Bill Text: NY S06195 | 2019-2020 | General Assembly | Introduced


Bill Title: Relates to critical utility infrastructure security and responsibility; relates to the protection of critical infrastructure in the state; provides that an electric or gas corporation or municipality shall not share, disclose or otherwise provide access to a customer's electrical or gas consumption data.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Engrossed) 2019-06-20 - COMMITTED TO RULES




                STATE OF NEW YORK
        ________________________________________________________________________

                                          6195

                               2019-2020 Regular Sessions

                    IN SENATE

                                      May 22, 2019
                                       ___________

        Introduced  by  Sen.  PARKER -- read twice and ordered printed, and when
          printed to be committed to the Committee on  Energy  and  Telecommuni-
          cations

        AN  ACT  to amend the energy law, the public officers law, the executive
          law, and the public service  law,  in  relation  to  critical  utility
          infrastructure security and responsibility

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. Subdivision 1 of  section  3-101  of  the  energy  law,  as
     2  amended  by  chapter  253  of  the  laws  of 2013, is amended to read as
     3  follows:
     4    1. to obtain and maintain an adequate and continuous supply  of  safe,
     5  dependable  and economical energy for the people of the state, including
     6  through the protection of critical infrastructure as defined in subdivi-
     7  sion five of section eighty-six of  the  public  officers  law,  and  to
     8  accelerate  development  and  use  within  the state of renewable energy
     9  sources, all in order to promote the state's economic growth, to  create
    10  employment  within  the  state,  to protect its environmental values and
    11  agricultural heritage, to husband its resources for future  generations,
    12  and to promote the health and welfare of its people;
    13    §  2. Subdivision 5 of section 86 of the public officers law, as added
    14  by chapter 403 of the laws of 2003, is amended to read as follows:
    15    5.  "Critical  infrastructure"  means  systems,  including  industrial
    16  control  systems, assets, places or things, whether physical or virtual,
    17  so vital to the state that the disruption, incapacitation or destruction
    18  of such systems, including industrial control systems, assets, places or
    19  things could jeopardize the health, safety, welfare or security  of  the
    20  state, its residents or its economy.
    21    §  3. Section 86 of the public officers law is amended by adding a new
    22  subdivision 6 to read as follows:

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD08666-04-9

        S. 6195                             2

     1    6. "Industrial control systems" means a combination of control  compo-
     2  nents  that  support  operational functions in gas, distribution, trans-
     3  mission, and advanced metering infrastructure control centers,  and  act
     4  together to achieve an industrial objective, including controls that are
     5  fully automated or that include a human-machine interface.
     6    §  4.  Paragraph  (j) of subdivision 2 of section 709 of the executive
     7  law, as amended by section 14 of part B of chapter 56  of  the  laws  of
     8  2010, is amended to read as follows:
     9    (j)  work  with local, state and federal agencies and private entities
    10  to conduct assessments of the vulnerability of  critical  infrastructure
    11  to  terrorist attack, cyber attack, criminal behavior, and other natural
    12  and man-made disasters, including, but not limited to,  nuclear  facili-
    13  ties,  power  plants,  telecommunications  systems,  mass transportation
    14  systems, public roadways, railways, bridges and tunnels,  and  attendant
    15  industrial  control  systems  as  defined  by subdivision six of section
    16  eighty-six of the public officers law and develop strategies that may be
    17  used to protect such infrastructure from terrorist attack, cyber attack,
    18  criminal behavior, and other natural and man-made disasters;
    19    § 5. Subdivision 1 and paragraph (a) of subdivision 2 of  section  713
    20  of  the  executive law, as amended by section 16 of part B of chapter 56
    21  of the laws of 2010, are amended to read as follows:
    22    1. Notwithstanding any other provision of law, the commissioner of the
    23  division of homeland security and emergency  services,  in  coordination
    24  with  the state office of information technology services, shall conduct
    25  a review and analysis of measures being  taken  by  the  public  service
    26  commission  and  any other agency or authority of the state or any poli-
    27  tical subdivision thereof and, to the extent practicable, of any federal
    28  entity, to protect the security of critical  infrastructure  related  to
    29  energy generation and transmission located within the state. The commis-
    30  sioner  of  the division of homeland security and emergency services and
    31  the director of the state  office  of  information  technology  services
    32  shall  have the authority to review any audits or reports related to the
    33  security of such critical infrastructure, including  audits  or  reports
    34  conducted  at  the request of the public service commission or any other
    35  agency or authority of the state or any  political  subdivision  thereof
    36  or,  to  the  extent  practicable, of any federal entity. The owners and
    37  operators of such energy generating or transmission facilities shall, in
    38  compliance with any federal and state requirements regarding the dissem-
    39  ination of such information, provide access to the commissioner  of  the
    40  division of homeland security and emergency services and the director of
    41  the  state  office  of information technology services to such audits or
    42  reports regarding such critical infrastructure provided,  however,  that
    43  exclusive  custody  and  control of such audits and reports shall remain
    44  solely with the owners and operators of such energy generating or trans-
    45  mission facilities. For the purposes of this article, the term "critical
    46  infrastructure" has the meaning ascribed to  that  term  in  subdivision
    47  five of section eighty-six of the public officers law.
    48    (a)  On  or  before  December thirty-first, two thousand four, and not
    49  later than three years after such date, and every five years thereafter,
    50  the commissioner of the division  of  homeland  security  and  emergency
    51  services, in coordination with the state office of information technolo-
    52  gy  services,  shall  report to the governor, the temporary president of
    53  the senate, the speaker of the assembly, the chairperson of the assembly
    54  standing committee on energy, the chairperson  of  the  senate  standing
    55  committee  on  energy  and  telecommunications,  the  chairperson of the
    56  public service commission and the chief executive of any  such  affected

