STATE OF NEW YORK
________________________________________________________________________
926--A
2017-2018 Regular Sessions
IN SENATE
January 5, 2017
___________
Introduced by Sens. CROCI, AKSHAR, AVELLA, DeFRANCISCO, FUNKE, GOLDEN,
HELMING, ROBACH, SERINO, SEWARD -- read twice and ordered printed, and
when printed to be committed to the Committee on Veterans, Homeland
Security and Military Affairs -- recommitted to the Committee on
Veterans, Homeland Security and Military Affairs in accordance with
Senate Rule 6, sec. 8 -- committee discharged, bill amended, ordered
reprinted as amended and recommitted to said committee
AN ACT to amend the executive law, in relation to a cyber security
report
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY,
DO ENACT AS FOLLOWS:
Section 1. The executive law is amended by adding a new section 719 to
read as follows:
§ 719. QUINQUENNIAL CYBER SECURITY REPORT. 1. THE COMMISSIONER, IN
CONSULTATION WITH THE SUPERINTENDENT OF THE STATE POLICE, THE CHIEF
INFORMATION OFFICER, AND THE PRESIDENT OF THE CENTER FOR INTERNET
SECURITY, SHALL PREPARE A REPORT, TO BE DELIVERED TO THE GOVERNOR, THE
TEMPORARY PRESIDENT OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, THE
CHAIR OF THE SENATE STANDING COMMITTEE ON VETERANS, HOMELAND SECURITY
AND MILITARY AFFAIRS, AND THE CHAIR OF THE ASSEMBLY STANDING COMMITTEE
ON GOVERNMENTAL OPERATIONS, ON OR BEFORE THE FIRST DAY OF SEPTEMBER, TWO
THOUSAND EIGHTEEN, AND THEN EVERY FIVE YEARS THEREAFTER, WHICH PROVIDES
A COMPREHENSIVE REVIEW OF ALL CYBER SECURITY SERVICES PERFORMED BY, AND
ON BEHALF OF, THE STATE OF NEW YORK.
2. THE REPORT REQUIRED PURSUANT TO SUBDIVISION ONE OF THIS SECTION,
SHALL INCLUDE A DETAILED ASSESSMENT OF EACH AND EVERY CYBER SECURITY
NEED OF THE STATE OF NEW YORK, INCLUDING BUT NOT LIMITED TO, ITS STATE
AGENCIES AND ITS PUBLIC AUTHORITIES, AND FOR EACH AND EVERY SUCH CYBER
SECURITY NEED SO IDENTIFIED, SHALL FURTHER INCLUDE A DETAILED
DESCRIPTION OF:
(A) THE TYPE OF CYBER SECURITY SERVICE USED TO ADDRESS SUCH NEED;
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD01791-02-8
(B) THE SCOPE OF THE NEED SO ADDRESSED, AS WELL AS THE SCOPE OF THE
SERVICE USED TO ADDRESS SUCH NEED;
(C) THE COST OF THE SERVICE USED TO ADDRESS SUCH NEED;
(D) THE EFFECTIVENESS OF THE CYBER SECURITY SERVICE USED TO ADDRESS
SUCH NEED;
(E) THE ENTITY PROVIDING SUCH CYBER SECURITY SERVICE USED TO ADDRESS
SUCH NEED;
(F) THE GOVERNMENT, INDUSTRY AND/OR ACADEMICALLY ACCEPTED BEST CYBER
SECURITY PRACTICE FOR ADDRESSING SUCH NEED;
(G) HOW OTHER STATES, AND THE FEDERAL GOVERNMENT HAVE ADDRESSED SUCH
NEED; AND
(H) HOW PRIVATE SECTOR ENTITIES ADDRESSED SUCH NEED.
