§ 25-1. Notification Policy.
[HISTORY: Adopted by the Board of Trustees of the
§ 25-1. Notification Policy.
A.
This policy is consistent with the State Technology Law
§ 208 as added by Chapter’s 442 and 491 of the Laws of 2005. This policy
requires notification to affected
B. The municipality, after consulting with the State’s Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) to determine the scope of the breach and restoration measures, must notify an individual when it has been determined that there has been, or is reasonably believed to have been a compromise of the individual's private information through unauthorized disclosure.
C. A compromise of private information means the unauthorized acquisition of unencrypted data with private information.
D. If encrypted data is compromised along with the corresponding encryption key, the data is considered unencrypted and thus falls under the notification requirements.
E. Notification may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. In such case, notification will be delayed only as long as needed to determine that notification no longer compromises any investigation.
F. The municipality will notify the affected individual directly by one of the following methods:
(1) Written notice;
(2) Electronic notice, provided that the person to whom notice is required has expressly consented to receiving notice in electronic form and a log of each notification is kept by the municipality that notifies affected persons in such form;
(3) Telephone notification, provided that a log of each notification is kept by the municipality that notifies affected persons; or
(4) Substitute notice, if the municipality demonstrates to the state Attorney General that the cost of providing notice would exceed $250,000 or that the affected class of persons to be notified exceeds 5,000, or the municipality does not have sufficient contact information. The following constitute sufficient substitute notice:
a. E-mail notice when the municipality has an e-mail address for the subject persons;
b. Conspicuous posting of the notice on the municipality’s web site page, if the municipality maintains one; and
c. Notification to major statewide media.
G.
The municipality must notify CSCIC as to the timing,
content and distribution of the notices and approximate number of affected
persons.
H.
The municipality must notify the Attorney General and the
Consumer Protection Board, whenever notification to a
I.
Regardless of the method by which notice is provided, the
notice must include contact information for the municipality making the
notification and a description of the categories of information that were, or
are reasonably believed to have been, acquired by a person without valid
authorization, including specification of which of the elements of personal
information and private information were, or are reasonably believed to have
been, so acquired.
J.
This policy also applies to information maintained on
behalf of the municipality by a third party.
K. When more than 5,000
Consumer Reporting Agency: Any person which, for monetary fees, dues, or on a
cooperative nonprofit basis, regularly engages in whole or in part in the
practice of assembling or evaluating consumer credit information or other
information on consumers for the purpose of furnishing consumer reports to
third parties, and which uses any means or facility of interstate commerce for
the purpose of preparing or furnishing consumer reports. The state attorney
general is responsible for compiling a list of consumer reporting agencies and
furnishing the list upon request to the municipality.
Data: Any information created, stored (in
temporary or permanent form), filed, produced or reproduced, regardless of the
form or media. Data may include, but is not limited to personally identifying
information, reports, files, folders, memoranda, statements, examinations,
transcripts, images, communications, electronic or hard copy.
Information: The representation of facts,
concepts, or instructions in a formalized manner suitable for communication,
interpretation, or processing by human or automated means.
Personal Information: Any
information concerning a natural person which, because of name, number,
personal mark or other identifier, can be used to identify such natural person.
Private Information: Personal
information in combination with any one or more of the following data elements,
when either the personal information or the data element is not encrypted or
encrypted with an encryption key that has also been acquired:
1. social security number; or
2. driver’s license number or
non-driver identification card number; or
3. account number, credit or
debit card number, in combination with any required security code, access code,
or password which would permit access to an individual’s financial account.
“Private information” does
not include publicly available information that is lawfully made available to
the general public from federal, state, or local government records.
Third Party: Any non-municipal employee such as a contractor, vendor, consultant,
intern, other municipality, etc.