NY State Senate Bill 2023-S5007A

Current Bill Status - In Assembly Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Mar 18, 2024	referred to governmental operations delivered to assembly passed senate
Mar 11, 2024	amended on third reading 5007b
Feb 28, 2024	advanced to third reading
Feb 27, 2024	2nd report cal.
Feb 26, 2024	1st report cal.485
Feb 12, 2024	reported and committed to finance
Jan 03, 2024	referred to internet and technology returned to senate died in assembly
May 31, 2023	referred to governmental operations delivered to assembly passed senate
May 22, 2023	ordered to third reading cal.1097 committee discharged and committed to rules
Apr 17, 2023	print number 5007a
Apr 17, 2023	amend and recommit to finance
Feb 28, 2023	reported and committed to finance
Feb 21, 2023	referred to internet and technology

Votes

- Mar 18, 2024 - Floor Vote
  S5007A
  
  58
  
  Aye
  
  0
  
  Nay
  
  0
  
  Absent
  
  5
  
  Excused
  
  0
  
  Abstained
  - - Floor Vote: Mar 18, 2024
      
      aye (58)
      
      Addabbo Jr.
      
      Bailey
      
      Borrello
      
      Breslin
      
      Brisport
      
      Canzoneri-Fitzpatrick
      
      Chu
      
      Cleare
      
      Comrie
      
      Cooney
      
      Felder
      
      Fernandez
      
      Gallivan
      
      Gianaris
      
      Gounardes
      
      Griffo
      
      Harckham
      
      Helming
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Kavanagh
      
      Kennedy
      
      Krueger
      
      Lanza
      
      Liu
      
      Mannion
      
      Martins
      
      Mattera
      
      May
      
      Mayer
      
      Murray
      
      Myrie
      
      O'Mara
      
      Oberacker
      
      Ortt
      
      Palumbo
      
      Parker
      
      Persaud
      
      Ramos
      
      Rhoads
      
      Rivera
      
      Rolison
      
      Ryan
      
      Salazar
      
      Sanders Jr.
      
      Scarcella-Spanton
      
      Sepúlveda
      
      Serrano
      
      Skoufis
      
      Stavisky
      
      Stec
      
      Stewart-Cousins
      
      Tedisco
      
      Thomas
      
      Webb
      
      Weber
      
      Weik
      
      excused (5)
      
      Ashby
      
      Brouk
      
      Gonzalez
      
      Martinez
      
      Walczyk
      
      The following Member(s) participated via videoconferencing: Murray
  May 31, 2023 - Floor Vote
  S5007A
  
  58
  
  Aye
  
  0
  
  Nay
  
  0
  
  Absent
  
  5
  
  Excused
  
  0
  
  Abstained
  - - Floor Vote: May 31, 2023
      
      aye (58)
      
      Addabbo Jr.
      
      Bailey
      
      Borrello
      
      Breslin
      
      Brisport
      
      Brouk
      
      Canzoneri-Fitzpatrick
      
      Chu
      
      Cleare
      
      Comrie
      
      Fernandez
      
      Gallivan
      
      Gianaris
      
      Gonzalez
      
      Gounardes
      
      Griffo
      
      Harckham
      
      Helming
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Kavanagh
      
      Kennedy
      
      Krueger
      
      Lanza
      
      Liu
      
      Mannion
      
      Martinez
      
      Mattera
      
      May
      
      Mayer
      
      Murray
      
      Myrie
      
      O'Mara
      
      Oberacker
      
      Ortt
      
      Palumbo
      
      Parker
      
      Persaud
      
      Ramos
      
      Rhoads
      
      Rivera
      
      Rolison
      
      Ryan
      
      Salazar
      
      Sanders Jr.
      
      Scarcella-Spanton
      
      Sepúlveda
      
      Serrano
      
      Skoufis
      
      Stavisky
      
      Stec
      
      Stewart-Cousins
      
      Tedisco
      
      Thomas
      
      Walczyk
      
      Webb
      
      Weber
      
      excused (5)
      
      Ashby
      
      Cooney
      
      Felder
      
      Martins
      
      Weik
  May 22, 2023 - Rules Committee Vote
  S5007A
  
  18
  
  Aye
  
  0
  
  Nay
  
  3
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Rules Committee Vote: May 22, 2023
      
      aye (18)
      
      Addabbo Jr.
      
      Bailey
      
      Breslin
      
      Comrie
      
      Fernandez
      
      Gallivan
      
      Gianaris
      
      Griffo
      
      Kennedy
      
      Krueger
      
      Lanza
      
      Liu
      
      Mayer
      
      O'Mara
      
      Parker
      
      Stec
      
      Stewart-Cousins
      
      Thomas
      
      aye wr (3)
      
      Helming
      
      Ortt
      
      Sepúlveda
  Feb 12, 2024 - Internet And Technology Committee Vote
  S5007A
  
  7
  
  Aye
  
  0
  
  Nay
  
  0
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Internet And Technology Committee Vote: Feb 12, 2024
      
      aye (7)
      
      Brouk
      
      Canzoneri-Fitzpatrick
      
      Comrie
      
      Gonzalez
      
      Parker
      
      Ryan
      
      Stec
  Feb 28, 2023 - Internet And Technology Committee Vote
  S5007A
  
  6
  
  Aye
  
  0
  
  Nay
  
  1
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Internet And Technology Committee Vote: Feb 28, 2023
      
      aye (6)
      
      Brouk
      
      Comrie
      
      Gonzalez
      
      Parker
      
      Ryan
      
      Stec
      
      aye wr (1)
      
      Walczyk
  Feb 26, 2024 - Finance Committee Vote
  S5007A
  
  20
  
  Aye
  
  0
  
  Nay
  
  0
  
  Aye with Reservations
  
  2
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Finance Committee Vote: Feb 26, 2024
      
      aye (20)
      
      Bailey
      
      Borrello
      
      Breslin
      
      Comrie
      
      Cooney
      
      Gallivan
      
      Griffo
      
      Hinchey
      
      Hoylman-Sigal
      
      Kennedy
      
      Krueger
      
      Liu
      
      Martins
      
      Oberacker
      
      Parker
      
      Rivera
      
      Salazar
      
      Skoufis
      
      Stavisky
      
      Thomas
      
      absent (2)
      
      Gounardes
      
      O'Mara

Bill Amendments

Original

B (Active)

co-Sponsors

2023-S5007 - Details

See Assembly Version of this Bill:: A5736
Current Committee:: Assembly Governmental Operations
Law Section:: State Technology Law
Laws Affected:: Add §210, St Tech L
Versions Introduced in 2021-2022 Legislative Session:: S9005

2023-S5007 - Summary

Establishes the "secure our data act"; relates to state entities preparing for and protecting against a ransomware attack.

2023-S5007 - Sponsor Memo

                                 
BILL NUMBER: S5007

SPONSOR: GONZALEZ
 
TITLE OF BILL:

An act to amend the state technology law, in relation to establishing
the "secure our data act"

 
SUMMARY OF PROVISIONS:

Section one of this bill provides the title, which is the "secure our
data act."

Section two of this bill provides the legislative intent.

Section three of this bill amends the State Technology Law by adding a
new section 210. New subdivision 210:

(1) provides definitions that will be used in this section. These defi-
nitions include "immutable," "information system," "malware," and
"ransomware." New subdivision 210

(2) requires the Office of Information Technology Services ("OITS") to

promulgate regulations that include standards for:

*ransomware and malware protection for mission critical information
systems and personal information,

*the creation of segmented backups of mission critical information
systems and personal information,

*information system recovery and the use of segmented backups, and

*workforce training regarding ransomware and other malware. These regu-
lations may be promulgated on an emergency basis after at least one
public hearing has been held.

(3) requires state entities to engage in monthly vulnerability testing
of their critical information systems and to annually have their entire
information system network subjected to vulnerability testing conducted
by an independent third party.

(4) requires each state entity to create a, or update an existing,
inventory of its mission critical information systems and the personal
information maintained by the state entity.

(5) requires each state entity to develop an incident response plan for
ransomware and other malware attacks. On an annual basis, each state
entity shall complete one exercise of its incident response plan.

Section 4 of this bill contains the severability clause.

Section 5 of this bill provides that this act shall take effect imme-
diately.

 
JUSTIFICATION:

Our information systems are under attack every day. The successful
thwarting of these attacks plants the seed for new variations of cyber-
attacks. Because we cannot eradicate cyberattacks, we must fortify the
defenses that protect our information systems and the personal informa-
tion stored therein.