     1  generating  or  transmission company or his or her designee. Such report
     2  shall review  the  security  measures  being  taken  regarding  critical
     3  infrastructure  related to energy generating and transmission facilities
     4  in  consultation  with the most recent version of the National Institute
     5  of Standards and Technology "Framework for  Improving  Critical  Infras-
     6  tructure  Cybersecurity"  and  the North American Electrical Reliability
     7  Corporation's Critical Infrastructure Protection Standards,  assess  the
     8  effectiveness thereof, and include recommendations to the legislature or
     9  the  public  service  commission  if the commissioner of the division of
    10  homeland security and emergency services and the director of  the  state
    11  office  of  information  technology  services determines that additional
    12  measures are  required  to  be  implemented,  considering,  among  other
    13  factors,  the unique characteristics of each energy generating or trans-
    14  mission facility.
    15    § 6. The public service law is amended by adding a new section  54  to
    16  read as follows:
    17    §  54.  Electric or gas consumption data protection. 1. An electric or
    18  gas corporation or municipality shall  not  share,  sell,  disclose,  or
    19  otherwise  make  accessible  to any third party a customer's electric or
    20  gas consumption data, except where the customer  has  consented  and  as
    21  provided in subdivision two of this section.
    22    2.(a) Nothing in this section shall preclude an electric or gas corpo-
    23  ration  or  municipality  from  disclosing  a customer's electric or gas
    24  consumption data for analysis, reporting, or program management as  long
    25  as all information has been anonymized regarding the individual identity
    26  of a customer.
    27    (b)  Nothing  in this section shall preclude an electric or gas corpo-
    28  ration or municipality from disclosing electric or gas consumption  data
    29  as  required  or  permitted under state or federal law or by an order of
    30  the commission.
    31    (c) Nothing in this section shall preclude an electric or  gas  corpo-
    32  ration  or  municipality  from  disclosing  a customer's electric or gas
    33  consumption data to a third party that contracts with  such  corporation
    34  or municipality to provide services on behalf of the corporation.
    35    3.  An electric or gas corporation shall establish: (a) minimum cyber-
    36  security and safety standards and (b) minimum  cyber-security  insurance
    37  requirements,  which  shall  be  applicable  to third parties seeking to
    38  connect to any such corporation's  systems  to  receive  consumption  or
    39  other  data.  Any  third party not contracted by such a corporation that
    40  seeks to connect to such corporation's systems to receive consumption or
    41  other data shall meet any such  established  cyber-security  and  safety
    42  standards and insurance requirements.
    43    4.  The  commission  shall promulgate rules and regulations by January
    44  first, two thousand twenty-one to ensure the implementation and enforce-
    45  ment of this section.
    46    § 7. Paragraph (a) of subdivision 19  of  section  66  of  the  public
    47  service law, as amended by section 4 of part X of chapter 57 of the laws
    48  of 2013, is amended to read as follows:
    49    (a)  The  commission  shall  have  power to provide for management and
    50  operations audits of gas corporations and  electric  corporations.  Such
    51  audits shall be performed at least once every five years for combination
    52  gas  and electric corporations, as well as for straight gas corporations
    53  having annual gross revenues in excess of two hundred  million  dollars.
    54  The  audit shall include, but not be limited to, an investigation of the
    55  company's construction program planning in relation to the needs of  its
    56  customers  for  reliable service, an evaluation of the efficiency of the

     1  company's operations and use of customer  electric  or  gas  consumption
     2  data  as  provided  for in section fifty-four of the public service law,
     3  recommendations with respect to same, and the timing with respect to the
     4  implementation  of  such  recommendations.  The  commission  shall  have
     5  discretion to have such audits performed by its staff, or by independent
     6  auditors.
     7    In every case in which  the  commission  chooses  to  have  the  audit
     8  provided  for in this subdivision or pursuant to subdivision fourteen of
     9  section sixty-five of this article performed by independent auditors, it
    10  shall have authority to select the auditors, and to require the  company
    11  being  audited  to enter into a contract with the auditors providing for
    12  their payment by the company. Such contract shall provide  further  that
    13  the  auditors  shall  work for and under the direction of the commission
    14  according to such terms as the commission may  determine  are  necessary
    15  and reasonable.
    16    § 8. This act shall take effect on the one hundred eightieth day after
    17  it  shall have become a law; provided, however, that section six of this
    18  act shall take effect thirty days after it  shall  have  become  a  law.
    19  Effective  immediately,  the public service commission is authorized and
    20  directed to take actions necessary to promulgate rules  and  regulations
    21  related  to  the  implementation  of  subdivision 3 of section 54 of the
    22  public service law on or before such effective date.