NY A05739

Requires the Office of Information Technology Services to develop cybersecurity standards within one year, including protections against security breaches, immutable data backups, data retention policies, and annual workforce training

Mandates monthly vulnerability assessments of mission critical information systems beginning January 1, 2026, with full system-wide testing required by December 1, 2026

Requires each state entity to create inventories of personal information and information systems within one year, documenting data sources, purposes, and whether systems are protected by immutable backups

Establishes incident response plan requirements by 18 months after enactment, with mandatory annual exercises beginning January 1, 2028 to test restoration and recovery processes

Applies to state boards, departments, public authorities, and other state entities, but excludes the judiciary and local governments; does not create a private right of action for enforcement