Information Technology & Telecommunications Committee Update

February 1, 2018
Staff Contact: Johnny Evers

Governor's State of the State

In the Governor’s State of the State this January several technology and cyber issues were mentioned. These proposals are directly related to either executive order (cyber risk), on-going State programs under Empire State Development (Broadband), or portions of the State Budget (education). These included:

Executive Budget

In the recently released proposed Executive Budget, the Governor outlined a few technology/telecommunication issues. These issues included waivers for “highly specialized ITS positions” in Civil Service classifications, authorizing the NYS Thruway Authority to set fees for use of its fiber optic system, and establishing Right of Way (RoW) fees on fiber optic lines located on Department of Transportation properties.

A more detailed breakdown is below:

Restoring Internet Freedom Order

In response to the Federal Communications Commission (FCC)'s December 14 proposed rule on “Restoring Internet Freedom”, several New York lawmakers have introduced legislation attempting to institute a state system of regulating the internet. Assemblywoman Pat Fahy and Senator David Carlucci introduced S.7283 / A.8222 to allow the New York State Public Service Commission (PSC) to regulate the operations of internet service providers (ISPs) in regard to operations and content. The bill would also amend the state finance law to mandate that all contracts for internet service connection by public entities comply with internet service requirements established under this new state law. Overall, however, adding state-by-state regulations would only complicate the process – something specifically cited in the federal rule as contrary to the practice of ensuring a national system of regulations. Additionally, this bill is a solution in search of a problem in that the federal rule has not even been finalized. The Business Council is preparing its memo in opposition. The bill language can be found here, and The Business Council's Memo in Opposition can be found here.

Governor's Executive Order 175

On January 24, 2018 Governor Cuomo issued Executive Order 175 largely in response to the FCC’s issuance of its Restoring Internet Freedom Order. The Governor’s order directs the Office of General Services, or any other governmental entity of New York State, “to incorporate into the State's procurement process for internet, data, and telecommunications services criteria requiring that recipients of state contracts adhere to internet neutrality principles.” EO 175 defines “net neutrality” as “ISPs will not block, throttle, or prioritize internet content or applications or require that end users pay different or higher rates to access specific types of content or applications.” The Executive Order can be found here.

Attorney General Security Breach Legislation

On November 1, Attorney General Eric Schneiderman released new legislation regarding security breaches. This legislation – S.6933 (Carlucci) / A.8756 (Kavanagh) – is broader than prior AG proposals in several respects. On December 14, representatives of the Attorney General reviewed their bill at The Business Council’s IT Forum. The representatives stated that they would welcome feedback and are open to a dialogue on the bill, including suggestions for amendments.

In general, the bill modifies existing state requirements for notification of a security breach, extends the state law to credit cards and debit cards (as defined in the bill), and establishes a new section of the general business law, §899-bb, regarding data security protections. This new proposal would apply data breach notification and new data security mandates to any person or business that owns, licenses or maintains computerized data on “any resident” of New York State. Current data breach notice requirements only apply to entities authorized to do business in NYS.

The legislation would require any such persons or businesses that own, license or maintain data on NYS residents to implement “reasonable security measures.” Failure to do so is subject to AG civil enforcement and injunction; the civil penalty is $5000 for “each violation.” Reasonable measures include compliance with federal or NYS issued and certified security protocols (e.g. Gramm-Leach-Bliley, HIPAA, etc.), or consistency with specific security program attributes listed in the bill. Small businesses (less than 50 jobs, less than $3 million in gross receipts, and less than $5 million in assets) will be judged on whether their security efforts are appropriate based on the size and complexity of the business. For instance, steps to be taken by smaller businesses include: the appointment of “employees to coordinate security”, specific technology training, and “technical safeguards” to assess the risks of network, software, and procedures such as disposal of sensitive information, and others.

The new law also increases penalties for, and adds provisions to, the state’s preexisting data breach notice law. One key aspect of the proposal is the stipulation that any entity with a database including “NYS residents” will be subject to the NYS notification and security laws, and be subject to NYS enforcement – even if they do not do business in NYS. Failure to implement reasonable security measures is subject to civil enforcement (but no private right of action).

Several aspects of earlier AG proposals are contained in the new bill, such as the procedures to be followed in the case of a breach, the issuance of new credit/debit cards and consumer notices, the notification of state offices in the case of an event, and the classifications of “identifying information” (biometric, private, and user name or e-mail in combination with password or security question/answer) used in determining whether data has been breached and is thus reportable to state offices. The Business Council is seeking feedback from members on this bill.

Senate Introduces Personal Information Protection Act

On January 23, Senator Terrence Murphy introduced an omnibus “personal information protection act” (S. 7555) to establish protocols and regulations protecting citizens' private information on the internet. The bill amends the state technology law “to establish safeguards, standards, protocols and best practices for the protection of personal information by public and private entities.” It directs the Office of Information Technology Services (ITS) to establish model comprehensive security programs “with safeguards, standards, protocols and best practices” that will be “tailored to the size and scope of all such persons or entities” and “all agencies of state government.” The law would require notification of cyber breaches to the State Police and to persons whose information has been compromised. The State’s Chief Information Officer also plays a role in the assessment of reported data breaches and the extent to which they are deemed serious breaches of cyber security. Persons whose information has been stolen will be allowed to bring suit within six (6) years of a reported breach and seek damages against those who failed to follow the safeguards and standards of the program. However, entities that follow the prescribed security procedures “shall be entitled to a defense against any action brought by a personal information subject” and are covered by a “liability protection.” The Office of General Services (OGS) would be responsible for producing and disseminating the personal information bill of rights.

ITS is charged with an annual review of all programs to be completed by April 1st of each year. Those subject to reporting are entities with 50 or more employees or more than 100 volunteers, and/or annual revenues in excess of $1 million. Several security protocols are outlined and defined, such as “secure user authentication protocols” and “secure access control measures.” The new law would require covered entities to employ encryption, firewalls, “air-gapped storage”, systems supported by up-to-date patches, current security updates, and anti-virus software. Entities are also responsible for the education and training of staff accessing their systems.

The law also establishes a “New York State cyber security information sharing and analysis program” that shall promulgate regulations to assist the State in identifying and analyzing threats, and in the sharing of reports and information collected by the Department of ITS between select State agencies. The protocols, standards, safeguards, and other information shall be submitted in report form to the Governor, Assembly and Senate. Members who have any comments are asked to direct them to Johnny Evers. The full bill text can be found here.

John T. Evers, PhD
Director of Government Affairs
The Business Council of New York State, Inc.
111 Washington Avenue
Albany, NY 12210
Tel. 518-465-7511 ext. 204  
C. 518-424-6214