Bill Text: NY S06195 | 2019-2020 | General Assembly | Introduced
Bill Title: Relates to critical utility infrastructure security and responsibility; relates to the protection of critical infrastructure in the state; provides that an electric or gas corporation or municipality shall not share, disclose or otherwise provide access to a customer's electrical or gas consumption data.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Engrossed - Dead) 2020-12-28 - COMMITTED TO RULES
STATE OF NEW YORK

6195

2019-2020 Regular Sessions

IN SENATE

May 22, 2019

Introduced by Sen. PARKER -- read twice and ordered printed, and when printed to be committed to the Committee on Energy and Telecommunications

AN ACT to amend the energy law, the public officers law, the executive law, and the public service law, in relation to critical utility infrastructure security and responsibility

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. Subdivision 1 of section 3-101 of the energy law, as amended by chapter 253 of the laws of 2013, is amended to read as follows:

1. to obtain and maintain an adequate and continuous supply of safe, dependable and economical energy for the people of the state, including through the protection of critical infrastructure as defined in subdivision five of section eighty-six of the public officers law, and to accelerate development and use within the state of renewable energy sources, all in order to promote the state's economic growth, to create employment within the state, to protect its environmental values and agricultural heritage, to husband its resources for future generations, and to promote the health and welfare of its people;

§ 2. Subdivision 5 of section 86 of the public officers law, as added by chapter 403 of the laws of 2003, is amended to read as follows:

5. "Critical infrastructure" means systems, including industrial control systems, assets, places or things, whether physical or virtual, so vital to the state that the disruption, incapacitation or destruction of such systems, including industrial control systems, assets, places or things could jeopardize the health, safety, welfare or security of the state, its residents or its economy.

§ 3. Section 86 of the public officers law is amended by adding a new subdivision 6 to read as follows:

6. "Industrial control systems" means a combination of control components that support operational functions in gas, distribution, transmission, and advanced metering infrastructure control centers, and act together to achieve an industrial objective, including controls that are fully automated or that include a human-machine interface.

§ 4. Paragraph (j) of subdivision 2 of section 709 of the executive law, as amended by section 14 of part B of chapter 56 of the laws of 2010, is amended to read as follows:

(j) work with local, state and federal agencies and private entities to conduct assessments of the vulnerability of critical infrastructure to terrorist attack, cyber attack, criminal behavior, and other natural and man-made disasters, including, but not limited to, nuclear facilities, power plants, telecommunications systems, mass transportation systems, public roadways, railways, bridges and tunnels, and attendant industrial control systems as defined by subdivision six of section eighty-six of the public officers law and develop strategies that may be used to protect such infrastructure from terrorist attack, cyber attack, criminal behavior, and other natural and man-made disasters;

§ 5. Subdivision 1 and paragraph (a) of subdivision 2 of section 713 of the executive law, as amended by section 16 of part B of chapter 56 of the laws of 2010, are amended to read as follows:

1. Notwithstanding any other provision of law, the commissioner of the division of homeland security and emergency services, in coordination with the state office of information technology services, shall conduct a review and analysis of measures being taken by the public service commission and any other agency or authority of the state or any political subdivision thereof and, to the extent practicable, of any federal entity, to protect the security of critical infrastructure related to energy generation and transmission located within the state. The commissioner of the division of homeland security and emergency services and the director of the state office of information technology services shall have the authority to review any audits or reports related to the security of such critical infrastructure, including audits or reports conducted at the request of the public service commission or any other agency or authority of the state or any political subdivision thereof or, to the extent practicable, of any federal entity. The owners and operators of such energy generating or transmission facilities shall, in compliance with any federal and state requirements regarding the dissemination of such information, provide access to the commissioner of the division of homeland security and emergency services and the director of the state office of information technology services to such audits or reports regarding such critical infrastructure provided, however, that exclusive custody and control of such audits and reports shall remain solely with the owners and operators of such energy generating or transmission facilities. For the purposes of this article, the term "critical infrastructure" has the meaning ascribed to that term in subdivision five of section eighty-six of the public officers law.

