STATE OF NEW YORK
________________________________________________________________________
7612
2021-2022 Regular Sessions
IN ASSEMBLY
May 19, 2021
___________
Introduced by M. of A. OTIS, ZEBROWSKI -- (at request of the State Comp-
troller) -- read once and referred to the Committee on Governmental
Operations
AN ACT to amend the state technology law, in relation to the notifica-
tion of certain state agencies of a data breach or network security
breach
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The state technology law is amended by adding a new section
2 209 to read as follows:
3 § 209. Notification of data breach or network security breach; shared
4 data. 1. The office shall, within twenty-four hours following the
5 discovery of a data breach or network security breach or receiving
6 notice of a data breach or network security breach, notify the chief
7 information officer, and where appropriate, the chief information secu-
8 rity officer, of any state entity with which it shares data, provides
9 networked services or shares a network connection whose data, services
10 or connection is or may have been the subject of such breach whether or
11 not such data was, or is reasonably believed to have been, acquired or
12 used by an unauthorized person.
13 2. The office shall, in addition to the provisions of subdivision one
14 of this section, notify the chief information officer, and where appro-
15 priate, the chief information security officer, of such state entity
16 with which it shares data, provides networked services or shares a
17 network connection and whose data is or may have been the subject of
18 such breach, of its plan for remediation of the breach and future
19 protection of such data and network.
20 3. For purposes of this section:
21 (a) "Data breach" shall mean an intentional or unintentional incident
22 where data is disclosed, released, stolen, or taken without the know-
23 ledge or authorization of the data's owner or steward.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD10523-01-1
A. 7612 2
1 (b) "Network security breach" shall mean an intentional or uninten-
2 tional incident where an unauthorized party has gained access to an
3 organization's network without the knowledge or authorization of the
4 network owner or steward.
5 (c) "State entity" shall mean any state board, bureau, division,
6 committee, commission, council, department, public authority, public
7 benefit corporation, office or other governmental entity performing a
8 governmental or proprietary function for the state of New York, includ-
9 ing the state legislature and the judiciary.
10 § 2. This act shall take effect immediately.
