Requires state employees who use a computer to complete at least twenty-five percent of such employees' required duties to undergo annual cyber security training.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A4739
SPONSOR: Rajkumar
 
TITLE OF BILL:
An act to amend the state technology law, in relation to requiring
certain state employees to undergo annual cyber security training
 
PURPOSE OR GENERAL IDEA OF BILL:
To prevent cyberattacks through employee training
 
SUMMARY OF PROVISIONS:
Section 1. The state technology law is amended by adding a new section
108 requiring annual cybersecurity training of employees who use
computers, and providing exemptions.
Section 2 is the effective date.
 
DIFFERENCE BETWEEN ORIGINAL AND AMENDED VERSION (IF APPLICABLE):
 
JUSTIFICATION:
Although cybersecurity is thought of as a matter of having the right
technology to stop a cyberattack, 98% of cyberattacks involve "social
engineering," the manipulation of people to do things such as
downloading malicious files or clicking on links in phishing emails.
This common sense bill will educate state workers on the telltale signs
of social engineering attempts, in order to prevent cyberattacks.
 
PRIOR LEGISLATIVE HISTORY:
A10605 06/20/2024 referred to governmental operations.
 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
To be determined.
 
EFFECTIVE DATE:
This act shall take effect on the sixtieth day after it shall have
become a law. Effective immediately, the addition, amendment and/or
repeal of any rule or regulation necessary for the implementation of
this act on its effective date are authorized to be made and completed
on or before such effective date.
STATE OF NEW YORK
________________________________________________________________________
4739
2025-2026 Regular Sessions
IN ASSEMBLY
February 6, 2025
___________
Introduced by M. of A. RAJKUMAR -- read once and referred to the
Committee on Governmental Operations
AN ACT to amend the state technology law, in relation to requiring
certain state employees to undergo annual cyber security training
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The state technology law is amended by adding a new section
108 to read as follows:
§ 108. Annual cyber security training for state employees. 1. Each
state agency shall identify state employees who use a computer to
complete at least twenty-five percent of such employees' required
duties. At least once per year, such identified employees shall complete
a cyber security training program approved by the office.
2. Each state agency may select the most appropriate cyber security
training program approved by the office for employees of each such state
agency.
3. The executive head of each such state agency shall:
(a) verify completion of a cyber security training program by employees
of each such state agency in such form and manner as specified by
the office; and
(b) periodically require an internal review of the agency to ensure
compliance with the provisions of this section.
4. The office shall develop a form for each state agency to use in
verifying completion of annual cyber security trainings as required by
paragraph (a) of subdivision three of this section. Such form shall
allow a state agency to indicate the percentage of employee completion.
5. This section shall not apply to state employees who have been:
(a) granted military leave;
(b) granted leave under the federal family and medical leave act of
1993 (29 U.S.C. § 2601 et seq.);
(c) granted leave related to a sickness or disability covered by
workers' compensation benefits, if such employee no longer has access to
a state agency's database and information technology systems; or
(d) granted any other type of extended leave or authorization to work
from an alternative work site, if such employee no longer has access to
a state agency's database and information technology systems.
§ 2. This act shall take effect on the sixtieth day after it shall
have become a law. Effective immediately, the addition, amendment and/or
repeal of any rule or regulation necessary for the implementation of
this act on its effective date are authorized to be made and completed
on or before such effective date.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD08570-01-5