STATE OF NEW YORK
________________________________________________________________________
1961
2025-2026 Regular Sessions
IN SENATE
January 14, 2025
___________
Introduced by Sen. GONZALEZ -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology
AN ACT to amend the state technology law, in relation to establishing the "secure our data act"
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. This act shall be known and may be cited as the "secure our data act".
§ 2. Legislative intent. The legislature finds that information technology attacks and breaches have compromised governmental networks and the electronically stored personal information of countless people statewide and nationwide. State entities often receive such personal information from various sources, including the data subjects themselves, other state entities, and the federal government. Additionally, state entities use such personal information to make determinations regarding data subjects. New Yorkers deserve to have their personal information in the possession of a state entity stored in a manner that will withstand any attempt by a bad actor to access, alter, or prohibit access to such information.
Therefore, the legislature enacts the secure our data act, which will require state entities to employ adequate practices and systems to protect the personal information from any unauthorized acquisition, access, alteration or change in access.
§ 3. The state technology law is amended by adding a new section 210 to read as follows:
§ 210. CYBERSECURITY PROTECTION. 1. DEFINITIONS. FOR PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
(A) "BREACH OF THE SECURITY OF THE SYSTEM" MEANS (I) UNAUTHORIZED EXFILTRATION, ACQUISITION, OR ACQUISITION WITHOUT VALID AUTHORIZATION, OF COMPUTERIZED INFORMATION WHICH COMPROMISES THE SECURITY, CONFIDENTIALITY, OR INTEGRITY OF STATE ENTITY-MAINTAINED PERSONAL INFORMATION, (II) UNAUTHORIZED ACCESS, OR ACCESS WITHOUT VALID AUTHORIZATION, TO STATE ENTITY-MAINTAINED PERSONAL INFORMATION OR TO AN INFORMATION SYSTEM USED FOR PERSONAL INFORMATION, OR (III) UNAUTHORIZED MODIFICATION OF THE ACCESS PERMISSIONS, INCLUDING THROUGH THE USE OF ENCRYPTION, TO AN INFORMATION SYSTEM USED FOR PERSONAL INFORMATION. "BREACH OF THE SECURITY OF THE SYSTEM" DOES NOT INCLUDE GOOD FAITH ACQUISITION OF OR ACCESS TO PERSONAL INFORMATION, OR ACCESS TO AN INFORMATION SYSTEM BY AN EMPLOYEE OR AGENT OF A STATE ENTITY FOR THE PURPOSES OF THE STATE ENTITY; PROVIDED THAT THE PRIVATE INFORMATION OR INFORMATION SYSTEM IS NOT USED IN AN UNAUTHORIZED MANNER, ACCESSED FOR AN UNLAWFUL OR INAPPROPRIATE PURPOSE, MODIFIED TO CHANGE ACCESS PERMISSIONS WITHOUT AUTHORIZATION, OR SUBJECT TO UNAUTHORIZED DISCLOSURE. IN DETERMINING WHETHER STATE ENTITY-MAINTAINED PERSONAL INFORMATION OR AN INFORMATION SYSTEM USED FOR PERSONAL INFORMATION HAS BEEN EXFILTRATED, ACQUIRED, ACCESSED, OR EXPERIENCED A CHANGE IN ACCESS PERMISSIONS WITHOUT AUTHORIZATION OR WITHOUT VALID AUTHORIZATION, SUCH STATE ENTITY MAY CONSIDER THE FOLLOWING FACTORS, AMONG OTHERS:
(1) INDICATIONS THAT THE INFORMATION IS IN THE PHYSICAL POSSESSION AND CONTROL OF AN UNAUTHORIZED PERSON, SUCH AS A LOST OR STOLEN COMPUTER OR OTHER DEVICE CONTAINING INFORMATION;
(2) INDICATIONS THAT THE INFORMATION HAS BEEN DOWNLOADED OR COPIED;
(3) INDICATIONS THAT THE INFORMATION WAS USED BY AN UNAUTHORIZED PERSON, SUCH AS FRAUDULENT ACCOUNTS OPENED OR INSTANCES OF IDENTITY THEFT REPORTED; OR
(4) INDICATIONS THAT THE INFORMATION OR INFORMATION SYSTEM WAS ACCESSED WITHOUT AUTHORIZATION OR WITHOUT VALID AUTHORIZATION, INCLUDING BUT NOT LIMITED TO DATA IN INFORMATION SYSTEM ACCESS LOGS, CHANGES MODIFYING ACCESS TO THE INFORMATION OR INFORMATION SYSTEM, MODIFICATION OR DELETION OF STORED INFORMATION, INJECTING OR INSTALLING MALICIOUS CODE ON THE INFORMATION SYSTEM, OR UNAUTHORIZED ENCRYPTION OF STORED INFORMATION.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD05506-01-5
(B) "DATA SUBJECT" MEANS THE PERSON WHO IS THE SUBJECT OF THE PERSONAL INFORMATION.
(C) "DATA VALIDATION" MEANS ENSURING THE ACCURACY, QUALITY, AND VALIDITY OF SOURCE DATA BEFORE USING, IMPORTING, SAVING, STORING, OR OTHERWISE PROCESSING DATA.
(D) "IMMUTABLE" MEANS DATA THAT IS STORED UNCHANGED OVER TIME OR UNABLE TO BE CHANGED. FOR THE PURPOSES OF BACKUPS, "IMMUTABLE" SHALL MEAN THAT, ONCE INGESTED, NO EXTERNAL OR INTERNAL OPERATION CAN MODIFY THE DATA AND MUST NEVER BE AVAILABLE IN A READ/WRITE STATE TO THE CLIENT. "IMMUTABLE" SHALL SPECIFICALLY APPLY TO THE CHARACTERISTICS AND ATTRIBUTES OF A BACKUP SYSTEM'S FILE SYSTEM AND MAY NOT BE APPLIED TO TEMPORARY SYSTEMS STATE, TIME-BOUND OR EXPIRING CONFIGURATIONS, OR TEMPORARY CONDITIONS CREATED BY A PHYSICAL AIR GAP AS IS IMPLEMENTED IN MOST LEGACY SYSTEMS, PROVIDED THAT IMMUTABLE BACKUPS MUST BE CAPABLE OF DELETION AND REPLACEMENT, AS APPLICABLE, IN ACCORDANCE WITH THE DATA RETENTION AND DELETION POLICY GOVERNING THE DATA. AN IMMUTABLE FILE SYSTEM MUST DEMONSTRATE CHARACTERISTICS THAT DO NOT PERMIT THE EDITING OR CHANGING OF ANY DATA BACKED UP TO PROVIDE AGENCIES WITH COMPLETE RECOVERY CAPABILITIES.
(E) "INFORMATION SYSTEM" MEANS ANY GOOD, SERVICE OR A COMBINATION THEREOF, USED BY ANY COMPUTER, CLOUD SERVICE, OR INTERCONNECTED SYSTEM THAT IS MAINTAINED FOR OR USED BY A STATE ENTITY IN THE ACQUISITION, STORAGE, MANIPULATION, MANAGEMENT, MOVEMENT, CONTROL, DISPLAY, SWITCHING, INTERCHANGE, TRANSMISSION, OR RECEPTION OF DATA OR VOICE INCLUDING, BUT NOT LIMITED TO, HARDWARE, SOFTWARE, INFORMATION APPLIANCES, FIRMWARE, PROGRAMS, SYSTEMS, NETWORKS, INFRASTRUCTURE, MEDIA, AND RELATED MATERIAL USED TO AUTOMATICALLY AND ELECTRONICALLY COLLECT, RECEIVE, ACCESS, TRANSMIT, DISPLAY, STORE, RECORD, RETRIEVE, ANALYZE, EVALUATE, PROCESS, CLASSIFY, MANIPULATE, MANAGE, ASSIMILATE, CONTROL, COMMUNICATE, EXCHANGE, CONVERT, COVERAGE, INTERFACE, SWITCH, OR DISSEMINATE DATA OR INFORMATION OF ANY KIND OR FORM.
(F) "MISSION CRITICAL" MEANS INFORMATION OR INFORMATION SYSTEMS THAT ARE ESSENTIAL TO THE FUNCTIONING OF THE STATE ENTITY.
(G) "SEGMENTED STORAGE" MEANS THE METHOD OF DATA STORAGE WHEREBY (I) INFORMATION IS PARTITIONED OR SEPARATED, WITH OVERLAPPING OR NON-OVERLAPPING PROTECTION, AND (II) SUCH INDIVIDUAL PARTITIONED OR SEPARATED SETS OF INFORMATION ARE STORED IN MULTIPLE PHYSICALLY OR LOGICALLY DISTINCT SECURE LOCATIONS.
(H) "STATE ENTITY-MAINTAINED PERSONAL INFORMATION" MEANS PERSONAL INFORMATION STORED BY A STATE ENTITY THAT WAS GENERATED BY A STATE ENTITY OR PROVIDED TO THE STATE ENTITY BY THE DATA SUBJECT, A STATE ENTITY, A FEDERAL GOVERNMENTAL ENTITY, OR ANY OTHER THIRD-PARTY SOURCE. SUCH TERM SHALL ALSO INCLUDE PERSONAL INFORMATION PROVIDED BY AN ADVERSE PARTY IN THE COURSE OF LITIGATION OR OTHER ADVERSARIAL PROCEEDING.
(I) "STATE ENTITY" MEANS ANY STATE BOARD, BUREAU, DIVISION, COMMITTEE, COMMISSION, COUNCIL, DEPARTMENT, PUBLIC AUTHORITY, PUBLIC BENEFIT CORPORATION, OFFICE OR OTHER GOVERNMENTAL ENTITY PERFORMING A GOVERNMENTAL OR PROPRIETARY FUNCTION FOR THE STATE OF NEW YORK, EXCEPT:
(I) THE JUDICIARY; AND
(II) ALL CITIES, COUNTIES, MUNICIPALITIES, VILLAGES, TOWNS, AND OTHER LOCAL AGENCIES.
2. DATA PROTECTION STANDARDS. (A) NO LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION, THE DIRECTOR, IN CONSULTATION WITH STAKEHOLDERS AND OTHER INTERESTED PARTIES, WHICH SHALL INCLUDE AT LEAST ONE PUBLIC HEARING, SHALL PROMULGATE REGULATIONS THAT DESIGN AND DEVELOP STANDARDS FOR:
(I) PROTECTION AGAINST BREACHES OF THE SECURITY OF THE SYSTEM FOR MISSION CRITICAL INFORMATION SYSTEMS AND FOR PERSONAL INFORMATION USED BY SUCH INFORMATION SYSTEMS;
(II) DATA BACKUP THAT INCLUDES:
(A) THE CREATION OF IMMUTABLE BACKUPS OF STATE ENTITY-MAINTAINED PERSONAL INFORMATION;
(B) THROUGH DATA VALIDATION TECHNIQUES, THE EXCLUSION OF UNWANTED DATA FROM SUCH IMMUTABLE BACKUPS, INCLUDING BUT NOT LIMITED TO ILLEGAL CONTENT, CORRUPTED DATA, MALICIOUS CODE, AND CONTENT THAT BREACHES INTELLECTUAL PROPERTY PROTECTIONS;
(C) PROHIBITIONS ON THE USE OF SUCH IMMUTABLE BACKUPS EXCEPT FOR CONDUCTING DATA VALIDATION AND PERFORMING INFORMATION SYSTEM RECOVERY; AND
(D) STORAGE OF SUCH IMMUTABLE BACKUPS IN SEGMENTED STORAGE;
(III) INFORMATION SYSTEM RECOVERY THAT INCLUDES CREATING AN IDENTICAL COPY OF AN IMMUTABLE BACKUP OF STATE ENTITY-MAINTAINED PERSONAL INFORMATION IN SEGMENTED STORAGE FOR USE WHEN AN INFORMATION SYSTEM HAS BEEN ADVERSELY AFFECTED BY A BREACH OF THE SECURITY OF THE SYSTEM AND REQUIRES RESTORATION FROM ONE OR MORE BACKUPS;
(IV) DATA RETENTION AND DELETION POLICIES SPECIFYING HOW LONG CERTAIN TYPES OF DATA SHALL BE RETAINED ON INFORMATION SYSTEMS AND AS IMMUTABLE BACKUPS IN SEGMENTED STORAGE AND WHEN OR UNDER WHAT CIRCUMSTANCES SUCH DATA SHALL BE DELETED; AND
(V) ANNUAL WORKFORCE TRAINING REGARDING PROTECTION AGAINST BREACHES OF THE SECURITY OF THE SYSTEM, AS WELL AS PROCESSES AND PROCEDURES THAT SHOULD BE FOLLOWED IN THE EVENT OF A BREACH OF THE SECURITY OF THE SYSTEM.
(B) SUCH REGULATIONS MAY BE ADOPTED ON AN EMERGENCY BASIS. IF SUCH REGULATIONS ARE ADOPTED ON AN EMERGENCY BASIS, THE OFFICE SHALL ENGAGE IN THE FORMAL RULEMAKING PROCEDURE NO LATER THAN THE DAY IMMEDIATELY FOLLOWING THE DATE THAT THE OFFICE PROMULGATED SUCH REGULATIONS ON AN EMERGENCY BASIS. PROVIDED THAT THE OFFICE HAS COMMENCED THE FORMAL RULEMAKING PROCESS, THE REGULATIONS ADOPTED ON AN EMERGENCY BASIS MAY BE RENEWED NO MORE THAN TWO TIMES.
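The backup standards in subdivision 2(A)(ii) and (iii) rest on three of the definitions in subdivision 1: data validation (C), immutability (D) and segmented storage (G). The Python model below is an added illustration of how those properties fit together in one store; it is not part of the bill and not any state entity's implementation. The store design, the checksum-plus-marker validation rules, the two-site layout and the 365-day retention period are assumptions chosen for the example, and the personal-information record it backs up is constructed.

```python
"""Model of the backup standards in subdivision 2(A)(ii)-(iii) built on the
definitions of data validation (1(C)), immutability (1(D)) and segmented
storage (1(G)). Added example, not the bill's text or any agency's code; the
store design, validation rules, site layout and retention period are assumed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed marker standing in for a real malware scan during validation.
BLOCKED_MARKERS = (b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",)


class ValidationError(ValueError):
    """Source data failed validation and must not enter the backup."""


class ImmutabilityViolation(PermissionError):
    """An attempt to alter data that has already been ingested."""


def validate(payload: bytes, declared_sha256: str) -> None:
    """Data validation before ingest: integrity check, then content screening."""
    if hashlib.sha256(payload).hexdigest() != declared_sha256:
        raise ValidationError("corrupted data: checksum mismatch")
    if any(marker in payload for marker in BLOCKED_MARKERS):
        raise ValidationError("unwanted content: malicious code marker present")


@dataclass(frozen=True)
class BackupObject:
    """Frozen record; the client never receives a read/write handle to it."""
    name: str
    payload: bytes
    sha256: str
    ingested: date


class ImmutableSegment:
    """One physically or logically distinct location. Objects are write-once;
    the only mutation allowed is deletion under the retention policy."""

    def __init__(self, location: str) -> None:
        self.location = location
        self._objects: dict[str, BackupObject] = {}

    def ingest(self, obj: BackupObject) -> None:
        if obj.name in self._objects:
            raise ImmutabilityViolation(f"{obj.name}: overwrite refused")
        self._objects[obj.name] = obj

    def read(self, name: str) -> BackupObject:
        return self._objects[name]

    def expire(self, today: date, retention: timedelta) -> list[str]:
        """Delete only objects whose retention period has elapsed."""
        expired = [n for n, o in self._objects.items() if today - o.ingested >= retention]
        for n in expired:
            del self._objects[n]
        return expired


class SegmentedBackupStore:
    """Identical immutable copies kept in several distinct locations."""

    def __init__(self, locations: list[str], retention: timedelta) -> None:
        if len(set(locations)) < 2:
            raise ValueError("segmented storage needs at least two distinct locations")
        self.segments = [ImmutableSegment(loc) for loc in locations]
        self.retention = retention

    def backup(self, name: str, payload: bytes, declared_sha256: str, today: date) -> BackupObject:
        validate(payload, declared_sha256)  # unwanted data never reaches a segment
        obj = BackupObject(name, payload, declared_sha256, today)
        for seg in self.segments:
            seg.ingest(obj)
        return obj

    def recover(self, name: str) -> bytes:
        """Recovery: read every copy and restore only if all agree with the checksum."""
        copies = [seg.read(name) for seg in self.segments]
        digests = {hashlib.sha256(c.payload).hexdigest() for c in copies}
        if digests != {copies[0].sha256}:
            raise ImmutabilityViolation(f"{name}: copies diverge or checksum mismatch")
        return copies[0].payload

    def apply_retention(self, today: date) -> dict[str, list[str]]:
        return {seg.location: seg.expire(today, self.retention) for seg in self.segments}


def demo() -> dict[str, object]:
    """Life cycle on constructed data: backup, recover, refuse an overwrite and
    a corrupt input, then expire under a one-year retention policy."""
    store = SegmentedBackupStore(["site-a", "site-b"], retention=timedelta(days=365))
    record = b"subject=0001;dob=1990-01-01"  # constructed personal information
    digest = hashlib.sha256(record).hexdigest()
    store.backup("pi-2026-01", record, digest, date(2026, 1, 15))
    result: dict[str, object] = {"recovered": store.recover("pi-2026-01") == record}
    try:
        store.backup("pi-2026-01", b"tampered", hashlib.sha256(b"tampered").hexdigest(), date(2026, 1, 16))
        result["overwrite_refused"] = False
    except ImmutabilityViolation:
        result["overwrite_refused"] = True
    try:
        store.backup("bad", b"junk", "0" * 64, date(2026, 1, 16))
        result["corrupt_rejected"] = False
    except ValidationError:
        result["corrupt_rejected"] = True
    result["expired_early"] = store.apply_retention(date(2026, 6, 1))
    result["expired_on_time"] = store.apply_retention(date(2027, 1, 15))
    return result
```

Two design points follow directly from the definition in subdivision 1(D): the store exposes only frozen objects, so no client ever holds a writable handle, and the single path that removes data is the retention check, which is exactly the deletion and replacement the definition allows. Recovery refuses to proceed when the copies in the segments disagree, which is the check that turns segmented storage into a defence against a breach that reached one location.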
3. VULNERABILITY ASSESSMENTS. NOTWITHSTANDING ANY PROVISION OF LAW TO THE CONTRARY, EACH STATE ENTITY SHALL ENGAGE IN VULNERABILITY TESTING OF ITS INFORMATION SYSTEMS AS FOLLOWS:
(A) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-SIX AND ON A MONTHLY BASIS THEREAFTER, EACH STATE ENTITY SHALL PERFORM, OR CAUSE TO BE PERFORMED, A VULNERABILITY ASSESSMENT OF AT LEAST ONE MISSION CRITICAL INFORMATION SYSTEM ENSURING THAT EACH MISSION CRITICAL SYSTEM HAS UNDERGONE A VULNERABILITY ASSESSMENT DURING THE PAST YEAR. A REPORT DETAILING THE VULNERABILITY ASSESSMENT METHODOLOGY AND FINDINGS SHALL BE MADE AVAILABLE TO THE OFFICE FOR REVIEW NO LATER THAN FORTY-FIVE DAYS AFTER THE TESTING HAS BEEN COMPLETED.
(B) BEGINNING DECEMBER FIRST, TWO THOUSAND TWENTY-SIX, EACH STATE ENTITY'S ENTIRE INFORMATION SYSTEM SHALL UNDERGO VULNERABILITY TESTING. A REPORT DETAILING THE VULNERABILITY ASSESSMENT METHODOLOGY AND FINDINGS SHALL BE MADE AVAILABLE TO THE OFFICE FOR REVIEW NO LATER THAN FORTY-FIVE DAYS AFTER SUCH TESTING HAS BEEN COMPLETED.
(C) THE OFFICE SHALL ASSIST STATE ENTITIES IN COMPLYING WITH THE PROVISIONS OF THIS SECTION.
4. DATA AND INFORMATION SYSTEM INVENTORY. (A) NO LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE ENTITY SHALL CREATE AN INVENTORY OF THE STATE ENTITY-MAINTAINED PERSONAL INFORMATION AND THE PURPOSE OR PURPOSES FOR WHICH SUCH STATE ENTITY-MAINTAINED PERSONAL INFORMATION IS MAINTAINED AND USED. THE INVENTORY SHALL INCLUDE A LISTING OF ALL TYPES OF STATE ENTITY-MAINTAINED PERSONAL INFORMATION, ALONG WITH THE SOURCE AND THE MEDIAN AGE OF SUCH INFORMATION.
(B) NO LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE ENTITY SHALL CREATE AN INVENTORY OF ITS INFORMATION SYSTEMS AND THE PURPOSE OR PURPOSES FOR WHICH EACH SUCH INFORMATION SYSTEM IS MAINTAINED AND USED. THE INVENTORY SHALL DENOTE THOSE INFORMATION SYSTEMS THAT ARE MISSION CRITICAL AND THOSE THAT USE PERSONAL INFORMATION, AND WHETHER THE INFORMATION SYSTEM IS PROTECTED BY IMMUTABLE BACKUPS AND STORED IN A SEGMENTED MANNER.
(C) NOTWITHSTANDING PARAGRAPHS (A) AND (B) OF THIS SUBDIVISION, IF A STATE ENTITY HAS ALREADY COMPLETED A STATE ENTITY-MAINTAINED PERSONAL INFORMATION INVENTORY OR INFORMATION SYSTEMS INVENTORY, SUCH STATE ENTITY SHALL UPDATE THE PREVIOUSLY COMPLETED STATE ENTITY-MAINTAINED PERSONAL INFORMATION INVENTORY OR INFORMATION SYSTEM INVENTORY NO LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION.
(D) UPON WRITTEN REQUEST FROM THE OFFICE, A STATE ENTITY SHALL PROVIDE THE OFFICE WITH EITHER OR BOTH OF THE STATE ENTITY-MAINTAINED PERSONAL INFORMATION AND INFORMATION SYSTEMS INVENTORIES REQUIRED TO BE CREATED OR UPDATED PURSUANT TO THIS SUBDIVISION.
(E) NOTWITHSTANDING PARAGRAPH (D) OF THIS SUBDIVISION, THE STATE ENTITY-MAINTAINED PERSONAL INFORMATION AND INFORMATION SYSTEMS INVENTORIES REQUIRED TO BE CREATED OR UPDATED PURSUANT TO THIS SUBDIVISION SHALL BE KEPT CONFIDENTIAL AND SHALL NOT BE MADE AVAILABLE FOR DISCLOSURE OR INSPECTION UNDER THE STATE FREEDOM OF INFORMATION LAW UNLESS A SUBPOENA OR OTHER COURT ORDER DIRECTS THE OFFICE OR STATE ENTITY TO RELEASE SUCH INVENTORY OR INFORMATION FROM SUCH INVENTORY.
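The monthly rotation in subdivision 3(A) and the inventory attributes in subdivision 4(B) are naturally tracked in one place. The Python tracker below is an added example, not part of the bill: the SystemRecord fields mirror what 4(B) requires the inventory to denote, the inventory entries, purposes and dates are constructed, and the 365-day window and 45-day reporting deadline are taken from subdivision 3. It also makes explicit a point the text leaves implicit: assessing one system a month only brings every mission critical system through an assessment within a year when there are at most twelve of them.

```python
"""Tracker for the vulnerability assessment rotation in subdivision 3 and the
inventory flags in subdivision 4. Added example, not part of the bill; the
inventory records and dates below are constructed."""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import date, timedelta

ASSESSMENT_WINDOW = timedelta(days=365)  # "during the past year", subdivision 3(A)
REPORT_DEADLINE = timedelta(days=45)     # report due to the office, subdivision 3(A)-(B)


@dataclass
class SystemRecord:
    """One inventory entry with the attributes subdivision 4(B) requires."""
    name: str
    purpose: str
    mission_critical: bool
    uses_personal_information: bool
    immutable_backups: bool
    segmented_storage: bool
    last_assessed: date | None = None  # None: never assessed


def overdue(records: list[SystemRecord], today: date) -> list[str]:
    """Mission critical systems with no assessment inside the past year."""
    return [r.name for r in records
            if r.mission_critical
            and (r.last_assessed is None or today - r.last_assessed > ASSESSMENT_WINDOW)]


def next_to_assess(records: list[SystemRecord], count: int = 1) -> list[str]:
    """Pick this month's targets: never-assessed systems first, then the least
    recently assessed, so the yearly coverage requirement is met."""
    candidates = [r for r in records if r.mission_critical]
    candidates.sort(key=lambda r: (r.last_assessed is not None, r.last_assessed or date.min))
    return [r.name for r in candidates[:count]]


def minimum_per_month(records: list[SystemRecord]) -> int:
    """One assessment a month covers every mission critical system within a
    year only when there are at most twelve; otherwise ceil(n / 12) are needed."""
    n = sum(1 for r in records if r.mission_critical)
    return max(1, math.ceil(n / 12))


def report_due(testing_completed: date) -> date:
    """Deadline for the methodology-and-findings report."""
    return testing_completed + REPORT_DEADLINE


def unprotected_personal_information_systems(records: list[SystemRecord]) -> list[str]:
    """Entries that use personal information but are not both immutably backed
    up and stored in a segmented manner (subdivision 4(B))."""
    return [r.name for r in records
            if r.uses_personal_information
            and not (r.immutable_backups and r.segmented_storage)]


# Constructed inventory: four systems with assumed attributes and dates.
SAMPLE_INVENTORY = [
    SystemRecord("benefits-eligibility", "eligibility determinations", True, True, True, True, date(2025, 2, 15)),
    SystemRecord("payroll", "employee payroll", True, True, True, False, date(2025, 12, 10)),
    SystemRecord("license-portal", "license applications", True, True, False, False, None),
    SystemRecord("public-website", "public information", False, False, True, True, date(2025, 6, 1)),
]
TODAY = date(2026, 3, 1)  # assumed reporting date
```

On the constructed inventory, with TODAY as the reporting date, the tracker reports benefits-eligibility and license-portal as overdue, schedules license-portal first because it has never been assessed, and flags payroll and license-portal as systems holding personal information without both immutable and segmented backups.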
5. INCIDENT MANAGEMENT AND RECOVERY. (A) NO LATER THAN EIGHTEEN MONTHS AFTER THE EFFECTIVE DATE OF THIS SECTION, EACH STATE ENTITY SHALL HAVE CREATED AN INCIDENT RESPONSE PLAN FOR INCIDENTS INVOLVING A BREACH OF THE SECURITY OF THE SYSTEM THAT RENDER AN INFORMATION SYSTEM OR ITS DATA UNAVAILABLE, AND INCIDENTS INVOLVING A BREACH OF THE SECURITY OF THE SYSTEM THAT RESULT IN THE ALTERATION OR DELETION OF OR UNAUTHORIZED ACCESS TO, PERSONAL INFORMATION.
(B) SUCH INCIDENT RESPONSE PLAN SHALL INCLUDE A PROCEDURE FOR SITUATIONS WHERE INFORMATION SYSTEMS HAVE BEEN ADVERSELY AFFECTED BY A BREACH OF THE SECURITY OF THE SYSTEM, AS WELL AS A PROCEDURE FOR THE STORAGE OF PERSONAL INFORMATION AND MISSION CRITICAL BACKUPS IN SEGMENTED STORAGE TO ENSURE THAT SUCH PERSONAL INFORMATION AND MISSION CRITICAL SYSTEMS ARE PROTECTED BY IMMUTABLE BACKUPS.
(C) BEGINNING JANUARY FIRST, TWO THOUSAND TWENTY-EIGHT AND ON AN ANNUAL BASIS THEREAFTER, EACH STATE ENTITY SHALL COMPLETE AT LEAST ONE EXERCISE OF ITS INCIDENT RESPONSE PLAN THAT INCLUDES COPYING THE IMMUTABLE PERSONAL INFORMATION AND MISSION CRITICAL APPLICATIONS FROM THE SEGMENTED PORTION OF THE STATE ENTITY'S INFORMATION SYSTEM AND USING SUCH COPIES IN THE STATE ENTITY'S RESTORATION AND RECOVERY PROCESS. UPON COMPLETION OF SUCH EXERCISE, THE STATE ENTITY SHALL DOCUMENT THE INCIDENT RESPONSE PLAN'S SUCCESSES AND SHORTCOMINGS IN AN INCIDENT RESPONSE PLAN EXERCISE REPORT. SUCH INCIDENT RESPONSE PLAN EXERCISE REPORT SHALL BE KEPT CONFIDENTIAL AND SHALL NOT BE MADE AVAILABLE FOR DISCLOSURE OR INSPECTION UNDER THE STATE FREEDOM OF INFORMATION LAW UNLESS A SUBPOENA OR OTHER COURT ORDER DIRECTS THE STATE ENTITY TO RELEASE SUCH INVENTORY OR INFORMATION FROM SUCH INVENTORY.
6. NO PRIVATE RIGHT OF ACTION. NOTHING SET FORTH IN THIS SECTION SHALL BE CONSTRUED AS CREATING OR ESTABLISHING A PRIVATE CAUSE OF ACTION.
§ 4. Severability. The provisions of this act shall be severable and if any portion thereof or the applicability thereof to any person or circumstances shall be held to be invalid, the remainder of this act and the application thereof shall not be affected thereby.
§ 5. This act shall take effect immediately.