Bill Text: NY A06130 | 2015-2016 | General Assembly | Introduced
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Requires the formation of a cyber security advisory board and the implementation of a cyber security initiative.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2016-01-20 - print number 6130a [A06130 Detail]
Download: New_York-2015-A06130-Introduced.html
Bill Title: Requires the formation of a cyber security advisory board and the implementation of a cyber security initiative.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2016-01-20 - print number 6130a [A06130 Detail]
Download: New_York-2015-A06130-Introduced.html
S T A T E O F N E W Y O R K ________________________________________________________________________ 6130 2015-2016 Regular Sessions I N A S S E M B L Y March 16, 2015 ___________ Introduced by M. of A. DenDEKKER -- read once and referred to the Committee on Governmental Operations AN ACT to amend the executive law, in relation to a cyber security initiative THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM- BLY, DO ENACT AS FOLLOWS: 1 Section 1. The executive law is amended by adding a new section 719 to 2 read as follows: 3 S 719. NEW YORK STATE CYBER SECURITY INITIATIVE. 1. LEGISLATIVE FIND- 4 INGS. THE LEGISLATURE FINDS AND DECLARES THAT REPEATED CYBER INTRUSIONS 5 INTO CRITICAL INFRASTRUCTURE, EFFECTING GOVERNMENT, PRIVATE SECTOR BUSI- 6 NESS, AND CITIZENS OF THE STATE OF NEW YORK, HAVE DEMONSTRATED THE NEED 7 FOR IMPROVED CYBER SECURITY. 8 THE LEGISLATURE FURTHER FINDS AND DECLARES THAT THIS CYBER THREAT 9 CONTINUES TO GROW AND REPRESENTS ONE OF THE MOST SERIOUS PUBLIC SECURITY 10 CHALLENGES THAT NEW YORK MUST CONFRONT. MOREOVER, THE SECURITY OF THE 11 STATE OF NEW YORK DEPENDS ON THE RELIABLE FUNCTIONING OF NEW YORK 12 STATE'S CRITICAL INFRASTRUCTURE, AND PRIVATE SECTOR BUSINESS INTERESTS, 13 AS WELL AS THE PROTECTION OF THE FINANCES AND INDIVIDUAL LIBERTIES OF 14 EVERY CITIZEN, IN THE FACE OF SUCH THREATS. 15 THE LEGISLATURE ADDITIONALLY FINDS AND DECLARES THAT TO ENHANCE THE 16 SECURITY, PROTECTION AND RESILIENCE OF NEW YORK STATE'S CRITICAL INFRAS- 17 TRUCTURE, AND PRIVATE SECTOR BUSINESS INTERESTS, AS WELL AS THE 18 PROTECTION OF THE FINANCES AND INDIVIDUAL LIBERTIES OF EVERY CITIZEN, 19 THE STATE OF NEW YORK MUST PROMOTE A CYBER ENVIRONMENT THAT ENCOURAGES 20 EFFICIENCY, INNOVATION, AND ECONOMIC PROSPERITY, AND THAT CAN OPERATE 21 WITH SAFETY, SECURITY, BUSINESS CONFIDENTIALITY, PRIVACY, AND CIVIL 22 LIBERTY. 