STATE OF NEW YORK
________________________________________________________________________
6128
2023-2024 Regular Sessions
IN ASSEMBLY
April 3, 2023
___________
Introduced by M. of A. K. BROWN -- read once and referred to the Commit-
tee on Governmental Operations
AN ACT to amend the state technology law, in relation to increasing
security on digital submissions to the state
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The state technology law is amended by adding a new section
2 106-c to read as follows:
3 § 106-c. Digital submissions to the state. Any state agency, board,
4 bureau, authority, commission, division, or other governmental entity
5 performing a governmental or proprietary function for the state that
6 allows for the digital submission of information to such governmental
7 entity shall require a person to create an account with the governmental
8 entity through which the digital submission can be made. Such account
9 shall have the following security features:
10 1. Verified account. (a) To create an account, a user shall provide
11 and confirm the following information:
12 (i) the user's full name;
13 (ii) the user's physical residential address;
14 (iii) the user's date of birth;
15 (iv) at least two of the following:
16 (A) the user's social security number;
17 (B) the user's driver's license number;
18 (C) the user's United States passport number;
19 (D) the user's taxpayer identification number; or
20 (E) any other form of identification issued by a governmental entity
21 approved by the office; and
22 (v) the user's email address or telephone number.
23 (b) The user's account shall have a unique username chosen by the user
24 using rules approved by the office.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD10307-01-3
A. 6128 2
1 (c) The governmental entity shall validate the information provided by
2 the user to create such account is accurate.
3 2. Multi-factor authorization. To access an account made under subdi-
4 vision one of this section, a user shall be required to use the user's
5 username and two of the following methods of authentication to verify
6 such user's identity:
7 (a) a password;
8 (b) answers to previously provided security questions;
9 (c) biometric data, including fingerprint, facial or voice recogni-
10 tion;
11 (d) an authorization code sent by phone call, text message or email to
12 the appropriate contact information provided; or
13 (e) any other authorization types approved by the office.
14 § 2. This act shall take effect one year after it shall have become a
15 law. Effective immediately, the addition, amendment and/or repeal of any
16 rule or regulation necessary for the implementation of this act on its
17 effective date are authorized to be made and completed on or before such
18 effective date.