Bill Text: NY A08793 | 2021-2022 | General Assembly | Introduced


Bill Title: Relates to the notification of certain state agencies of a breach of the security system or a breach of the security network.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2022-01-31 - substituted by s7786




                STATE OF NEW YORK
        ________________________________________________________________________

                                          8793

                   IN ASSEMBLY

                                    January 12, 2022
                                       ___________

        Introduced  by  M. of A. OTIS -- read once and referred to the Committee
          on Governmental Operations

        AN ACT to amend the state technology law, in relation to  the  notifica-
          tion  of  certain  agencies  of  a  breach of the security system or a
          breach of the security network

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:

     1    Section  1.  Section  209  of  the state technology law, as added by a
     2  chapter of the laws of 2021 amending the state technology  law  relating
     3  to  the  notification  of  certain  state  agencies  of a data breach or
     4  network security breach, as proposed in  legislative  bills  numbers  S.
     5  7019 and A.  7612, is amended to read as follows:
     6    § 209. Notification of [data] a breach [or network] of the security of
     7  the  system  or a breach of network security; shared data. 1. The office
     8  shall, within twenty-four hours  [following  the  discovery  of  a  data
     9  breach  or  network security breach or receiving notice of a data breach
    10  or network security breach] of either being  notified  of  or  receiving
    11  evidence  of  a  breach  of  the  security of the system, or a breach of
    12  network security, as defined in paragraphs (a) and  (b)  of  subdivision
    13  three  of this section, notify the chief information officer, [and where
    14  appropriate,] the chief information security officer, and  where  appro-
    15  priate, the cyber security coordinator of any state entity with which it
    16  shares  data, provides networked services or shares a network connection
    17  whose data, services or connection is [or may have been the subject  of]
    18  reasonably  suspected  to be affected by any such breach [whether or not
    19  such data was, or is reasonably believed to have been, acquired or  used
    20  by an unauthorized person].
    21    2. The office shall[, in addition to the provisions of subdivision one
    22  of  this  section,  notify]  provide the chief information officer, [and
    23  where appropriate,] the chief information security  officer,  and  where
    24  appropriate, the cyber risk coordinator of [such] any state entity [with
    25  which  it  shares  data, provides networked services or shares a network
    26  connection and whose data is or  may  have  been  the  subject  of  such
    27  breach,  of],  who has been notified pursuant to subdivision one of this

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD10523-02-2

     1  section, with  its  plan  for  remediation  of  the  breach  and  future
     2  protection of such data and network.
     3    3. For purposes of this section:
     4    (a) ["Data breach" shall mean an intentional or unintentional incident
     5  where  data  is  disclosed, released, stolen, or taken without the know-
     6  ledge or authorization of the data's owner or steward]  "Breach  of  the
     7  security  of the system" shall have the same meaning as defined in para-
     8  graph (b) of subdivision one of section two hundred eight of this  arti-
     9  cle.
    10    (b)  ["Network  security breach" shall mean an intentional or uninten-
    11  tional incident where an unauthorized party  has  gained  access  to  an
    12  organization's  network  without  the  knowledge or authorization of the
    13  network owner or steward] "Breach of network security" shall mean  unau-
    14  thorized  access  to or access without valid authorization of a computer
    15  network which compromises the security, confidentiality, or integrity of
    16  such network.
    17    (c) "State entity" shall [mean  any  state  board,  bureau,  division,
    18  committee,  commission,  council,  department,  public authority, public
    19  benefit corporation, office or other governmental  entity  performing  a
    20  governmental  or proprietary function for the state of New York, includ-
    21  ing the state legislature and the judiciary] have the  same  meaning  as
    22  provided  by  paragraph  (c)  of  subdivision one of section two hundred
    23  eight of this article.
    24    § 2. This act shall take effect on the  same  date  and  in  the  same
    25  manner  as  a  chapter of the laws of 2021 amending the state technology
    26  law relating to the notification of certain state  agencies  of  a  data
    27  breach  or  network  security  breach,  as proposed in legislative bills
    28  numbers S.  7019 and A. 7612, takes effect.