Establishes the "secure our data act"; relates to cybersecurity protection by state entities; requires the office of information technology services to develop standards for data protection of state entity-maintained information.
STATE OF NEW YORK
________________________________________________________________________
1961
2025-2026 Regular Sessions
IN SENATE
January 14, 2025
___________
Introduced by Sen. GONZALEZ -- read twice and ordered printed, and when
printed to be committed to the Committee on Internet and Technology
AN ACT to amend the state technology law, in relation to establishing
the "secure our data act"
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. This act shall be known and may be cited as the "secure our
2 data act".
3 § 2. Legislative intent. The legislature finds that information tech-
4 nology attacks and breaches have compromised governmental networks and
5 the electronically stored personal information of countless people
6 statewide and nationwide. State entities often receive such personal
7 information from various sources, including the data subjects them-
8 selves, other state entities, and the federal government. Additionally,
9 state entities use such personal information to make determinations
10 regarding data subjects. New Yorkers deserve to have their personal
11 information in the possession of a state entity stored in a manner that
12 will withstand any attempt by a bad actor to access, alter, or prohibit
13 access to such information.
14 Therefore, the legislature enacts the secure our data act, which will
15 require state entities to employ adequate practices and systems to
16 protect the personal information from any unauthorized acquisition,
17 access, alteration or change in access.
18 § 3. The state technology law is amended by adding a new section 210
19 to read as follows:
20 § 210. Cybersecurity protection. 1. Definitions. For purposes of this
21 section, the following terms shall have the following meanings:
22 (a) "Breach of the security of the system" means (i) unauthorized
23 exfiltration, acquisition, or acquisition without valid authorization,
24 of computerized information which compromises the security, confiden-
25 tiality, or integrity of state entity-maintained personal information,
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD05506-01-5
S. 1961 2
1 (ii) unauthorized access, or access without valid authorization, to
2 state entity-maintained personal information or to an information system
3 used for personal information, or (iii) unauthorized modification of the
4 access permissions, including through the use of encryption, to an
5 information system used for personal information. "Breach of the securi-
6 ty of the system" does not include good faith acquisition of or access
7 to personal information, or access to an information system by an
8 employee or agent of a state entity for the purposes of the state enti-
9 ty; provided that the private information or information system is not
10 used in an unauthorized manner, accessed for an unlawful or inappropri-
11 ate purpose, modified to change access permissions without authori-
12 zation, or subject to unauthorized disclosure. In determining whether
13 state entity-maintained personal information or an information system
14 used for personal information has been exfiltrated, acquired, accessed,
15 or experienced a change in access permissions without authorization or
16 without valid authorization, such state entity may consider the follow-
17 ing factors, among others:
18 (1) indications that the information is in the physical possession and
19 control of an unauthorized person, such as a lost or stolen computer or
20 other device containing information;
21 (2) indications that the information has been downloaded or copied;
22 (3) indications that the information was used by an unauthorized
23 person, such as fraudulent accounts opened or instances of identity
24 theft reported; or
25 (4) indications that the information or information system was
26 accessed without authorization or without valid authorization, including
27 but not limited to data in information system access logs, changes modi-
28 fying access to the information or information system, modification or
29 deletion of stored information, injecting or installing malicious code
30 on the information system, or unauthorized encryption of stored informa-
31 tion.
32 (b) "Data subject" means the person who is the subject of the personal
33 information.
34 (c) "Data validation" means ensuring the accuracy, quality, and valid-
35 ity of source data before using, importing, saving, storing, or other-
36 wise processing data.
37 (d) "Immutable" means data that is stored unchanged over time or
38 unable to be changed. For the purposes of backups, "immutable" shall
39 mean that, once ingested, no external or internal operation can modify
40 the data and must never be available in a read/write state to the
41 client. "Immutable" shall specifically apply to the characteristics and
42 attributes of a backup system's file system and may not be applied to
43 temporary systems state, time-bound or expiring configurations, or
44 temporary conditions created by a physical air gap as is implemented in
45 most legacy systems, provided that immutable backups must be capable of
46 deletion and replacement, as applicable, in accordance with the data
47 retention and deletion policy governing the data. An immutable file
48 system must demonstrate characteristics that do not permit the editing
49 or changing of any data backed up to provide agencies with complete
50 recovery capabilities.
