Verizon appears to have carved out a path around New York’s new state-level cybersecurity rules for regulated utilities, even as the Public Service Commission moves to impose what it calls mandatory, minimum, enforceable standards on the sector. The telecom giant filed comments in the PSC’s active rulemaking docket alongside the industry group USTelecom, and the scope of the final rules as applied to telecommunications providers remains unclear. With the formal rulemaking still open and the latest regulatory entries published as recently as February 18, 2026, the gap between the state’s stated ambitions and the obligations that will actually bind Verizon raises serious questions about whether millions of New York telecom customers will receive the same data protections as customers of electric, gas, and water utilities.
New York’s Cybersecurity Push and Its Stated Scope
On June 13, 2025, the New York State Public Service Commission issued an order in Case 25-M-0302 launching a proceeding to establish information technology cybersecurity rules for the industries it regulates. The order, effective immediately, discussed coverage for “all regulated utilities” and cable television companies, and it attached draft regulations as Attachment A for public review. By initiating formal rulemaking through this commission order, the PSC signaled that it intended to create a baseline of enforceable protections across the energy, water, and telecommunications sectors that fall under its jurisdiction, moving beyond voluntary guidelines toward codified obligations.
Governor Kathy Hochul’s office framed the effort as part of a broader, multi-agency cybersecurity campaign that also targeted water and wastewater systems and promised financial support for local infrastructure upgrades. In a public release, the governor described the PSC initiative as a set of minimum standards meant to complement other state actions, positioning the rules alongside grant programs and sector-specific guidance as part of a unified strategy. The Department of Public Service opened a formal comment period so that regulated entities, advocacy groups, and the public could respond to the draft, while a separate statute (Article 19-c of the General Municipal Law signed later that month) imposed statewide incident-reporting and ransom disclosure duties. Together, the governor’s policy announcement and the new law suggested that Albany wanted to tighten cyber oversight across public and private infrastructure alike, including critical communications networks.
How Verizon and Industry Groups Pushed Back
The official docket for Case 25-M-0302, maintained in the Department of Public Service’s online case management system, shows that Verizon filed comments alongside submissions from USTelecom, the Washington-based trade group representing incumbent local exchange carriers and other large telecommunications providers. The docket for the cybersecurity proceeding, accessible through the commission’s case management page, lists multiple rounds of stakeholder input, including industry comments, staff memoranda, and notices extending deadlines. While the specific text of Verizon’s filings is not reproduced here, its appearance in the record together with a national lobbying organization underscores how seriously the company treated the prospect of binding cybersecurity standards and how early it moved to shape the outcome.
Verizon’s willingness to challenge PSC initiatives is well documented beyond this single rulemaking. In 2025, a New York appellate court issued a decision in a Freedom of Information Law dispute between Verizon New York and the commission, addressing the extent to which certain records could be withheld from public disclosure. That case, reported as 2025 NY Slip Op 03612, focused on FOIL exemptions rather than cybersecurity, but it illustrates a broader dynamic in which Verizon actively resists regulatory demands it views as overreaching or commercially sensitive. The opinion, available through the state courts’ official reporter, confirms that the company is prepared to litigate aggressively when it believes PSC actions threaten its interests. Against that backdrop, Verizon’s engagement in the cybersecurity docket appears less like routine participation and more like a strategic effort to cabin the commission’s authority before new rules take hold.
The Regulatory Gap That Emerged
The central tension in the cybersecurity proceeding is whether telecommunications providers like Verizon will be held to the same enforceable standards as energy utilities and cable companies. The PSC’s original order spoke broadly of “all regulated utilities” and cable television companies, but New York’s statutory framework for telecom regulation has been narrowing for years as the industry has migrated from traditional landline service to wireless and broadband offerings. Much of Verizon’s modern business, including its wireless network and fiber-optic broadband products, sits outside the classic common-carrier model that the commission historically oversaw. That evolution creates legal ambiguity about which parts of a diversified telecom company fall within the PSC’s jurisdiction and which do not.
The New York State Register entry dated February 18, 2026, confirms that the PSC’s rulemaking remains active and that the commission continues to pursue “mandatory, minimum, enforceable cybersecurity rules for information technology.” The Register’s notice, listed in the state’s official publication, tracks the language of the June 2025 order and signals that the proceeding has not been quietly abandoned. However, the summary does not clarify whether the final rules will reach Verizon’s broadband and wireless operations or apply only to a narrower subset of legacy telephone services that are clearly regulated today. Nor does the public docket yet contain a definitive staff recommendation or commission vote establishing the precise contours of telecom coverage, leaving stakeholders to infer the likely outcome from interim filings and procedural notices.