23 THE LEGISLATURE FURTHER FINDS AND DECLARES THAT TO CREATE SUCH A SAFE 24 AND SECURE CYBER ENVIRONMENT FOR GOVERNMENT, PRIVATE SECTOR BUSINESS AND 25 INDIVIDUAL CITIZENS, NEW YORK MUST ADVANCE, IN ADDITION TO ITS CURRENT EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD09031-01-5 A. 6130 2 1 EFFORTS IN THIS FIELD, A NEW YORK STATE CYBER SECURITY INITIATIVE, THAT 2 ESTABLISHES A NEW YORK STATE CYBER SECURITY ADVISORY BOARD; A NEW YORK 3 STATE CYBER SECURITY PARTNERSHIP PROGRAM WITH THE OWNERS AND OPERATORS 4 OF CRITICAL INFRASTRUCTURE, PRIVATE SECTOR BUSINESS, ACADEMIA, AND INDI- 5 VIDUAL CITIZENS TO IMPROVE, DEVELOP AND IMPLEMENT RISK-BASED STANDARDS 6 FOR GOVERNMENT, PRIVATE SECTOR BUSINESSES AND INDIVIDUAL CITIZENS; AND A 7 NEW YORK STATE CYBER SECURITY INFORMATION SHARING PROGRAM. 8 2. CRITICAL INFRASTRUCTURE AND INFORMATION SYSTEMS. AS USED IN THIS 9 SECTION, THE TERM "CRITICAL INFRASTRUCTURE AND INFORMATION SYSTEMS" 10 SHALL MEAN ALL SYSTEMS AND ASSETS, WHETHER PHYSICAL OR VIRTUAL, SO VITAL 11 TO THE GOVERNMENT, PRIVATE SECTOR BUSINESSES AND INDIVIDUAL CITIZENS OF 12 THE STATE OF NEW YORK THAT THE INCAPACITY OR DESTRUCTION OF SUCH SYSTEMS 13 AND ASSETS WOULD HAVE A DEBILITATING IMPACT TO THE SECURITY, ECONOMY, OR 14 PUBLIC HEALTH OF THE INDIVIDUAL CITIZENS, GOVERNMENT, OR PRIVATE SECTOR 15 BUSINESSES OF THE STATE OF NEW YORK. 16 3. NEW YORK STATE CYBER SECURITY ADVISORY BOARD. (A) THERE SHALL BE 17 WITHIN THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES, A NEW 18 YORK STATE CYBER SECURITY ADVISORY BOARD, WHICH SHALL ADVISE THE GOVER- 19 NOR AND THE LEGISLATURE ON DEVELOPMENTS IN CYBER SECURITY AND MAKE 20 RECOMMENDATIONS FOR PROTECTING THE STATE'S CRITICAL INFRASTRUCTURE AND 21 INFORMATION SYSTEMS. 22 (B) THE BOARD MEMBERS SHALL CONSIST OF ELEVEN MEMBERS APPOINTED BY THE 23 GOVERNOR, WITH THREE MEMBERS APPOINTED UPON RECOMMENDATION OF THE TEMPO- 24 RARY PRESIDENT OF THE SENATE, AND THREE MEMBERS APPOINTED AT THE RECOM- 25 MENDATION OF THE SPEAKER OF THE ASSEMBLY. ALL MEMBERS SO APPOINTED SHALL 26 HAVE EXPERTISE IN CYBER SECURITY, TELECOMMUNICATIONS, INTERNET SERVICE 27 DELIVERY, PUBLIC PROTECTION, COMPUTER SYSTEMS AND/OR COMPUTER NETWORKS. 28 (C) THE BOARD SHALL INVESTIGATE, DISCUSS AND MAKE RECOMMENDATIONS 29 CONCERNING CYBER SECURITY ISSUES INVOLVING BOTH THE PUBLIC AND PRIVATE 30 SECTORS AND WHAT STEPS CAN BE TAKEN BY NEW YORK STATE TO PROTECT CRIT- 31 ICAL CYBER INFRASTRUCTURE, FINANCIAL SYSTEMS, TELECOMMUNICATIONS 32 NETWORKS, ELECTRICAL GRIDS, SECURITY SYSTEMS, FIRST RESPONDER SYSTEMS 33 AND INFRASTRUCTURE, PHYSICAL INFRASTRUCTURE SYSTEMS, TRANSPORTATION 34 SYSTEMS, AND SUCH OTHER AND FURTHER SECTORS OF STATE GOVERNMENT AND THE 35 PRIVATE SECTOR AS THE ADVISORY BOARD SHALL DEEM PRUDENT. 36 (D) THE PURPOSE OF THE ADVISORY BOARD SHALL BE TO PROMOTE THE DEVELOP- 37 MENT OF INNOVATIVE, ACTIONABLE POLICIES TO ENSURE THAT NEW YORK STATE IS 38 IN THE FOREFRONT OF PUBLIC CYBER SECURITY DEFENSE. 