New York State Governor Hochul Releases New York State's Cybersecurity Grant Plan

On February 23, 2024, Governor Kathy Hochul released the New York State Cybersecurity Grant Plan, which details a whole-of-state approach to reduce cyber risk and build cyber resiliency in local governments statewide. Through the utilization of nearly $6 million in funding through the federal State and Local Cybersecurity Grant Program, this grant program will expand access to cybersecurity information, tools, resources, and services so that public sector entities in New York have access to the most sophisticated cyber defenses. Given the funding available, New York will use its economy of scale purchasing power to directly procure and deliver best-in-brand software, hardware, and services to eligible entities.

 

“A cyberattack can halt an entire community, and it’s essential that local governments have the resources and information needed to protect themselves and quickly respond to a cyber threat,” Governor Hochul said. “This funding will provide tools to help municipalities secure critical infrastructure to protect New Yorkers and reduce cyber risks.” 

 

As part of the federal Infrastructure Investment and Jobs Act of 2021, Congress established the State and Local Cybersecurity Grant Program (SLCGP) to award funding to each state to help eligible entities address cybersecurity risks and threats to information systems owned or operated by or on behalf of State, local, tribal, and territorial governments. The SLCGP FY2022 funding allocation for New York is $5,810,605, and at least 80 percent of the funds will be allocated to goods and services for local government entities, with at least 25 percent of that allocated to entities in rural areas.

 

To ensure the maximum number of New York entities can benefit from the limited SLCGP funds, New York will directly procure software, hardware, and services for delivery to eligible entities. During the program’s first year, New York State is focusing on shared services initiatives to help local government entities build a baseline level of cybersecurity. These initiatives are:

           1.  Multi-Factor Authentication (MFA): MFA is a method to authenticate a user that requires them to provide two or more verification factors so they can gain access to a resource. New York will provide hardware and/or software tokens and professional services that eligible entities can use to implement MFA in their technology environments;

            2. Cybersecurity Certification Scholarship: New Yorkwill provide scholarships for select employees from eligible entities who currently have roles or responsibilities related to information technology, information security, cybersecurity, data privacy, and/or data security to achieve an industry-recognized cybersecurity certification; and

            3. Cybersecurity Awareness Training: New York will provide an online cybersecurity awareness training for eligible entities for their employees.

Eligible entities can indicate their interest to participate in one or more of the shared services offerings by completing the SLCGP Interest Form. Responses to this form will help the state appropriately plan to address statewide need utilizing FY2022 funding in Year 1 of the program. A formal application process will commence later this year. Application information will be made available on the Division of Homeland Security and Emergency Services’ Grant Programs webpage.

 

New York State Chief Cyber Officer Colin Ahern said, “New York is continuing to take decisive action to bolster cybersecurity statewide. Under Governor Hochul's leadership, and through our partnership with President Biden and Congress, New York is investing in a safer and more resilient cyber future for our communities.”

 

New York State Division of Homeland Security and Emergency Services Commissioner Jackie Bray said, "The threat posed by cyber-attacks continues to grow each year, making it critical we ensure our local partners have access to the cyber security services necessary to keep data and critical infrastructure safe. By utilizing a shared service model, we are making it easier for local governments to obtain key products that are essential in helping keep our communities safe from cyber criminals.”

 

Representative Jerry Nadler said, “The Bipartisan Infrastructure Law continues to deliver. Today’s announcement of the New York Cybersecurity Grant Plan will reduce cyber risk and strengthen cyber defense across our state—helping keep New Yorkers’ information protected and secure.”

 

Representative Grace Meng said, “As technology continues to evolve, the number of cyber threats to systems used by state and local governments each day will only increase. Thanks to the Bipartisan Infrastructure Law, which I helped to pass, we are making historic funding available to ensure that government entities across the state have the technology and training they need to secure and protect sensitive information that employees work with each day. Modernizing the systems that state and local governments utilize is long-overdue and as New York’s representative on the Regional Leadership Council – which works to promote and implement legislation signed into law by President Biden – I am happy to see federal funding supporting initiatives that will help them adapt to growing cybersecurity risks.”

 

Representative Adriano Espaillat said, “With our increased reliance on computer systems and the growing safety threat that AI presents, it is imperative that we take precautions to protect sensitive information held by our state and local governments. I commend Governor Hochul for taking the necessary steps to ensure New York is protected from dangerous cyber threats, and I encourage all eligible entities to participate in New York’s Cybersecurity Grant Plan to ensure they are prepared to prevent and combat cybersecurity attacks today and in the future.”

