New York cybersecurity law seeks to limit tech products agencies can buy
New York has bolstered its cybersecurity defenses with Assembly Bill A2237, a law that aims to keep sensitive government data out of the hands of foreign adversaries and reduce the risk of cyberattacks by limiting the purchases of technology state and local governments.
The law, signed by Gov. Kathy Hochul on Monday, bars New York State and its municipalities from purchasing technology products made by companies with ties to foreign governments that may pose national security risks.
Under the law, the state’s chief information officer, in consultation with homeland security and procurement officials, must maintain and regularly update a list of restricted technologies, such as computers, webcams, drones, semiconductors and other components that may contain backdoors, spyware or other vulnerabilities. Any technology on this list will not be permissible for purchase by New York State agencies or local governments unless a waiver is issued under narrow conditions, such as when “no secure alternative” is available at a reasonable price.
Federal agencies, and many other state governments, have already banned many of these technologies in recent years due to national security concerns. The new law will take effect in 2027.
“From our power plants to our public transit to our servers packed with sensitive information, our procurement decisions determine whether or not there is an open door for hackers,” state Rep. Jenifer Rajkumar, the bill’s primary sponsor, said in a press release. “This bill leverages billions of dollars in purchasing power to keep dangerous tech off our shores and uplift our domestic semiconductor industry.”
State and local governments spend hundreds of millions of dollars on technology each year.
Last year, the Legislative Bill Drafting Commission was hit by a cyberattack that disrupted operations during budget negotiations. In 2023, the state Education Department’s Privacy Office received 23 data incident reports related to phishing emails, while New York’s educational agencies suffered approximately 40 cyberattacks, according to the office’s annual report.
Law enforcement agencies around the United States have often used imported drones that some security analysts have worried could transmit sensitive data overseas.
The National Fraternal Order of Police this month urged Congress to authorize state and local law enforcement with more power to stop criminal drone activity ahead of the upcoming 2026 World Cup and 2028 Olympics. In response, the Federal Communications Commission determined that critical drone parts that are produced in foreign countries pose “unacceptable risks to the national security of the United States and to the safety and security of U.S. persons” and should be included on the agency’s banned list of communications equipment and services.
