NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A7612
SPONSOR: Otis
 
TITLE OF BILL:
An act to amend the state technology law, in relation to the notification
of certain state agencies of a data breach or network security breach
 
PURPOSE:
This legislation would require the Office of Information Technology
Services to notify, within 24 hours following discovery of a data breach
or receiving notice of a data breach or network security breach, the
chief information officer or where appropriate the chief information
security officer of a state entity with which the office shares data of
such breach.
 
SUMMARY OF SPECIFIC PROVISIONS:
Section 1 of the bill adds a new section 209 to the state technology
law. Subdivision 1 of the new section 209 requires the office, within 24
hours following discovery of a data breach or network security breach,
to notify the chief information officer and where appropriate the chief
information security officer of any state entity with which it shares
data, provides networked services or shares a network connection and
whose data is or may have been the subject of such breach whether or not
such data was, or is reasonably believed to have been, acquired or used
by an unauthorized person.
Subdivision 2 of the new section 209 requires the office to notify the
chief information officer and where appropriate the chief information
security officer of such state entity with which it shares data,
provides networked services or shares a network connection and whose
data is or may have been the subject of such breach of its plan for
remediation of the breach and future protection of such data and
network.
Subdivision 3 defines "data breach" as an intentional or unintentional
incident where data is disclosed, released, stolen, or taken without the
knowledge or authorization of the data's owner or steward. Additionally,
"network security breach" is defined as an intentional or unintentional
incident where an unauthorized party has gained access to an
organization's network without the knowledge or authorization of the
network owner or steward. Finally, "state entity" is defined as any
state board, bureau, division, committee, commission, council,
department, public authority, public benefit corporation, office or
other governmental entity performing a governmental or proprietary
function for the state of New York, including the state legislature and
the judiciary.
Section 2 of the bill provides for an immediate effective date.
 
JUSTIFICATION:
The Office of Information Technology Services (Office) has, since its
creation in 2002, assumed an interactive role with state entities by
sharing data and providing support services to these entities. The Office
has access to an unprecedented amount of information and shared
information/data.
It is imperative that such data be protected, and yet breaches occur. In
January of 2020 such a breach occurred and the Office failed to inform
the state entities with which it shares data that the breach had
occurred, thereby putting other systems at risk.
Though the Office became aware of the breach in late January, the issue
went unreported until April when it was disclosed in the Wall Street
Journal.
This bill would address this failure by requiring notification by the
Office when a breach occurs. Additionally, the bill requires the Office
to inform the entities of its plan for remediation of the breach.
 
PRIOR LEGISLATIVE HISTORY:
New bill.
 
FISCAL IMPLICATIONS:
Minimal.
 
EFFECTIVE DATE:
This act shall take effect immediately.