§ 210. Cybersecurity protection.
1. Definitions. For purposes of this section, the following terms shall have the following meanings:
 (a) "Breach of the security of the system" shall have the same meaning as such term is defined in section two hundred eight of this article.
 (b) "Data subject" means any natural person about whom personal information has been collected by a state agency.
 (c) "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
 (d) "State agency-maintained personal information" means personal information stored by a state agency that was generated by a state agency or provided to the state agency by the data subject, a state agency, a federal governmental entity, or any other third-party source. Such term shall also include personal information provided by an adverse party in the course of litigation or other adversarial proceeding.
 (e) "State agency" shall have the same meaning as such term is defined in section one hundred one of this chapter.

2. Data protection standards. The director shall issue policies and standards for:
 (a) protection against breaches of the security of the information systems and for personal information used by such information systems;
 (b) data backup;
 (c) information system recovery;
 (d) secure sanitization and deletion of data;
 (e) vulnerability management and assessment; and
 (f) annual workforce training regarding protection against breaches of the security of the system, as well as processes and procedures that should be followed in the event of a breach of the security of the system.

3. Information system inventory.
 (a) No later than two years after the effective date of this section, each state agency shall create, then maintain, an inventory of its information systems.
 (b) Upon written request from the office, a state agency shall provide the office with the state agency-maintained information systems inventories required to be created or updated pursuant to this subdivision.
 (c) Notwithstanding paragraph (a) of this subdivision, the state agency-maintained information systems inventories required to be created or updated pursuant to this subdivision shall be kept confidential, as disclosure of such information would jeopardize the security of a state agency's information systems and information technology assets and, further, shall not be made available for disclosure or inspection under the state freedom of information law.

4. Incident management and recovery.
 (a) No later than eighteen months after the effective date of this section, each state agency shall have created an incident response plan for incidents involving a breach of the security of the system that render an information system or its data unavailable, and incidents involving a breach of the security of the system that result in the alteration or deletion of, or unauthorized access to, personal information.
 (b) Such incident response plan shall include, but not be limited to, a procedure for situations where information systems have been adversely affected by a breach of the security of the system, as well as a procedure for the recovery of personal information and information systems.
 (c) Beginning January first, two thousand twenty-eight and on an annual basis thereafter, each state agency shall complete at least one exercise of its incident response plan. Upon completion of such exercise, the state agency shall document the incident response plan's successes and shortcomings in an incident response plan exercise report. The incident response plan and any incident response plan exercise reports shall be kept confidential, as disclosure of such information would jeopardize the security of a state agency's information systems and information technology assets, and, further, shall not be made available for disclosure or inspection under the state freedom of information law.

5. No private right of action. Nothing set forth in this section shall be construed as creating or establishing a private cause of action.