STATE OF NEW YORK
________________________________________________________________________
8793
IN ASSEMBLY
January 12, 2022
___________
Introduced by M. of A. OTIS -- read once and referred to the Committee
on Governmental Operations
AN ACT to amend the state technology law, in relation to the notification
of certain agencies of a breach of the security system or a
breach of the security network
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
1 Section 1. Section 209 of the state technology law, as added by a
2 chapter of the laws of 2021 amending the state technology law relating
3 to the notification of certain state agencies of a data breach or
4 network security breach, as proposed in legislative bills numbers S.
5 7019 and A. 7612, is amended to read as follows:
6 § 209. Notification of [data] a breach [or network] of the security of
7 the system or a breach of network security; shared data. 1. The office
8 shall, within twenty-four hours [following the discovery of a data
9 breach or network security breach or receiving notice of a data breach
10 or network security breach] of either being notified of or receiving
11 evidence of a breach of the security of the system, or a breach of
12 network security, as defined in paragraphs (a) and (b) of subdivision
13 three of this section, notify the chief information officer, [and where
14 appropriate,] the chief information security officer, and where appro-
15 priate, the cyber security coordinator of any state entity with which it
16 shares data, provides networked services or shares a network connection
17 whose data, services or connection is [or may have been the subject of]
18 reasonably suspected to be affected by any such breach [whether or not
19 such data was, or is reasonably believed to have been, acquired or used
20 by an unauthorized person].
21 2. The office shall[, in addition to the provisions of subdivision one
22 of this section, notify] provide the chief information officer, [and
23 where appropriate,] the chief information security officer, and where
24 appropriate, the cyber risk coordinator of [such] any state entity [with
25 which it shares data, provides networked services or shares a network
26 connection and whose data is or may have been the subject of such
27 breach, of], who has been notified pursuant to subdivision one of this
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD10523-02-2
1 section, with its plan for remediation of the breach and future
2 protection of such data and network.
3 3. For purposes of this section:
4 (a) ["Data breach" shall mean an intentional or unintentional incident
5 where data is disclosed, released, stolen, or taken without the know-
6 ledge or authorization of the data's owner or steward] "Breach of the
7 security of the system" shall have the same meaning as defined in para-
8 graph (b) of subdivision one of section two hundred eight of this arti-
9 cle.
10 (b) ["Network security breach" shall mean an intentional or uninten-
11 tional incident where an unauthorized party has gained access to an
12 organization's network without the knowledge or authorization of the
13 network owner or steward] "Breach of network security" shall mean unau-
14 thorized access to or access without valid authorization of a computer
15 network which compromises the security, confidentiality, or integrity of
16 such network.
17 (c) "State entity" shall [mean any state board, bureau, division,
18 committee, commission, council, department, public authority, public
19 benefit corporation, office or other governmental entity performing a
20 governmental or proprietary function for the state of New York, includ-
21 ing the state legislature and the judiciary] have the same meaning as
22 provided by paragraph (c) of subdivision one of section two hundred
23 eight of this article.
24 § 2. This act shall take effect on the same date and in the same
25 manner as a chapter of the laws of 2021 amending the state technology
26 law relating to the notification of certain state agencies of a data
27 breach or network security breach, as proposed in legislative bills
28 numbers S. 7019 and A. 7612, takes effect.