
S03405 Summary:

BILL NO: S03405A

SAME AS: A06133-A

SPONSOR: CROCI

COSPNSR: AVELLA, DEFRANCISCO, FLANAGAN, FUNKE, GOLDEN, MARTINS, NOZZOLIO, SEWARD

MLTSPNSR:
 
Add §719, Exec L
 
Requires a comprehensive review of all cyber security services to be performed every five years.

S03405 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         3405--A
 
                               2015-2016 Regular Sessions
 
                    IN SENATE
 
                                    February 6, 2015
                                       ___________
 
        Introduced  by  Sens.  CROCI,  AVELLA, FLANAGAN, FUNKE, GOLDEN, MARTINS,
          NOZZOLIO -- read twice and ordered printed, and  when  printed  to  be
          committed to the Committee on Rules -- recommitted to the Committee on
          Veterans,  Homeland  Security  and Military Affairs in accordance with
          Senate Rule 6, sec. 8 -- committee discharged, bill  amended,  ordered
          reprinted as amended and recommitted to said committee
 
        AN  ACT  to  amend  the  executive  law, in relation to a cyber security
          report
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section 1. The executive law is amended by adding a new section 719 to
     2  read as follows:
     3    §  719.  Quinquennial  cyber security report.  1. The commissioner, in
     4  consultation with the superintendent of  the  state  police,  the  chief
     5  information  officer, and the president of the center for internet secu-
     6  rity, shall prepare a report, to  be  delivered  to  the  governor,  the
     7  temporary  president  of  the  senate,  the speaker of the assembly, the
     8  chair of the senate standing committee on  veterans,  homeland  security
     9  and  military  affairs, and the chair of the assembly standing committee
    10  on governmental operations, on or before the first day of September, two
    11  thousand sixteen, and then every five years thereafter, which provides a
    12  comprehensive review of all cyber security services performed by, and on
    13  behalf of, the state of New York.
    14    2. The report required pursuant to subdivision one  of  this  section,
    15  shall  include  a  detailed  assessment of each and every cyber security
    16  need of the state of New York, including but not limited to,  its  state
    17  agencies  and  its public authorities, and for each and every such cyber
    18  security  need  so  identified,  shall  further   include   a   detailed
    19  description of:
    20    (a) the type of cyber security service used to address such need;
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD08759-02-6

        S. 3405--A                          2
 
     1    (b)  the  scope  of the need so addressed, as well as the scope of the
     2  service used to address such need;
     3    (c) the cost of the service used to address such need;
     4    (d)  the  effectiveness  of the cyber security service used to address
     5  such need;
     6    (e) the entity providing such cyber security service used  to  address
     7  such need;
     8    (f)  the  government, industry and/or academically accepted best cyber
     9  security practice for addressing such need;
    10    (g) how other states, and the federal government have  addressed  such
    11  need; and
    12    (h) how private sector entities addressed such need.
    13    3. During the preparation of the report required by subdivision one of
    14  this  section,  and  after  its  delivery  to  the persons identified to
    15  receive such report, the commissioner, the superintendent of  the  state
    16  police,  the  chief information officer, and the president of the center
    17  for internet security, as well as  the  divisions,  offices  and  corpo-
    18  rations under their direction, shall provide to such persons entitled to
    19  receive such report, any and all additional information such persons may
    20  request, with respect to any cyber security issue concerning:
    21    (a)  the  state of New York, including but not limited to, any agency,
    22  board, bureau, commission, department, division, institution, office, or
    23  public authority of the state;
    24    (b) any local government entity, including but  not  limited  to,  any
    25  county,  town, city, village, school district, special district, and any
    26  agency, board, bureau, commission,  department,  division,  institution,
    27  office, or public authority of such local government entity;
    28    (c)  any regulated entity of the state of New York or local government
    29  entity;
    30    (d) any not-for-profit corporation in the state of New York;
    31    (e) any private sector business in the state of  New  York,  including
    32  but  not  limited  to, a sole proprietor, partnership, limited liability
    33  company or business corporation; and/or
    34    (f) any citizen of the state of New York.
    35    4. Where compliance with this section shall require the disclosure  of
    36  confidential  information,  or  the  disclosure of sensitive information
    37  which in the judgment of the commissioner  would  jeopardize  the  cyber
    38  security of the state:
    39    (a)  such  confidential  or sensitive information shall be provided to
    40  the persons entitled to receive the report as  provided  by  subdivision
    41  one of this section, as follows:
    42    (i)  In  the  case  of  the report required by subdivision one of this
    43  section, in the form of a supplemental appendix to the report; and
    44    (ii) In the case of a response to a request for  information  made  in
    45  accordance with subdivision three of this section, in a secure manner as
    46  determined by the commissioner;
    47    (b)  neither  a supplemental appendix to the report, nor any confiden-
    48  tial or sensitive information provided in  accordance  with  subdivision
    49  three  of  this  section,  shall  be posted on the division's website as
    50  required by subdivision five of this section;
    51    (c) neither a supplemental appendix to the report, nor  any  confiden-
    52  tial  or  sensitive  information provided in accordance with subdivision
    53  three of this section, shall be subject to the provisions of the freedom
    54  of information law pursuant to article six of the public  officers  law;
    55  and

        S. 3405--A                          3
 
     1    (d) the persons entitled to receive the report as provided by subdivi-
     2  sion  one of this section, may disclose the supplemental appendix to the
     3  report, and  any  confidential  or  sensitive  information  provided  in
     4  accordance with subdivision three of this section, to their professional
     5  staff,  but  shall  not otherwise publicly disclose such confidential or
     6  secure information.
     7    5. Except with respect to any confidential or sensitive information as
     8  described in subdivision four of this section, the division shall post a
     9  copy of the report prepared in accordance with subdivision one  of  this
    10  section, on its website, not more than fifteen days after such report is
    11  delivered  to  the persons entitled to receive such report. The division
    12  may further post any and all further information it may  deem  appropri-
    13  ate,  on  its  website,  regarding cyber security, and the protection of
    14  public and private computer systems, networks, hardware and software.
    15    § 2. This act shall take effect immediately.