Bill Text: NY A08793 | 2021-2022 | General Assembly | Introduced
Bill Title: Relates to the notification of certain state agencies of a breach of the security system or a breach of the security network.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2022-01-31 - substituted by s7786
STATE OF NEW YORK

8793

IN ASSEMBLY

January 12, 2022

Introduced by M. of A. OTIS -- read once and referred to the Committee on Governmental Operations

AN ACT to amend the state technology law, in relation to the notification of certain agencies of a breach of the security system or a breach of the security network

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. Section 209 of the state technology law, as added by a chapter of the laws of 2021 amending the state technology law relating to the notification of certain state agencies of a data breach or network security breach, as proposed in legislative bills numbers S. 7019 and A. 7612, is amended to read as follows:

§ 209. Notification of [data] a breach [or network] of the security of the system or a breach of network security; shared data.

1. The office shall, within twenty-four hours [following the discovery of a data breach or network security breach or receiving notice of a data breach or network security breach] of either being notified of or receiving evidence of a breach of the security of the system, or a breach of network security, as defined in paragraphs (a) and (b) of subdivision three of this section, notify the chief information officer, [and where appropriate,] the chief information security officer, and where appropriate, the cyber security coordinator of any state entity with which it shares data, provides networked services or shares a network connection whose data, services or connection is [or may have been the subject of] reasonably suspected to be affected by any such breach [whether or not such data was, or is reasonably believed to have been, acquired or used by an unauthorized person].

2. The office shall[, in addition to the provisions of subdivision one of this section, notify] provide the chief information officer, [and where appropriate,] the chief information security officer, and where appropriate, the cyber risk coordinator of [such] any state entity [with which it shares data, provides networked services or shares a network connection and whose data is or may have been the subject of such breach, of], who has been notified pursuant to subdivision one of this section, with its plan for remediation of the breach and future protection of such data and network.

3. For purposes of this section:

(a) ["Data breach" shall mean an intentional or unintentional incident where data is disclosed, released, stolen, or taken without the knowledge or authorization of the data's owner or steward] "Breach of the security of the system" shall have the same meaning as defined in paragraph (b) of subdivision one of section two hundred eight of this article.

(b) ["Network security breach" shall mean an intentional or unintentional incident where an unauthorized party has gained access to an organization's network without the knowledge or authorization of the network owner or steward] "Breach of network security" shall mean unauthorized access to or access without valid authorization of a computer network which compromises the security, confidentiality, or integrity of such network.

(c) "State entity" shall [mean any state board, bureau, division, committee, commission, council, department, public authority, public benefit corporation, office or other governmental entity performing a governmental or proprietary function for the state of New York, including the state legislature and the judiciary] have the same meaning as provided by paragraph (c) of subdivision one of section two hundred eight of this article.

§ 2. This act shall take effect on the same date and in the same manner as a chapter of the laws of 2021 amending the state technology law relating to the notification of certain state agencies of a data breach or network security breach, as proposed in legislative bills numbers S. 7019 and A. 7612, takes effect.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.

LBD10523-02-2