(a) On or before December thirty-first, two thousand four, and not later than three years after such date, and every five years thereafter, the commissioner of the division of homeland security and emergency services, in coordination with the state office of information technology services, shall report to the governor, the temporary president of the senate, the speaker of the assembly, the chairperson of the assembly standing committee on energy, the chairperson of the senate standing committee on energy and telecommunications, the chairperson of the public service commission and the chief executive of any such affected generating or transmission company or his or her designee. Such report shall review the security measures being taken regarding critical infrastructure related to energy generating and transmission facilities in consultation with the most recent version of the National Institute of Standards and Technology "Framework for Improving Critical Infrastructure Cybersecurity" and the North American Electrical Reliability Corporation's Critical Infrastructure Protection Standards, assess the effectiveness thereof, and include recommendations to the legislature or the public service commission if the commissioner of the division of homeland security and emergency services and the director of the state office of information technology services determines that additional measures are required to be implemented, considering, among other factors, the unique characteristics of each energy generating or transmission facility.

§ 6. The public service law is amended by adding a new section 54 to read as follows:

§ 54. Electric or gas consumption data protection. 1. An electric or gas corporation or municipality shall not share, sell, disclose, or otherwise make accessible to any third party a customer's electric or gas consumption data, except where the customer has consented and as provided in subdivision two of this section.

2. (a) Nothing in this section shall preclude an electric or gas corporation or municipality from disclosing a customer's electric or gas consumption data for analysis, reporting, or program management as long as all information has been anonymized regarding the individual identity of a customer.

(b) Nothing in this section shall preclude an electric or gas corporation or municipality from disclosing electric or gas consumption data as required or permitted under state or federal law or by an order of the commission.

(c) Nothing in this section shall preclude an electric or gas corporation or municipality from disclosing a customer's electric or gas consumption data to a third party that contracts with such corporation or municipality to provide services on behalf of the corporation.

3. An electric or gas corporation shall establish: (a) minimum cyber-security and safety standards and (b) minimum cyber-security insurance requirements, which shall be applicable to third parties seeking to connect to any such corporation's systems to receive consumption or other data. Any third party not contracted by such a corporation that seeks to connect to such corporation's systems to receive consumption or other data shall meet any such established cyber-security and safety standards and insurance requirements.

4. The commission shall promulgate rules and regulations by January first, two thousand twenty-one to ensure the implementation and enforcement of this section.

§ 7. Paragraph (a) of subdivision 19 of section 66 of the public service law, as amended by section 4 of part X of chapter 57 of the laws of 2013, is amended to read as follows:

(a) The commission shall have power to provide for management and operations audits of gas corporations and electric corporations. Such audits shall be performed at least once every five years for combination gas and electric corporations, as well as for straight gas corporations having annual gross revenues in excess of two hundred million dollars. The audit shall include, but not be limited to, an investigation of the company's construction program planning in relation to the needs of its customers for reliable service, an evaluation of the efficiency of the company's operations and use of customer electric or gas consumption data as provided for in section fifty-four of the public service law, recommendations with respect to same, and the timing with respect to the implementation of such recommendations. The commission shall have discretion to have such audits performed by its staff, or by independent auditors.

In every case in which the commission chooses to have the audit provided for in this subdivision or pursuant to subdivision fourteen of section sixty-five of this article performed by independent auditors, it shall have authority to select the auditors, and to require the company being audited to enter into a contract with the auditors providing for their payment by the company. Such contract shall provide further that the auditors shall work for and under the direction of the commission according to such terms as the commission may determine are necessary and reasonable.

§ 8. This act shall take effect on the one hundred eightieth day after it shall have become a law; provided, however, that section six of this act shall take effect thirty days after it shall have become a law. Effective immediately, the public service commission is authorized and directed to take actions necessary to promulgate rules and regulations related to the implementation of subdivision 3 of section 54 of the public service law on or before such effective date.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD08666-04-9