39 (E) THE MEMBERS OF THE ADVISORY BOARD SHALL RECEIVE NO COMPENSATION 40 FOR THEIR SERVICES, BUT MAY RECEIVE ACTUAL AND NECESSARY EXPENSES, AND 41 SHALL NOT BE DISQUALIFIED FOR HOLDING ANY OTHER PUBLIC OFFICE OR EMPLOY- 42 MENT BY MEANS OF THEIR SERVICE AS A MEMBER OF THE ADVISORY BOARD. 43 (F) THE ADVISORY BOARD SHALL BE ENTITLED TO REQUEST AND RECEIVE, AND 44 SHALL BE PROVIDED WITH, SUCH FACILITIES, RESOURCES AND DATA OF ANY AGEN- 45 CY, DEPARTMENT, DIVISION, BOARD, BUREAU, COMMISSION, OR PUBLIC AUTHORITY 46 OF THE STATE, AS THEY MAY REASONABLY REQUEST, TO CARRY OUT PROPERLY 47 THEIR POWERS, DUTIES AND PURPOSE. 48 4. NEW YORK STATE CYBER SECURITY INFORMATION SHARING AND THREAT 49 PREVENTION PROGRAM. (A) THE DIVISION OF HOMELAND SECURITY AND EMERGENCY 50 SERVICES, IN CONSULTATION WITH THE DIVISION OF THE STATE POLICE, THE 51 STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES, AND THE CENTER FOR 52 INTERNET SECURITY, SHALL ESTABLISH, WITHIN SIXTY DAYS OF THE EFFECTIVE 53 DATE OF THIS SECTION, A NEW YORK STATE CYBER SECURITY INFORMATION SHAR- 54 ING AND THREAT PREVENTION PROGRAM. 55 (B) IT SHALL BE THE PURPOSE OF THE NEW YORK STATE CYBER SECURITY 56 INFORMATION SHARING AND THREAT PREVENTION PROGRAM TO INCREASE THE A. 6130 3 1 VOLUME, TIMELINESS, AND QUALITY OF CYBER THREAT INFORMATION SHARED WITH 2 NEW YORK STATE PUBLIC AND PRIVATE SECTOR ENTITIES SO THAT THESE ENTITIES 3 MAY BETTER PROTECT AND DEFEND THEMSELVES AGAINST CYBER THREATS AND TO 4 PROMOTE THE DEVELOPMENT OF EFFECTIVE DEFENSES AND STRATEGIES TO COMBAT, 5 AND PROTECT AGAINST, CYBER THREATS AND ATTACKS. 6 (C) TO FACILITATE THE PURPOSES OF THE NEW YORK STATE CYBER SECURITY 7 INFORMATION SHARING AND THREAT PREVENTION PROGRAM, THE DIVISION OF HOME- 8 LAND SECURITY AND EMERGENCY SERVICES, SHALL PROMULGATE REGULATIONS, IN 9 ACCORDANCE WITH THE PROVISIONS OF THIS SUBDIVISION. 10 (D) THE REGULATIONS SHALL PROVIDE FOR THE TIMELY PRODUCTION OF UNCLAS- 11 SIFIED REPORTS OF CYBER THREATS TO NEW YORK STATE AND ITS PUBLIC AND 12 PRIVATE SECTOR ENTITIES, INCLUDING THREATS THAT IDENTIFY A SPECIFIC 13 TARGETED ENTITY. 14 (E) THE REGULATIONS SHALL ADDRESS THE NEED TO PROTECT INTELLIGENCE AND 15 LAW ENFORCEMENT SOURCES, METHODS, OPERATIONS, AND INVESTIGATIONS, AND 16 SHALL FURTHER ESTABLISH A PROCESS THAT RAPIDLY DISSEMINATES THE REPORTS 17 PRODUCED PURSUANT TO PARAGRAPH (D) OF THIS SUBDIVISION, TO BOTH ANY 18 TARGETED ENTITY AS WELL AS SUCH OTHER AND FURTHER PUBLIC AND PRIVATE 19 ENTITIES AS THE DIVISION SHALL DEEM NECESSARY TO ADVANCE THE PURPOSES OF 20 THIS SUBDIVISION. 21 (F) THE REGULATIONS SHALL FURTHER ESTABLISH A SYSTEM FOR TRACKING THE 22 PRODUCTION, DISSEMINATION, AND DISPOSITION OF THE REPORTS PRODUCED IN 23 ACCORDANCE WITH THE PROVISIONS OF THIS SUBDIVISION. 