New York 2025-2026 Regular Session

New York Senate Bill S07672

Introduced: 4/28/25
Refer: 4/28/25
Engrossed: 5/12/25
Refer: 5/12/25
Engrossed: 5/19/25
Enrolled: 6/26/25
Chaptered: 6/26/25

Caption

Requires all municipal corporations to report cybersecurity incidents and demands of ransom payments to the division of homeland security and emergency services; defines terms; requires cybersecurity incident reviews; requires cybersecurity awareness training, cybersecurity protection and data protection standards for state maintained information systems.

Impact

The bill introduces significant changes to existing municipal laws by requiring public authorities to maintain detailed records of cybersecurity incidents, which are to be kept confidential and exempt from public disclosure under the state's freedom of information laws. This provision aims to protect sensitive information regarding the state's response to cyber threats. Furthermore, the legislation emphasizes the necessity of developing incident response plans within eighteen months of its enactment, thereby standardizing how municipal corporations manage and recover from cybersecurity breaches.

Summary

Bill S07672 aims to enhance cybersecurity measures across municipal corporations and public authorities in New York State. It establishes a framework that requires these entities to report any cybersecurity incidents, particularly those involving ransom demands, to the Division of Homeland Security and Emergency Services within 72 hours. The bill intends to improve incident response capabilities and protect state-maintained information systems from potential vulnerabilities. It also mandates annual cybersecurity awareness training for government employees starting in 2026, ensuring that personnel are well-equipped to handle cyber threats.

Contention

Notably, the bill has sparked discussions regarding privacy and transparency. Critics argue that exempting incident reports from public scrutiny could hinder accountability and oversight of municipal data management. They are concerned that the legislation, while aiming to fortify cybersecurity, could reduce transparency about how effectively these municipalities handle cyber threats and ransom situations. Proponents defend the bill, asserting that the confidentiality of these reports is essential to safeguard sensitive operational details and minimize risks of further attacks.

Companion Bills

NY A06769

Same As: Requires all municipal corporations to report cybersecurity incidents and demands of ransom payments to the division of homeland security and emergency services; defines terms; requires cybersecurity incident reviews; requires cybersecurity awareness training, cybersecurity protection and data protection standards for state maintained information systems.

Previously Filed As

NY A06769

Requires all municipal corporations to report cybersecurity incidents and demands of ransom payments to the division of homeland security and emergency services; defines terms; requires cybersecurity incident reviews; requires cybersecurity awareness training, cybersecurity protection and data protection standards for state maintained information systems.

NY S39

Protecting sensitive personal information from breaches and other cybersecurity incidents

NY S1176

Requires certain procedures and training for municipalities, counties, and school districts in response to cybersecurity incidents.

NY S1262

Requires businesses in financial essential infrastructure, and health care industries to develop cybersecurity plans and report cybersecurity incidents.

NY H1183

Cybersecurity Incident Liability

NY S01961

Establishes the "secure our data act"; relates to cybersecurity protection by state entities; requires the office of information technology services to develop standards for data protection of state entity-maintained information.

NY HB957

Cybersecurity - Standards and Compliance - Alterations

NY SB601

Cybersecurity - Standards and Compliance - Alterations

NY SB907

Cybersecurity - Standards, Compliance, and Audits - Alterations

NY A08614

Requires all state entities, including local governments, to notify affected individuals in the event of a data breach where information is compromised; defines "cybersecurity incident".

Similar Bills

No similar bills found.