STATE OF NEW YORK
________________________________________________________________________
6769
2025-2026 Regular Sessions
IN ASSEMBLY
March 13, 2025
___________
Introduced by M. of A. JONES -- read once and referred to the Committee
on Local Governments
AN ACT to amend the general municipal law and the executive law, in
relation to requiring municipal cybersecurity incident or ransomware
attack reporting and exempting such reports from freedom of informa-
tion requirements; and to amend the state technology law, in relation
to requiring cybersecurity awareness training
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. The general municipal law is amended by adding a new arti-
cle 19-C to read as follows:
ARTICLE 19-C
CYBERSECURITY INCIDENT REPORTING REQUIREMENTS FOR MUNICIPAL CORPORATIONS
SECTION 995-A. DEFINITIONS.
995-B. REPORTING OF CYBERSECURITY INCIDENTS.
995-C. NOTICE AND EXPLANATION OF RANSOM PAYMENT.
§ 995-A. DEFINITIONS. FOR THE PURPOSES OF THIS ARTICLE: 1. "CYBERSE-
CURITY INCIDENT" MEANS AN EVENT OCCURRING ON OR CONDUCTED THROUGH A
COMPUTER NETWORK THAT ACTUALLY OR IMMINENTLY JEOPARDIZES THE INTEGRITY,
CONFIDENTIALITY, OR AVAILABILITY OF COMPUTERS, INFORMATION OR COMMUNI-
CATIONS SYSTEMS OR NETWORKS, PHYSICAL OR VIRTUAL INFRASTRUCTURE
CONTROLLED BY COMPUTERS OR INFORMATION SYSTEMS, OR INFORMATION RESIDENT
THEREON.
2. "INFORMATION SYSTEM" MEANS A DISCRETE SET OF INFORMATION RESOURCES
ORGANIZED FOR THE COLLECTION, PROCESSING, MAINTENANCE, USE, SHARING,
DISSEMINATION, OR DISPOSITION OF INFORMATION.
3. "MUNICIPAL CORPORATION" MEANS:
(A) A MUNICIPAL CORPORATION AS DEFINED IN SECTION ONE HUNDRED NINE-
TEEN-N OF THIS CHAPTER; OR
(B) A DISTRICT AS DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THIS
CHAPTER.
4. "RANSOM PAYMENT" MEANS THE TRANSMISSION OF ANY MONEY OR OTHER PROP-
ERTY OR ASSET, INCLUDING VIRTUAL CURRENCY, OR ANY PORTION THEREOF, WHICH
HAS AT ANY TIME BEEN DELIVERED AS RANSOM IN CONNECTION WITH A RANSOMWARE
ATTACK.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD10937-01-5
5. "RANSOMWARE ATTACK":
(A) MEANS AN INCIDENT THAT INCLUDES THE USE OR THREAT OF USE OF UNAU-
THORIZED OR MALICIOUS CODE ON AN INFORMATION SYSTEM, OR THE USE OR
THREAT OF USE OF ANOTHER DIGITAL MECHANISM SUCH AS A DENIAL OF SERVICE
ATTACK, TO INTERRUPT OR DISRUPT THE OPERATIONS OF AN INFORMATION SYSTEM
OR COMPROMISE THE CONFIDENTIALITY, AVAILABILITY, OR INTEGRITY OF ELEC-
TRONIC DATA STORED ON, PROCESSED BY, OR TRANSITING AN INFORMATION SYSTEM
TO EXTORT A DEMAND FOR A RANSOM PAYMENT; AND
(B) DOES NOT INCLUDE ANY SUCH EVENT IN WHICH THE DEMAND FOR PAYMENT
IS:
(I) NOT GENUINE; OR
(II) MADE IN GOOD FAITH BY AN ENTITY IN RESPONSE TO A SPECIFIC REQUEST
BY THE OWNER OR OPERATOR OF THE INFORMATION SYSTEM.
§ 995-B. REPORTING OF CYBERSECURITY INCIDENTS. 1. NOTWITHSTANDING ANY
OTHER PROVISION OF LAW TO THE CONTRARY, ALL MUNICIPAL CORPORATIONS SHALL
REPORT CYBERSECURITY INCIDENTS AND WHEN APPLICABLE, THE DEMAND OF A
RANSOM PAYMENT, TO THE COMMISSIONER OF THE DIVISION OF HOMELAND SECURITY
AND EMERGENCY SERVICES IN THE FORM AND METHOD PRESCRIBED BY SUCH COMMIS-
SIONER.
2. ALL MUNICIPAL CORPORATIONS SHALL REPORT CYBERSECURITY INCIDENTS,
AND DEMANDS FOR A RANSOM PAYMENT, NO LATER THAN SEVENTY-TWO HOURS AFTER
THE MUNICIPALITY REASONABLY BELIEVES THE CYBERSECURITY INCIDENT HAS
OCCURRED OR DEMAND FOR A RANSOM PAYMENT HAS BEEN MADE.
