Amd §3-101, Energy L; amd §86, Pub Off L; amd §§709 & 713, Exec L; add §54, amd §66, Pub Serv L
 
Relates to critical utility infrastructure security and responsibility; relates to the protection of critical infrastructure in the state; provides that an electric or gas corporation or municipality shall not share, disclose or otherwise provide access to a customer's electrical or gas consumption data.
STATE OF NEW YORK
________________________________________________________________________
6195
2019-2020 Regular Sessions
IN SENATE
May 22, 2019
___________
Introduced by Sen. PARKER -- read twice and ordered printed, and when printed to be committed to the Committee on Energy and Telecommunications
AN ACT to amend the energy law, the public officers law, the executive law, and the public service law, in relation to critical utility infrastructure security and responsibility
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. Subdivision 1 of section 3-101 of the energy law, as amended by chapter 253 of the laws of 2013, is amended to read as follows:
1. to obtain and maintain an adequate and continuous supply of safe, dependable and economical energy for the people of the state, including through the protection of critical infrastructure as defined in subdivision five of section eighty-six of the public officers law, and to accelerate development and use within the state of renewable energy sources, all in order to promote the state's economic growth, to create employment within the state, to protect its environmental values and agricultural heritage, to husband its resources for future generations, and to promote the health and welfare of its people;
§ 2. Subdivision 5 of section 86 of the public officers law, as added by chapter 403 of the laws of 2003, is amended to read as follows:
5. "Critical infrastructure" means systems, including industrial control systems, assets, places or things, whether physical or virtual, so vital to the state that the disruption, incapacitation or destruction of such systems, including industrial control systems, assets, places or things could jeopardize the health, safety, welfare or security of the state, its residents or its economy.
§ 3. Section 86 of the public officers law is amended by adding a new subdivision 6 to read as follows:
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD08666-04-9
6. "Industrial control systems" means a combination of control components that support operational functions in gas, distribution, transmission, and advanced metering infrastructure control centers, and act together to achieve an industrial objective, including controls that are fully automated or that include a human-machine interface.
§ 4. Paragraph (j) of subdivision 2 of section 709 of the executive law, as amended by section 14 of part B of chapter 56 of the laws of 2010, is amended to read as follows:
(j) work with local, state and federal agencies and private entities to conduct assessments of the vulnerability of critical infrastructure to terrorist attack, cyber attack, criminal behavior, and other natural and man-made disasters, including, but not limited to, nuclear facilities, power plants, telecommunications systems, mass transportation systems, public roadways, railways, bridges and tunnels, and attendant industrial control systems as defined by subdivision six of section eighty-six of the public officers law and develop strategies that may be used to protect such infrastructure from terrorist attack, cyber attack, criminal behavior, and other natural and man-made disasters;
§ 5. Subdivision 1 and paragraph (a) of subdivision 2 of section 713 of the executive law, as amended by section 16 of part B of chapter 56 of the laws of 2010, are amended to read as follows:
1. Notwithstanding any other provision of law, the commissioner of the division of homeland security and emergency services, in coordination with the state office of information technology services, shall conduct a review and analysis of measures being taken by the public service commission and any other agency or authority of the state or any political subdivision thereof and, to the extent practicable, of any federal entity, to protect the security of critical infrastructure related to energy generation and transmission located within the state. The commissioner of the division of homeland security and emergency services and the director of the state office of information technology services shall have the authority to review any audits or reports related to the security of such critical infrastructure, including audits or reports conducted at the request of the public service commission or any other agency or authority of the state or any political subdivision thereof or, to the extent practicable, of any federal entity. The owners and operators of such energy generating or transmission facilities shall, in compliance with any federal and state requirements regarding the dissemination of such information, provide access to the commissioner of the division of homeland security and emergency services and the director of the state office of information technology services to such audits or reports regarding such critical infrastructure provided, however, that exclusive custody and control of such audits and reports shall remain solely with the owners and operators of such energy generating or transmission facilities. For the purposes of this article, the term "critical infrastructure" has the meaning ascribed to that term in subdivision five of section eighty-six of the public officers law.
