Questions about eCode360? Municipal users Join us Monday through Wednesday between 12pm and 1pm EDT to get answers and other tips!
City of Middletown, NY
Orange County
By using eCode360 you agree to be legally bound by the Terms of Use. If you do not agree to the Terms of Use, please do not use eCode360.
Table of Contents
Table of Contents
[HISTORY: Adopted by the Common Council of the City of Middletown 4-7-2015 by L.L. No. 1-2015. Amendments noted where applicable.]
Code of Ethics — See Ch. 48.
Records — See Ch. 112.
Background checks — See Ch. 173.
In response to the increasing breaches of sensitive private information maintained in electronic format, the New York State Legislature enacted the New York State Information Security Breach and Notification Act, Chapters 442 and 491 of the Laws of 2005, and codified as Section 208 of the New York State Technology Law ("the Law"). New York State values the protection of private information of individuals. Under the Law, municipalities must adopt a notification policy designed to alert persons if private information maintained by the municipality in electronic format has been accessed without authorization. This policy requires notification to affected New York residents and nonresidents. The purpose of this enactment is to comply with the Law; under the Law, the City of Middletown is required to notify an individual when data, which is maintained by the City of Middletown and contains the individual's private information, has been, or is reasonably believed to have been, compromised.
As used in this chapter, the following terms shall have the meanings indicated:
Any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. The State Attorney General is responsible for compiling a list of consumer reporting agencies and furnishing the list upon request to the City of Middletown.
Any information created, stored (in temporary or permanent form), filed, produced or reproduced, regardless of the form or media. Data may include, but is not limited to, personally identifying information, reports, files, folders, memoranda, statements, examinations, transcripts, images, communications, electronic or hard copy.
The representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by human or automated means.
Any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.
Personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
Social security number; or
Driver's license number or nondriver identification card number; or
Account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account
Private information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Any non-City of Middletown employee such as a contractor, vendor, consultant, intern, other municipality and the like.
The City of Middletown, after consulting with the New York State Office of Information Technology Services to determine the scope of the breach and restoration measures of its compromised data, must notify an individual when it has been determined that there has been, or is reasonably believed to have been, a compromise of the individual's private information through unauthorized disclosure.
A compromise of private information means the unauthorized acquisition of unencrypted computerized data with private information.
If encrypted data is compromised along with the corresponding encryption key, the data is considered unencrypted and thus falls under the notification requirements.
Notification may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. In such case, notification will be delayed only as long as needed to determine that notification no longer compromises any investigation.
When there has been, or it is reasonably believed that there has been, a compromise of individuals' private information through unauthorized disclosure or as otherwise required by this chapter, the City of Middletown will notify the affected individual(s) directly by one of the following methods:
Written notice;
Electronic notice, provided that the person to whom notice is required has expressly consented to receiving notice in electronic form and a log of each notification is kept by the City of Middletown that notifies affected persons in such form;
Telephone notification, provided that a log of each notification is kept by the City of Middletown that notifies affected persons; or
Substitute notice, if the City of Middletown demonstrates to the New York State Attorney General that the cost of providing notice would exceed $250,000, that the affected class of persons to be notified exceeds 500,000, or that the City of Middletown does not have sufficient contact information. The following constitute sufficient substitute notice:
E-mail notice when the City of Middletown has an e-mail address for the subject persons;
Conspicuous posting of the notice on the City of Middletown's web site page; and
Notification to major statewide media.
The City of Middletown must notify the New York State Office of Information Technology Services as to the timing, content and distribution of the notices and approximate number of affected persons.
The City of Middletown must notify the New York State Attorney General and the New York State Consumer Protection Board, whenever notification to a New York resident is necessary, as to the timing, content and distribution of the notices and approximate number of affected persons.
Regardless of the method by which notice is provided, the notice must include contact information for the City of Middletown and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.
When more than 5,000 New York residents must be notified at one time, then the City of Middletown must notify the consumer reporting agencies as to the timing, content and distribution of the notices and the approximate number of affected individuals. This notice, however, will be made without delaying notice to the individuals.
This chapter, and the policies contained in this chapter, applies not only to information maintained by the City of Middletown itself, but also to information maintained on behalf of the City of Middletown by a third party.