3. ANY CYBERSECURITY INCIDENT REPORT AND ANY RECORDS RELATED TO A
RANSOM PAYMENT SUBMITTED TO THE COMMISSIONER OF THE DIVISION OF HOMELAND
SECURITY AND EMERGENCY SERVICES PURSUANT TO THE REQUIREMENTS OF THIS
ARTICLE SHALL BE EXEMPT FROM DISCLOSURE UNDER ARTICLE SIX OF THE PUBLIC
OFFICERS LAW.
§ 995-C. NOTICE AND EXPLANATION OF RANSOM PAYMENT. NOTWITHSTANDING ANY
OTHER PROVISION OF LAW TO THE CONTRARY, EACH MUNICIPAL CORPORATION
SHALL, IN THE EVENT OF A RANSOM PAYMENT MADE IN CONNECTION WITH A
CYBERSECURITY INCIDENT OR RANSOMWARE ATTACK INVOLVING THE MUNICIPAL
CORPORATION, PROVIDE THE COMMISSIONER OF THE DIVISION OF HOMELAND SECU-
RITY AND EMERGENCY SERVICES THROUGH MEANS PRESCRIBED BY SUCH COMMISSION-
ER WITH THE FOLLOWING:
(A) WITHIN TWENTY-FOUR HOURS OF THE RANSOM PAYMENT, NOTICE OF THE
PAYMENT; AND
(B) WITHIN THIRTY DAYS OF THE RANSOM PAYMENT, A WRITTEN DESCRIPTION OF
THE REASONS PAYMENT WAS NECESSARY, THE AMOUNT OF THE RANSOM PAYMENT, THE
MEANS BY WHICH THE RANSOM PAYMENT WAS MADE, A DESCRIPTION OF ALTERNA-
TIVES TO PAYMENT CONSIDERED, ALL DILIGENCE PERFORMED TO FIND ALTERNA-
TIVES TO PAYMENT AND ALL DILIGENCE PERFORMED TO ENSURE COMPLIANCE WITH
APPLICABLE STATE AND FEDERAL RULES AND REGULATIONS INCLUDING THOSE OF
THE UNITED STATES DEPARTMENT OF THE TREASURY'S OFFICE OF FOREIGN ASSETS
CONTROL.
§ 2. The executive law is amended by adding a new section 711-c to
read as follows:
§ 711-C. CYBERSECURITY INCIDENT REVIEWS. 1. FOR THE PURPOSES OF THIS
SECTION:
(A) "CYBERSECURITY INCIDENT" MEANS AN EVENT OCCURRING ON OR CONDUCTED
THROUGH A COMPUTER NETWORK THAT ACTUALLY OR IMMINENTLY JEOPARDIZES THE
INTEGRITY, CONFIDENTIALITY, OR AVAILABILITY OF COMPUTERS, INFORMATION OR
COMMUNICATIONS SYSTEMS OR NETWORKS, PHYSICAL OR VIRTUAL INFRASTRUCTURE
CONTROLLED BY COMPUTERS OR INFORMATION SYSTEMS, OR INFORMATION RESIDENT
THEREON.
(B) "CYBER THREAT" MEANS ANY CIRCUMSTANCE OR EVENT WITH THE POTENTIAL
TO ADVERSELY IMPACT ORGANIZATIONAL OPERATIONS, ORGANIZATIONAL ASSETS, OR
INDIVIDUALS THROUGH AN INFORMATION SYSTEM VIA UNAUTHORIZED ACCESS,
DESTRUCTION, DISCLOSURE, MODIFICATION OF INFORMATION, AND/OR DENIAL OF
SERVICE.
(C) "CYBER THREAT INDICATOR" MEANS INFORMATION THAT IS NECESSARY TO
DESCRIBE OR IDENTIFY:
(I) MALICIOUS RECONNAISSANCE, INCLUDING ANOMALOUS PATTERNS OF COMMUNI-
CATIONS THAT APPEAR TO BE TRANSMITTED FOR THE PURPOSE OF GATHERING TECH-
NICAL INFORMATION RELATED TO A CYBER THREAT OR SECURITY VULNERABILITY;
(II) A METHOD OF DEFEATING A SECURITY CONTROL OR EXPLOITATION OF A
SECURITY VULNERABILITY;
(III) A SECURITY VULNERABILITY, INCLUDING ANOMALOUS ACTIVITY THAT
APPEARS TO INDICATE THE EXISTENCE OF A SECURITY VULNERABILITY;
(IV) A METHOD OF CAUSING A USER WITH LEGITIMATE ACCESS TO AN INFORMA-
TION SYSTEM OR INFORMATION THAT IS STORED ON, PROCESSED BY, OR TRANSIT-
ING AN INFORMATION SYSTEM TO UNWITTINGLY ENABLE THE DEFEAT OF A SECURITY
CONTROL OR EXPLOITATION OF A SECURITY VULNERABILITY;
(V) MALICIOUS CYBER COMMAND AND CONTROL;
(VI) THE ACTUAL OR POTENTIAL HARM CAUSED BY AN INCIDENT, INCLUDING A
DESCRIPTION OF THE INFORMATION EXFILTRATED AS A RESULT OF A PARTICULAR
CYBER THREAT;
(VII) ANY OTHER ATTRIBUTE OF A CYBER THREAT, IF DISCLOSURE OF SUCH
ATTRIBUTE IS NOT OTHERWISE PROHIBITED BY LAW; OR
(VIII) ANY COMBINATION THEREOF.
