Bill Text: NY S06806 | 2021-2022 | General Assembly | Amended
Bill Title: Prohibits governmental entities, business entities and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2022-02-01 - REPORTED AND COMMITTED TO VETERANS, HOMELAND SECURITY AND MILITARY AFFAIRS [S06806 Detail]
Download: New_York-2021-S06806-Amended.html
STATE OF NEW YORK ________________________________________________________________________ 6806--A 2021-2022 Regular Sessions IN SENATE May 18, 2021 ___________ Introduced by Sen. SAVINO -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee AN ACT to amend the state technology law, in relation to the payment of ransom in the event of a cyber incident or a cyber ransom or ransom- ware attack The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The state technology law is amended by adding a new article 2 4 to read as follows: 3 ARTICLE IV 4 CYBER SECURITY INCIDENTS 5 Section 401. Payment of ransom; cyber incident, cyber ransom or ransom- 6 ware. 7 § 401. Payment of ransom; cyber incident, cyber ransom or ransomware. 8 1. For the purpose of this section: 9 a. "Cyber incident" means the compromise of the security, confiden- 10 tiality, or integrity of computerized data due to the exfiltration, 11 modification, or deletion that results in the unauthorized acquisition 12 of and access to information maintained by a governmental entity, busi- 13 ness entity, or health care entity. 14 b. "Cyber ransom or ransomware" means a type of malware that encrypts 15 or locks valuable digital files and demands a ransom to release the 16 files. 17 c. "Governmental entity" shall mean any state, city, town or village 18 or local department, board, bureau, division, commission, committee, 19 school district, public authority, public benefit corporation, council 20 or office, including all entities defined pursuant to section two of the EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD11518-02-1S. 6806--A 2 1 public authorities law. Such term shall include the state university of 2 New York and the city university of New York as well as the state legis- 3 lature, the judiciary or state and local legislatures. 4 d. "Business entity" shall mean any legal entity that conducts busi- 5 ness in the state of New York. 6 e. "Health care entity" shall mean hospitals, nursing homes, home 7 care, hospice and any other health care facilities regulated by the 8 department of health. 9 2. No governmental entity, business entity or health care entity with- 10 in the state shall pay, or have another entity pay on their behalf, 11 ransom in the event of a cyber incident or a cyber ransom or ransomware 12 attack. 13 3. All governmental entities shall report any cyber incidents and 14 cyber ransom or ransomware attacks to the New York state division of 15 homeland security and emergency services. 16 4. Any business entity that violates the provisions of this section 17 shall be subject to a civil penalty of up to ten thousand dollars 18 assessed by the attorney general. 19 § 2. This act shall take effect immediately.