§ 209. Notification of a breach of the security of the system or a breach of network security; shared data. 1. The office shall, within twenty-four hours of either being notified of or receiving evidence of a breach of the security of the system, or a breach of network security, as defined in paragraphs (a) and (b) of subdivision three of this section, notify the chief information officer, the chief information security officer, and where appropriate, the cyber security coordinator of any state entity with which it shares data, provides networked services or shares a network connection whose data, services or connection is reasonably suspected to be affected by any such breach. 2. The office shall provide the chief information officer, the chief information security officer, and where appropriate, the cyber risk coordinator of any state entity, who has been notified pursuant to subdivision one of this section, with its plan for remediation of the breach and future protection of such data and network. 3. For purposes of this section:(a) "Breach of the security of the system" shall have the same meaning as defined in paragraph (b) of subdivision one of section two hundred eight of this article.
(b) "Breach of network security" shall mean unauthorized access to or access without valid authorization of a computer network which compromises the security, confidentiality, or integrity of such network.
(c) "State entity" shall have the same meaning as provided by paragraph (c) of subdivision one of section two hundred eight of this article.