24 (G) THE REGULATIONS SHALL ALSO ESTABLISH AN ENHANCED CYBER SECURITY 25 SERVICES PROGRAM, WITHIN NEW YORK STATE, TO PROVIDE FOR PROCEDURES, 26 METHODS AND DIRECTIVES, FOR A VOLUNTARY INFORMATION SHARING PROGRAM, 27 THAT WILL PROVIDE CYBER THREAT AND TECHNICAL INFORMATION COLLECTED FROM 28 BOTH PUBLIC AND PRIVATE SECTOR ENTITIES, TO SUCH PRIVATE AND PUBLIC 29 SECTOR ENTITIES AS THE DIVISION DEEMS PRUDENT, TO ADVISE ELIGIBLE CRIT- 30 ICAL INFRASTRUCTURE COMPANIES OR COMMERCIAL SERVICE PROVIDERS THAT OFFER 31 SECURITY SERVICES TO CRITICAL INFRASTRUCTURE ON CYBER SECURITY THREATS 32 AND DEFENSE MEASURES. 33 (H) THE REGULATIONS SHALL ALSO SEEK TO DEVELOP STRATEGIES TO MAXIMIZE 34 THE UTILITY OF CYBER THREAT INFORMATION SHARING BETWEEN AND ACROSS THE 35 PRIVATE AND PUBLIC SECTORS, AND SHALL FURTHER SEEK TO PROMOTE THE USE OF 36 PRIVATE AND PUBLIC SECTOR SUBJECT MATTER EXPERTS TO ADDRESS CYBER SECU- 37 RITY NEEDS IN NEW YORK STATE, WITH THESE SUBJECT MATTER EXPERTS PROVID- 38 ING ADVICE REGARDING THE CONTENT, STRUCTURE, AND TYPES OF INFORMATION 39 MOST USEFUL TO CRITICAL INFRASTRUCTURE OWNERS AND OPERATORS IN REDUCING 40 AND MITIGATING CYBER RISKS. 41 (I) THE REGULATIONS SHALL FURTHER SEEK TO ESTABLISH A CONSULTATIVE 42 PROCESS TO COORDINATE IMPROVEMENTS TO THE CYBER SECURITY OF CRITICAL 43 INFRASTRUCTURE, WHERE AS PART OF THE CONSULTATIVE PROCESS, THE PUBLIC 44 AND PRIVATE ENTITIES OF THE STATE OF NEW YORK SHALL ENGAGE AND CONSIDER 45 THE ADVICE OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES, 46 THE DIVISION OF THE STATE POLICE, THE STATE OFFICE OF INFORMATION TECH- 47 NOLOGY SERVICES, THE CENTER FOR INTERNET SECURITY, THE NEW YORK STATE 48 CYBER SECURITY ADVISORY BOARD, THE PROGRAMS ESTABLISHED BY THIS SUBDIVI- 49 SION, AND SUCH OTHER AND FURTHER PRIVATE AND PUBLIC SECTOR ENTITIES, 50 UNIVERSITIES, AND CYBER SECURITY EXPERTS AS THE DIVISION OF HOMELAND 51 SECURITY AND EMERGENCY SERVICES MAY DEEM PRUDENT. 52 (J) THE REGULATIONS SHALL FURTHER SEEK TO ESTABLISH A BASELINE FRAME- 53 WORK TO REDUCE CYBER RISK TO CRITICAL INFRASTRUCTURE, AND SHALL SEEK TO 54 HAVE THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES, IN 55 CONSULTATION WITH THE DIVISION OF STATE POLICE, THE STATE OFFICE OF 56 INFORMATION TECHNOLOGY SERVICES, AND THE CENTER FOR INTERNET SECURITY, A. 6130 4 1 LEAD THE DEVELOPMENT OF A FRAMEWORK TO REDUCE CYBER RISKS TO CRITICAL 2 INFRASTRUCTURE, TO BE KNOWN AS THE CYBER SECURITY FRAMEWORK, WHICH 3 SHALL: 4 (I) INCLUDE A SET OF STANDARDS, METHODOLOGIES, PROCEDURES, AND PROC- 5 ESSES THAT ALIGN POLICY, BUSINESS, AND TECHNOLOGICAL APPROACHES TO 6 ADDRESS CYBER RISKS; 7 (II) INCORPORATE VOLUNTARY CONSENSUS STANDARDS AND INDUSTRY BEST PRAC- 8 TICES TO THE FULLEST EXTENT POSSIBLE; 9 (III) PROVIDE A