Bill > S01961

This bill establishes the "Secure Our Data Act" to enhance cybersecurity protections for state entities in New York, requiring the Office of Information Technology Services to develop comprehensive data protection standards. The legislation mandates that state entities create detailed inventories of their personal information and information systems, perform regular vulnerability assessments, and develop robust incident response plans. Key requirements include creating immutable backups of critical data in segmented storage, implementing data validation techniques, and conducting annual workforce training on cybersecurity. The bill defines specific terms like "breach of the security of the system" and "mission critical" information, and requires state entities to assess and protect personal information from unauthorized access or modification. Starting in January 2026, agencies must conduct monthly vulnerability tests on mission-critical systems and a full system vulnerability assessment by the end of that year. The bill also requires each state entity to develop an incident response plan by mid-2025 and conduct annual exercises to test their recovery processes. Importantly, the legislation explicitly states that it does not create a private right of action, meaning individuals cannot sue state entities directly under this law. The overall goal is to improve the state's cybersecurity infrastructure and protect sensitive personal information from potential cyber threats.

Budget and Finance, Business and Industry, Government Affairs

https://www.nysenate.gov/legislation/bills/2025/S1961