 

Representative Joe Morelle said, “As our digital landscape continues to evolve and change, it’s critical we continue taking the actions necessary to protect people, organizations, and governments from online threats. By establishing the New York State Cybersecurity Grant Plan using funding I helped secure in Washington, Governor Hochul is helping keep our state safe from cybersecurity threats and ensuring we remain at the forefront of these technologies for decades to come. I look forward to more opportunities to collaborate with state and local partners to bolster cybersecurity and support our local governments.”

 

Representative Andrew Garbarino said, “Securing our cyber landscape across the Nation starts with risk mitigation at the local level. In an increasingly interconnected world, every touchpoint is vulnerable with the potential for debilitating and cascading impacts across critical infrastructure sectors. That’s why I helped introduce the State and Local Cybersecurity Improvement Act last Congress to establish this grant program. I’m pleased to see the State rolling out this funding to help communities in New York improve their overall cybersecurity posture. Every organization, big and small, should act as though they will be the next victim of a cyberattack and prepare accordingly. Leveraging the many resources from CISA for smart investments in risk mitigation is an important first step.”

 

Representative Nicole Malliotakis said, “In today’s technological age, it’s critically important for private and public sector entities to be educated, vigilant and prepared against cyber security threats. I’m proud to have voted to secure this critical infrastructure funding to help our community build its cyber resiliency to prevent breaches in privacy, attacks against infrastructure and interruptions to services.”

 

Representative Ritchie Torres said, “The Cybersecurity Grant Plan underscores New York's commitment to bolstering cyber defenses in local governments. This plan, backed by nearly $6 million in federal funding, will enable us to provide essential tools, resources, and training to our public sector entities, ensuring they have the necessary defenses against evolving threats. Together, we can build a stronger and more secure New York for all.”

 

The release of New York’s Cybersecurity Grant Plan is the latest step taken by Governor Hochul to strengthen the state’s cyber defenses and ensure the state and its local partners are prepared as digital threats continue to increase.

 

In August 2023, Governor Hochul released the first-ever New York State Cybersecurity Strategy that set forth an approach to cybersecurity and resilience based on the principles of unification, resilience, and preparedness. The Cybersecurity Strategy’s five pillars –Operate, Collaborate, Regulate, Communicate, and Grow– informed the development of the Grant Plan and are reflected throughout. As an administrative requirement of the SLCGP, the Grant Plan not only represents another facet of New York State’s extensive portfolio of cybersecurity measures that builds cybersecurity maturity among our critical institutions, but it is also an iterative effort designed to respond to the shifting needs of our state.

 

Under Governor Hochul's leadership, New York also launched a nation-leading program to provide cybersecurity services to county and local government entities, covering more than 76,000 government-owned computers across the state, and expanded the state’s law enforcement cyber capabilities by growing the Computer Crimes Unit, Cyber Analysis Unit, and Internet Crimes Against Children Center at the New York State Police. In 2024, Governor Hochul is expanding the Shared Services Program by extending eligibility for the endpoint detection and response shared service and adding an additional capability, attack surface management, to the Shared Services Program. To further protect New York's critical infrastructure, Governor Hochul has also proposed new hospital cybersecurity regulations and signed landmark legislation to protect New York's energy grid from cyberattacks. As cyber threats rapidly evolve, New York remains at the cutting edge of cybersecurity policy and continues to strengthen defenses across the public and private sectors.

Governmental function immunity

Governmental immunity, sometimes referred to as sovereign immunity, is based on the theory that "government" is an entity immune from being held responsible for its actions or inactions that cause harm, provided the harm was caused while the entity, or its agent, was performing its governmental functions.

In this action presented to the Court of Claims Claimant alleged that he was erroneously listed on New York State's public sex offender registry website after his cousin assumed his name and birth date when registering as a sex offender.*

Claimant asked  the Court of Claims of the State of New York grant his motion for summary judgment to resolve the issue but his motion was denied. In contrast the State's motion for summary judgment dismissing Claimant's action was granted by the Court of Claims.

Claimant appealed but the Appellate Division unanimously affirmed the Court of Claims' rulings. The court opined that Claimant's defamation claim was properly dismissed as barred by "governmental function immunity".