Personal information about New York residents can be found in each
governmental entity's information systems. To properly function and
provide services to New York residents, each governmental entity needs
the collected and maintained personal information. In its role as
protector, government must take affirmative steps to protect the
personal information that it has collected and maintains from cyberat-
tacks.

This legislation is a necessary first step in ensuring that government
is taking necessary steps to protect the personal information that it
has collected and maintains. New Yorkers trust that government is
protecting their personal information. We need to ensure that their
trust is not misplaced.

 
PRIOR LEGISLATIVE HISTORY:

2022: New bill

 
FISCAL IMPLICATIONS:

To be determined.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2023-S5007 - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   5007
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             February 21, 2023
                                ___________
 
 Introduced  by Sen. GONZALEZ -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the state technology law, in  relation  to  establishing
   the "secure our data act"
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. This act shall be known and may be cited as the "secure our
 data act".
   § 2. Legislative intent. The legislature  finds  that  ransomware  and
 other  malware  attacks have affected the electronically stored personal
 information relating to thousands of people statewide  and  millions  of
 people  nationwide.  The  legislature  also  finds  that  state entities
 receive such personal information from various  sources,  including  the
 data  subjects themselves, other state entities, and the federal govern-
 ment.  In addition, the legislature finds that state entities  use  such
 personal information to make determinations regarding the data subjects.
 The  legislature  further  finds  that New Yorkers deserve to have their
 personal information that is in the possession of a state entity  stored
 in  a  manner  that  will  withstand any attempt by ransomware and other
 malware to alter, change, or encrypt such information.
   Therefore, the legislature enacts the secure our data act  which  will
 guarantee  that  state  entities  will  employ  the proper technology to
 protect the personal information stored as backup information  from  any
 unauthorized alteration or change.
   §  3.  The state technology law is amended by adding a new section 210
 to read as follows:
   § 210. RANSOMWARE AND OTHER MALWARE PROTECTION.  1.  DEFINITIONS.  FOR
 PURPOSES  OF  THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING
 MEANINGS:
   (A) "DATA SUBJECT" SHALL MEAN THE PERSON WHO IS  THE  SUBJECT  OF  THE
 PERSONAL INFORMATION.

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD09002-01-3

 S. 5007                             2
 
   (B)  "IMMUTABLE"  MEANS  DATA  THAT  IS  STORED UNCHANGED OVER TIME OR
 UNABLE TO BE CHANGED. FOR THE PURPOSES  OF  BACKUPS,  "IMMUTABLE"  SHALL
 MEAN  THAT,  ONCE INGESTED, NO EXTERNAL OR INTERNAL OPERATION CAN MODIFY
 THE DATA AND MUST NEVER BE  AVAILABLE  IN  A  READ/WRITE  STATE  TO  THE
 CLIENT.  "IMMUTABLE" SHALL SPECIFICALLY APPLY TO THE CHARACTERISTICS AND
 ATTRIBUTES OF A BACKUP SYSTEM'S FILE SYSTEM AND MAY NOT  BE  APPLIED  TO
 TEMPORARY  SYSTEMS  STATE,  TIME-BOUND  OR  EXPIRING  CONFIGURATIONS, OR
 TEMPORARY CONDITIONS CREATED BY A PHYSICAL AIR GAP AS IS IMPLEMENTED  IN
 MOST  LEGACY SYSTEMS.  AN IMMUTABLE FILE SYSTEM MUST DEMONSTRATE CHARAC-
 TERISTICS THAT DO NOT PERMIT THE EDITING OR CHANGING OF ANY DATA  BACKED
 UP TO PROVIDE AGENCIES WITH COMPLETE RECOVERY CAPABILITIES.
   (C) "INFORMATION SYSTEM" SHALL MEAN ANY GOOD, SERVICE OR A COMBINATION
 THEREOF,  USED  BY ANY COMPUTER, CLOUD SERVICE, OR INTERCONNECTED SYSTEM
 THAT IS MAINTAINED FOR OR USED BY A STATE  ENTITY  IN  THE  ACQUISITION,
 STORAGE,  MANIPULATION,  MANAGEMENT, MOVEMENT, CONTROL, DISPLAY, SWITCH-
 ING, INTERCHANGE, TRANSMISSION, OR RECEPTION OF DATA OR VOICE INCLUDING,
 BUT NOT LIMITED TO, HARDWARE, SOFTWARE,  INFORMATION  APPLIANCES,  FIRM-
 WARE,  PROGRAMS,  SYSTEMS,  NETWORKS, INFRASTRUCTURE, MEDIA, AND RELATED
 MATERIAL USED TO  AUTOMATICALLY  AND  ELECTRONICALLY  COLLECT,  RECEIVE,
 ACCESS,  TRANSMIT,  DISPLAY, STORE, RECORD, RETRIEVE, ANALYZE, EVALUATE,
 PROCESS, CLASSIFY, MANIPULATE, MANAGE, ASSIMILATE, CONTROL, COMMUNICATE,
 EXCHANGE, CONVERT, COVERAGE, INTERFACE, SWITCH, OR DISSEMINATE  DATA  OF
 ANY KIND OR FORM.
   (D)  "MAINTAINED"  SHALL  MEAN  PERSONAL INFORMATION STORED BY A STATE
 ENTITY THAT WAS PROVIDED TO THE STATE ENTITY  BY  THE  DATA  SUBJECT,  A
 STATE  ENTITY,  OR  A  FEDERAL GOVERNMENTAL ENTITY. SUCH TERM SHALL ALSO
 INCLUDE PERSONAL INFORMATION PROVIDED BY AN ADVERSE PARTY IN THE  COURSE
 OF LITIGATION OR OTHER ADVERSARIAL PROCEEDING.
   (E)  "MALWARE"  SHALL MEAN MALICIOUS CODE INCLUDED IN ANY APPLICATION,
 DIGITAL CONTENT, DOCUMENT, EXECUTABLE, FIRMWARE,  PAYLOAD,  OR  SOFTWARE
 FOR  THE  PURPOSE  OF  PERFORMING  OR EXECUTING ONE OR MORE UNAUTHORIZED
 PROCESSES DESIGNED TO HAVE AN ADVERSE IMPACT ON THE AVAILABILITY, CONFI-
 DENTIALITY, OR INTEGRITY OF DATA STORED IN AN INFORMATION SYSTEM.
   (F) "RANSOMWARE" SHALL MEAN ANY TYPE OF MALWARE THAT  USES  ENCRYPTION
 TECHNOLOGY TO PREVENT USERS FROM ACCESSING AN INFORMATION SYSTEM OR DATA
 STORED BY SUCH INFORMATION SYSTEM UNTIL A RANSOM IS PAID.
   (G)  "STATE  ENTITY"  SHALL  MEAN  ANY  STATE BOARD, BUREAU, DIVISION,
 COMMITTEE, COMMISSION, COUNCIL,  DEPARTMENT,  PUBLIC  AUTHORITY,  PUBLIC
 BENEFIT  CORPORATION,  OFFICE  OR OTHER GOVERNMENTAL ENTITY PERFORMING A
 GOVERNMENTAL OR PROPRIETARY FUNCTION FOR THE STATE OF NEW YORK OR ANY OF
 ITS POLITICAL SUBDIVISIONS.
   2. DATA PROTECTION STANDARDS. (A) NO LATER THAN  ONE  YEAR  AFTER  THE
 EFFECTIVE  DATE  OF  THIS  SECTION,  THE  DIRECTOR, IN CONSULTATION WITH
 STAKEHOLDERS AND OTHER INTERESTED PARTIES, WHICH SHALL INCLUDE AT  LEAST
 ONE PUBLIC HEARING, SHALL PROMULGATE REGULATIONS THAT DESIGN AND DEVELOP
 STANDARDS FOR:
   (I) MALWARE AND RANSOMWARE PROTECTION FOR MISSION CRITICAL INFORMATION
 SYSTEMS AND FOR PERSONAL INFORMATION USED BY SUCH INFORMATION SYSTEMS;
   (II)  DATA  BACKUP  THAT INCLUDES THE CREATION OF IMMUTABLE BACKUPS OF
 PERSONAL INFORMATION MAINTAINED BY THE STATE ENTITY AND STORAGE OF  SUCH
 BACKUPS IN A SEGMENTED ENVIRONMENT, INCLUDING A SEGMENTED DEVICE;
   (III)  INFORMATION SYSTEM RECOVERY THAT INCLUDES CREATING AN IDENTICAL
 COPY OF AN IMMUTABLE PERSONAL INFORMATION BACKUP MAINTAINED  BY  OR  FOR
 THE  STATE  ENTITY  THAT  WAS  STORED IN A SEGMENTED ENVIRONMENT OR ON A
 SEGMENTED DEVICE FOR USE WHEN AN INFORMATION SYSTEM HAS  BEEN  ADVERSELY
 S. 5007                             3
 
