NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
BILL NUMBER: A5239
SPONSOR: Brown K TITLE OF BILL:
An act to amend the state technology law, in relation to increasing
security on digital submissions to the state
PURPOSE OR GENERAL IDEA OF BILL:
Increases security on digital submissions to the state by requiring the
use of verified accounts and multi-factor authorization
SUMMARY OF PROVISIONS:
Section 1: The state technology law is amended by adding a new section 2
106c.
Section 2: Identifies effective date.
JUSTIFICATION:
Fraud costs the state billions of dollars each year. One way to combat
fraud is to increase security on digital submissions to the state by
requiring the use of •verified accounts and multi-factor authorization.
Every financial institution currently employ these modern measures in
order to combat fraud and there is no reason why the state government
should not employ the same industry standards to prevent fraud.
This bill will reduce fraud by individuals against state agencies by
requiring for any digital submissions of information to any state agen-
cy, board, bureau, authority, commission, division, or other govern-
mental entity shall require a person to create 'a digital account. Such
account shall have the following security features:
1. Verified account.
(a) To create an account, a user shall provide and confirm the following
information:.
(i) the user's full name;
(ii) the user's physical residential address;
(iii) the user's date of birth;
(iv) at least two of the following:
(A) the user's social security number;
(B) the user's driver's license number;
(C) the user's United States passport number;
(D) the user's taxpayer identification number; or
(E) any other form of identification issued by a governmental entity
approved by the office; and
(v) the user's email address or telephone number.
(b) The user's account shall have a unique username chosen by the user
using rules, approved by the office.
(c) The governmental entity shall validate the information provided by
the user to create such account is accurate.
2. Multi-factor authorization. To access an account, a user shall be
required to use the user's username and two of the following methods of
authentication to verify such user's identity:
(a) a password;
(b) answers to previously provided security questions;
(c) biometric data, including fingerprint, facial or voice recognition;
(d) an authorization code sent by phone call, text message or email to
the appropriate contact information provided; or
(e) any other authorization types approved by the office.
PRIOR LEGISLATIVE HISTORY:
2023-24: A.6128
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
EFFECTIVE DATE:
This act shall take effect immediately.
STATE OF NEW YORK
________________________________________________________________________
5239
2025-2026 Regular Sessions
IN ASSEMBLY
February 12, 2025
___________
Introduced by M. of A. K. BROWN -- read once and referred to the Commit-
tee on Governmental Operations
AN ACT to amend the state technology law, in relation to increasing
security on digital submissions to the state
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The state technology law is amended by adding a new section
2 106-c to read as follows:
3 § 106-c. Digital submissions to the state. Any state agency, board,
4 bureau, authority, commission, division, or other governmental entity
5 performing a governmental or proprietary function for the state that
6 allows for the digital submission of information to such governmental
7 entity shall require a person to create an account with the governmental
8 entity through which the digital submission can be made. Such account
9 shall have the following security features:
10 1. Verified account. (a) To create an account, a user shall provide
11 and confirm the following information:
12 (i) the user's full name;
13 (ii) the user's physical residential address;
14 (iii) the user's date of birth;
15 (iv) at least two of the following:
16 (A) the user's social security number;
17 (B) the user's driver's license number;
18 (C) the user's United States passport number;
19 (D) the user's taxpayer identification number; or
20 (E) any other form of identification issued by a governmental entity
21 approved by the office; and
22 (v) the user's email address or telephone number.
23 (b) The user's account shall have a unique username chosen by the user
24 using rules approved by the office.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD08052-01-5
A. 5239 2
1 (c) The governmental entity shall validate the information provided by
2 the user to create such account is accurate.
3 2. Multi-factor authorization. To access an account made under subdi-
4 vision one of this section, a user shall be required to use the user's
5 username and two of the following methods of authentication to verify
6 such user's identity:
7 (a) a password;
8 (b) answers to previously provided security questions;
9 (c) biometric data, including fingerprint, facial or voice recogni-
10 tion;
11 (d) an authorization code sent by phone call, text message or email to
12 the appropriate contact information provided; or
13 (e) any other authorization types approved by the office.
14 § 2. This act shall take effect one year after it shall have become a
15 law. Effective immediately, the addition, amendment and/or repeal of any
16 rule or regulation necessary for the implementation of this act on its
17 effective date are authorized to be made and completed on or before such
18 effective date.
