Bill Text: NY S01961 | 2025-2026 | General Assembly | Introduced
Bill Title: Establishes the "secure our data act"; relates to cybersecurity protection by state entities; requires the office of information technology services to develop standards for data protection of state entity-maintained information.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced) 2025-02-10 - REPORTED AND COMMITTED TO FINANCE [S01961 Detail]
Download: New_York-2025-S01961-Introduced.html
STATE OF NEW YORK
1961
2025-2026 Regular Sessions
IN SENATE
January 14, 2025

Introduced by Sen. GONZALEZ -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology

AN ACT to amend the state technology law, in relation to establishing the "secure our data act"

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. This act shall be known and may be cited as the "secure our data act".

§ 2. Legislative intent. The legislature finds that information technology attacks and breaches have compromised governmental networks and the electronically stored personal information of countless people statewide and nationwide. State entities often receive such personal information from various sources, including the data subjects themselves, other state entities, and the federal government. Additionally, state entities use such personal information to make determinations regarding data subjects. New Yorkers deserve to have their personal information in the possession of a state entity stored in a manner that will withstand any attempt by a bad actor to access, alter, or prohibit access to such information.

Therefore, the legislature enacts the secure our data act, which will require state entities to employ adequate practices and systems to protect the personal information from any unauthorized acquisition, access, alteration or change in access.

§ 3. The state technology law is amended by adding a new section 210 to read as follows:

§ 210. Cybersecurity protection. 1. Definitions. For purposes of this section, the following terms shall have the following meanings:

(a) "Breach of the security of the system" means (i) unauthorized exfiltration, acquisition, or acquisition without valid authorization, of computerized information which compromises the security, confidentiality, or integrity of state entity-maintained personal information, (ii) unauthorized access, or access without valid authorization, to state entity-maintained personal information or to an information system used for personal information, or (iii) unauthorized modification of the access permissions, including through the use of encryption, to an information system used for personal information. "Breach of the security of the system" does not include good faith acquisition of or access to personal information, or access to an information system by an employee or agent of a state entity for the purposes of the state entity; provided that the private information or information system is not used in an unauthorized manner, accessed for an unlawful or inappropriate purpose, modified to change access permissions without authorization, or subject to unauthorized disclosure. In determining whether state entity-maintained personal information or an information system used for personal information has been exfiltrated, acquired, accessed, or experienced a change in access permissions without authorization or without valid authorization, such state entity may consider the following factors, among others:

(1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information;
(2) indications that the information has been downloaded or copied;
(3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or
(4) indications that the information or information system was accessed without authorization or without valid authorization, including but not limited to data in information system access logs, changes modifying access to the information or information system, modification or deletion of stored information, injecting or installing malicious code on the information system, or unauthorized encryption of stored information.

(b) "Data subject" means the person who is the subject of the personal information.

(c) "Data validation" means ensuring the accuracy, quality, and validity of source data before using, importing, saving, storing, or otherwise processing data.

(d) "Immutable" means data that is stored unchanged over time or unable to be changed. For the purposes of backups, "immutable" shall mean that, once ingested, no external or internal operation can modify the data and must never be available in a read/write state to the client. "Immutable" shall specifically apply to the characteristics and attributes of a backup system's file system and may not be applied to temporary systems state, time-bound or expiring configurations, or temporary conditions created by a physical air gap as is implemented in most legacy systems, provided that immutable backups must be capable of deletion and replacement, as applicable, in accordance with the data retention and deletion policy governing the data. An immutable file system must demonstrate characteristics that do not permit the editing or changing of any data backed up to provide agencies with complete recovery capabilities.

(e) "Information system" means any good, service or a combination thereof, used by any computer, cloud service, or interconnected system that is maintained for or used by a state entity in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or voice including, but not limited to, hardware, software, information appliances, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically and electronically collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, coverage, interface, switch, or disseminate data or information of any kind or form.

(f) "Mission critical" means information or information systems that are essential to the functioning of the state entity.

(g) "Segmented storage" means the method of data storage whereby (i) information is partitioned or separated, with overlapping or non-overlapping protection, and (ii) such individual partitioned or separated sets of information are stored in multiple physically or logically distinct secure locations.

(h) "State entity-maintained personal information" means personal information stored by a state entity that was generated by a state entity or provided to the state entity by the data subject, a state entity, a federal governmental entity, or any other third-party source. Such term shall also include personal information provided by an adverse party in the course of litigation or other adversarial proceeding.

(i) "State entity" means any state board, bureau, division, committee, commission, council, department, public authority, public benefit corporation, office or other governmental entity performing a governmental or proprietary function for the state of New York, except:
(i) the judiciary; and
(ii) all cities, counties, municipalities, villages, towns, and other local agencies.

2. Data protection standards. (a) No later than one year after the effective date of this section, the director, in consultation with stakeholders and other interested parties, which shall include at least one public hearing, shall promulgate regulations that design and develop standards for:
(i) protection against breaches of the security of the system for mission critical information systems and for personal information used by such information systems;
(ii) data backup that includes;
(A) the creation of immutable backups of state entity-maintained personal information;
(B) through data validation techniques, the exclusion of unwanted data from such immutable backups, including but not limited to illegal content, corrupted data, malicious code, and content that breaches intellectual property protections;
(C) prohibitions on the use of such immutable backups except for conducting data validation and performing information system recovery; and
(D) storage of such immutable backups in segmented storage;
(iii) information system recovery that includes creating an identical copy of an immutable backup of state entity-maintained personal information in segmented storage for use when an information system has been adversely affected by a breach of the security of the system and requires restoration from one or more backups;
(iv) data retention and deletion policies specifying how long certain types of data shall be retained on information systems and as immutable backups in segmented storage and when or under what circumstances such data shall be deleted; and
(v) annual workforce training regarding protection against breaches of the security of the system, as well as processes and procedures that should be followed in the event of a breach of the security of the system.

(b) Such regulations may be adopted on an emergency basis. If such regulations are adopted on an emergency basis, the office shall engage in the formal rulemaking procedure no later than the day immediately following the date that the office promulgated such regulations on an emergency basis. Provided that the office has commenced the formal rulemaking process, the regulations adopted on an emergency basis may be renewed no more than two times.

3. Vulnerability assessments. Notwithstanding any provision of law to the contrary, each state entity shall engage in vulnerability testing of its information systems as follows:
(a) Beginning January first, two thousand twenty-six and on a monthly basis thereafter, each state entity shall perform, or cause to be performed, a vulnerability assessment of at least one mission critical information system ensuring that each mission critical system has undergone a vulnerability assessment during the past year. A report detailing the vulnerability assessment methodology and findings shall be made available to the office for review no later than forty-five days after the testing has been completed.
(b) Beginning December first, two thousand twenty-six, each state entity's entire information system shall undergo vulnerability testing. A report detailing the vulnerability assessment methodology and findings shall be made available to the office for review no later than forty-five days after such testing has been completed.
(c) The office shall assist state entities in complying with the provisions of this section.

4. Data and information system inventory. (a) No later than one year after the effective date of this section, each state entity shall create an inventory of the state entity-maintained personal information and the purpose or purposes for which such state entity-maintained personal information is maintained and used. The inventory shall include a listing of all types of state entity-maintained personal information, along with the source and the median age of such information.
(b) No later than one year after the effective date of this section, each state entity shall create an inventory of its information systems and the purpose or purposes for which each such information system is maintained and used. The inventory shall denote those information systems that are mission critical and those that use personal information, and whether the information system is protected by immutable backups and stored in a segmented manner.
(c) Notwithstanding paragraphs (a) and (b) of this subdivision, if a state entity has already completed a state entity-maintained personal information inventory or information systems inventory, such state entity shall update the previously completed state entity-maintained personal information inventory or information system inventory no later than one year after the effective date of this section.
(d) Upon written request from the office, a state entity shall provide the office with either or both of the state entity-maintained personal information and information systems inventories required to be created or updated pursuant to this subdivision.
(e) Notwithstanding paragraph (d) of this subdivision, the state entity-maintained personal information and information systems inventories required to be created or updated pursuant to this subdivision shall be kept confidential and shall not be made available for disclosure or inspection under the state freedom of information law unless a subpoena or other court order directs the office or state entity to release such inventory or information from such inventory.

5. Incident management and recovery. (a) No later than eighteen months after the effective date of this section, each state entity shall have created an incident response plan for incidents involving a breach of the security of the system that render an information system or its data unavailable, and incidents involving a breach of the security of the system that result in the alteration or deletion of or unauthorized access to, personal information.
(b) Such incident response plan shall include a procedure for situations where information systems have been adversely affected by a breach of the security of the system, as well as a procedure for the storage of personal information and mission critical backups in segmented storage to ensure that such personal information and mission critical systems are protected by immutable backups.
(c) Beginning January first, two thousand twenty-eight and on an annual basis thereafter, each state entity shall complete at least one exercise of its incident response plan that includes copying the immutable personal information and mission critical applications from the segmented portion of the state entity's information system and using such copies in the state entity's restoration and recovery process. Upon completion of such exercise, the state entity shall document the incident response plan's successes and shortcomings in an incident response plan exercise report. Such incident response plan exercise report shall be kept confidential and shall not be made available for disclosure or inspection under the state freedom of information law unless a subpoena or other court order directs the state entity to release such inventory or information from such inventory.

6. No private right of action. Nothing set forth in this section shall be construed as creating or establishing a private cause of action.

§ 4. Severability. The provisions of this act shall be severable and if any portion thereof or the applicability thereof to any person or circumstances shall be held to be invalid, the remainder of this act and the application thereof shall not be affected thereby.

§ 5. This act shall take effect immediately.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD05506-01-5S.
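The definitions of data validation (1(c)), immutability (1(d)) and segmented storage (1(g)), together with the backup, recovery and retention standards in 2(a)(ii) through (iv), amount to a small set of invariants a backup store must uphold: validate before ingest, never modify after ingest, keep replicas in distinct locations, hand back identical copies for recovery, and delete only through the retention policy. The Python model below is an added illustration of those invariants and is not part of the bill or of any ITS standard; the class and function names (ImmutableBackupStore, validate_record, demo), the record layout, the "scanner verdict" field standing in for malicious or illegal content, and the sample records are all assumptions constructed for the example.

```python
"""Toy model of section 210, subdivisions 1(c), 1(d), 1(g) and 2(a)(ii)-(iv):
validate before ingest, write once, replicate across segments, recover identical
copies, delete only via retention. Added illustration; names and layout are assumed."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


class ImmutabilityError(Exception): pass   # any change attempted after ingest (1(d))

class ValidationError(Exception): pass     # record failed data validation (1(c))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class BackupObject:
    """One backed-up record; frozen=True makes the object itself read-only."""
    object_id: str
    payload: bytes
    digest: str
    ingested: date


def validate_record(record: dict) -> BackupObject:
    """Validation before ingest (2(a)(ii)(B)): schema, integrity, unwanted content.
    The record layout is an assumption of this example; the bill prescribes none."""
    missing = {"object_id", "payload", "sha256", "scan_verdict", "ingested"} - set(record)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    if sha256_hex(record["payload"]) != record["sha256"]:
        raise ValidationError("checksum mismatch: corrupted data is excluded")
    # Malicious code, illegal content etc. are modelled as an upstream scanner's
    # verdict (assumed); anything not explicitly clean stays out of the backup.
    if record["scan_verdict"] != "clean":
        raise ValidationError(f"excluded by scanner verdict: {record['scan_verdict']}")
    return BackupObject(record["object_id"], record["payload"], record["sha256"], record["ingested"])


class ImmutableBackupStore:
    """Write-once store replicated across logically distinct segments (1(g)).
    Clients get ingest, recover and retention-driven delete only: with no update
    path the data is never in a read/write state for the client (1(d))."""

    def __init__(self, segment_names: tuple):
        self._segments = {name: {} for name in segment_names}

    def ingest(self, record: dict) -> str:
        obj = validate_record(record)
        if any(obj.object_id in seg for seg in self._segments.values()):
            raise ImmutabilityError(f"{obj.object_id} already ingested; overwrite refused")
        for seg in self._segments.values():
            seg[obj.object_id] = obj
        return obj.object_id

    def recover(self, object_id: str) -> bytes:
        """Identical copy for recovery (2(a)(iii)) after checking all segments agree."""
        copies = [seg[object_id] for seg in self._segments.values() if object_id in seg]
        if not copies:
            raise KeyError(object_id)
        digests = {sha256_hex(c.payload) for c in copies}
        if len(copies) != len(self._segments) or digests != {copies[0].digest}:
            raise ImmutabilityError(f"segments disagree for {object_id}; integrity lost")
        return bytes(copies[0].payload)

    def apply_retention(self, today: date, retain_days: int) -> list:
        """The only delete path: the retention and deletion policy (1(d), 2(a)(iv))."""
        cutoff = today - timedelta(days=retain_days)
        expired = sorted({oid for seg in self._segments.values()
                          for oid, obj in seg.items() if obj.ingested < cutoff})
        for seg in self._segments.values():
            for oid in expired:
                seg.pop(oid, None)
        return expired


def demo() -> dict:
    """Constructed sample run: one good record, one corrupted, one flagged."""
    store = ImmutableBackupStore(("segment-a", "segment-b"))
    good = b'{"subject_id": 1001, "name": "example"}'
    records = [
        {"object_id": "rec-1", "payload": good, "sha256": sha256_hex(good),
         "scan_verdict": "clean", "ingested": date(2026, 1, 10)},
        {"object_id": "rec-2", "payload": b"corrupted", "sha256": sha256_hex(b"original"),
         "scan_verdict": "clean", "ingested": date(2026, 1, 10)},
        {"object_id": "rec-3", "payload": b"MZ...", "sha256": sha256_hex(b"MZ..."),
         "scan_verdict": "malicious_code", "ingested": date(2025, 6, 1)},
    ]
    outcome = {}
    for rec in records:
        try:
            store.ingest(rec)
            outcome[rec["object_id"]] = "ingested"
        except ValidationError as exc:
            outcome[rec["object_id"]] = "rejected: " + str(exc).split(":")[0]
    try:
        store.ingest(records[0])  # a second write of rec-1 must be refused
        outcome["overwrite"] = "allowed"
    except ImmutabilityError:
        outcome["overwrite"] = "refused"
    outcome["recovered_matches"] = store.recover("rec-1") == good
    outcome["expired"] = store.apply_retention(date(2026, 3, 1), retain_days=30)
    return outcome
```

Running demo() ingests only rec-1, rejects the corrupted and flagged records, refuses the repeat write, recovers a byte-identical copy, and removes rec-1 once the 30-day retention window has passed. The frozen dataclass and the deliberate absence of any update method are the model's stand-in for a file system that "does not permit the editing or changing of any data backed up"; in production that property comes from WORM or object-lock storage rather than from application code, and the check in recover that every segment still holds the same digest is the kind of integrity verification an incident response exercise under subdivision 5(c) would confirm.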