 AFFECTED  BY  RENT  SOMEWHERE  OR OTHER MALWARE AND REQUIRES RESTORATION
 FROM ONE OR MORE BACKUPS; AND
   (IV)  ANNUAL  WORKFORCE  TRAINING REGARDING PROTECTION FROM RANSOMWARE
 AND OTHER MALWARE, AS WELL AS PROCESSES AND PROCEDURES  THAT  SHOULD  BE
 FOLLOWED  IN  THE EVENT OF A DATA INCIDENT INVOLVING RANSOMWARE OR OTHER
 MALWARE.
   (B) SUCH REGULATIONS MAY BE ADOPTED ON AN  EMERGENCY  BASIS.  IF  SUCH
 REGULATIONS  ARE  ADOPTED ON AN EMERGENCY BASIS, THE OFFICE SHALL ENGAGE
 IN THE FORMAL RULEMAKING PROCEDURE NO LATER  THAN  THE  DAY  IMMEDIATELY
 FOLLOWING  THE  DATE  THAT THE OFFICE PROMULGATED SUCH REGULATIONS ON AN
 EMERGENCY BASIS. PROVIDED THAT THE OFFICE HAS COMMENCED THE FORMAL RULE-
 MAKING PROCESS, THE REGULATIONS ADOPTED ON AN  EMERGENCY  BASIS  MAY  BE
 RENEWED NO MORE THAN TWO TIMES.
   3.  VULNERABILITY ASSESSMENTS. NOTWITHSTANDING ANY PROVISION OF LAW TO
 THE CONTRARY, EACH STATE ENTITY SHALL ENGAGE IN VULNERABILITY TESTING OF
 ITS INFORMATION SYSTEMS AS FOLLOWS:
   (A) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-FOUR AND ON A MONTHLY
 BASIS THEREAFTER, EACH STATE  ENTITY  SHALL  PERFORM,  OR  CAUSE  TO  BE
 PERFORMED,  A  VULNERABILITY ASSESSMENT OF AT LEAST ONE MISSION CRITICAL
 INFORMATION SYSTEM ENSURING THAT EACH MISSION CRITICAL SYSTEM HAS UNDER-
 GONE A VULNERABILITY ASSESSMENT DURING THE PAST YEAR. A REPORT DETAILING
 THE VULNERABILITY ASSESSMENT METHODOLOGY  AND  FINDINGS  SHALL  BE  MADE
 AVAILABLE  TO  THE OFFICE FOR REVIEW NO LATER THAN FORTY-FIVE DAYS AFTER
 THE TESTING HAS BEEN COMPLETED.
   (B) BEGINNING DECEMBER FIRST, TWO  THOUSAND  TWENTY-FOUR,  EACH  STATE
 ENTITY'S  ENTIRE  INFORMATION SYSTEM SHALL UNDERGO VULNERABILITY TESTING
 CONDUCTED BY AN INDEPENDENT THIRD PARTY. A REPORT DETAILING THE  VULNER-
 ABILITY  ASSESSMENT  METHODOLOGY AND FINDINGS SHALL BE MADE AVAILABLE TO
 THE OFFICE FOR REVIEW NO LATER THAN FORTY-FIVE DAYS AFTER  SUCH  TESTING
 HAS BEEN COMPLETED.
   (C)  THE  OFFICE  SHALL  ASSIST  STATE  ENTITIES IN COMPLYING WITH THE
 PROVISIONS OF THIS SECTION.
   4. DATA AND INFORMATION SYSTEM INVENTORY. (A) NO LATER THAN  ONE  YEAR
 AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE ENTITY SHALL CREATE
 AN  INVENTORY OF THE DATA MAINTAINED BY THE STATE ENTITY AND THE PURPOSE
 OR PURPOSES FOR WHICH SUCH DATA IS MAINTAINED AND  USED.  THE  INVENTORY
 SHALL  INCLUDE  A  LISTING OF ALL PERSONAL INFORMATION MAINTAINED BY THE
 STATE ENTITY, ALONG WITH THE SOURCE AND AGE OF SUCH INFORMATION.
   (B) NO LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF  THIS  SECTION,
 EACH  STATE  ENTITY SHALL CREATE AN INVENTORY OF THE INFORMATION SYSTEMS
 MAINTAINED BY OR ON BEHALF OF  THE  STATE  ENTITY  AND  THE  PURPOSE  OR
 PURPOSES  FOR WHICH EACH SUCH INFORMATION SYSTEM IS MAINTAINED AND USED.
 THE INVENTORY SHALL DENOTE THOSE INFORMATION SYSTEMS  THAT  ARE  MISSION
 CRITICAL AND THOSE THAT USE PERSONAL INFORMATION, AND WHETHER THE INFOR-
 MATION SYSTEM IS PROTECTED BY IMMUTABLE BACKUPS.
   (C)  NOTWITHSTANDING  PARAGRAPHS (A) AND (B) OF THIS SUBDIVISION, IF A
 STATE ENTITY HAS ALREADY  COMPLETED  A  DATA  INVENTORY  OR  INFORMATION
 SYSTEMS  INVENTORY,  SUCH  STATE  ENTITY  SHALL  UPDATE  THE  PREVIOUSLY
 COMPLETED DATA INVENTORY OR INFORMATION SYSTEM INVENTORY NO  LATER  THAN
 ONE YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION.
   (D) UPON WRITTEN REQUEST FROM THE OFFICE, A STATE ENTITY SHALL PROVIDE
 THE OFFICE WITH EITHER OR BOTH OF THE INVENTORIES REQUIRED TO BE CREATED
 OR UPDATED PURSUANT TO THIS SUBDIVISION.
   5. INCIDENT MANAGEMENT AND RECOVERY. (A) NO LATER THAN EIGHTEEN MONTHS
 AFTER  THE  EFFECTIVE DATE OF THIS SECTION, EACH STATE ENTITY SHALL HAVE
 CREATED AN INCIDENT RESPONSE PLAN FOR INCIDENTS INVOLVING RANSOMWARE  OR
 S. 5007                             4
 
 OTHER  MALWARE  THAT  RENDERS AN INFORMATION SYSTEM OR ITS DATA UNAVAIL-
 ABLE, AND INCIDENTS INVOLVING RANSOMWARE OR OTHER MALWARE THAT RESULT IN
 THE ALTERATION OR DELETION OF OR UNAUTHORIZED ACCESS TO, PERSONAL INFOR-
 MATION.
   (B)  SUCH  INCIDENT  RESPONSE PLAN SHALL INCLUDE A PROCEDURE FOR SITU-
 ATIONS WHERE PRODUCTION AND NON-SEGMENTED INFORMATION SYSTEMS HAVE  BEEN
 ADVERSELY  AFFECTED  BY  A DATA INCIDENT, AS WELL AS A PROCEDURE FOR THE
 STORAGE OF PERSONAL  INFORMATION  AND  MISSION  CRITICAL  BACKUPS  ON  A
 SEGMENTED  DEVICE OR SEGMENTED PORTION OF THE STATE ENTITY'S INFORMATION
 SYSTEM TO ENSURE THAT SUCH PERSONAL  INFORMATION  AND  MISSION  CRITICAL
 SYSTEMS ARE PROTECTED BY IMMUTABLE BACKUPS.
   (C)  BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-SIX AND ON AN ANNUAL
 BASIS THEREAFTER, EACH STATE ENTITY SHALL COMPLETE AT LEAST ONE EXERCISE
 OF ITS INCIDENT  RESPONSE  PLAN  THAT  INCLUDES  COPYING  THE  IMMUTABLE
 PERSONAL   INFORMATION   AND  MISSION  CRITICAL  APPLICATIONS  FROM  THE
 SEGMENTED PORTION OF THE STATE ENTITY'S  INFORMATION  SYSTEM  AND  USING
 SUCH COPIES IN THE STATE ENTITY'S RESTORATION AND RECOVERY PROCESS. UPON
 COMPLETION  OF  SUCH EXERCISE, THE STATE ENTITY SHALL DOCUMENT THE INCI-
 DENT RESPONSE PLAN'S SUCCESSES AND SHORTCOMINGS.
   6. NO PRIVATE RIGHT OF ACTION. NOTHING SET FORTH IN THIS SECTION SHALL
 BE CONSTRUED AS CREATING OR ESTABLISHING A PRIVATE CAUSE OF ACTION.
   § 4. Severability. The provisions of this act shall be  severable  and
 if  any  portion  thereof  or the applicability thereof to any person or
 circumstances shall be held to be invalid, the remainder of this act and
 the application thereof shall not be affected thereby.
   § 5. This act shall take effect immediately.

co-Sponsors

2023-S5007A - Details

See Assembly Version of this Bill:: A5736
Current Committee:: Assembly Governmental Operations
Law Section:: State Technology Law
Laws Affected:: Add §210, St Tech L
Versions Introduced in 2021-2022 Legislative Session:: S9005

2023-S5007A - Summary

Establishes the "secure our data act"; relates to state entities preparing for and protecting against a ransomware attack.

