Requires all state entities, including local governments, to notify affected individuals in the event of a data breach where information is compromised; defines "cybersecurity incident".
STATE OF NEW YORK
8169
2025-2026 Regular Sessions
IN SENATE
May 16, 2025
Introduced by Sen. BYNOE -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology
AN ACT to amend the state technology law, in relation to prompt notification to affected individuals in the event of a data breach within certain state entities
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. Paragraphs (b) and (c) of subdivision 1 of section 208 of the state technology law, paragraph (b) of subdivision 1 as amended by chapter 491 of the laws of 2005 and paragraph (c) of subdivision 1 as added by chapter 442 of the laws of 2005, are amended and a new paragraph (e) is added to read as follows:
(b) "Breach of the security of the system" shall mean unauthorized acquisition [or], acquisition without valid authorization, or unauthorized utilization of computerized data which compromises the security, confidentiality, or integrity of personal information maintained by a state entity. Good faith acquisition of personal information by an employee or agent of a state entity for the purposes of the agency is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.
In determining whether information has been acquired or utilized, or is reasonably believed to have been acquired or utilized, by an unauthorized person [or a], person without valid authorization or unauthorized entity, such state entity may consider the following factors, among others:
(1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or
(2) indications that the information has been downloaded or copied; or
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
(3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported[.]; or
(4) indications that a cybersecurity incident, as defined in paragraph (e) of this subdivision, has occurred.
(c) "State entity" shall mean any state board, bureau, division, committee, commission, council, department, public authority, public benefit corporation, office or other governmental entity performing a governmental or proprietary function for the state of New York, except[: (1)] the judiciary; [and (2)] but shall include all cities, counties, municipalities, villages, towns, and other local agencies.
(e) "Cybersecurity incident" shall mean an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.
§ 2. The opening paragraph of subdivision 2 of section 208 of the state technology law, as amended by chapter 117 of the laws of 2019, is amended to read as follows:
Any state entity that owns [or], licenses, or maintains computerized data that includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person or entity without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision four of this section, or any measures necessary to determine the scope of the breach and restore the integrity of the data system. The state entity shall consult with the state office of information technology services to determine the scope of the breach and restoration measures. Within ninety days of the notice of the breach, the office of information technology services shall deliver a report on the scope of the breach and recommendations to restore and improve the security of the system to the state entity.
§ 3. Subdivision 3 of section 208 of the state technology law, as amended by chapter 117 of the laws of 2019, is amended to read as follows:
3. Any state entity that maintains computerized data that includes private information which such agency does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, accessed [or], acquired, or utilized by [a] any person or entity without valid authorization.
§ 4. This act shall take effect on the ninetieth day after it shall have become a law.