   (E) ANY PRIVATE SECTOR BUSINESS IN THE STATE OF  NEW  YORK,  INCLUDING
 BUT  NOT  LIMITED  TO, A SOLE PROPRIETOR, PARTNERSHIP, LIMITED LIABILITY
 COMPANY OR BUSINESS CORPORATION; AND/OR
   (F) ANY CITIZEN OF THE STATE OF NEW YORK.
   4. WHERE COMPLIANCE WITH THIS SECTION SHALL REQUIRE THE DISCLOSURE  OF
 CONFIDENTIAL  INFORMATION,  OR  THE  DISCLOSURE OF SENSITIVE INFORMATION
 WHICH IN THE JUDGMENT OF THE COMMISSIONER  WOULD  JEOPARDIZE  THE  CYBER
 SECURITY OF THE STATE:
   (A)  SUCH  CONFIDENTIAL  OR SENSITIVE INFORMATION SHALL BE PROVIDED TO
 THE PERSONS ENTITLED TO RECEIVE THE REPORT AS  PROVIDED  BY  SUBDIVISION
 ONE OF THIS SECTION, AS FOLLOWS:
   (I)  IN  THE  CASE  OF  THE REPORT REQUIRED BY SUBDIVISION ONE OF THIS
 SECTION, IN THE FORM OF A SUPPLEMENTAL APPENDIX TO THE REPORT; AND
   (II) IN THE CASE OF A RESPONSE TO A REQUEST FOR  INFORMATION  MADE  IN
 ACCORDANCE WITH SUBDIVISION THREE OF THIS SECTION, IN A SECURE MANNER AS
 DETERMINED BY THE COMMISSIONER;
   (B)  NEITHER  A SUPPLEMENTAL APPENDIX TO THE REPORT, NOR ANY CONFIDEN-
 TIAL OR SENSITIVE INFORMATION PROVIDED IN  ACCORDANCE  WITH  SUBDIVISION
 THREE  OF  THIS  SECTION,  SHALL  BE POSTED ON THE DIVISION'S WEBSITE AS
 REQUIRED BY SUBDIVISION FIVE OF THIS SECTION;
   (C) NEITHER A SUPPLEMENTAL APPENDIX TO THE REPORT, NOR  ANY  CONFIDEN-
 TIAL  OR  SENSITIVE  INFORMATION PROVIDED IN ACCORDANCE WITH SUBDIVISION
 THREE OF THIS SECTION, SHALL BE SUBJECT TO THE PROVISIONS OF THE FREEDOM
 OF INFORMATION LAW PURSUANT TO ARTICLE SIX OF THE PUBLIC  OFFICERS  LAW;
 AND

 S. 926--A                           3
 
   (D) THE PERSONS ENTITLED TO RECEIVE THE REPORT AS PROVIDED BY SUBDIVI-
 SION  ONE OF THIS SECTION, MAY DISCLOSE THE SUPPLEMENTAL APPENDIX TO THE
 REPORT, AND  ANY  CONFIDENTIAL  OR  SENSITIVE  INFORMATION  PROVIDED  IN
 ACCORDANCE WITH SUBDIVISION THREE OF THIS SECTION, TO THEIR PROFESSIONAL
 STAFF,  BUT  SHALL  NOT OTHERWISE PUBLICLY DISCLOSE SUCH CONFIDENTIAL OR
 SECURE INFORMATION.
   5. EXCEPT WITH RESPECT TO ANY CONFIDENTIAL OR SENSITIVE INFORMATION AS
 DESCRIBED IN SUBDIVISION FOUR OF THIS SECTION, THE DIVISION SHALL POST A
 COPY OF THE REPORT PREPARED IN ACCORDANCE WITH SUBDIVISION ONE  OF  THIS
 SECTION, ON ITS WEBSITE, NOT MORE THAN FIFTEEN DAYS AFTER SUCH REPORT IS
 DELIVERED  TO  THE PERSONS ENTITLED TO RECEIVE SUCH REPORT. THE DIVISION
 MAY FURTHER POST ANY AND ALL FURTHER INFORMATION IT MAY  DEEM  APPROPRI-
 ATE,  ON  ITS  WEBSITE,  REGARDING CYBER SECURITY, AND THE PROTECTION OF
 PUBLIC AND PRIVATE COMPUTER SYSTEMS, NETWORKS, HARDWARE AND SOFTWARE.
   § 2. This act shall take effect immediately.