In the words of the Appellate Division: 

"Claimant's defamation claim was properly dismissed as barred by governmental function immunity (see generally McLean v City of NY, 12 NY3d 194, 199 [2009]). Even if the alleged misconduct was ministerial and not discretionary in nature, [Claimant] has failed to show a special duty (see id. at 199, 202-203; Hephzibah v City of New York, 124 AD3d 442, 443 [1st Dept 2015], lv denied 26 NY3d 903 [2015]). Correction Law §168-r(1) does not create a private right of action on behalf of [Claimant] because he is not within the class of persons it is intended to protect. Indeed, [Claimant] admits that the misconduct at issue did not reflect any discretionary decision-making, which is the subject of the immunity waiver at Correction Law §168-r(1)."

* Although the error was corrected, Claimant's name continues to be listed as an alias of his cousin. 

Click HERE to access the Appellate Division's decision posted on the Internet.

 

New York State Comptroller issues local government and school audits

On February 21, 2024 New York State Comptroller Thomas P. DiNapoli today announced the following local government and school audits were issued.

Click on the text highlighted in color to access both the summary and the complete audit report

 

Village of Mexico – Financial Management (Oswego County) The board did not adopt realistic budgets or manage fund balance. As a result, more taxes were levied than needed to fund operations. For the four fiscal years reviewed (2019-20 through 2022-23), the board did not establish a fund balance policy and maintained an excessive level of unassigned surplus fund balance in the general fund with balances ranging between $839,530 and $1.1 million, or between 109% and 124% of the ensuing year’s budget. The board did not consider historical or known trends of revenues and expenditures when developing the budgets, so revenues were underestimated by a total of $439,767 and expenditures were overestimated by a total of $287,238 for the audit period. The board also appropriated fund balance of $216,780 that was not needed to fund operations which contributed to the accumulation of surplus fund balance. Additionally, the property tax levy for 2023-24 was $509,000 while the village had over $1.1 million in surplus funds available at the end of 2022-23 to use toward supplementing next year’s budget.

 

Dolgeville Central School District – Fuel Monitoring (Fulton County) District officials did not adequately account for or monitor fuel usage. As a result, 690 gallons of diesel fuel valued at $2,064 were not properly accounted for during the 50-day test period. Officials did not maintain perpetual inventory records or take a periodic physical inventory of diesel fuel on hand. Consequently, no fuel reconciliations were performed.

 

West Genesee Central School District – Capital Assets (Onondaga County) District officials did not always properly monitor and account for the capital assets tested and did not conduct periodic physical inventories to help ensure the records were accurate and complete and the assets were on hand. The last physical inventory was completed in 2017 and officials only updated the district’s asset records on an annual basis thereafter. As a result, officials may be unable to identify lost or stolen items. Of the 337 assets totaling approximately $2.3 million selected for review, 54 were in use but not properly recorded in the inventory records and 38 of these assets, valued at over $176,000, were also not tagged as district property. Another 27 assets could not be located, including 18 with a total cost of $50,905 and nine with no documented cost. Additionally, 45 assets had an incorrect location recorded.

 

Village of Madison – Collections (Madison County) The clerk-treasurer accurately recorded collections. However, the collections were not always recorded and deposited in a timely manner, and the board did not establish adequate controls for collections. The clerk-treasurer did not make timely deposits for 247 collections totaling $120,743 and did not record 27 water fund collections totaling $4,120 in a timely manner. Officials did not receive any reports from a third-party vendor showing ambulance billings, collections, write-offs and unpaid balances. Officials also did not perform reconciliations of water and ambulance receivable accounts and the board did not approve adjustments and write-offs. Lastly, the board did not audit the clerk-treasurer's records and reports.

 

Village of Deposit – Claims Auditing (Broome County) Of the 93 credit card purchases during the audit period, the board did not ensure compliance with the village’s credit card policy and approved 83 purchases totaling $20,659 without the required supporting documents. As a result, the board approved the use of taxpayer funds without having support to show funds were being expended for legitimate village purposes and increased the risk for fraud, waste or abuse. 