PRIORITIZED, FLEXIBLE, REPEATABLE, PERFORMANCE-BASED, 10 AND COST-EFFECTIVE APPROACH, INCLUDING INFORMATION SECURITY MEASURES AND 11 CONTROLS, TO HELP OWNERS AND OPERATORS OF CRITICAL INFRASTRUCTURE IDEN- 12 TIFY, ASSESS, AND MANAGE CYBER RISK; 13 (IV) FOCUS ON IDENTIFYING CROSS-SECTOR SECURITY STANDARDS AND GUIDE- 14 LINES APPLICABLE TO CRITICAL INFRASTRUCTURE; 15 (V) IDENTIFY AREAS FOR IMPROVEMENT THAT SHOULD BE ADDRESSED THROUGH 16 FUTURE COLLABORATION WITH PARTICULAR SECTORS AND STANDARDS-DEVELOPING 17 ORGANIZATIONS; 18 (VI) ENABLE TECHNICAL INNOVATION AND ACCOUNT FOR ORGANIZATIONAL 19 DIFFERENCES, TO PROVIDE GUIDANCE THAT IS TECHNOLOGY NEUTRAL AND THAT 20 ENABLES CRITICAL INFRASTRUCTURE SECTORS TO BENEFIT FROM A COMPETITIVE 21 MARKET FOR PRODUCTS AND SERVICES THAT MEET THE STANDARDS, METHODOLOGIES, 22 PROCEDURES, AND PROCESSES DEVELOPED TO ADDRESS CYBER RISKS; 23 (VII) INCLUDE GUIDANCE FOR MEASURING THE PERFORMANCE OF AN ENTITY IN 24 IMPLEMENTING THE CYBER SECURITY FRAMEWORK; 25 (VIII) INCLUDE METHODOLOGIES TO IDENTIFY AND MITIGATE IMPACTS OF THE 26 CYBER SECURITY FRAMEWORK AND ASSOCIATED INFORMATION SECURITY MEASURES OR 27 CONTROLS ON BUSINESS CONFIDENTIALITY, AND TO PROTECT INDIVIDUAL PRIVACY 28 AND CIVIL LIBERTIES; AND 29 (IX) ENGAGE IN THE REVIEW OF THREAT AND VULNERABILITY INFORMATION AND 30 TECHNICAL EXPERTISE. 31 (K) THE REGULATIONS SHALL ADDITIONALLY ESTABLISH A VOLUNTARY CRITICAL 32 INFRASTRUCTURE CYBER SECURITY PROGRAM TO SUPPORT THE ADOPTION OF THE 33 CYBER SECURITY FRAMEWORK BY OWNERS AND OPERATORS OF CRITICAL INFRASTRUC- 34 TURE AND ANY OTHER INTERESTED ENTITIES, WHERE UNDER THIS PROGRAM IMPLE- 35 MENTATION GUIDANCE OR SUPPLEMENTAL MATERIALS WOULD BE DEVELOPED TO 36 ADDRESS SECTOR-SPECIFIC RISKS AND OPERATING ENVIRONMENTS, AND RECOMMEND 37 LEGISLATION FOR ENACTMENT TO ADDRESS CYBER SECURITY ISSUES. 38 (L) IN DEVELOPING THE NEW YORK STATE CYBER SECURITY INFORMATION SHAR- 39 ING AND THREAT PREVENTION PROGRAM IN ACCORDANCE WITH THE PROVISIONS OF 40 THIS SUBDIVISION, THE DIVISION OF HOMELAND SECURITY AND EMERGENCY 41 SERVICES, IN CONSULTATION WITH THE DIVISION OF STATE POLICE, THE STATE 42 OFFICE OF INFORMATION TECHNOLOGY SERVICES, AND THE CENTER FOR INTERNET 43 SECURITY, SHALL PRODUCE AND SUBMIT A REPORT, TO THE GOVERNOR, THE TEMPO- 44 RARY PRESIDENT OF THE SENATE, AND THE SPEAKER OF THE ASSEMBLY, MAKING 45 RECOMMENDATIONS ON THE FEASIBILITY, SECURITY BENEFITS, AND RELATIVE 46 MERITS OF INCORPORATING SECURITY STANDARDS INTO ACQUISITION PLANNING AND 47 CONTRACT ADMINISTRATION, AND SUCH REPORT SHALL FURTHER ADDRESS WHAT 48 STEPS CAN BE TAKEN TO HARMONIZE AND MAKE CONSISTENT EXISTING PROCUREMENT 49 REQUIREMENTS RELATED TO CYBER SECURITY. 