N.Y.
Executive Law Section 711-C
Cybersecurity incident reviews
1.
Definitions. As used in this section, the terms cybersecurity incident, cyber threat, cyber threat indicator, defensive measure, information system, municipal corporation, public authority, ransom payment and ransomware attack shall have the same meaning as such terms are defined in article nineteen-C of the general municipal law.2.
The commissioner, or their designees, shall review each cybersecurity incident report and notice and explanation of ransom payment submitted pursuant to sections nine hundred ninety-five-b and nine hundred ninety-five-c of the general municipal law to assess potential impacts of cybersecurity incidents and ransom payments on the health, safety, welfare or security of the state, or its residents.3.
The commissioner, or their designees, may work with appropriate state agencies, federal law enforcement, and federal homeland security agencies to provide municipal corporations and public authorities with reports of cybersecurity incidents and trends, including but not limited to, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures. The commissioner may coordinate and share such reported information with municipal corporations, public authorities, state agencies, and federal law enforcement and homeland security agencies to respond to and mitigate cybersecurity threats.4.
Such reports, assessments, records, reviews, documents, recommendations, guidance and any information contained or used in its preparation shall be exempt from disclosure under article six of the public officers law.5.
No later than forty-eight hours after receiving a cybersecurity incident report containing a request for advice and/or technical assistance from the division pursuant to subdivision one of General Municipal Law § 995-B (Reporting of cybersecurity incidents)section nine hundred ninety-five-b of the general municipal law, the commissioner or the commissioner’s designees shall acknowledge receipt of such request. As soon as possible after receiving such a request, the commissioner or the commissioner’s designees, subject to the commissioner’s discretion in prioritizing the division’s response to the municipal corporation’s or public authority’s cybersecurity incident report, shall provide advice to the requesting municipal corporation or public authority and, to the extent practicable, provide technical assistance. * NB Effective July 26, 2025
Source:
Section 711-C — Cybersecurity incident reviews, https://www.nysenate.gov/legislation/laws/EXC/711-C (updated Jul. 4, 2025; accessed Jul. 12, 2025).