2023-S5007A - Sponsor Memo

                                 
BILL NUMBER: S5007AREVISED 4/18/23

SPONSOR: GONZALEZ
 
TITLE OF BILL:

An act to amend the state technology law, in relation to establishing
the "secure our data act"

 
SUMMARY OF PROVISIONS:

Section one of this bill provides the title, which is the "secure our
data act."

Section two of this bill provides the legislative intent.

Section three of this bill amends the State Technology Law by adding a
new section 210. New subdivision 210:

(1) provides definitions that will be used in this section. These defi-
nitions include "immutable," "information system," "malware," and
"ransomware." New subdivision 210

(2) requires the Office of Information Technology Services ("OITS") to

promulgate regulations that include standards for:

*ransomware and malware protection for mission critical information
systems and personal information,

*the creation of segmented backups of mission critical information
systems and personal information,

*information system recovery and the use of segmented backups, and

*workforce training regarding ransomware and other malware. These regu-
lations may be promulgated on an emergency basis after at least one
public hearing has been held.

(3) requires state entities to engage in monthly vulnerability testing
of their critical information systems and to annually have their entire
information system network subjected to vulnerability testing.

(4) requires each state entity to create a, or update an existing,
inventory of its mission critical information systems and the personal
information maintained by the state entity.

(5) requires each state entity to develop an incident response plan for
ransomware and other malware attacks. On an annual basis, each state
entity shall complete one exercise of its incident response plan.

Section 4 of this bill contains the severability clause.

Section 5 of this bill provides that this act shall take effect imme-
diately.

 
JUSTIFICATION:

Our information systems are under attack every day. The successful
thwarting of these attacks plants the seed for new variations of cyber-
attacks. Because we cannot eradicate cyberattacks, we must fortify the
defenses that protect our information systems and the personal informa-
tion stored therein.

Personal information about New York residents can be found in each
governmental entity's information systems. To properly function and
provide services to New York residents, each governmental entity needs
the collected and maintained personal information. In its role as
protector, government must take affirmative steps to protect the
personal information that it has collected and maintains from cyberat-
tacks.

This legislation is a necessary first step in ensuring that government
is taking necessary steps to protect the personal information that it
has collected and maintains. New Yorkers trust that government is
protecting their personal information. We need to ensure that their
trust is not misplaced.

 
PRIOR LEGISLATIVE HISTORY:

2022: New bill, S9005

 
FISCAL IMPLICATIONS:

To be determined.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2023-S5007A - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  5007--A
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             February 21, 2023
                                ___________
 
 Introduced by Sens. GONZALEZ, SALAZAR -- read twice and ordered printed,
   and  when  printed  to  be  committed to the Committee on Internet and
   Technology -- reported favorably from said committee and committed  to
   the  Committee  on  Finance  --  committee  discharged,  bill amended,
   ordered reprinted as amended and recommitted to said committee

 AN ACT to amend the state technology law, in  relation  to  establishing
   the "secure our data act"
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. This act shall be known and may be cited as the "secure our
 data act".
   § 2. Legislative intent. The legislature  finds  that  ransomware  and
 other  malware  attacks have affected the electronically stored personal
 information relating to thousands of people statewide  and  millions  of
 people  nationwide.  The  legislature  also  finds  that  state entities
 receive such personal information from various  sources,  including  the
 data  subjects themselves, other state entities, and the federal govern-
 ment.  In addition, the legislature finds that state entities  use  such
 personal information to make determinations regarding the data subjects.
 The  legislature  further  finds  that New Yorkers deserve to have their
 personal information that is in the possession of a state entity  stored
 in  a  manner  that  will  withstand any attempt by ransomware and other
 malware to alter, change, or encrypt such information.
   Therefore, the legislature enacts the secure our data act  which  will
 guarantee  that  state  entities  will  employ  the proper technology to
 protect the personal information stored as backup information  from  any
 unauthorized alteration or change.
   §  3.  The state technology law is amended by adding a new section 210
 to read as follows:
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD09002-02-3
 S. 5007--A                          2

   § 210. RANSOMWARE AND OTHER MALWARE PROTECTION.  1.  DEFINITIONS.  FOR
 PURPOSES  OF  THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING
 MEANINGS:
   (A)  "DATA  SUBJECT"  SHALL  MEAN THE PERSON WHO IS THE SUBJECT OF THE
 PERSONAL INFORMATION.
   (B) "IMMUTABLE" MEANS DATA THAT  IS  STORED  UNCHANGED  OVER  TIME  OR
 UNABLE  TO  BE  CHANGED.  FOR THE PURPOSES OF BACKUPS, "IMMUTABLE" SHALL
 MEAN THAT, ONCE INGESTED, NO EXTERNAL OR INTERNAL OPERATION  CAN  MODIFY
 THE  DATA  AND  MUST  NEVER  BE  AVAILABLE  IN A READ/WRITE STATE TO THE
 CLIENT. "IMMUTABLE" SHALL SPECIFICALLY APPLY TO THE CHARACTERISTICS  AND
 ATTRIBUTES  OF  A  BACKUP SYSTEM'S FILE SYSTEM AND MAY NOT BE APPLIED TO
 TEMPORARY SYSTEMS  STATE,  TIME-BOUND  OR  EXPIRING  CONFIGURATIONS,  OR
 TEMPORARY  CONDITIONS CREATED BY A PHYSICAL AIR GAP AS IS IMPLEMENTED IN
 MOST LEGACY SYSTEMS.  AN IMMUTABLE FILE SYSTEM MUST DEMONSTRATE  CHARAC-
 TERISTICS  THAT DO NOT PERMIT THE EDITING OR CHANGING OF ANY DATA BACKED
 UP TO PROVIDE AGENCIES WITH COMPLETE RECOVERY CAPABILITIES.
   (C) "INFORMATION SYSTEM" SHALL MEAN ANY GOOD, SERVICE OR A COMBINATION
 THEREOF, USED BY ANY COMPUTER, CLOUD SERVICE, OR  INTERCONNECTED  SYSTEM
 THAT  IS  MAINTAINED  FOR  OR USED BY A STATE ENTITY IN THE ACQUISITION,
 STORAGE, MANIPULATION, MANAGEMENT, MOVEMENT, CONTROL,  DISPLAY,  SWITCH-
 ING, INTERCHANGE, TRANSMISSION, OR RECEPTION OF DATA OR VOICE INCLUDING,
 BUT  NOT  LIMITED  TO, HARDWARE, SOFTWARE, INFORMATION APPLIANCES, FIRM-
 WARE, PROGRAMS, SYSTEMS, NETWORKS, INFRASTRUCTURE,  MEDIA,  AND  RELATED
 MATERIAL  USED  TO  AUTOMATICALLY  AND  ELECTRONICALLY COLLECT, RECEIVE,
 ACCESS, TRANSMIT, DISPLAY, STORE, RECORD, RETRIEVE,  ANALYZE,  EVALUATE,
 PROCESS, CLASSIFY, MANIPULATE, MANAGE, ASSIMILATE, CONTROL, COMMUNICATE,
 EXCHANGE,  CONVERT,  COVERAGE, INTERFACE, SWITCH, OR DISSEMINATE DATA OF
 ANY KIND OR FORM.
   (D) "MAINTAINED" SHALL MEAN PERSONAL INFORMATION  STORED  BY  A  STATE
 ENTITY  THAT  WAS  PROVIDED  TO  THE STATE ENTITY BY THE DATA SUBJECT, A
 STATE ENTITY, OR A FEDERAL GOVERNMENTAL ENTITY.  SUCH  TERM  SHALL  ALSO
 INCLUDE  PERSONAL INFORMATION PROVIDED BY AN ADVERSE PARTY IN THE COURSE
 OF LITIGATION OR OTHER ADVERSARIAL PROCEEDING.
   (E) "MALWARE" SHALL MEAN MALICIOUS CODE INCLUDED IN  ANY  APPLICATION,
 DIGITAL  CONTENT,  DOCUMENT,  EXECUTABLE, FIRMWARE, PAYLOAD, OR SOFTWARE
 FOR THE PURPOSE OF PERFORMING OR  EXECUTING  ONE  OR  MORE  UNAUTHORIZED
 PROCESSES DESIGNED TO HAVE AN ADVERSE IMPACT ON THE AVAILABILITY, CONFI-
 DENTIALITY, OR INTEGRITY OF DATA STORED IN AN INFORMATION SYSTEM.
   (F)  "RANSOMWARE"  SHALL MEAN ANY TYPE OF MALWARE THAT USES ENCRYPTION
 TECHNOLOGY TO PREVENT USERS FROM ACCESSING AN INFORMATION SYSTEM OR DATA
 STORED BY SUCH INFORMATION SYSTEM UNTIL A RANSOM IS PAID.
   (G) "STATE ENTITY" SHALL  MEAN  ANY  STATE  BOARD,  BUREAU,  DIVISION,
 COMMITTEE,  COMMISSION,  COUNCIL,  DEPARTMENT,  PUBLIC AUTHORITY, PUBLIC
 BENEFIT CORPORATION, OFFICE OR OTHER GOVERNMENTAL  ENTITY  PERFORMING  A
 GOVERNMENTAL OR PROPRIETARY FUNCTION FOR THE STATE OF NEW YORK, EXCEPT:
   (I) THE JUDICIARY; AND
   (II)  ALL CITIES, COUNTIES, MUNICIPALITIES, VILLAGES, TOWNS, AND OTHER
 LOCAL AGENCIES.
   2. DATA PROTECTION STANDARDS. (A) NO LATER THAN  ONE  YEAR  AFTER  THE
 EFFECTIVE  DATE  OF  THIS  SECTION,  THE  DIRECTOR, IN CONSULTATION WITH
 STAKEHOLDERS AND OTHER INTERESTED PARTIES, WHICH SHALL INCLUDE AT  LEAST
 ONE PUBLIC HEARING, SHALL PROMULGATE REGULATIONS THAT DESIGN AND DEVELOP
 STANDARDS FOR:
   (I) MALWARE AND RANSOMWARE PROTECTION FOR MISSION CRITICAL INFORMATION
 SYSTEMS AND FOR PERSONAL INFORMATION USED BY SUCH INFORMATION SYSTEMS;
 S. 5007--A                          3
 
