PRIA Logo
New YorkS 76722025-2026 Regular SessionSenateWALLET

Relates to municipal cybersecurity incidents or ransomware attacks

Sponsored By: Monica Martinez (Democratic)

Became Law

RULESLOCAL GOVERNMENTS

Your PRIA Score

Score Hidden

Personalized for You

How does this bill affect your finances?

Sign up for a PRIA Policy Scan to see your personalized alignment score for this bill and every other piece of legislation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.

Free to start

Bill Overview

Analyzed Economic Effects

4 provisions identified: 2 benefits, 1 costs, 1 mixed.

Stronger cybersecurity rules for state agencies

The state technology director issues policies to protect systems and personal data, including backups, recovery, secure deletion, vulnerability management, and breach procedures. Each state agency must list its information systems within 2 years and share the list with the Office if asked; these inventories are confidential under FOIL. Each agency must create an incident response plan within 18 months that covers outages and personal data incidents and includes recovery steps. Starting January 1, 2028, agencies must run at least one annual exercise and write a report; plans and reports are confidential.

New cyber reporting for local governments

Municipal governments and public authorities must report cyber incidents to the state within 72 hours of when they reasonably believe it happened. If they ask for help, the state must acknowledge within 48 hours and provide advice and, when possible, technical assistance. If a ransom is paid, they must notify the state within 24 hours and send a written explanation within 30 days that includes the amount, how they paid, options considered, and steps to follow OFAC and other rules. The state reviews each report and may share trends, threat indicators, and defensive steps with local governments while working with state and federal partners. These reports and DHSES review materials are confidential and not available under FOIL. These local reporting rules start 30 days after the law takes effect.

Annual cybersecurity training for public workers

Starting January 1, 2026, state employees who use technology must take yearly cybersecurity training from the state Office. Local government employees who use technology also must take yearly training; the Office offers it at no cost, and locals may use other training instead. All required training happens during regular work hours, and employees are paid their normal rate for that time.

No private lawsuits under cyber rules

The new state cybersecurity protection section does not create a private right to sue. People cannot bring private lawsuits under this section.

Sponsors & Cosponsors

Sponsor

  • Monica Martinez

    Democratic • Senate

Cosponsors

There are no cosponsors for this bill.

Roll Call Votes

All Roll Calls

Yes: 77 • No: 1

Senate vote 5/12/2025

FLOOR Vote

Yes: 56 • No: 1

committee vote 4/29/2025

Rules Committee Vote

Yes: 21 • No: 0

Actions Timeline

  1. SIGNED CHAP.177

    6/26/2025Senate

  2. DELIVERED TO GOVERNOR

    6/26/2025Senate

  3. RETURNED TO SENATE

    5/19/2025House

  4. PASSED ASSEMBLY

    5/19/2025House

  5. ORDERED TO THIRD READING CAL.67

    5/19/2025House

  6. SUBSTITUTED FOR A6769A

    5/19/2025House

  7. REFERRED TO LOCAL GOVERNMENTS

    5/12/2025House

  8. DELIVERED TO ASSEMBLY

    5/12/2025Senate

  9. PASSED SENATE

    5/12/2025Senate

  10. AMENDED ON THIRD READING 7672A

    5/5/2025Senate

  11. ORDERED TO THIRD READING CAL.712

    4/29/2025Senate

  12. REFERRED TO RULES

    4/28/2025Senate

Bill Text

  • Amendment A

    5/5/2025

    PDF

  • Original

    4/28/2025

    PDF

Related Bills

Back to State Legislation