(D) "DEFENSIVE MEASURE" MEANS AN ACTION, DEVICE, PROCEDURE, SIGNATURE,
TECHNIQUE, OR OTHER MEASURE APPLIED TO AN INFORMATION SYSTEM OR INFORMA-
TION THAT IS STORED ON, PROCESSED BY, OR TRANSITING AN INFORMATION
SYSTEM THAT DETECTS, PREVENTS, OR MITIGATES A KNOWN OR SUSPECTED CYBER
THREAT OR SECURITY VULNERABILITY. THE TERM "DEFENSIVE MEASURE" DOES NOT
INCLUDE A MEASURE THAT DESTROYS, RENDERS UNUSABLE, PROVIDES UNAUTHORIZED
ACCESS TO, OR SUBSTANTIALLY HARMS AN INFORMATION SYSTEM OR INFORMATION
STORED ON, PROCESSED BY, OR TRANSITING SUCH INFORMATION SYSTEM NOT OWNED
BY THE MUNICIPAL CORPORATION OPERATING THE MEASURE, OR FEDERAL ENTITY
THAT IS AUTHORIZED TO PROVIDE CONSENT AND HAS PROVIDED CONSENT TO THAT
MUNICIPAL CORPORATION FOR OPERATION OF SUCH MEASURE.
(E) "INFORMATION SYSTEM" MEANS A DISCRETE SET OF INFORMATION RESOURCES
ORGANIZED FOR THE COLLECTION, PROCESSING, MAINTENANCE, USE, SHARING,
DISSEMINATION, OR DISPOSITION OF INFORMATION.
(F) "MUNICIPAL CORPORATION" MEANS:
(I) A MUNICIPAL CORPORATION AS DEFINED IN SECTION ONE HUNDRED NINE-
TEEN-N OF THE GENERAL MUNICIPAL LAW; OR
(II) A DISTRICT AS DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THE
GENERAL MUNICIPAL LAW.
(G) "RANSOMWARE ATTACK":
(I) MEANS AN INCIDENT THAT INCLUDES THE USE OR THREAT OF USE OF UNAU-
THORIZED OR MALICIOUS CODE ON AN INFORMATION SYSTEM, OR THE USE OR
THREAT OF USE OF ANOTHER DIGITAL MECHANISM SUCH AS A DENIAL OF SERVICE
ATTACK, TO INTERRUPT OR DISRUPT THE OPERATIONS OF AN INFORMATION SYSTEM
OR COMPROMISE THE CONFIDENTIALITY, AVAILABILITY, OR INTEGRITY OF ELEC-
TRONIC DATA STORED ON, PROCESSED BY, OR TRANSITING AN INFORMATION SYSTEM
TO EXTORT A DEMAND FOR A RANSOM PAYMENT; AND
(II) DOES NOT INCLUDE ANY SUCH EVENT IN WHICH THE DEMAND FOR
PAYMENT IS:
(A) NOT GENUINE; OR
(B) MADE IN GOOD FAITH BY AN ENTITY IN RESPONSE TO A SPECIFIC REQUEST
BY THE OWNER OR OPERATOR OF THE INFORMATION SYSTEM.
2. THE COMMISSIONER, OR THEIR DESIGNEE, SHALL REVIEW EACH CYBERSECURI-
TY INCIDENT REPORT AND NOTICE OF RANSOM PAYMENT AND EXPLANATION OF
RANSOM PAYMENT SUBMITTED PURSUANT TO SECTIONS NINE HUNDRED NINETY-FIVE-B
AND NINE HUNDRED NINETY-FIVE-C OF THE GENERAL MUNICIPAL LAW TO ASSESS
POTENTIAL IMPACTS OF CYBERSECURITY INCIDENTS AND RANSOM PAYMENTS ON THE
HEALTH, SAFETY, WELFARE OR SECURITY OF THE STATE, OR ITS RESIDENTS.
