Bill Text: NY S09005 | 2021-2022 | General Assembly | Introduced


Bill Title: Establishes the "secure our data act"; relates to state entities preparing for and protecting against a ransomware attack.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2022-06-03 - COMMITTED TO RULES [S09005 Detail]

Download: New_York-2021-S09005-Introduced.html



                STATE OF NEW YORK
        ________________________________________________________________________

                                          9005

                    IN SENATE

                                       May 3, 2022
                                       ___________

        Introduced  by  Sen.  SAVINO -- read twice and ordered printed, and when
          printed to be committed to the Committee on Internet and Technology

        AN ACT to amend the state technology law, in  relation  to  establishing
          the "secure our data act"

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. This act shall be known and may be cited as the "secure our
     2  data act".
     3    § 2. Legislative intent. The legislature  finds  that  ransomware  and
     4  other  malware  attacks have affected the electronically stored personal
     5  information relating to thousands of people statewide  and  millions  of
     6  people  nationwide.  The  legislature  also  finds  that  state entities
     7  receive such personal information from various  sources,  including  the
     8  data  subjects themselves, other state entities, and the federal govern-
     9  ment.  In addition, the legislature finds that state entities  use  such
    10  personal information to make determinations regarding the data subjects.
    11  The  legislature  further  finds  that New Yorkers deserve to have their
    12  personal information that is in the possession of a state entity  stored
    13  in  a  manner  that  will  withstand any attempt by ransomware and other
    14  malware to alter, change, or encrypt such information.
    15    Therefore, the legislature enacts the secure our data act  which  will
    16  guarantee  that  state  entities  will  employ  the proper technology to
    17  protect the personal information stored as backup information  from  any
    18  unauthorized alteration or change.
    19    §  3.  The state technology law is amended by adding a new section 210
    20  to read as follows:
    21    § 210. Ransomware and other malware protection.  1.  Definitions.  For
    22  purposes  of  this section, the following terms shall have the following
    23  meanings:
    24    (a) "Data subject" shall mean the person who is  the  subject  of  the
    25  personal information.
    26    (b)  "Immutable"  means  data  that  is  stored unchanged over time or
    27  unable to be changed. For the purposes  of  backups,  "immutable"  shall
    28  mean  that,  once ingested, no external or internal operation can modify

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD15661-01-2

     1  the data and must never be  available  in  a  read/write  state  to  the
     2  client.  "Immutable" shall specifically apply to the characteristics and
     3  attributes of a backup system's file system and may not  be  applied  to
     4  temporary  systems  state,  time-bound  or  expiring  configurations, or
     5  temporary conditions created by a physical air gap as is implemented  in
     6  most  legacy systems.  An immutable file system must demonstrate charac-
     7  teristics that do not permit the editing or changing of any data  backed
     8  up to provide agencies with complete recovery capabilities.
     9    (c) "Information system" shall mean any good, service or a combination
    10  thereof,  used  by any computer, cloud service, or interconnected system
    11  that is maintained for or used by a state  entity  in  the  acquisition,
    12  storage,  manipulation,  management, movement, control, display, switch-
    13  ing, interchange, transmission, or reception of data or voice including,
    14  but not limited to, hardware, software,  information  appliances,  firm-
    15  ware,  programs,  systems,  networks, infrastructure, media, and related
    16  material used to  automatically  and  electronically  collect,  receive,
    17  access,  transmit,  display, store, record, retrieve, analyze, evaluate,
    18  process, classify, manipulate, manage, assimilate, control, communicate,
    19  exchange, convert, coverage, interface, switch, or disseminate  data  of
    20  any kind or form.
    21    (d)  "Maintained"  shall  mean  personal information stored by a state
    22  entity that was provided to the state entity  by  the  data  subject,  a
    23  state  entity,  or  a  federal governmental entity. Such term shall also
    24  include personal information provided by an adverse party in the  course
    25  of litigation or other adversarial proceeding.
    26    (e)  "Malware"  shall mean malicious code included in any application,
    27  digital content, document, executable, firmware,  payload,  or  software
    28  for  the  purpose  of  performing  or executing one or more unauthorized
    29  processes designed to have an adverse impact on the availability, confi-
    30  dentiality, or integrity of data stored in an information system.
    31    (f) "Ransomware" shall mean any type of malware that  uses  encryption
    32  technology to prevent users from accessing an information system or data
    33  stored by such information system until a ransom is paid.
    34    (g)  "State  entity"  shall  mean  any  state board, bureau, division,
    35  committee, commission, council,  department,  public  authority,  public
    36  benefit  corporation,  office  or other governmental entity performing a
    37  governmental or proprietary function for the state of New York or any of
    38  its political subdivisions.
    39    2. Data protection standards. (a) No later than  one  year  after  the
    40  effective  date  of  this  section,  the  director, in consultation with
    41  stakeholders and other interested parties, which shall include at  least
    42  one public hearing, shall promulgate regulations that design and develop
    43  standards for:
    44    (i) malware and ransomware protection for mission critical information
    45  systems and for personal information used by such information systems;
    46    (ii)  data  backup  that includes the creation of immutable backups of
    47  personal information maintained by the state entity and storage of  such
    48  backups in a segmented environment, including a segmented device;
    49    (iii)  information system recovery that includes creating an identical
    50  copy of an immutable personal information backup maintained  by  or  for
    51  the  state  entity  that  was  stored in a segmented environment or on a
    52  segmented device for use when an information system has  been  adversely
    53  affected  by  ransomware  or  other  malware  and  requires restoration
    54  from one or more backups; and
    55    (iv) annual workforce training regarding  protection  from  ransomware
    56  and  other  malware,  as well as processes and procedures that should be

