
October 05, 2023

Cybercrime in New York Rises

Cyberattacks in New York state increased 53% between 2016 and 2022, jumping from 16,426 incidents in 2016 to 25,112 in 2022. The number of attacks targeting critical infrastructure in New York state nearly doubled to 83 in the first half of 2023 compared to 48 during the entirety of last year, according to a report released on October 5, 2023, by State Comptroller Thomas P. DiNapoli.

Estimated losses in New York from cyberattacks in 2022 totaled over $775 million, while losses nationwide totaled $10.3 billion.

“Cyberattacks are a serious threat to New York’s critical infrastructure, economy and our everyday lives,” said DiNapoli. “Data breaches at companies and institutions that collect large amounts of personal information expose New Yorkers to potential invasions of privacy, identity theft and fraud. Also troubling is the rise in ransomware attacks that can shut down systems we rely on for water, power, health care and other necessities. Safeguarding our state from cyberattacks requires sustained investment, coordination, and vigilance.”

Relative to other states, New York had the third-highest number of ransomware attacks (135) and corporate data breaches (238) in 2022, trailing only California and Texas for ransomware attacks and California and Florida for corporate data breaches. New York also had the fourth-highest number of cybercrime victims in the nation in 2022, with losses skyrocketing 632% since 2016.

The two most attacked critical infrastructure sectors through ransomware and data breaches in New York were Healthcare and Public Health (9) and Financial Services (8). Commercial Facilities and Government Facilities (7) tied for third.

Combatting the Threat

Securing critical infrastructure from cyberattacks will require sustained investment, coordination and vigilance. In 2022, the Governor appointed a state chief cyber officer to lead cross-agency efforts to combat cyber threats and improve the cybersecurity of the state's critical infrastructure assets. The cyber chief leads a newly created Joint Security Operations Center, a multi-agency cybersecurity coordination hub linking New York state, New York City, local and regional governments, critical infrastructure stakeholders and federal partners for information sharing, cyber threat detection and incident response. In August, the Governor released the first statewide cybersecurity strategy, which will allow the state to access new federal funding.

The federal Cyber Incident Reporting for Critical Infrastructure Act of 2022, for which rules and regulations are being developed, will require cybersecurity reporting for critical infrastructure sectors. The creation of a centralized repository of data breach reports from across the critical infrastructure sectors would also aid in identifying new attack vectors or exploits before they become widespread, and in coordinating responses to emerging cyberthreats. Including local governments in this database would be important.

DiNapoli’s cybersecurity audits of state agencies and public authorities have found several common technical weaknesses and risks, such as entities’ misunderstanding of security risks, unsupported applications, unknown data on systems, poor access controls and a lack of monitoring of changes to systems, among others. Recommendations are provided to each agency to enable them to begin corrective actions immediately to strengthen their networks.

Cybersecurity Challenges Facing Local Governments and Schools

DiNapoli also released a report on the cybersecurity challenges facing New York’s local governments and school districts. In New York, cyberattacks have impacted local governments and schools both large and small, with reported attacks at counties including Albany, Chenango, Erie, Nassau, Schenectady, Suffolk, and Schuyler; cities including New York, Albany, Buffalo, Yonkers, Long Beach, and Olean; and towns including Brookhaven, Ulster, Canandaigua, and Moreau.

In 2019, a ransomware attack on the Syracuse City School District froze the district out of its own systems, crippling the website, email system, phones, and back-end functions like payroll and student management. Other attacks on local governments have had far-reaching impacts. The September 2022 ransomware attack on Suffolk County, the ramifications of which the county is still dealing with, required the county to disable important computer systems and move many of the county’s functions back to pen and paper for months. It was a cautionary example of the potential impacts of a cyberattack, and highlighted the risk that linked local government systems could pose to state systems.

These and other recent events have demonstrated the serious risks that illegal access to these systems can pose to critical local government and school operations that rely heavily on technology. DiNapoli’s report provides guidance and resources for local governments and schools to help them manage the risks associated with cybersecurity.

Risks in Local Governments and School Districts

From 2019 through July 31, 2023, DiNapoli’s Local Government and School Accountability division released more than 190 information technology (IT) audits, finding more than 2,400 cybersecurity-related issues. The audits focused on breakdowns or gaps in fundamental cybersecurity components. The most common areas where improvement and corrective action were needed included cybersecurity governance aspects such as training in IT security awareness, policies and procedures, and the need for contingency plans. Because these cybersecurity audits are sensitive in nature, many findings and recommendations for corrective action are communicated confidentially to local government and school officials. Often the audit recommendations can be implemented at no or low cost to local governments or school districts.

Reports

Cyberattacks on New York’s Critical Infrastructure: Staying Ahead of the Threat

New York Local Government and School Cybersecurity: A Cyber Profile

NYPPL Blogger Harvey Randall served as Principal Attorney, New York State Department of Civil Service; Director of Personnel, SUNY Central Administration; Director of Research, Governor’s Office of Employee Relations; and Staff Judge Advocate General, New York Guard. Consistent with the Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations, the material posted to this blog is presented with the understanding that neither the publisher nor NYPPL and, or, its staff and contributors are providing legal advice to the reader and in the event legal or other expert assistance is needed, the reader is urged to seek such advice from a knowledgeable professional.
New York Public Personnel Law. Email: publications@nycap.rr.com