3. THE COMMISSIONER, OR THEIR DESIGNEE, MAY WORK WITH APPROPRIATE
STATE AGENCIES, FEDERAL LAW ENFORCEMENT, AND FEDERAL HOMELAND SECURITY
AGENCIES TO PROVIDE MUNICIPAL CORPORATIONS WITH REPORTS OF CYBERSECURITY
INCIDENTS AND TRENDS, INCLUDING BUT NOT LIMITED TO, TO THE MAXIMUM
EXTENT PRACTICABLE, RELATED CONTEXTUAL INFORMATION, CYBER THREAT INDICA-
TORS, AND DEFENSIVE MEASURES. THE COMMISSIONER SHALL COORDINATE AND
SHARE SUCH REPORTED INFORMATION WITH MUNICIPAL CORPORATIONS, AND MAY
COORDINATE AND SHARE SUCH REPORTED INFORMATION WITH STATE AGENCIES, AND
FEDERAL LAW ENFORCEMENT AND HOMELAND SECURITY AGENCIES AS NECESSARY TO
RESPOND TO AND MITIGATE CYBER THREATS.
4. WITHIN FORTY-EIGHT HOURS OF RECEIVING A CYBERSECURITY INCIDENT
REPORT OR NOTICE OF A DEMAND FOR RANSOM PAYMENT PURSUANT TO ARTICLE
NINETEEN-C OF THE GENERAL MUNICIPAL LAW, THE COMMISSIONER, OR THEIR
DESIGNEE, SHALL PROVIDE ADVICE AND TECHNICAL ASSISTANCE TO THE MUNICIPAL
CORPORATION THAT REPORTED SUCH CYBERSECURITY INCIDENT OR DEMAND FOR
RANSOM IN CONNECTION WITH A CYBERSECURITY INCIDENT OR RANSOMWARE ATTACK,
AND SHALL FURTHER NOTIFY ANY MUNICIPAL CORPORATION THAT MAY BE AFFECTED
OR IMPACTED BY SUCH CYBERSECURITY THREAT OR RANSOMWARE ATTACK WITHIN
FORTY-EIGHT HOURS OF RECEIVING SUCH REPORT.
5. SUCH REPORTS, ASSESSMENTS, RECORDS, REVIEWS, DOCUMENTS, RECOMMENDA-
TIONS, GUIDANCE AND ANY INFORMATION CONTAINED OR USED IN ITS PREPARATION
SHALL BE EXEMPT FROM DISCLOSURE UNDER ARTICLE SIX OF THE PUBLIC OFFICERS
LAW.
§ 3. The state technology law is amended by adding a new section 103-f
to read as follows:
§ 103-F. CYBERSECURITY AWARENESS TRAINING. 1. (A) EMPLOYEES OF THE
STATE WHO USE TECHNOLOGY AS A PART OF THEIR OFFICIAL JOB DUTIES SHALL
TAKE ANNUAL CYBERSECURITY AWARENESS TRAINING BEGINNING JANUARY FIRST,
TWO THOUSAND TWENTY-SIX. EMPLOYEES OF THE STATE SHALL BE REQUIRED TO
COMPLETE THE TRAINING PROVIDED BY THE OFFICE.
(B) FOR PURPOSES OF THIS SECTION, "EMPLOYEES OF THE STATE" SHALL
INCLUDE EMPLOYEES OF ALL STATE AGENCIES AND ALL PUBLIC BENEFIT CORPO-
RATIONS, THE HEADS OF WHICH ARE APPOINTED BY THE GOVERNOR.
2. EMPLOYEES OF A COUNTY, A CITY, A TOWN, VILLAGE, OR A DISTRICT AS
DEFINED IN SECTION ONE HUNDRED NINETEEN-N OF THE GENERAL MUNICIPAL LAW
WHO USE TECHNOLOGY AS A PART OF THEIR OFFICIAL JOB DUTIES SHALL TAKE
ANNUAL CYBERSECURITY AWARENESS TRAINING BEGINNING JANUARY FIRST, TWO
THOUSAND TWENTY-SIX. THE OFFICE SHALL MAKE A CYBERSECURITY TRAINING
AVAILABLE FOR USE BY A COUNTY, A CITY, A TOWN, OR A VILLAGE AT NO
CHARGE.
3. ALL TRAINING MANDATED BY THIS SECTION SHALL BE CONDUCTED DURING THE
EMPLOYEE'S REGULAR WORKING HOURS AND EMPLOYEES SHALL RECEIVE COMPEN-
SATION AT THEIR REGULAR RATE OF PAY FOR ANY TIME SPENT PARTICIPATING IN
SUCH TRAINING.
§ 4. This act shall take effect on the one hundred eightieth day after
it shall have become a law.