Information Technology & Telecommunications Committee Update
February 1, 2018
Staff Contact: Johnny Evers
Governor's State of the State
In the Governor’s State of the State this January several technology and cyber issues were mentioned. These proposals are directly related to either executive order (cyber risk), on-going State programs under Empire State Development (Broadband), or portions of the State Budget (education). These included:
- Proposal to Reduce Cyber Risk in New York State’s Supply Chain: The Governor stated he would be issuing an Executive Order directing State agencies to implement a strategy for reducing the supply chain risk. This strategy is designed to ensure that the State’s suppliers have cyber protections in place that are comparable to the protections in State agencies. The promised executive order would also require vendors to notify the State whenever they experience a “cyber incident” and prove they have certain protections in place.
- Broadband for All: New NY Broadband Program Round III Awards: In 2015, the Governor created the New NY Broadband program. Since its launch, the program has reached 2.3 million homes and extended broadband access to over 98 percent of New Yorkers. In 2018, the Governor will advance Round III of New NY Broadband program awards to address the remaining two percent of New Yorkers. Round III will catalyze more than $360 million in total investment, including $225 million in State funding.
- Expand Computer Science Education to All Elementary, Middle, and High Schools: The Governor proposes a $6 million annual commitment to provide teacher support and development in computer science and engineering. In addition, the Governor will call on the State Education Department to work with industry leaders to develop model computer science standards.
In the recently released proposed Executive Budget, the Governor outlined a few technology/telecommunication issues. These issues included waivers for “highly specialized ITS positions” in Civil Service classifications, authorizing the NYS Thruway Authority to set fees for use of its fiber optic system, and establishing Right of Way (RoW) fees on fiber optic lines located on Department of Transportation properties.
A more detailed breakdown is below:
- ITS Waivers: Permits Term Appointments for Eligible, Highly-Specialized ITS Positions Without Initial Civil Service Examination; allows a term appointment without examination to a temporary position requiring special expertise or qualifications in information technology within ITS. Max of 60 months; 300 appointment limit. PPGG Article VII bill, Part W
- Thruway Fiber: Allow the Thruway to Set Fees for Use of Its Fiber Optic System; Agreement for use of the New York state thruway authority's fiber optic system, or any part thereof, may be made through agreements based on set fees rather than public auction or negotiation based on “best interest of thruway” and “appraisal of the fair market value.” TED Article VII bill, Part D
- Transportation Right of Way Fees: Authorize the Department of Transportation (DOT) to Charge for Use and Occupancy of Fiber Optic Lines on DOT Right of Way and Establish a Uniform Process for the Siting of Small Cell Wireless Facilities; Authorizes DOT to charge for fiber optics right of way; exempts those participating in the New NY Broadband Program; prohibits fee from being passed onto consumers; adds a new article 13-E: Small Wireless Facilities Deployment. Defines terms, size and measurements of equipment and antennas; collocation of small wireless facilities and micro wireless facilities; Rights of way (ROWS) and conditions; application structure and associated fees; fee adjustments; methods for charging for use of ROWS when additional entities also utilize them, repairs; addresses municipal agreements with companies; dispute resolution; indemnification. TED Article VII bill, Part F. The Business Council opposes the assessment of RoW fees on fiber optic lines by the DOT.
Restoring Internet Freedom Order
In response to the Federal Communications Commission (FCC)'s December 14 proposed rule on “Restoring Internet Freedom”, several New York lawmakers have introduced legislation attempting to institute a state system of regulating the internet. Assemblywoman Pat Fahy and Senator David Carlucci introduced S.7283 / A.8222 to allow the New York State Public Service Commission (PSC) to regulate the operations of internet service providers (ISPs) in regard to operations and content. The bill would also amend the state finance law to mandate that all contracts for internet service connection by public entities comply with internet service requirements established under this new state law. Overall, however, adding state-by-state regulations would only complicate the process – something specifically cited in the federal rule as contrary to the practice of ensuring a national system of regulations. Additionally, this bill is a solution in search of a problem in that the federal rule has not even been finalized. The Business Council is preparing its memo in opposition. The bill language can be found here, and The Business Council's Memo in Opposition can be found here.
Governor's Executive Order 175
On January 24, 2018 Governor Cuomo issued Executive Order 175 largely in response to the FCC’s issuance of its Restoring Internet Freedom Order. The Governor’s order directs the Office of General Services, or any other governmental entity of New York State, “to incorporate into the State's procurement process for internet, data, and telecommunications services criteria requiring that recipients of state contracts adhere to internet neutrality principles.” EO 175 defines “net neutrality” as “ISPs will not block, throttle, or prioritize internet content or applications or require that end users pay different or higher rates to access specific types of content or applications.” The Executive Order can be found here.