50 5. NEW YORK STATE CYBER SECURITY CRITICAL INFRASTRUCTURE RISK ASSESS- 51 MENT REPORT. (A) THE DIVISION OF HOMELAND SECURITY AND EMERGENCY 52 SERVICES, IN CONSULTATION WITH THE DIVISION OF STATE POLICE, THE STATE 53 OFFICE OF INFORMATION TECHNOLOGY SERVICES, AND THE CENTER FOR INTERNET 54 SECURITY, WITHIN ONE HUNDRED TWENTY DAYS OF THE EFFECTIVE DATE OF THIS 55 SECTION, SHALL PRODUCE A NEW YORK STATE CYBER SECURITY CRITICAL INFRAS- 56 TRUCTURE RISK ASSESSMENT REPORT. A. 6130 5 1 (B) THE PRODUCTION OF THE NEW YORK STATE CYBER SECURITY CRITICAL 2 INFRASTRUCTURE RISK ASSESSMENT REPORT SHALL USE A RISK-BASED APPROACH TO 3 IDENTIFY CRITICAL INFRASTRUCTURE WHERE A CYBER SECURITY INCIDENT COULD 4 REASONABLY RESULT IN CATASTROPHIC REGIONAL OR STATE-WIDE EFFECTS ON 5 PUBLIC HEALTH OR SAFETY, ECONOMIC DISTRESS, AND/OR THREATEN PUBLIC 6 PROTECTION OF THE PEOPLE AND/OR PROPERTY OF NEW YORK STATE. 7 (C) THE PRODUCTION OF THE REPORT SHALL FURTHER USE THE CONSULTATIVE 8 PROCESS AND DRAW UPON THE EXPERTISE OF AND ADVICE OF THE DIVISION OF 9 HOMELAND SECURITY AND EMERGENCY SERVICES, THE DIVISION OF STATE POLICE, 10 THE STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES, THE CENTER FOR 11 INTERNET SECURITY, THE NEW YORK STATE CYBER SECURITY ADVISORY BOARD, THE 12 PROGRAMS ESTABLISHED BY THIS SECTION, AND SUCH OTHER AND FURTHER PRIVATE 13 AND PUBLIC SECTOR ENTITIES, UNIVERSITIES, AND CYBER SECURITY EXPERTS AS 14 THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES MAY DEEM 15 PRUDENT. 16 (D) THE NEW YORK STATE CYBER SECURITY CRITICAL INFRASTRUCTURE RISK 17 ASSESSMENT REPORT SHALL BE DELIVERED TO THE GOVERNOR, THE TEMPORARY 18 PRESIDENT OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, THE CHAIR OF THE 19 SENATE STANDING COMMITTEE ON VETERANS, HOMELAND SECURITY AND MILITARY 20 AFFAIRS, AND THE CHAIR OF THE ASSEMBLY STANDING COMMITTEE ON GOVERN- 21 MENTAL OPERATIONS. 22 (E) WHERE COMPLIANCE WITH THIS SECTION SHALL REQUIRE THE DISCLOSURE OF 23 CONFIDENTIAL INFORMATION, OR THE DISCLOSURE OF SENSITIVE INFORMATION 24 WHICH IN THE JUDGMENT OF THE COMMISSIONER OF THE DIVISION OF HOMELAND 25 SECURITY AND EMERGENCY SERVICES WOULD JEOPARDIZE THE CYBER SECURITY OF 26 THE STATE: 27 (I) SUCH CONFIDENTIAL OR SENSITIVE INFORMATION SHALL BE PROVIDED TO 28 THE PERSONS ENTITLED TO RECEIVE THE REPORT, IN THE FORM OF A SUPPLE- 29 MENTAL APPENDIX TO THE REPORT; AND 30 (II) SUCH SUPPLEMENTAL APPENDIX TO THE REPORT SHALL NOT BE SUBJECT TO 31 THE PROVISIONS OF THE FREEDOM OF INFORMATION LAW PURSUANT TO ARTICLE SIX 32 OF THE PUBLIC OFFICERS LAW; AND 33 (III) THE PERSONS ENTITLED TO RECEIVE THE REPORT MAY DISCLOSE THE 34 SUPPLEMENTAL APPENDIX TO THE REPORT TO THEIR PROFESSIONAL STAFF, BUT 35 SHALL NOT OTHERWISE PUBLICALLY DISCLOSE SUCH CONFIDENTIAL OR SECURE 36 INFORMATION. 37 S 2. This act shall take effect immediately.