NY S01961

Requires the Office of Information Technology Services to develop data protection standards within one year, including requirements for immutable backups, segmented storage, data validation, and annual workforce cybersecurity training

Mandates monthly vulnerability assessments of mission critical information systems beginning January 1, 2026, with full system-wide vulnerability testing required by December 1, 2026

Requires each state entity to create inventories of personal information they maintain and their information systems within one year, with inventories kept confidential and exempt from FOIL requests

Establishes incident response plan requirements for security breaches, with mandatory annual exercises beginning January 1, 2028 to test restoration and recovery processes

Applies to state boards, departments, public authorities, and other state governmental entities, but excludes the judiciary and local governments; creates no private right of action for violations