Bill > S01961

This bill, known as the "Secure Our Data Act," aims to enhance cybersecurity protections for data held by New York State entities by requiring the Office of Information Technology Services (ITS) to establish comprehensive data protection standards. The act defines key terms such as "breach of the security of the system" (which includes unauthorized access, acquisition, or modification of computerized information), "data subject" (the individual whose personal information is involved), "immutable" (data that cannot be changed, particularly for backups), "information system" (any computer or interconnected system used by a state entity), "mission critical" (essential systems for state operations), and "segmented storage" (partitioning data into multiple secure locations). State entities will be mandated to implement these standards, which include developing regulations for breach protection, creating immutable data backups that are validated to exclude unwanted content and stored in segmented storage, establishing data retention and deletion policies, and providing annual workforce training on cybersecurity. Furthermore, state entities must conduct regular vulnerability assessments of their information systems and create inventories of their data and systems. The bill also requires the development of incident response plans and annual exercises to test these plans, ensuring that critical data and systems are protected and recoverable in the event of a security incident. Importantly, this act does not create a private right for individuals to sue.

Budget and Finance, Business and Industry, Government Affairs

https://www.nysenate.gov/legislation/bills/2025/S1961