City of New Rochelle, NY
Westchester County
By using eCode360 you agree to be legally bound by the Terms of Use. If you do not agree to the Terms of Use, please do not use eCode360.
Table of Contents
Table of Contents
[HISTORY: Adopted by the Council of the City of New Rochelle 4-20-2006 by Ord. No. 100-2006. Amendments noted where applicable.]

§ 28-1 Legislative authority; purpose.

This policy is consistent with the State Technology Law, Section 208 as added by Chapters 442 and 491 of the laws of 2005. This policy requires notification to impacted New York residents and nonresidents. New York State values the protection of private information of individuals. The City of New Rochelle is required to notify an individual when there has been or is reasonably believed to have been a compromise of the individual's private information in compliance with the Information Security Breach and Notification Act and this policy.

§ 28-2 Notification to citizens of compromised private information through unauthorized disclosure.

The City of New Rochelle, after consulting with the State's Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) to determine the scope of the breach and restoration measures, shall notify an individual when it has been determined that there has been, or is reasonably believed to have been, a compromise of private information through unauthorized disclosure.

§ 28-3 "Compromise of private information" defined.

A "compromise of private information" shall mean the unauthorized acquisition of unencrypted computerized data with private information.

§ 28-4 Encrypted data.

If encrypted data is compromised along with the corresponding encryption key, the data shall be considered unencrypted and thus fall under the notification requirements.

§ 28-5 Delay of notification during criminal investigation.

Notification may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. In such case, notification will be delayed only as long as needed to determine that notification no longer compromises any investigation.

§ 28-6 Methods of notification.

The City will notify the affected individual. Such notice shall be directly provided to the affected persons by one of the following methods:
A. 
Written notice.
B. 
Electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the City that notifies affected persons in such form.
C. 
Telephone notification provided that a log of each such notification is kept by the City that notifies affected persons.
D. 
Substitute notice, if the City demonstrates to the state Attorney General that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 55,000, or the City does not have sufficient contact information. Substitute notice shall consist of all of the following:
(1) 
E-mail notice when the City has an e-mail address for the subject persons;
(2) 
Conspicuous posting of the notice on the City's web site page, if the City maintains one; and
(3) 
Notification to major statewide media.

§ 28-7 Notification to CSCIC, Attorney General and Consumer Protection Board.

A. 
The City must notify CSCIC as to the timing, content and distribution of the notices and approximate number of affected persons.
B. 
The City must notify the Attorney General and the Consumer Protection Board, whenever notification to a New York resident is necessary, as to the timing, content and distribution of the notices and approximate number of affected persons.

§ 28-8 Contents of notification.

Regardless of the method by which notice is provided, such notice shall include contact information for the City making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.

§ 28-9 Third-party applicability.

This Policy also applies to information maintained on behalf of the City by a third party.

§ 28-10 Notification to consumer reporting agencies when certain quantity of residents impacted.

When more than 5,000 New York residents are to be notified at one time, then the City must notify the consumer reporting agencies as to the timing, content and distribution of the notices and the approximate number of affected individuals. This notice, however, will be made without delaying notice to the individuals.

§ 28-11 Definitions.

As used in this chapter, the following terms shall have the meanings indicated:
CONSUMER REPORTING AGENCY
Any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. The state Attorney General is responsible for compiling a list of consumer reporting agencies and furnishing the list upon request to the City.
DATA
Any information created, stored (in temporary or permanent form), filed, produced or reproduced, regardless of the form or media. Data may include, but is not limited to personally identifying information, reports, files, folders, memoranda, statements, examinations, transcripts, images, communications, electronic or hard copy.
INFORMATION
The representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by human or automated means.
PERSONAL INFORMATION
Any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.
A. 
Personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
(1) 
Social security number;
(2) 
Driver's license number or nondriver identification card number; or
(3) 
Account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account.
B. 
Private information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
THIRD PARTY
Any nonmunicipal employee such as a contractor, vendor, consultant, intern, other than the City, etc.