     1  followed in the event of a data incident involving ransomware  or  other
     2  malware.
     3    (b)  Such  regulations  may  be adopted on an emergency basis. If such
     4  regulations are adopted on an emergency basis, the office  shall  engage
     5  in  the  formal  rulemaking  procedure no later than the day immediately
     6  following the date that the office promulgated such  regulations  on  an
     7  emergency basis. Provided that the office has commenced the formal rule-
     8  making  process,  the  regulations  adopted on an emergency basis may be
     9  renewed no more than two times.
    10    3. Vulnerability assessments. Notwithstanding any provision of law  to
    11  the contrary, each state entity shall engage in vulnerability testing of
    12  its information systems as follows:
    13    (a) Beginning January first, two thousand twenty-three and on a month-
    14  ly  basis  thereafter,  each  state entity shall perform, or cause to be
    15  performed, a vulnerability assessment of at least one  mission  critical
    16  information system ensuring that each mission critical system has under-
    17  gone a vulnerability assessment during the past year. A report detailing
    18  the  vulnerability  assessment  methodology  and  findings shall be made
    19  available to the office for review no later than forty-five  days  after
    20  the testing has been completed.
    21    (b)  Beginning  December  first, two thousand twenty-three, each state
    22  entity's entire information system shall undergo  vulnerability  testing
    23  conducted  by an independent third party. A report detailing the vulner-
    24  ability assessment methodology and findings shall be made  available  to
    25  the  office  for review no later than forty-five days after such testing
    26  has been completed.
    27    (c) The office shall assist  state  entities  in  complying  with  the
    28  provisions of this section.
    29    4.  Data  and information system inventory. (a) No later than one year
    30  after the effective date of this section, each state entity shall create
    31  an inventory of the data maintained by the state entity and the  purpose
    32  or  purposes  for  which such data is maintained and used. The inventory
    33  shall include a listing of all personal information  maintained  by  the
    34  state entity, along with the source and age of such information.
    35    (b)  No  later than one year after the effective date of this section,
    36  each state entity shall create an inventory of the  information  systems
    37  maintained  by  or  on  behalf  of  the  state entity and the purpose or
    38  purposes for which each such information system is maintained and  used.
    39  The  inventory  shall  denote those information systems that are mission
    40  critical and those that use personal information, and whether the infor-
    41  mation system is protected by immutable backups.
    42    (c) Notwithstanding paragraphs (a) and (b) of this subdivision,  if  a
    43  state  entity  has  already  completed  a  data inventory or information
    44  systems  inventory,  such  state  entity  shall  update  the  previously
    45  completed  data  inventory or information system inventory no later than
    46  one year after the effective date of this section.
    47    (d) Upon written request from the office, a state entity shall provide
    48  the office with either or both of the inventories required to be created
    49  or updated pursuant to this subdivision.
    50    5. Incident management and recovery. (a) No later than eighteen months
    51  after the effective date of this section, each state entity  shall  have
    52  created  an incident response plan for incidents involving ransomware or
    53  other malware that renders an information system or  its  data  unavail-
    54  able, and incidents involving ransomware or other malware that result in
    55  the alteration or deletion of or unauthorized access to, personal infor-
    56  mation.

     1    (b)  Such  incident  response plan shall include a procedure for situ-
     2  ations where production and non-segmented information systems have  been
     3  adversely  affected  by  a data incident, as well as a procedure for the
     4  storage of personal  information  and  mission  critical  backups  on  a
     5  segmented  device or segmented portion of the state entity's information
     6  system to ensure that such personal  information  and  mission  critical
     7  systems are protected by immutable backups.
     8    (c)  Beginning  January  first,  twenty thousand twenty-five and on an
     9  annual basis thereafter, each state entity shall complete at  least  one
    10  exercise of its incident response plan that includes copying the immuta-
    11  ble  personal  information  and  mission  critical applications from the
    12  segmented portion of the state entity's  information  system  and  using
    13  such copies in the state entity's restoration and recovery process. Upon
    14  completion  of  such exercise, the state entity shall document the inci-
    15  dent response plan's successes and shortcomings.
    16    6. No private right of action. Nothing set forth in this section shall
    17  be construed as creating or establishing a private cause of action.
    18    § 4. Severability. The provisions of this act shall be  severable  and
    19  if  any  portion  thereof  or the applicability thereof to any person or
    20  circumstances shall be held to be invalid, the remainder of this act and
    21  the application thereof shall not be affected thereby.
    22    § 5. This act shall take effect immediately.