Cybersecurity and Data Privacy: Senate Finance Committee to Take Up Cybersecurity Legislation

April 10, 2016

By: Michael D. Billok

The New York State Senate Committee on Finance is set to take up two new bills this week relating to cybersecurity.

The first bill, S.3405-A, would mandate that a cybersecurity assessment/report be prepared by the Commissioner of the Department of Homeland Security and Emergency Services (the Commisioner) for release in September 2016, and then every five years thereafter. It directs that the report "shall include a detailed assessment of each and every cybersecurity need of the state of New York, including but not limited to, its state agencies and its public authorities, and for each and every such cybersecurity need so identified shall further include a detailed description of" how to address those needs.

The bill also authorizes those preparing the report to request and receive data from a litany of entities, including "any local government entity," "any regulated entity of the state of New York," "any not-for-profit corporation," "any private sector business in the state of New York" and even "any citizen of the State of New York."

Notably, the proposed legislation expressly requires that entities turn over information to the Commissioner upon request in order to aid in the preparation of the report – even "confidential or sensitive information". The proposed legislation provides that such information must be provided, but will only be included in a special appendix to the report that will not be made public.

A full version of S.3405-A, as proposed, can be accessed here.

The second bill, S.3407-A, would create a new, eleven-member "Cyber Security Advisory Board" within the State Division of Homeland Security and Emergency Services. This Advisory Board would be tasked with investigating, discussing and making recommendations "concerning cybersecurity issues involving both the public and private sectors and what steps can be taken by New York state to protect" critical infrastructure resources, such as the electrical grid and telecommunications systems.

It would also create a voluntary "cybersecurity information sharing and analysis program" pursuant to which participating public and private entities would share data in order "promote the development of effective defenses and strategies to combat, and protect against, cyber threats and attacks." The bill further directs the Division of Homeland Security and Emergency Services to adopt regulations implementing this program, and provides detailed guidance on the content of those eventual regulations.

From the bill itself, it appears that these regulations would be broad, as the bill directs (amongst other things) that the regulations "include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks."

A full version of S.3407-A, as proposed can be accessed here.

For more information, please contact Michael D. Billok.

Michael D. Billok