Bill Text: NY A07682 | 2019-2020 | General Assembly | Introduced
Bill Title: Relates to critical utility infrastructure security and responsibility; relates to the protection of critical infrastructure in the state; provides that an electric or gas corporation or municipality shall not share, disclose or otherwise provide access to a customer's electrical or gas consumption data.
Spectrum: Slight Partisan Bill (Democrat 16-7)
Status: (Introduced - Dead) 2020-01-08 - referred to governmental operations
STATE OF NEW YORK

7682

2019-2020 Regular Sessions

IN ASSEMBLY

May 16, 2019

Introduced by M. of A. CUSICK -- read once and referred to the Committee on Governmental Operations

AN ACT to amend the energy law, the public officers law, the executive law, and the public service law, in relation to critical utility infrastructure security and responsibility

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. Subdivision 1 of section 3-101 of the energy law, as amended by chapter 253 of the laws of 2013, is amended to read as follows:

1. to obtain and maintain an adequate and continuous supply of safe, dependable and economical energy for the people of the state, including through the protection of critical infrastructure as defined in subdivision five of section eighty-six of the public officers law, and to accelerate development and use within the state of renewable energy sources, all in order to promote the state's economic growth, to create employment within the state, to protect its environmental values and agricultural heritage, to husband its resources for future generations, and to promote the health and welfare of its people;

§ 2. Subdivision 5 of section 86 of the public officers law, as added by chapter 403 of the laws of 2003, is amended to read as follows:

5. "Critical infrastructure" means systems, including industrial control systems, assets, places or things, whether physical or virtual, so vital to the state that the disruption, incapacitation or destruction of such systems, including industrial control systems, assets, places or things could jeopardize the health, safety, welfare or security of the state, its residents or its economy.

§ 3. Section 86 of the public officers law is amended by adding a new subdivision 6 to read as follows:

6. "Industrial control systems" means a combination of control components that support operational functions in gas, distribution, transmission, and advanced metering infrastructure control centers, and act together to achieve an industrial objective, including controls that are fully automated or that include a human-machine interface.

§ 4. Paragraph (j) of subdivision 2 of section 709 of the executive law, as amended by section 14 of part B of chapter 56 of the laws of 2010, is amended to read as follows:

(j) work with local, state and federal agencies and private entities to conduct assessments of the vulnerability of critical infrastructure to terrorist attack, cyber attack, criminal behavior, and other natural and man-made disasters, including, but not limited to, nuclear facilities, power plants, telecommunications systems, mass transportation systems, public roadways, railways, bridges and tunnels, and attendant industrial control systems as defined by subdivision six of section eighty-six of the public officers law and develop strategies that may be used to protect such infrastructure from terrorist attack, cyber attack, criminal behavior, and other natural and man-made disasters;

§ 5. Subdivision 1 and paragraph (a) of subdivision 2 of section 713 of the executive law, as amended by section 16 of part B of chapter 56 of the laws of 2010, are amended to read as follows:

1. Notwithstanding any other provision of law, the commissioner of the division of homeland security and emergency services, in coordination with the state office of information technology services, shall conduct a review and analysis of measures being taken by the public service commission and any other agency or authority of the state or any political subdivision thereof and, to the extent practicable, of any federal entity, to protect the security of critical infrastructure related to energy generation and transmission located within the state. The commissioner of the division of homeland security and emergency services and the director of the state office of information technology services shall have the authority to review any audits or reports related to the security of such critical infrastructure, including audits or reports conducted at the request of the public service commission or any other agency or authority of the state or any political subdivision thereof or, to the extent practicable, of any federal entity. The owners and operators of such energy generating or transmission facilities shall, in compliance with any federal and state requirements regarding the dissemination of such information, provide access to the commissioner of the division of homeland security and emergency services and the director of the state office of information technology services to such audits or reports regarding such critical infrastructure provided, however, that exclusive custody and control of such audits and reports shall remain solely with the owners and operators of such energy generating or transmission facilities. For the purposes of this article, the term "critical infrastructure" has the meaning ascribed to that term in subdivision five of section eighty-six of the public officers law.