   (II)  DATA  BACKUP  THAT INCLUDES THE CREATION OF IMMUTABLE BACKUPS OF
 PERSONAL INFORMATION MAINTAINED BY THE STATE ENTITY AND STORAGE OF  SUCH
 BACKUPS IN A SEGMENTED ENVIRONMENT, INCLUDING A SEGMENTED DEVICE;
   (III)  INFORMATION SYSTEM RECOVERY THAT INCLUDES CREATING AN IDENTICAL
 COPY OF AN IMMUTABLE PERSONAL INFORMATION BACKUP MAINTAINED  BY  OR  FOR
 THE  STATE  ENTITY  THAT  WAS  STORED IN A SEGMENTED ENVIRONMENT OR ON A
 SEGMENTED DEVICE FOR USE WHEN AN INFORMATION SYSTEM HAS  BEEN  ADVERSELY
 AFFECTED  BY  RENT  SOMEWHERE  OR OTHER MALWARE AND REQUIRES RESTORATION
 FROM ONE OR MORE BACKUPS; AND
   (IV) ANNUAL WORKFORCE TRAINING REGARDING  PROTECTION  FROM  RANSOMWARE
 AND  OTHER  MALWARE,  AS WELL AS PROCESSES AND PROCEDURES THAT SHOULD BE
 FOLLOWED IN THE EVENT OF A DATA INCIDENT INVOLVING RANSOMWARE  OR  OTHER
 MALWARE.
   (B)  SUCH  REGULATIONS  MAY  BE ADOPTED ON AN EMERGENCY BASIS. IF SUCH
 REGULATIONS ARE ADOPTED ON AN EMERGENCY BASIS, THE OFFICE  SHALL  ENGAGE
 IN  THE  FORMAL  RULEMAKING  PROCEDURE NO LATER THAN THE DAY IMMEDIATELY
 FOLLOWING THE DATE THAT THE OFFICE PROMULGATED SUCH  REGULATIONS  ON  AN
 EMERGENCY BASIS. PROVIDED THAT THE OFFICE HAS COMMENCED THE FORMAL RULE-
 MAKING  PROCESS,  THE  REGULATIONS  ADOPTED ON AN EMERGENCY BASIS MAY BE
 RENEWED NO MORE THAN TWO TIMES.
   3. VULNERABILITY ASSESSMENTS. NOTWITHSTANDING ANY PROVISION OF LAW  TO
 THE CONTRARY, EACH STATE ENTITY SHALL ENGAGE IN VULNERABILITY TESTING OF
 ITS INFORMATION SYSTEMS AS FOLLOWS:
   (A) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-FOUR AND ON A MONTHLY
 BASIS  THEREAFTER,  EACH  STATE  ENTITY  SHALL  PERFORM,  OR CAUSE TO BE
 PERFORMED, A VULNERABILITY ASSESSMENT OF AT LEAST ONE  MISSION  CRITICAL
 INFORMATION SYSTEM ENSURING THAT EACH MISSION CRITICAL SYSTEM HAS UNDER-
 GONE A VULNERABILITY ASSESSMENT DURING THE PAST YEAR. A REPORT DETAILING
 THE  VULNERABILITY  ASSESSMENT  METHODOLOGY  AND  FINDINGS SHALL BE MADE
 AVAILABLE TO THE OFFICE FOR REVIEW NO LATER THAN FORTY-FIVE  DAYS  AFTER
 THE TESTING HAS BEEN COMPLETED.
   (B)  BEGINNING  DECEMBER  FIRST,  TWO THOUSAND TWENTY-FOUR, EACH STATE
 ENTITY'S ENTIRE INFORMATION SYSTEM SHALL UNDERGO VULNERABILITY  TESTING.
 A REPORT DETAILING THE VULNERABILITY ASSESSMENT METHODOLOGY AND FINDINGS
 SHALL  BE  MADE  AVAILABLE TO THE OFFICE FOR REVIEW NO LATER THAN FORTY-
 FIVE DAYS AFTER SUCH TESTING HAS BEEN COMPLETED.
   (C) THE OFFICE SHALL ASSIST  STATE  ENTITIES  IN  COMPLYING  WITH  THE
 PROVISIONS OF THIS SECTION.
   4.  DATA  AND INFORMATION SYSTEM INVENTORY. (A) NO LATER THAN ONE YEAR
 AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE ENTITY SHALL CREATE
 AN INVENTORY OF THE DATA MAINTAINED BY THE STATE ENTITY AND THE  PURPOSE
 OR  PURPOSES  FOR  WHICH SUCH DATA IS MAINTAINED AND USED. THE INVENTORY
 SHALL INCLUDE A LISTING OF ALL PERSONAL INFORMATION  MAINTAINED  BY  THE
 STATE ENTITY, ALONG WITH THE SOURCE AND AGE OF SUCH INFORMATION.
   (B)  NO  LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION,
 EACH STATE ENTITY SHALL CREATE AN INVENTORY OF THE  INFORMATION  SYSTEMS
 MAINTAINED  BY  OR  ON  BEHALF  OF  THE  STATE ENTITY AND THE PURPOSE OR
 PURPOSES FOR WHICH EACH SUCH INFORMATION SYSTEM IS MAINTAINED AND  USED.
 THE  INVENTORY  SHALL  DENOTE THOSE INFORMATION SYSTEMS THAT ARE MISSION
 CRITICAL AND THOSE THAT USE PERSONAL INFORMATION, AND WHETHER THE INFOR-
 MATION SYSTEM IS PROTECTED BY IMMUTABLE BACKUPS.
   (C) NOTWITHSTANDING PARAGRAPHS (A) AND (B) OF THIS SUBDIVISION,  IF  A
 STATE  ENTITY  HAS  ALREADY  COMPLETED  A  DATA INVENTORY OR INFORMATION
 SYSTEMS  INVENTORY,  SUCH  STATE  ENTITY  SHALL  UPDATE  THE  PREVIOUSLY
 COMPLETED  DATA  INVENTORY OR INFORMATION SYSTEM INVENTORY NO LATER THAN
 ONE YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION.
 S. 5007--A                          4
 