51 (e) "Information system" means any good, service or a combination
52 thereof, used by any computer, cloud service, or interconnected system
53 that is maintained for or used by a state entity in the acquisition,
54 storage, manipulation, management, movement, control, display, switch-
55 ing, interchange, transmission, or reception of data or voice including,
56 but not limited to, hardware, software, information appliances, firm-
S. 1961 3
1 ware, programs, systems, networks, infrastructure, media, and related
2 material used to automatically and electronically collect, receive,
3 access, transmit, display, store, record, retrieve, analyze, evaluate,
4 process, classify, manipulate, manage, assimilate, control, communicate,
5 exchange, convert, coverage, interface, switch, or disseminate data or
6 information of any kind or form.
7 (f) "Mission critical" means information or information systems that
8 are essential to the functioning of the state entity.
9 (g) "Segmented storage" means the method of data storage whereby (i)
10 information is partitioned or separated, with overlapping or non-over-
11 lapping protection, and (ii) such individual partitioned or separated
12 sets of information are stored in multiple physically or logically
13 distinct secure locations.
14 (h) "State entity-maintained personal information" means personal
15 information stored by a state entity that was generated by a state enti-
16 ty or provided to the state entity by the data subject, a state entity,
17 a federal governmental entity, or any other third-party source. Such
18 term shall also include personal information provided by an adverse
19 party in the course of litigation or other adversarial proceeding.
20 (i) "State entity" means any state board, bureau, division, committee,
21 commission, council, department, public authority, public benefit corpo-
22 ration, office or other governmental entity performing a governmental or
23 proprietary function for the state of New York, except:
24 (i) the judiciary; and
25 (ii) all cities, counties, municipalities, villages, towns, and other
26 local agencies.
27 2. Data protection standards. (a) No later than one year after the
28 effective date of this section, the director, in consultation with
29 stakeholders and other interested parties, which shall include at least
30 one public hearing, shall promulgate regulations that design and develop
31 standards for:
32 (i) protection against breaches of the security of the system for
33 mission critical information systems and for personal information used
34 by such information systems;
35 (ii) data backup that includes;
36 (A) the creation of immutable backups of state entity-maintained
37 personal information;
38 (B) through data validation techniques, the exclusion of unwanted data
39 from such immutable backups, including but not limited to illegal
40 content, corrupted data, malicious code, and content that breaches
41 intellectual property protections;
42 (C) prohibitions on the use of such immutable backups except for
43 conducting data validation and performing information system recovery;
44 and
45 (D) storage of such immutable backups in segmented storage;
46 (iii) information system recovery that includes creating an identical
47 copy of an immutable backup of state entity-maintained personal informa-
48 tion in segmented storage for use when an information system has been
49 adversely affected by a breach of the security of the system and
50 requires restoration from one or more backups;
51 (iv) data retention and deletion policies specifying how long certain
52 types of data shall be retained on information systems and as immutable
53 backups in segmented storage and when or under what circumstances such
54 data shall be deleted; and
55 (v) annual workforce training regarding protection against breaches of
56 the security of the system, as well as processes and procedures that
S. 1961 4
1 should be followed in the event of a breach of the security of the
2 system.
3 (b) Such regulations may be adopted on an emergency basis. If such
4 regulations are adopted on an emergency basis, the office shall engage
5 in the formal rulemaking procedure no later than the day immediately
6 following the date that the office promulgated such regulations on an
7 emergency basis. Provided that the office has commenced the formal rule-
8 making process, the regulations adopted on an emergency basis may be
9 renewed no more than two times.