(a) On or before December thirty-first, two thousand four, and not later than three years after such date, and every five years thereafter, the commissioner of the division of homeland security and emergency services, in coordination with the state office of information technology services, shall report to the governor, the temporary president of the senate, the speaker of the assembly, the chairperson of the assembly standing committee on energy, the chairperson of the senate standing committee on energy and telecommunications, the chairperson of the public service commission and the chief executive of any such affected generating or transmission company or his or her designee. Such report shall review the security measures being taken regarding critical infrastructure related to energy generating and transmission facilities in consultation with the most recent version of the National Institute of Standards and Technology "Framework for Improving Critical Infrastructure Cybersecurity" and the North American Electrical Reliability Corporation's Critical Infrastructure Protection Standards, assess the effectiveness thereof, and include recommendations to the legislature or the public service commission if the commissioner of the division of homeland security and emergency services and the director of the state office of information technology services determines that additional measures are required to be implemented, considering, among other factors, the unique characteristics of each energy generating or transmission facility.

§ 6. The public service law is amended by adding a new section 54 to read as follows:

§ 54. Electric or gas consumption data protection.

1. An electric or gas corporation or municipality shall not share, sell, disclose, or otherwise make accessible to any third party a customer's electric or gas consumption data, except where the customer has consented and as provided in subdivision two of this section.

2. (a) Nothing in this section shall preclude an electric or gas corporation or municipality from disclosing a customer's electric or gas consumption data for analysis, reporting, or program management as long as all information has been anonymized regarding the individual identity of a customer.

(b) Nothing in this section shall preclude an electric or gas corporation or municipality from disclosing electric or gas consumption data as required or permitted under state or federal law or by an order of the commission.

(c) Nothing in this section shall preclude an electric or gas corporation or municipality from disclosing a customer's electric or gas consumption data to a third party that contracts with such corporation or municipality to provide services on behalf of the corporation.

3. An electric or gas corporation shall establish: (a) minimum cyber-security and safety standards and (b) minimum cyber-security insurance requirements, which shall be applicable to third parties seeking to connect to any such corporation's systems to receive consumption or other data. Any third party not contracted by such a corporation that seeks to connect to such corporation's systems to receive consumption or other data shall meet any such established cyber-security and safety standards and insurance requirements.

4. The commission shall promulgate rules and regulations by January first, two thousand twenty-one to ensure the implementation and enforcement of this section.

§ 7. Paragraph (a) of subdivision 19 of section 66 of the public service law, as amended by section 4 of part X of chapter 57 of the laws of 2013, is amended to read as follows:

(a) The commission shall have power to provide for management and operations audits of gas corporations and electric corporations. Such audits shall be performed at least once every five years for combination gas and electric corporations, as well as for straight gas corporations having annual gross revenues in excess of two hundred million dollars. The audit shall include, but not be limited to, an investigation of the company's construction program planning in relation to the needs of its customers for reliable service, an evaluation of the efficiency of the company's operations and use of customer electric or gas consumption data as provided for in section fifty-four of the public service law, recommendations with respect to same, and the timing with respect to the implementation of such recommendations. The commission shall have discretion to have such audits performed by its staff, or by independent auditors.

In every case in which the commission chooses to have the audit provided for in this subdivision or pursuant to subdivision fourteen of section sixty-five of this article performed by independent auditors, it shall have authority to select the auditors, and to require the company being audited to enter into a contract with the auditors providing for their payment by the company. Such contract shall provide further that the auditors shall work for and under the direction of the commission according to such terms as the commission may determine are necessary and reasonable.

§ 8. This act shall take effect on the one hundred eightieth day after it shall have become a law; provided, however, that section six of this act shall take effect thirty days after it shall have become a law. Effective immediately, the public service commission is authorized and directed to take actions necessary to promulgate rules and regulations related to the implementation of subdivision 3 of section 54 of the public service law on or before such effective date.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD08666-04-9