   (D) UPON WRITTEN REQUEST FROM THE OFFICE, A STATE ENTITY SHALL PROVIDE
 THE OFFICE WITH EITHER OR BOTH OF THE INVENTORIES REQUIRED TO BE CREATED
 OR UPDATED PURSUANT TO THIS SUBDIVISION.
   5. INCIDENT MANAGEMENT AND RECOVERY. (A) NO LATER THAN EIGHTEEN MONTHS
 AFTER  THE  EFFECTIVE DATE OF THIS SECTION, EACH STATE ENTITY SHALL HAVE
 CREATED AN INCIDENT RESPONSE PLAN FOR INCIDENTS INVOLVING RANSOMWARE  OR
 OTHER  MALWARE  THAT  RENDERS AN INFORMATION SYSTEM OR ITS DATA UNAVAIL-
 ABLE, AND INCIDENTS INVOLVING RANSOMWARE OR OTHER MALWARE THAT RESULT IN
 THE ALTERATION OR DELETION OF OR UNAUTHORIZED ACCESS TO, PERSONAL INFOR-
 MATION.
   (B) SUCH INCIDENT RESPONSE PLAN SHALL INCLUDE A  PROCEDURE  FOR  SITU-
 ATIONS  WHERE PRODUCTION AND NON-SEGMENTED INFORMATION SYSTEMS HAVE BEEN
 ADVERSELY AFFECTED BY A DATA INCIDENT, AS WELL AS A  PROCEDURE  FOR  THE
 STORAGE  OF  PERSONAL  INFORMATION  AND  MISSION  CRITICAL  BACKUPS ON A
 SEGMENTED DEVICE OR SEGMENTED PORTION OF THE STATE ENTITY'S  INFORMATION
 SYSTEM  TO  ENSURE  THAT  SUCH PERSONAL INFORMATION AND MISSION CRITICAL
 SYSTEMS ARE PROTECTED BY IMMUTABLE BACKUPS.
   (C) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-SIX AND ON AN  ANNUAL
 BASIS THEREAFTER, EACH STATE ENTITY SHALL COMPLETE AT LEAST ONE EXERCISE
 OF  ITS  INCIDENT  RESPONSE  PLAN  THAT  INCLUDES  COPYING THE IMMUTABLE
 PERSONAL  INFORMATION  AND  MISSION  CRITICAL  APPLICATIONS   FROM   THE
 SEGMENTED  PORTION  OF  THE  STATE ENTITY'S INFORMATION SYSTEM AND USING
 SUCH COPIES IN THE STATE ENTITY'S RESTORATION AND RECOVERY PROCESS. UPON
 COMPLETION OF SUCH EXERCISE, THE STATE ENTITY SHALL DOCUMENT  THE  INCI-
 DENT RESPONSE PLAN'S SUCCESSES AND SHORTCOMINGS.
   6. NO PRIVATE RIGHT OF ACTION. NOTHING SET FORTH IN THIS SECTION SHALL
 BE CONSTRUED AS CREATING OR ESTABLISHING A PRIVATE CAUSE OF ACTION.
   §  4.  Severability. The provisions of this act shall be severable and
 if any portion thereof or the applicability thereof  to  any  person  or
 circumstances shall be held to be invalid, the remainder of this act and
 the application thereof shall not be affected thereby.
   § 5. This act shall take effect immediately.

co-Sponsors

2023-S5007B (ACTIVE) - Details

See Assembly Version of this Bill:: A5736
Current Committee:: Assembly Governmental Operations
Law Section:: State Technology Law
Laws Affected:: Add §210, St Tech L
Versions Introduced in 2021-2022 Legislative Session:: S9005

2023-S5007B (ACTIVE) - Summary

Establishes the "secure our data act"; relates to state entities preparing for and protecting against a ransomware attack.

2023-S5007B (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S5007B

SPONSOR: GONZALEZ
 
TITLE OF BILL:

An act to amend the state technology law, in relation to establishing
the "secure our data act"

 
SUMMARY OF PROVISIONS:

Section one of this bill provides the title, which is the "secure our
data act."

Section two of this bill provides the legislative intent.

Section three of this bill amends the State Technology Law by adding a
new section 210. New subdivision 210:

(1) provides definitions that will be used in this section. These defi-
nitions include "immutable," "information system," "malware," and
"ransomware." New subdivision 210

(2) requires the Office of Information Technology Services ("OITS") to

promulgate regulations that include standards for:

*ransomware and malware protection for mission critical information
systems and personal information,

*the creation of segmented backups of mission critical information
systems and personal information,

*information system recovery and the use of segmented backups, and

*workforce training regarding ransomware and other malware. These regu-
lations may be promulgated on an emergency basis after at least one
public hearing has been held.

(3) requires state entities to engage in monthly vulnera bility testing
of their critical information systems and to annually have their entire
information system network subjected to vulnerability testing.

(4) requires each state entity to create a, or update an existing,
inventory of its mission critical information systems and the personal
information maintained by the state entity.

(5) requires each state entity to develop an incident response plan for
ransomware and other malware attacks. On an annual basis, each state
entity shall complete one exercise of its incident response plan.

Section 4 of this bill contains the severability clause.

Section 5 of this bill provides that this act shall take effect imme-
diately.

 
JUSTIFICATION:

Our information systems are under attack every day. The successful
thwarting of these attacks plants the seed for new variations of cyber-
attacks. Because we cannot eradicate cyberattacks, we must fortifythe
defenses that protect our information systems and the personal informa-
tion stored therein.

Personal information about New York residents can be found in each
governmental entity's information systems. To properly function and
provide services to New York residents, each governmental entity needs
the collected and maintained personal information. In its role as
protector, government must take affirmative steps to protect the
personal information that it has collected and maintains from cyberat-
tacks.

This legislation is a necessary first step in ensuring that government
is taking necessary steps to protect the personal information that it
has collected and maintains. New Yorkers trust that government is
protecting their personal information. We need to ensure that their
trust is not misplaced.

 
PRIOR LEGISLATIVE HISTORY:

2024: S5007A- Committed to Finance

2024: S5007A- Referred to Internet and Technology/ A5736A- Referred to
Governmental Operations

2023: S5007A- Passed in Senate /A5736A- Died in Assembly

2023: S5007A- Committed to Rules

2023: S5007A- Committed to Finance

2023: S5007 -Referred to Internet and Technology /A5736 - Referred to
Governmental Operations

 
FISCAL IMPLICATIONS:

To be determined.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2023-S5007B (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  5007--B
     Cal. No. 485
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             February 21, 2023
                                ___________
 
 Introduced by Sens. GONZALEZ, SALAZAR -- read twice and ordered printed,
   and  when  printed  to  be  committed to the Committee on Internet and
   Technology -- reported favorably from said committee and committed  to
   the  Committee  on  Finance  --  committee  discharged,  bill amended,
   ordered reprinted as amended and  recommitted  to  said  committee  --
   recommitted  to the Committee on Internet and Technology in accordance
   with Senate Rule 6, sec. 8 -- reported favorably from  said  committee
   and  committed  to the Committee on Finance -- reported favorably from
   said committee, ordered to first and second report, ordered to a third
   reading, amended and ordered reprinted, retaining  its  place  in  the
   order of third reading
 
 AN  ACT  to  amend the state technology law, in relation to establishing
   the "secure our data act"
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. This act shall be known and may be cited as the "secure our
 data act".
   §  2.  Legislative  intent.  The legislature finds that ransomware and
 other malware attacks have affected the electronically  stored  personal
 information  relating  to  thousands of people statewide and millions of
 people nationwide.  The  legislature  also  finds  that  state  entities
 receive  such  personal  information from various sources, including the
 data subjects themselves, other state entities, and the federal  govern-
 ment.    In addition, the legislature finds that state entities use such
 personal information to make determinations regarding the data subjects.
 The legislature further finds that New Yorkers  deserve  to  have  their
 personal  information that is in the possession of a state entity stored
 in a manner that will withstand any  attempt  by  ransomware  and  other
 malware to alter, change, or encrypt such information.
   Therefore,  the  legislature enacts the secure our data act which will
 guarantee that state entities  will  employ  the  proper  technology  to
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD09002-04-4
 S. 5007--B                          2
 
