[HISTORY: Adopted by the Board of Trustees of the Village
of East Hampton 11-15-2013 by L.L. No. 22-2013. Amendments noted
where applicable.]
This policy is consistent with the State Technology Law, § 208.
This policy requires notification to affected New York residents and
nonresidents. New York State values the protection of private information
of individuals. The Village of East Hampton is required to notify
an individual when there has been, or is reasonably believed to have
been, a compromise of the individual's private information in
compliance with the Information Security Breach and Notification Act
and this policy.
For the purpose of this chapter, the terms used are defined
as follows:
Any person who, for monetary fees, dues, or on a cooperative
nonprofit basis, regularly engages in whole or in part in the practice
of assembling or evaluating consumer credit information or other information
on consumers for the purpose of furnishing consumer reports to third
parties, and which uses any means or facility of interstate commerce
for the purpose of preparing or furnishing consumer reports. The State
Attorney General is responsible for compiling a list of consumer reporting
agencies and furnishing the list upon request to the municipality.
Any information created, stored (in temporary or permanent
form), filed, produced or reproduced, regardless of the form or media.
Data may include, but is not limited to, personal identifying information,
reports, files, folders, memoranda, statements, examinations, transcripts,
images, communications, electronic or hard copy.
The representation of facts, concepts, or instructions in
a formalized manner suitable for communication, interpretation, or
processing by human or automated means.
Any information concerning a natural person which, because
of name, number, personal mark or other identifier, can be used to
identify such natural person.
Personal information in combination with any one or more of
the following data elements, when either the personal information
or the data element is not encrypted or encrypted with an encryption
key that has also been acquired:
Private information does not include publicly available information
that is lawfully made available to the general public from federal,
state, or local government records.
Any nonmunicipal employee, such as a contractor, vendor,
consultant, intern or other municipality.
The municipality, after consulting with the State's Office
of Cyber Security and Critical Infrastructure Coordination (CSCIC)
to determine the scope of the breach and restoration measures, must
notify an individual when it has been determined that there has been,
or is reasonably believed to have been, a compromise of the individual's
private information through unauthorized disclosure.
A.
A "compromise of private information" means the unauthorized acquisition
of unencrypted computerized data with private information.
B.
If encrypted data is compromised along with the corresponding encryption
key, the data is considered unencrypted and thus falls under the notification
requirements.
C.
Notification may be delayed if a law enforcement agency determines
that the notification impedes a criminal investigation. In such case,
notification will be delayed only as long as needed to determine that
notification no longer compromises the investigation.
A.
Written notice;
B.
Electronic notice, provided that the person to whom notice is required
has expressly consented to receiving notice in electronic form and
a log of each notification is kept by the municipality that notifies
affected persons in such form;
C.
Telephone notification, provided that a log of each notification
is kept by the municipality that notifies affected persons; or
D.
Substitute notice, if the municipality demonstrates to the State
Attorney General that the cost of providing notice would exceed $250,000.00,
or that the affected class of persons to be notified exceeds 500,000,
or the municipality does not have sufficient contact information.
The following constitute sufficient substitute notice:
A.
The municipality must notify:
(1)
CSCIC as to the timing, content and distribution of the notices and
approximate number of affected persons;
(2)
The Attorney General and the Consumer Protection Board, whenever
notification to a New York resident is necessary, as to the timing,
content and distribution of the notices and approximate number of
affected persons.
B.
Regardless of the method by which notice is provided, the notice
must include contact information for the municipality making the notification
and a description of the categories of information that were, or are
reasonably believed to have been, acquired by a person without valid
authorization, including specification of which of the elements of
personal information and private information were, or are reasonably
believed to have been, so acquired by a third party.
C.
This policy also applies to information maintained on behalf of the
municipality by a third party.
D.
When more than 5,000 New York residents must be notified at one time,
then the municipality must notify the consumer reporting agencies
as to the timing, content and distribution of the notices and the
approximate number of affected individuals. This notice, however,
will be made without delaying notice to the individuals.