Bill > A06769

This bill requires municipal corporations and public authorities to report cybersecurity incidents and ransom payments to the Division of Homeland Security and Emergency Services within 72 hours of discovering such incidents. The bill provides detailed definitions for key cybersecurity terms like "cybersecurity incident," "cyber threat," and "ransomware attack," and mandates that these reports include information about the incident and whether the reporting entity is seeking technical assistance. It also requires state and local government employees who use technology in their jobs to complete annual cybersecurity awareness training starting January 1, 2026, with the training to be conducted during regular work hours and compensated at the employee's normal rate of pay. Additionally, the bill requires state agencies to develop comprehensive cybersecurity protection standards, including creating inventories of information systems, developing incident response plans, and conducting annual incident response plan exercises. All cybersecurity incident reports and related documents will be exempt from public disclosure to protect sensitive information. The bill aims to improve cybersecurity preparedness and response capabilities across New York state and local government entities by establishing clear reporting requirements, training standards, and protection protocols.

Government Affairs

https://www.nysenate.gov/legislation/bills/2025/A6769