 protect  the  personal information stored as backup information from any
 unauthorized alteration or change.
   §  3.  The state technology law is amended by adding a new section 210
 to read as follows:
   § 210. RANSOMWARE AND OTHER MALWARE PROTECTION.  1.  DEFINITIONS.  FOR
 PURPOSES  OF  THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING
 MEANINGS:
   (A) "DATA SUBJECT" SHALL MEAN THE PERSON WHO IS  THE  SUBJECT  OF  THE
 PERSONAL INFORMATION.
   (B)  "IMMUTABLE"  MEANS  DATA  THAT  IS  STORED UNCHANGED OVER TIME OR
 UNABLE TO BE CHANGED. FOR THE PURPOSES  OF  BACKUPS,  "IMMUTABLE"  SHALL
 MEAN  THAT,  ONCE INGESTED, NO EXTERNAL OR INTERNAL OPERATION CAN MODIFY
 THE DATA AND MUST NEVER BE  AVAILABLE  IN  A  READ/WRITE  STATE  TO  THE
 CLIENT.  "IMMUTABLE" SHALL SPECIFICALLY APPLY TO THE CHARACTERISTICS AND
 ATTRIBUTES OF A BACKUP SYSTEM'S FILE SYSTEM AND MAY NOT  BE  APPLIED  TO
 TEMPORARY  SYSTEMS  STATE,  TIME-BOUND  OR  EXPIRING  CONFIGURATIONS, OR
 TEMPORARY CONDITIONS CREATED BY A PHYSICAL AIR GAP AS IS IMPLEMENTED  IN
 MOST  LEGACY SYSTEMS.  AN IMMUTABLE FILE SYSTEM MUST DEMONSTRATE CHARAC-
 TERISTICS THAT DO NOT PERMIT THE EDITING OR CHANGING OF ANY DATA  BACKED
 UP TO PROVIDE AGENCIES WITH COMPLETE RECOVERY CAPABILITIES.
   (C) "INFORMATION SYSTEM" SHALL MEAN ANY GOOD, SERVICE OR A COMBINATION
 THEREOF,  USED  BY ANY COMPUTER, CLOUD SERVICE, OR INTERCONNECTED SYSTEM
 THAT IS MAINTAINED FOR OR USED BY A STATE  ENTITY  IN  THE  ACQUISITION,
 STORAGE,  MANIPULATION,  MANAGEMENT, MOVEMENT, CONTROL, DISPLAY, SWITCH-
 ING, INTERCHANGE, TRANSMISSION, OR RECEPTION OF DATA OR VOICE INCLUDING,
 BUT NOT LIMITED TO, HARDWARE, SOFTWARE,  INFORMATION  APPLIANCES,  FIRM-
 WARE,  PROGRAMS,  SYSTEMS,  NETWORKS, INFRASTRUCTURE, MEDIA, AND RELATED
 MATERIAL USED TO  AUTOMATICALLY  AND  ELECTRONICALLY  COLLECT,  RECEIVE,
 ACCESS,  TRANSMIT,  DISPLAY, STORE, RECORD, RETRIEVE, ANALYZE, EVALUATE,
 PROCESS, CLASSIFY, MANIPULATE, MANAGE, ASSIMILATE, CONTROL, COMMUNICATE,
 EXCHANGE, CONVERT, COVERAGE, INTERFACE, SWITCH, OR DISSEMINATE  DATA  OF
 ANY KIND OR FORM.
   (D)  "MAINTAINED"  SHALL  MEAN  PERSONAL INFORMATION STORED BY A STATE
 ENTITY THAT WAS PROVIDED TO THE STATE ENTITY  BY  THE  DATA  SUBJECT,  A
 STATE  ENTITY,  OR  A  FEDERAL GOVERNMENTAL ENTITY. SUCH TERM SHALL ALSO
 INCLUDE PERSONAL INFORMATION PROVIDED BY AN ADVERSE PARTY IN THE  COURSE
 OF LITIGATION OR OTHER ADVERSARIAL PROCEEDING.
   (E)  "MALWARE"  SHALL MEAN MALICIOUS CODE INCLUDED IN ANY APPLICATION,
 DIGITAL CONTENT, DOCUMENT, EXECUTABLE, FIRMWARE,  PAYLOAD,  OR  SOFTWARE
 FOR  THE  PURPOSE  OF  PERFORMING  OR EXECUTING ONE OR MORE UNAUTHORIZED
 PROCESSES DESIGNED TO HAVE AN ADVERSE IMPACT ON THE AVAILABILITY, CONFI-
 DENTIALITY, OR INTEGRITY OF DATA STORED IN AN INFORMATION SYSTEM.
   (F) "RANSOMWARE" SHALL MEAN ANY TYPE OF MALWARE THAT  USES  ENCRYPTION
 TECHNOLOGY TO PREVENT USERS FROM ACCESSING AN INFORMATION SYSTEM OR DATA
 STORED BY SUCH INFORMATION SYSTEM UNTIL A RANSOM IS PAID.
   (G)  "STATE  ENTITY"  SHALL  MEAN  ANY  STATE BOARD, BUREAU, DIVISION,
 COMMITTEE, COMMISSION, COUNCIL,  DEPARTMENT,  PUBLIC  AUTHORITY,  PUBLIC
 BENEFIT  CORPORATION,  OFFICE  OR OTHER GOVERNMENTAL ENTITY PERFORMING A
 GOVERNMENTAL OR PROPRIETARY FUNCTION FOR THE STATE OF NEW YORK, EXCEPT:
   (I) THE JUDICIARY; AND
   (II) ALL CITIES, COUNTIES, MUNICIPALITIES, VILLAGES, TOWNS, AND  OTHER
 LOCAL AGENCIES.
   2.  DATA  PROTECTION  STANDARDS.  (A) NO LATER THAN ONE YEAR AFTER THE
 EFFECTIVE DATE OF THIS  SECTION,  THE  DIRECTOR,  IN  CONSULTATION  WITH
 STAKEHOLDERS  AND OTHER INTERESTED PARTIES, WHICH SHALL INCLUDE AT LEAST
 S. 5007--B                          3
 
 ONE PUBLIC HEARING, SHALL PROMULGATE REGULATIONS THAT DESIGN AND DEVELOP
 STANDARDS FOR:
   (I) MALWARE AND RANSOMWARE PROTECTION FOR MISSION CRITICAL INFORMATION
 SYSTEMS AND FOR PERSONAL INFORMATION USED BY SUCH INFORMATION SYSTEMS;
   (II)  DATA  BACKUP  THAT INCLUDES THE CREATION OF IMMUTABLE BACKUPS OF
 PERSONAL INFORMATION MAINTAINED BY THE STATE ENTITY AND STORAGE OF  SUCH
 BACKUPS IN A SEGMENTED ENVIRONMENT, INCLUDING A SEGMENTED DEVICE;
   (III)  INFORMATION SYSTEM RECOVERY THAT INCLUDES CREATING AN IDENTICAL
 COPY OF AN IMMUTABLE PERSONAL INFORMATION BACKUP MAINTAINED  BY  OR  FOR
 THE  STATE  ENTITY  THAT  WAS  STORED IN A SEGMENTED ENVIRONMENT OR ON A
 SEGMENTED DEVICE FOR USE WHEN AN INFORMATION SYSTEM HAS  BEEN  ADVERSELY
 AFFECTED  BY  RENT  SOMEWHERE  OR OTHER MALWARE AND REQUIRES RESTORATION
 FROM ONE OR MORE BACKUPS; AND
   (IV) ANNUAL WORKFORCE TRAINING REGARDING  PROTECTION  FROM  RANSOMWARE
 AND  OTHER  MALWARE,  AS WELL AS PROCESSES AND PROCEDURES THAT SHOULD BE
 FOLLOWED IN THE EVENT OF A DATA INCIDENT INVOLVING RANSOMWARE  OR  OTHER
 MALWARE.
   (B)  SUCH  REGULATIONS  MAY  BE ADOPTED ON AN EMERGENCY BASIS. IF SUCH
 REGULATIONS ARE ADOPTED ON AN EMERGENCY BASIS, THE OFFICE  SHALL  ENGAGE
 IN  THE  FORMAL  RULEMAKING  PROCEDURE NO LATER THAN THE DAY IMMEDIATELY
 FOLLOWING THE DATE THAT THE OFFICE PROMULGATED SUCH  REGULATIONS  ON  AN
 EMERGENCY BASIS. PROVIDED THAT THE OFFICE HAS COMMENCED THE FORMAL RULE-
 MAKING  PROCESS,  THE  REGULATIONS  ADOPTED ON AN EMERGENCY BASIS MAY BE
 RENEWED NO MORE THAN TWO TIMES.
   3. VULNERABILITY ASSESSMENTS. NOTWITHSTANDING ANY PROVISION OF LAW  TO
 THE CONTRARY, EACH STATE ENTITY SHALL ENGAGE IN VULNERABILITY TESTING OF
 ITS INFORMATION SYSTEMS AS FOLLOWS:
   (A) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-FIVE AND ON A MONTHLY
 BASIS  THEREAFTER,  EACH  STATE  ENTITY  SHALL  PERFORM,  OR CAUSE TO BE
 PERFORMED, A VULNERABILITY ASSESSMENT OF AT LEAST ONE  MISSION  CRITICAL
 INFORMATION SYSTEM ENSURING THAT EACH MISSION CRITICAL SYSTEM HAS UNDER-
 GONE A VULNERABILITY ASSESSMENT DURING THE PAST YEAR. A REPORT DETAILING
 THE  VULNERABILITY  ASSESSMENT  METHODOLOGY  AND  FINDINGS SHALL BE MADE
 AVAILABLE TO THE OFFICE FOR REVIEW NO LATER THAN FORTY-FIVE  DAYS  AFTER
 THE TESTING HAS BEEN COMPLETED.
   (B)  BEGINNING  DECEMBER  FIRST,  TWO THOUSAND TWENTY-FIVE, EACH STATE
 ENTITY'S ENTIRE INFORMATION SYSTEM SHALL UNDERGO VULNERABILITY  TESTING.
 A REPORT DETAILING THE VULNERABILITY ASSESSMENT METHODOLOGY AND FINDINGS
 SHALL  BE  MADE  AVAILABLE TO THE OFFICE FOR REVIEW NO LATER THAN FORTY-
 FIVE DAYS AFTER SUCH TESTING HAS BEEN COMPLETED.
   (C) THE OFFICE SHALL ASSIST  STATE  ENTITIES  IN  COMPLYING  WITH  THE
 PROVISIONS OF THIS SECTION.
   4.  DATA  AND INFORMATION SYSTEM INVENTORY. (A) NO LATER THAN ONE YEAR
 AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE ENTITY SHALL CREATE
 AN INVENTORY OF THE DATA MAINTAINED BY THE STATE ENTITY AND THE  PURPOSE
 OR  PURPOSES  FOR  WHICH SUCH DATA IS MAINTAINED AND USED. THE INVENTORY
 SHALL INCLUDE A LISTING OF ALL PERSONAL INFORMATION  MAINTAINED  BY  THE
 STATE ENTITY, ALONG WITH THE SOURCE AND AGE OF SUCH INFORMATION.
   (B)  NO  LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION,
 EACH STATE ENTITY SHALL CREATE AN INVENTORY OF THE  INFORMATION  SYSTEMS
 MAINTAINED  BY  OR  ON  BEHALF  OF  THE  STATE ENTITY AND THE PURPOSE OR
 PURPOSES FOR WHICH EACH SUCH INFORMATION SYSTEM IS MAINTAINED AND  USED.
 THE  INVENTORY  SHALL  DENOTE THOSE INFORMATION SYSTEMS THAT ARE MISSION
 CRITICAL AND THOSE THAT USE PERSONAL INFORMATION, AND WHETHER THE INFOR-
 MATION SYSTEM IS PROTECTED BY IMMUTABLE BACKUPS.
 S. 5007--B                          4
 