3. DURING THE PREPARATION OF THE REPORT REQUIRED BY SUBDIVISION ONE OF
THIS SECTION, AND AFTER ITS DELIVERY TO THE PERSONS IDENTIFIED TO
RECEIVE SUCH REPORT, THE COMMISSIONER, THE SUPERINTENDENT OF THE STATE
POLICE, THE CHIEF INFORMATION OFFICER, AND THE PRESIDENT OF THE CENTER
FOR INTERNET SECURITY, AS WELL AS THE DIVISIONS, OFFICES AND
CORPORATIONS UNDER THEIR DIRECTION, SHALL PROVIDE TO SUCH PERSONS ENTITLED TO
RECEIVE SUCH REPORT, ANY AND ALL ADDITIONAL INFORMATION SUCH PERSONS MAY
REQUEST, WITH RESPECT TO ANY CYBER SECURITY ISSUE CONCERNING:
(A) THE STATE OF NEW YORK, INCLUDING BUT NOT LIMITED TO, ANY AGENCY,
BOARD, BUREAU, COMMISSION, DEPARTMENT, DIVISION, INSTITUTION, OFFICE, OR
PUBLIC AUTHORITY OF THE STATE;
(B) ANY LOCAL GOVERNMENT ENTITY, INCLUDING BUT NOT LIMITED TO, ANY
COUNTY, TOWN, CITY, VILLAGE, SCHOOL DISTRICT, SPECIAL DISTRICT, AND ANY
AGENCY, BOARD, BUREAU, COMMISSION, DEPARTMENT, DIVISION, INSTITUTION,
OFFICE, OR PUBLIC AUTHORITY OF SUCH LOCAL GOVERNMENT ENTITY;
(C) ANY REGULATED ENTITY OF THE STATE OF NEW YORK OR LOCAL GOVERNMENT
ENTITY;
(D) ANY NOT-FOR-PROFIT CORPORATION IN THE STATE OF NEW YORK;
(E) ANY PRIVATE SECTOR BUSINESS IN THE STATE OF NEW YORK, INCLUDING
BUT NOT LIMITED TO, A SOLE PROPRIETOR, PARTNERSHIP, LIMITED LIABILITY
COMPANY OR BUSINESS CORPORATION; AND/OR
(F) ANY CITIZEN OF THE STATE OF NEW YORK.
4. WHERE COMPLIANCE WITH THIS SECTION SHALL REQUIRE THE DISCLOSURE OF
CONFIDENTIAL INFORMATION, OR THE DISCLOSURE OF SENSITIVE INFORMATION
WHICH IN THE JUDGMENT OF THE COMMISSIONER WOULD JEOPARDIZE THE CYBER
SECURITY OF THE STATE:
(A) SUCH CONFIDENTIAL OR SENSITIVE INFORMATION SHALL BE PROVIDED TO
THE PERSONS ENTITLED TO RECEIVE THE REPORT AS PROVIDED BY SUBDIVISION
ONE OF THIS SECTION, AS FOLLOWS:
(I) IN THE CASE OF THE REPORT REQUIRED BY SUBDIVISION ONE OF THIS
SECTION, IN THE FORM OF A SUPPLEMENTAL APPENDIX TO THE REPORT; AND
(II) IN THE CASE OF A RESPONSE TO A REQUEST FOR INFORMATION MADE IN
ACCORDANCE WITH SUBDIVISION THREE OF THIS SECTION, IN A SECURE MANNER AS
DETERMINED BY THE COMMISSIONER;
(B) NEITHER A SUPPLEMENTAL APPENDIX TO THE REPORT, NOR ANY
CONFIDENTIAL OR SENSITIVE INFORMATION PROVIDED IN ACCORDANCE WITH SUBDIVISION
THREE OF THIS SECTION, SHALL BE POSTED ON THE DIVISION'S WEBSITE AS
REQUIRED BY SUBDIVISION FIVE OF THIS SECTION;
(C) NEITHER A SUPPLEMENTAL APPENDIX TO THE REPORT, NOR ANY
CONFIDENTIAL OR SENSITIVE INFORMATION PROVIDED IN ACCORDANCE WITH SUBDIVISION
THREE OF THIS SECTION, SHALL BE SUBJECT TO THE PROVISIONS OF THE FREEDOM
OF INFORMATION LAW PURSUANT TO ARTICLE SIX OF THE PUBLIC OFFICERS LAW;
AND
(D) THE PERSONS ENTITLED TO RECEIVE THE REPORT AS PROVIDED BY
SUBDIVISION ONE OF THIS SECTION, MAY DISCLOSE THE SUPPLEMENTAL APPENDIX TO THE
REPORT, AND ANY CONFIDENTIAL OR SENSITIVE INFORMATION PROVIDED IN
ACCORDANCE WITH SUBDIVISION THREE OF THIS SECTION, TO THEIR PROFESSIONAL
STAFF, BUT SHALL NOT OTHERWISE PUBLICLY DISCLOSE SUCH CONFIDENTIAL OR
SECURE INFORMATION.
5. EXCEPT WITH RESPECT TO ANY CONFIDENTIAL OR SENSITIVE INFORMATION AS
DESCRIBED IN SUBDIVISION FOUR OF THIS SECTION, THE DIVISION SHALL POST A
COPY OF THE REPORT PREPARED IN ACCORDANCE WITH SUBDIVISION ONE OF THIS
SECTION, ON ITS WEBSITE, NOT MORE THAN FIFTEEN DAYS AFTER SUCH REPORT IS
DELIVERED TO THE PERSONS ENTITLED TO RECEIVE SUCH REPORT. THE DIVISION
MAY FURTHER POST ANY AND ALL FURTHER INFORMATION IT MAY DEEM
APPROPRIATE, ON ITS WEBSITE, REGARDING CYBER SECURITY, AND THE PROTECTION OF
PUBLIC AND PRIVATE COMPUTER SYSTEMS, NETWORKS, HARDWARE AND SOFTWARE.
§ 2. This act shall take effect immediately.