Attorney General Security Breach Legislation
On November 1, Attorney General Eric Schneiderman released new legislation regarding security breaches. This legislation – S.6933 (Carlucci) / A.8756 (Kavanagh) – is broader than prior AG proposals in several respects. On December 14, representatives of the Attorney General reviewed their bill at The Business Council’s IT Forum. The representatives stated that they would welcome feedback and are open to a dialogue on the bill, including suggestions for amendments.
In general, the bill modifies existing state requirements for notification of a security breach, extends the state law to credit cards and debit cards (as defined in the bill), and establishes a new section of the general business law, §899-bb, regarding data security protections. This new proposal would apply data breach notification and new data security mandates to any person or business that owns, licenses or maintains computerized data on “any resident” of New York State. Current data breach notice requirements only apply to entities authorized to do business in NYS.
The legislation would require any such persons or businesses that own, license or maintain data on NYS residents to implement “reasonable security measures.” Failure to do so is subject to AG civil enforcement and injunction; the civil penalty is $5000 for “each violation.” Reasonable measures include compliance with federal or NYS issued and certified security protocols (i.e. Gramm-Leach-Bliley, HIPAA, etc.), or consistency with specific security program attributes listed in the bill. Small businesses (less than 50 jobs, less than $3 million in gross receipts, and less than $5 million in assets) will be judged on whether their security efforts are appropriate based on the size and complexity of the business. For instance, steps to be taken by smaller businesses include: the appointment of “employees to coordinate security”, specific technology training, and “technical safeguards” to assess the risks of network, software, and procedures such as disposal of sensitive information, and others.
The new law also increases penalties for, and adds provisions to, the state’s preexisting data breach notice law. One key aspect of the proposal is the stipulation that any entity with a database including “NYS residents” will be subject to the NYS notification and security laws, and be subject to NYS enforcement – even if they do not do business in NYS. Failure to implement reasonable security measures is subject to civil enforcement (but no private right of action).
Several aspects of earlier AG proposals are contained in the new bill, such as the procedures to be followed in the case of a breach, the issuance of new credit/debit cards and consumer notices, the notification of state offices in the case of an event, and the classifications of “identifying information” (biometric, private, and the combination of user name or e-mail in combination with password or security question/answer) in determining data breached and thus reportable to state offices. The Business Council is seeking feedback from members on this bill.
Senate Introduces Personal Information Protection Act
Senator Terrence Murphy introduced an omnibus “personal information protection act” (S. 7555) to establish protocols and regulations protecting citizens' private information on the internet on January 23. The bill amends the state technology law “to establish safeguards, standards, protocols and best practices for the protection of personal information by public and private entities.” It directs the Office of Information Technology Services (ITS) to establish model comprehensive security programs “with safeguards, standards, protocols and best practices” that will be “tailored to the size and scope of all such persons or entities” and “all agencies of state government.” The law would require a notification to the State Police of cyber breaches and to persons whose information has been compromised. The State’s Chief Information Officer also plays a role in the assessment of reported data breaches and the extent to which they are deemed serious breaches of cyber security. Persons whose information has been stolen will be allowed to bring suit within six (6) years of a reported breach and seek damages against those who failed to follow the safeguards and standards of the program. However, entities that follow the prescribed security procedures “shall be entitled to a defense against any action brought by a personal information subject” and are covered by a “liability protection.” The Office of General Services (OGS) would be responsible for producing and disseminating the personal information bill of rights.
ITS is charged with an annual review of all programs to be completed by April 1st of each year. Those subject to reporting are entities with 50 or more employees or more than 100 volunteers, and/or annual revenues in excess of $1 million. Several security protocols are outlined and defined such as “secure user authentication protocols” and “secure access control measures.” The new law would require covered entities to employ encryption, firewalls, “air-gapped storage”, systems supported by up-to-date patches, current security updates, and virus ware. Entities are also responsible for the education and training of staff accessing their systems.
There is also established under the law a “New York State cyber security information sharing and analysis program” that shall promulgate regulations to assist the State in identifying and analyzing threats, and the sharing of reports and information collected by the Department of ITS between select State agencies. The protocols, standards, safeguards, and other information shall be submitted in report form to the Governor, Assembly and Senate. Members who have any comments are asked to direct them to Johnny Evers. The full bill text can be found here.
John T. Evers, PhD
Director of Government Affairs
The Business Council of New York State, Inc.
111 Washington Avenue
Albany, NY 12210
Tel. 518-465-7511 ext. 204