   (C) NOTWITHSTANDING PARAGRAPHS (A) AND (B) OF THIS SUBDIVISION,  IF  A
 STATE  ENTITY  HAS  ALREADY  COMPLETED  A  DATA INVENTORY OR INFORMATION
 SYSTEMS  INVENTORY,  SUCH  STATE  ENTITY  SHALL  UPDATE  THE  PREVIOUSLY
 COMPLETED  DATA  INVENTORY OR INFORMATION SYSTEM INVENTORY NO LATER THAN
 ONE YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION.
   (D) UPON WRITTEN REQUEST FROM THE OFFICE, A STATE ENTITY SHALL PROVIDE
 THE OFFICE WITH EITHER OR BOTH OF THE INVENTORIES REQUIRED TO BE CREATED
 OR UPDATED PURSUANT TO THIS SUBDIVISION.
   5. INCIDENT MANAGEMENT AND RECOVERY. (A) NO LATER THAN EIGHTEEN MONTHS
 AFTER  THE  EFFECTIVE DATE OF THIS SECTION, EACH STATE ENTITY SHALL HAVE
 CREATED AN INCIDENT RESPONSE PLAN FOR INCIDENTS INVOLVING RANSOMWARE  OR
 OTHER  MALWARE  THAT  RENDERS AN INFORMATION SYSTEM OR ITS DATA UNAVAIL-
 ABLE, AND INCIDENTS INVOLVING RANSOMWARE OR OTHER MALWARE THAT RESULT IN
 THE ALTERATION OR DELETION OF OR UNAUTHORIZED ACCESS TO, PERSONAL INFOR-
 MATION.
   (B) SUCH INCIDENT RESPONSE PLAN SHALL INCLUDE A  PROCEDURE  FOR  SITU-
 ATIONS  WHERE PRODUCTION AND NON-SEGMENTED INFORMATION SYSTEMS HAVE BEEN
 ADVERSELY AFFECTED BY A DATA INCIDENT, AS WELL AS A  PROCEDURE  FOR  THE
 STORAGE  OF  PERSONAL  INFORMATION  AND  MISSION  CRITICAL  BACKUPS ON A
 SEGMENTED DEVICE OR SEGMENTED PORTION OF THE STATE ENTITY'S  INFORMATION
 SYSTEM  TO  ENSURE  THAT  SUCH PERSONAL INFORMATION AND MISSION CRITICAL
 SYSTEMS ARE PROTECTED BY IMMUTABLE BACKUPS.
   (C) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-SEVEN AND ON AN ANNU-
 AL BASIS THEREAFTER, EACH STATE ENTITY SHALL COMPLETE AT LEAST ONE EXER-
 CISE OF ITS INCIDENT RESPONSE PLAN THAT INCLUDES COPYING  THE  IMMUTABLE
 PERSONAL   INFORMATION   AND  MISSION  CRITICAL  APPLICATIONS  FROM  THE
 SEGMENTED PORTION OF THE STATE ENTITY'S  INFORMATION  SYSTEM  AND  USING
 SUCH COPIES IN THE STATE ENTITY'S RESTORATION AND RECOVERY PROCESS. UPON
 COMPLETION  OF  SUCH EXERCISE, THE STATE ENTITY SHALL DOCUMENT THE INCI-
 DENT RESPONSE PLAN'S SUCCESSES AND SHORTCOMINGS.
   6. NO PRIVATE RIGHT OF ACTION. NOTHING SET FORTH IN THIS SECTION SHALL
 BE CONSTRUED AS CREATING OR ESTABLISHING A PRIVATE CAUSE OF ACTION.
   § 4. Severability. The provisions of this act shall be  severable  and
 if  any  portion  thereof  or the applicability thereof to any person or
 circumstances shall be held to be invalid, the remainder of this act and
 the application thereof shall not be affected thereby.
   § 5. This act shall take effect immediately.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Senate Bill S5007A

Sponsored By

Current Bill Status - In Assembly Committee

Mar 18, 2024 - Floor Vote

Floor Vote: Mar 18, 2024

May 31, 2023 - Floor Vote

Floor Vote: May 31, 2023

May 22, 2023 - Rules Committee Vote

Rules Committee Vote: May 22, 2023

Feb 12, 2024 - Internet And Technology Committee Vote

Internet And Technology Committee Vote: Feb 12, 2024

Feb 28, 2023 - Internet And Technology Committee Vote

Internet And Technology Committee Vote: Feb 28, 2023

Feb 26, 2024 - Finance Committee Vote

Finance Committee Vote: Feb 26, 2024

Bill Amendments

co-Sponsors

2023-S5007 - Details

2023-S5007 - Summary

2023-S5007 - Sponsor Memo

2023-S5007 - Bill Text download pdf

co-Sponsors

2023-S5007A - Details

2023-S5007A - Summary

2023-S5007A - Sponsor Memo

2023-S5007A - Bill Text download pdf

co-Sponsors

2023-S5007B (ACTIVE) - Details

2023-S5007B (ACTIVE) - Summary

2023-S5007B (ACTIVE) - Sponsor Memo

2023-S5007B (ACTIVE) - Bill Text download pdf

Comments

Senate Bill S5007A

Share this bill

Sponsored By

Kristen Gonzalez

Current Bill Status - In Assembly Committee

Bill Amendments

co-Sponsors

Julia Salazar

2023-S5007 - Details

2023-S5007 - Summary

2023-S5007 - Sponsor Memo

2023-S5007 - Bill Text download pdf

co-Sponsors

Julia Salazar

2023-S5007A - Details

2023-S5007A - Summary

2023-S5007A - Sponsor Memo

2023-S5007A - Bill Text download pdf

co-Sponsors

Julia Salazar

Lea Webb

2023-S5007B (ACTIVE) - Details

2023-S5007B (ACTIVE) - Summary

2023-S5007B (ACTIVE) - Sponsor Memo

2023-S5007B (ACTIVE) - Bill Text download pdf

Comments