(a) On or before December thirty-first, two thousand four, and not later than three years after such date, and every five years thereafter, the commissioner of the division of homeland security and emergency services, in coordination with the state office of information technology services, shall report to the governor, the temporary president of the senate, the speaker of the assembly, the chairperson of the assembly standing committee on energy, the chairperson of the senate standing committee on energy and telecommunications, the chairperson of the public service commission and the chief executive of any such affected generating or transmission company or his or her designee. Such report shall review the security measures being taken regarding critical infrastructure related to energy generating and transmission facilities in consultation with the most recent version of the National Institute of Standards and Technology "Framework for Improving Critical Infrastructure Cybersecurity" and the North American Electrical Reliability Corporation's Critical Infrastructure Protection Standards, assess the effectiveness thereof, and include recommendations to the legislature or the public service commission if the commissioner of the division of homeland security and emergency services and the director of the state office of information technology services determines that additional measures are required to be implemented, considering, among other factors, the unique characteristics of each energy generating or transmission facility.
§ 6. The public service law is amended by adding a new section 54 to read as follows:
§ 54. Electric or gas consumption data protection. 1. An electric or gas corporation or municipality shall not share, sell, disclose, or otherwise make accessible to any third party a customer's electric or gas consumption data, except where the customer has consented and as provided in subdivision two of this section.
2. (a) Nothing in this section shall preclude an electric or gas corporation or municipality from disclosing a customer's electric or gas consumption data for analysis, reporting, or program management as long as all information has been anonymized regarding the individual identity of a customer.
(b) Nothing in this section shall preclude an electric or gas corporation or municipality from disclosing electric or gas consumption data as required or permitted under state or federal law or by an order of the commission.
(c) Nothing in this section shall preclude an electric or gas corporation or municipality from disclosing a customer's electric or gas consumption data to a third party that contracts with such corporation or municipality to provide services on behalf of the corporation.
3. An electric or gas corporation shall establish: (a) minimum cyber-security and safety standards and (b) minimum cyber-security insurance requirements, which shall be applicable to third parties seeking to connect to any such corporation's systems to receive consumption or other data. Any third party not contracted by such a corporation that seeks to connect to such corporation's systems to receive consumption or other data shall meet any such established cyber-security and safety standards and insurance requirements.
4. The commission shall promulgate rules and regulations by January first, two thousand twenty-one to ensure the implementation and enforcement of this section.
§ 7. Paragraph (a) of subdivision 19 of section 66 of the public service law, as amended by section 4 of part X of chapter 57 of the laws of 2013, is amended to read as follows:
(a) The commission shall have power to provide for management and operations audits of gas corporations and electric corporations. Such audits shall be performed at least once every five years for combination gas and electric corporations, as well as for straight gas corporations having annual gross revenues in excess of two hundred million dollars. The audit shall include, but not be limited to, an investigation of the company's construction program planning in relation to the needs of its customers for reliable service, an evaluation of the efficiency of the company's operations and use of customer electric or gas consumption data as provided for in section fifty-four of the public service law, recommendations with respect to same, and the timing with respect to the implementation of such recommendations. The commission shall have discretion to have such audits performed by its staff, or by independent auditors.
In every case in which the commission chooses to have the audit provided for in this subdivision or pursuant to subdivision fourteen of section sixty-five of this article performed by independent auditors, it shall have authority to select the auditors, and to require the company being audited to enter into a contract with the auditors providing for their payment by the company. Such contract shall provide further that the auditors shall work for and under the direction of the commission according to such terms as the commission may determine are necessary and reasonable.
§ 8. This act shall take effect on the one hundred eightieth day after it shall have become a law; provided, however, that section six of this act shall take effect thirty days after it shall have become a law. Effective immediately, the public service commission is authorized and directed to take actions necessary to promulgate rules and regulations related to the implementation of subdivision 3 of section 54 of the public service law on or before such effective date.