STATE OF NEW YORK
________________________________________________________________________
3405--A
2015-2016 Regular Sessions
IN SENATE
February 6, 2015
___________
Introduced by Sens. CROCI, AVELLA, FLANAGAN, FUNKE, GOLDEN, MARTINS,
NOZZOLIO -- read twice and ordered printed, and when printed to be
committed to the Committee on Rules -- recommitted to the Committee on
Veterans, Homeland Security and Military Affairs in accordance with
Senate Rule 6, sec. 8 -- committee discharged, bill amended, ordered
reprinted as amended and recommitted to said committee
AN ACT to amend the executive law, in relation to a cyber security
report
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The executive law is amended by adding a new section 719 to
2 read as follows:
3 § 719. Quinquennial cyber security report. 1. The commissioner, in
4 consultation with the superintendent of the state police, the chief
5 information officer, and the president of the center for internet secu-
6 rity, shall prepare a report, to be delivered to the governor, the
7 temporary president of the senate, the speaker of the assembly, the
8 chair of the senate standing committee on veterans, homeland security
9 and military affairs, and the chair of the assembly standing committee
10 on governmental operations, on or before the first day of September, two
11 thousand sixteen, and then every five years thereafter, which provides a
12 comprehensive review of all cyber security services performed by, and on
13 behalf of, the state of New York.
14 2. The report required pursuant to subdivision one of this section,
15 shall include a detailed assessment of each and every cyber security
16 need of the state of New York, including but not limited to, its state
17 agencies and its public authorities, and for each and every such cyber
18 security need so identified, shall further include a detailed
19 description of:
20 (a) the type of cyber security service used to address such need;
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD08759-02-6
S. 3405--A 2
1 (b) the scope of the need so addressed, as well as the scope of the
2 service used to address such need;
3 (c) the cost of the service used to address such need;
4 (d) the effectiveness of the cyber security service used to address
5 such need;
6 (e) the entity providing such cyber security service used to address
7 such need;
8 (f) the government, industry and/or academically accepted best cyber
9 security practice for addressing such need;
10 (g) how other states, and the federal government have addressed such
11 need; and
12 (h) how private sector entities addressed such need.
13 3. During the preparation of the report required by subdivision one of
14 this section, and after its delivery to the persons identified to
15 receive such report, the commissioner, the superintendent of the state
16 police, the chief information officer, and the president of the center
17 for internet security, as well as the divisions, offices and corpo-
18 rations under their direction, shall provide to such persons entitled to
19 receive such report, any and all additional information such persons may
20 request, with respect to any cyber security issue concerning:
21 (a) the state of New York, including but not limited to, any agency,
22 board, bureau, commission, department, division, institution, office, or
23 public authority of the state;
24 (b) any local government entity, including but not limited to, any
25 county, town, city, village, school district, special district, and any
26 agency, board, bureau, commission, department, division, institution,
27 office, or public authority of such local government entity;
28 (c) any regulated entity of the state of New York or local government
29 entity;
30 (d) any not-for-profit corporation in the state of New York;
31 (e) any private sector business in the state of New York, including
32 but not limited to, a sole proprietor, partnership, limited liability
33 company or business corporation; and/or
34 (f) any citizen of the state of New York.
35 4. Where compliance with this section shall require the disclosure of
36 confidential information, or the disclosure of sensitive information
37 which in the judgment of the commissioner would jeopardize the cyber
38 security of the state:
39 (a) such confidential or sensitive information shall be provided to
40 the persons entitled to receive the report as provided by subdivision
41 one of this section, as follows:
42 (i) In the case of the report required by subdivision one of this
43 section, in the form of a supplemental appendix to the report; and
44 (ii) In the case of a response to a request for information made in
45 accordance with subdivision three of this section, in a secure manner as
46 determined by the commissioner;
47 (b) neither a supplemental appendix to the report, nor any confiden-
48 tial or sensitive information provided in accordance with subdivision
49 three of this section, shall be posted on the division's website as
50 required by subdivision five of this section;
51 (c) neither a supplemental appendix to the report, nor any confiden-
52 tial or sensitive information provided in accordance with subdivision
53 three of this section, shall be subject to the provisions of the freedom
54 of information law pursuant to article six of the public officers law;
55 and
S. 3405--A 3
1 (d) the persons entitled to receive the report as provided by subdivi-
2 sion one of this section, may disclose the supplemental appendix to the
3 report, and any confidential or sensitive information provided in
4 accordance with subdivision three of this section, to their professional
5 staff, but shall not otherwise publicly disclose such confidential or
6 secure information.
7 5. Except with respect to any confidential or sensitive information as
8 described in subdivision four of this section, the division shall post a
9 copy of the report prepared in accordance with subdivision one of this
10 section, on its website, not more than fifteen days after such report is
11 delivered to the persons entitled to receive such report. The division
12 may further post any and all further information it may deem appropri-
13 ate, on its website, regarding cyber security, and the protection of
14 public and private computer systems, networks, hardware and software.
15 § 2. This act shall take effect immediately.