As used in this article, the following terms
shall have the meanings indicated:
CONSUMER REPORTING AGENCY
Any person which, for monetary fees, dues, or on a cooperative
nonprofit basis, regularly engages in whole or in part in the practice
of assembling or evaluating consumer credit information or other information
on consumers for the purpose of furnishing consumer reports to third
parties, and which uses any means or facility of interstate commerce
for the purpose of preparing or furnishing consumer reports. The State
Attorney General is responsible for compiling a list of consumer reporting
agencies and furnishing the list upon request to the municipality.
DATA
Any information created, stored (in temporary or permanent
form), filed, produced or reproduced, regardless of the form or media.
Data may include, but is not limited to, personally identifying information,
reports, files, folders, memoranda, statements, examinations, transcripts,
images, communications, electronic or hard copy.
INFORMATION
The representation of facts, concepts, or instructions in
a formalized manner suitable for communication, interpretation, or
processing by human or automated means.
PERSONAL INFORMATION
Any information concerning a natural person which, because
of name, number, personal mark or other identifier, can be used to
identify such natural person.
PRIVATE INFORMATION
A. Personal information in combination with any
one or more of the following data elements, when either the personal
information or the data element is not encrypted or encrypted with
an encryption key that has also been acquired:
(1) Social security number; or
(2) Driver's license number or non-driver identification
card number; or
(3) Account number, credit or debit card number,
in combination with any required security code, access code, or password
which would permit access to an individual's financial account.
B. "Private information" does not include publicly
available information that is lawfully made available to the general
public from federal, state, or local government records.
THIRD PARTY
Any nonmunicipal employee such as a contractor, vendor, consultant,
intern, other municipality, etc.
This policy is consistent with State Technology
Law § 208 as added by Chapters 442 and 491 of the Laws of
2005. This policy requires notification to impacted New York residents
and nonresidents. The Village of Carthage values the protection of
private information of individuals. The Village of Carthage, in compliance
with the Information Security Breach and Notification Act and this
policy, is required to notify an individual when there has been or
is reasonably believed to have been a compromise of the individual's
private information.
The Village of Carthage, after consulting with
the New York State Office of Cyber Security & Critical Infrastructure
Coordination (hereinafter CSCIC) to determine the scope of the breach
and restoration measures, shall notify an individual when it has been
determined that there has been, or is reasonably believed to have
been, a compromise of private information through unauthorized disclosure.
A compromise of private information shall mean
the unauthorized acquisition of unencrypted computerized data with
private information.
If encrypted data is compromised along with
the corresponding encryption key, the data shall be considered unencrypted
and thus fall under the notification requirements.
Notification may be delayed if a law enforcement
agency determines that the notification impedes a criminal investigation.
In such case, notification will be delayed only as long as needed
to determine that notification no longer compromises any investigation.
The Village of Carthage will notify the affected
individual. Such notice shall be directly provided to the affected persons
by one of the following methods:
B. Electronic notice, provided that the person to whom
notice is required has expressly consented to receiving said notice
in electronic form and a log of each such notification is kept by
the Village of Carthage;
C. Telephone notification, provided that a log of each
such notification is kept by the Village of Carthage; or
D. Substitute notice, if the Village of Carthage demonstrates
to the State Attorney General that the cost of providing notice would
exceed $250,000, or that the affected class of subject persons to
be notified exceeds 500,000, or the Village of Carthage does not have
sufficient contact information. Substitute notice shall consist of
all of the following:
(1) E-mail notice when the Village of Carthage has
an e-mail address for the subject persons;
(2) Conspicuous posting of the notice on the Village
of Carthage Web site page, if the Village maintains one; and
(3) Notification to major statewide media.
The Village of Carthage shall notify CSCIC as
to the timing, content and distribution of the notices and approximate
number of affected persons.
The Village of Carthage shall notify the Attorney
General and the Consumer Protection Board, whenever notification to
a New York resident is necessary, as to the timing, content and distribution
of the notices and approximate number of affected persons.
Regardless of the method by which notice is
provided, such notice shall include contact information for the Village
of Carthage, and a description of the categories of information that
were, or are reasonably believed to have been, acquired by a person
without valid authorization, including specification of which of the
elements of personal information and private information were, or
are reasonably believed to have been, so acquired.
This policy also applies to information maintained
on behalf of the Village of Carthage by a third party.
When more than 5,000 New York residents are
to be notified at one time, then the Village of Carthage shall notify
the consumer reporting agencies as to the timing, content and distribution
of the notices and the approximate number of affected individuals.
This notice, however, will be made without delaying notice to the
individuals.
This policy and support policies and standards
will be reviewed at a minimum on an annual basis.