Why the Telecom Carve-Out Matters for Customers
If Verizon’s broadband and wireless operations ultimately escape the new rules, millions of New Yorkers who rely on Verizon Fios or Verizon Wireless for internet access, phone service, and home connectivity will lack the state-level cybersecurity protections that govern their electric or gas utility. Under the proposed framework, covered entities would be required to maintain specific information security controls, document their risk management programs, and report significant incidents to the commission, all under the threat of enforcement action. By contrast, a large telecom provider whose core offerings fall outside PSC jurisdiction would face no comparable, sector-specific state mandate, relying instead on a patchwork of federal requirements and internal policies that may be less transparent or enforceable.
New York’s broader posture shows that the state is willing to impose stringent cyber obligations when it believes the public interest demands them. Article 19-c of the General Municipal Law, for example, requires municipal corporations and public authorities to notify state officials of cybersecurity incidents within 72 hours and to disclose any ransom payments within 24 hours. The implementation of that statute is reflected in guidance for public entities, including a state reporting portal that details how and when local governments must file incident reports. Yet the PSC’s separate cybersecurity proceeding, which was initially framed as a way to bring utilities and telecommunications providers under one enforceable umbrella, now risks treating the state’s largest telecom carrier differently from a mid-sized electric cooperative. For customers, that disparity could mean that the network they depend on for work, school, and emergency alerts is subject to weaker oversight than the infrastructure that keeps their lights on.
A Pattern of Quiet Regulatory Retreat
The emerging carve-out for major telecom operations reflects a structural weakness in how states regulate communications infrastructure at a time when technology has outpaced legal definitions. The PSC’s authority over “regulated utilities” was built for an era of copper-wire telephone monopolies and vertically integrated power companies, not for a marketplace dominated by wireless data plans and fiber-to-the-home networks. Extending that authority to encompass a company that now derives most of its revenue from services never contemplated by earlier statutes would require either legislative updates or assertive regulatory interpretation, either of which could invite legal challenges from providers determined to limit oversight.
Verizon’s history of contesting commission initiatives suggests that regulators are acutely aware of the litigation risks. The FOIL dispute resolved in 2025 demonstrated the company’s willingness to take the PSC to court over information access alone, and industry comments in the cybersecurity docket reinforce the impression that carriers view expansive security mandates as a potential threat to their autonomy and competitive positioning. The commission’s own document systems, searchable through its online records portal, show how often utilities and telecom providers press for narrow readings of regulatory authority. In that context, any hesitation by the PSC to assert jurisdiction over broadband and wireless cybersecurity can be seen as a form of quiet retreat, a recognition that pushing too far, too fast might lead to courtroom defeats that weaken the agency’s hand in other areas.
Unfinished Rules, Unanswered Questions
The cybersecurity rulemaking remains in flux, and the path from draft regulations to enforceable standards is far from settled. The Department of Public Service has kept the proceeding open, with notices inviting comments and replies from interested stakeholders. One such notice, accessible through a DPS event listing, set deadlines for written submissions and pointed commenters back to the June 2025 order that launched the case. Those procedural steps confirm that staff are still gathering input and refining their recommendations, but they do little to illuminate how the commission will ultimately balance its desire for comprehensive protections against the legal and political constraints of its jurisdiction over telecommunications.
Meanwhile, New York continues to build out cybersecurity expectations in other sectors, reinforcing the perception that telecom may be lagging behind. State agencies have promoted cyber guidance and compliance expectations for health providers, for example, through resources hosted on the Department of Health’s public website, and have emphasized the importance of safeguarding patient information and critical clinical systems. Separate job postings and policy materials associated with Article 19-c, including references in a state employment portal, highlight how incident reporting for public entities is being operationalized across agencies. Against that backdrop, the unresolved status of the PSC’s cybersecurity rules, and the possibility that large portions of Verizon’s network will remain outside their reach, stands out as a conspicuous gap in the state’s otherwise assertive cyber agenda.
More From The Daily Overview
*This article was researched with the help of AI, with human editors creating the final content.
Grant Mercer covers market dynamics, business trends, and the economic forces driving growth across industries. His analysis connects macro movements with real-world implications for investors, entrepreneurs, and professionals. Through his work at The Daily Overview, Grant helps readers understand how markets function and where opportunities may emerge.