10 3. Vulnerability assessments. Notwithstanding any provision of law to
11 the contrary, each state entity shall engage in vulnerability testing of
12 its information systems as follows:
13 (a) Beginning January first, two thousand twenty-six and on a monthly
14 basis thereafter, each state entity shall perform, or cause to be
15 performed, a vulnerability assessment of at least one mission critical
16 information system ensuring that each mission critical system has under-
17 gone a vulnerability assessment during the past year. A report detailing
18 the vulnerability assessment methodology and findings shall be made
19 available to the office for review no later than forty-five days after
20 the testing has been completed.
21 (b) Beginning December first, two thousand twenty-six, each state
22 entity's entire information system shall undergo vulnerability testing.
23 A report detailing the vulnerability assessment methodology and findings
24 shall be made available to the office for review no later than forty-
25 five days after such testing has been completed.
26 (c) The office shall assist state entities in complying with the
27 provisions of this section.
28 4. Data and information system inventory. (a) No later than one year
29 after the effective date of this section, each state entity shall create
30 an inventory of the state entity-maintained personal information and the
31 purpose or purposes for which such state entity-maintained personal
32 information is maintained and used. The inventory shall include a list-
33 ing of all types of state entity-maintained personal information, along
34 with the source and the median age of such information.
35 (b) No later than one year after the effective date of this section,
36 each state entity shall create an inventory of its information systems
37 and the purpose or purposes for which each such information system is
38 maintained and used. The inventory shall denote those information
39 systems that are mission critical and those that use personal informa-
40 tion, and whether the information system is protected by immutable back-
41 ups and stored in a segmented manner.
42 (c) Notwithstanding paragraphs (a) and (b) of this subdivision, if a
43 state entity has already completed a state entity-maintained personal
44 information inventory or information systems inventory, such state enti-
45 ty shall update the previously completed state entity-maintained
46 personal information inventory or information system inventory no later
47 than one year after the effective date of this section.
48 (d) Upon written request from the office, a state entity shall provide
49 the office with either or both of the state entity-maintained personal
50 information and information systems inventories required to be created
51 or updated pursuant to this subdivision.
52 (e) Notwithstanding paragraph (d) of this subdivision, the state enti-
53 ty-maintained personal information and information systems inventories
54 required to be created or updated pursuant to this subdivision shall be
55 kept confidential and shall not be made available for disclosure or
56 inspection under the state freedom of information law unless a subpoena
S. 1961 5
1 or other court order directs the office or state entity to release such
2 inventory or information from such inventory.
3 5. Incident management and recovery. (a) No later than eighteen months
4 after the effective date of this section, each state entity shall have
5 created an incident response plan for incidents involving a breach of
6 the security of the system that render an information system or its data
7 unavailable, and incidents involving a breach of the security of the
8 system that result in the alteration or deletion of or unauthorized
9 access to, personal information.
10 (b) Such incident response plan shall include a procedure for situ-
11 ations where information systems have been adversely affected by a
12 breach of the security of the system, as well as a procedure for the
13 storage of personal information and mission critical backups in
14 segmented storage to ensure that such personal information and mission
15 critical systems are protected by immutable backups.
16 (c) Beginning January first, two thousand twenty-eight and on an annu-
17 al basis thereafter, each state entity shall complete at least one exer-
18 cise of its incident response plan that includes copying the immutable
19 personal information and mission critical applications from the
20 segmented portion of the state entity's information system and using
21 such copies in the state entity's restoration and recovery process. Upon
22 completion of such exercise, the state entity shall document the inci-
23 dent response plan's successes and shortcomings in an incident response
24 plan exercise report. Such incident response plan exercise report shall
25 be kept confidential and shall not be made available for disclosure or
26 inspection under the state freedom of information law unless a subpoena
27 or other court order directs the state entity to release such inventory
28 or information from such inventory.
29 6. No private right of action. Nothing set forth in this section shall
30 be construed as creating or establishing a private cause of action.
31 § 4. Severability. The provisions of this act shall be severable and
32 if any portion thereof or the applicability thereof to any person or
33 circumstances shall be held to be invalid, the remainder of this act and
34 the application thereof shall not be affected thereby.
35 § 5. This act shall take effect immediately.
