Learn About The Law
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
Current as of January 01, 2026 | Updated by Findlaw Staff
1. Definitions. For purposes of this section, the following terms shall have the following meanings:
(a) “Breach of the security of the system” shall have the same meaning as such term is defined in section two hundred eight of this article.
(b) “Data subject” means any natural person about whom personal information has been collected by a state agency.
(c) “Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
(d) “State agency-maintained personal information” means personal information stored by a state agency that was generated by a state agency or provided to the state agency by the data subject, a state agency, a federal governmental entity, or any other third-party source. Such term shall also include personal information provided by an adverse party in the course of litigation or other adversarial proceeding.
(e) “State agency” shall have the same meaning as such term is defined in section one hundred one of this chapter.
2. Data protection standards. The director shall issue policies and standards for:
(a) protection against breaches of the security of the information systems and for personal information used by such information systems;
(b) data backup;
(c) information system recovery;
(d) secure sanitization and deletion of data;
(e) vulnerability management and assessment; and
(f) annual workforce training regarding protection against breaches of the security of the system, as well as processes and procedures that should be followed in the event of a breach of the security of the system.
3. Information system inventory. (a) No later than two years after the effective date of this section, each state agency shall create, then maintain, an inventory of its information systems.
(b) Upon written request from the office, a state agency shall provide the office with the state agency-maintained information systems inventories required to be created or updated pursuant to this subdivision.
(c) Notwithstanding paragraph (a) of this subdivision, the state agency-maintained information systems inventories required to be created or updated pursuant to this subdivision shall be kept confidential, as disclosure of such information would jeopardize the security of a state agency's information systems and information technology assets and, further, shall not be made available for disclosure or inspection under the state freedom of information law.
4. Incident management and recovery. (a) No later than eighteen months after the effective date of this section, each state agency shall have created an incident response plan for incidents involving a breach of the security of the system that render an information system or its data unavailable, and incidents involving a breach of the security of the system that result in the alteration or deletion of or unauthorized access to, personal information.
(b) Such incident response plan shall include, but not be limited to, a procedure for situations where information systems have been adversely affected by a breach of the security of the system, as well as a procedure for the recovery of personal information and information systems.
(c) Beginning January first, two thousand twenty-eight and on an annual basis thereafter, each state agency shall complete at least one exercise of its incident response plan. Upon completion of such exercise, the state agency shall document the incident response plan's successes and shortcomings in an incident response plan exercise report. The incident response plan and any incident response plan exercise reports shall be kept confidential, as disclosure of such information would jeopardize the security of a state agency's information systems and information technology assets, and, further, shall not be made available for disclosure or inspection under the state freedom of information law.
5. No private right of action. Nothing set forth in this section shall be construed as creating or establishing a private cause of action.
Cite this article: FindLaw.com - New York Consolidated Laws, State Technology Law - STT § 210. Cybersecurity protection - last updated January 01, 2026 | https://codes.findlaw.com/ny/state-technology-law/stt-sect-210/
FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature before relying on it for your legal needs.