 

Village of Islandia – Overtime (Suffolk County) During the audit period, the village paid eight employees a total of $149,964 in overtime that was not properly approved or supported by the employees’ timecards. Auditors found 95% of the village’s overtime was paid to the fire marshal and building inspector and was equivalent to 73% and 49% of their budgeted salaries, respectively.  The fire marshal approved his own overtime that totaled $88,718 and did not provide any documentation he claimed to have in support of his overtime pay. The building inspector approved his own overtime that totaled $53,719 for the audit period. Village officials and the inspector had no documentation to support the hours that resulted in overtime, or the actual work performed. Six other employees were paid $7,528 without preapproval or documentation explaining why the overtime was necessary. 

###

 

The doctrines of res judicata and collateral estoppel apply to arbitration awards with the same force and effect as they apply to judgments of a court

The State of New York Justice Center for the Protection of People with Special Needs [Justice Center] adopted the findings of fact and conclusions of law of an administrative law judge [ALJ] made after a hearing. The ALJ had found that Petitioner committed category two neglect as defined by Social Services Law §493(4)(b). Justice Center then denied Petitioner's request that the relevant substantiated report of neglect be amended and sealed and Petitioner initiated a CPLR Article 78 appealing the Justice Center's decision. 

The Petitioner had exercised her right to a hearing before the ALJ but prior to the hearing, the Justice Center moved to preclude relitigation of the facts decided against the Petitioner during an earlier arbitration hearing conducted pursuant to a collective bargaining agreement in effect between the New York State Office for People With Developmental Disabilities [OPWDD] and the Petitioner's union, at which the Petitioner was represented by the union's counsel and OPWDD was represented by the Justice Center.

Although Petitioner opposed the Justice Center's motion, the ALJ granted the Justice Center's motion, precluded the Petitioner "from relitigating the issues of whether she had a duty and breached her duty to provide adequate medical care to the Service Recipient and follow the Service Recipient's seizure protocols." 

The evidentiary scope of the administrative hearing was thus limited to whether the Petitioner's breach of duty resulted in or was likely to result in physical injury or serious or protracted impairment of the physical, mental, or emotional condition of the service recipient and, if substantiated, whether the category level designated, category two neglect, was appropriate.

The ALJ determined that the Justice Center proved, by a preponderance of the evidence, that the Petitioner committed an act of category two neglect. The ALJ's recommended decision was adopted in its entirety and the Petitioner's request to amend and seal the substantiated report was denied by the Administrative Law Judge of the Administrative Hearings Unit, who was designated by the Executive Director of the Justice Center to make such decisions. Petitioner commenced the instant Article 78  proceeding to review the Executive Director's determination.*

The Appellate Division, citing Ippolito v TJC Dev., LLC, 83 AD3d 57, ruled that the ALJ properly granted the Justice Center's motion to preclude Petitioner from relitigating the issues of whether she had a duty and breached her duty to provide adequate medical care to the Service Recipient as "The doctrines of res judicata and collateral estoppel apply to arbitration awards with the same force and effect as they apply to judgments of a court". 

The court noted that the Justice Center met its burden of demonstrating that the identical issue was "necessarily decided in the prior [contract arbitration] proceeding and is decisive of the present proceeding and, in opposition, the [Petitioner] failed to demonstrate the absence of a full and fair opportunity to contest the prior [contract arbitration] determination."

Accordingly, the Appellate Division opined that "at the administrative hearing, the [Petitioner] was precluded by the doctrine of collateral estoppel from relitigating the questions of fact that were resolved against her in the [contract] arbitration proceeding".

* The Appellate Division's decision notes: "At an administrative hearing to determine whether a report of category two neglect is substantiated, the Justice Center is required to establish, by a preponderance of the evidence, that the subject committed abuse or neglect. Upon a review of such an administrative determination made after an evidentiary hearing, the determination of the Justice Center must be upheld if supported by substantial evidence."

Click HERE to access the Appellate Division's decision posted on the Internet.

 

Justia's Daily Opinion Summaries

Justia Daily Opinion Summaries is a free newsletter service with over 65 newsletters covering every federal appellate court and the highest court in each U.S. state. Justia also provides "weekly practice area" newsletters in 60+ different practice areas. All daily and weekly Justia Newsletters are free. You may request newsletters or modify your current preferences by visiting daily.justia.com.

N.B. Justia cautions "some case metadata and case summaries were written with the help of AI [Artificial Intelligence], which can produce inaccuracies" and urges readers to "read the full [text of the] case before relying on any Justia summaries for legal research purposes."