Prohibits governmental entities, business entities and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.
STATE OF NEW YORK
________________________________________________________________________
6806--A
2021-2022 Regular Sessions
IN SENATE
May 18, 2021
___________
Introduced by Sen. SAVINO -- read twice and ordered printed, and when
printed to be committed to the Committee on Internet and Technology --
committee discharged, bill amended, ordered reprinted as amended and
recommitted to said committee
AN ACT to amend the state technology law, in relation to the payment of ransom in the event of a cyber incident or a cyber ransom or ransomware attack
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The state technology law is amended by adding a new article 4 to read as follows:
ARTICLE IV
CYBER SECURITY INCIDENTS
Section 401. Payment of ransom; cyber incident, cyber ransom or ransomware.
§ 401. Payment of ransom; cyber incident, cyber ransom or ransomware.
1. For the purpose of this section:
a. "Cyber incident" means the compromise of the security, confidentiality, or integrity of computerized data due to the exfiltration, modification, or deletion that results in the unauthorized acquisition of and access to information maintained by a governmental entity, business entity, or health care entity.
b. "Cyber ransom or ransomware" means a type of malware that encrypts or locks valuable digital files and demands a ransom to release the files.
c. "Governmental entity" shall mean any state, city, town or village or local department, board, bureau, division, commission, committee, school district, public authority, public benefit corporation, council or office, including all entities defined pursuant to section two of the public authorities law. Such term shall include the state university of New York and the city university of New York as well as the state legislature, the judiciary or state and local legislatures.
d. "Business entity" shall mean any legal entity that conducts business in the state of New York.
e. "Health care entity" shall mean hospitals, nursing homes, home care, hospice and any other health care facilities regulated by the department of health.
2. No governmental entity, business entity or health care entity within the state shall pay, or have another entity pay on their behalf, ransom in the event of a cyber incident or a cyber ransom or ransomware attack.
3. All governmental entities shall report any cyber incidents and cyber ransom or ransomware attacks to the New York state division of homeland security and emergency services.
4. Any business entity that violates the provisions of this section shall be subject to a civil penalty of up to ten thousand dollars assessed by the attorney general.
§ 2. This act shall take effect immediately.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD11518-02-1