Pursuant to the provisions of § 208 of the State Technology
Law, the Town Board of the Town of Aurora recognizes the requirement
to establish a notification policy for cyber security breach. Section
208(8) defines the requirement to notify an individual when there
has been, or is reasonably believed to have been, a compromise of
that individual's private information, in compliance with this
Code.
As used in this chapter, the following terms have the meanings
indicated:
COMPROMISE OF PRIVATE INFORMATION
The unauthorized acquisition of unencrypted computerized
data with private information and encrypted data with private information.
PRIVATE INFORMATION
Personal information consisting of any information in combination
with any one or more of the following data elements, when either the
personal information or the data element is not encrypted or is encrypted
with an encryption key that has also been acquired:
B. Driver's license number or non-driver identification card number;
C. Account number, credit or debit card number, in combination with
any required security code, access code, or password which would permit
access to an individual's financial account;
D. Account number, or credit or debit card number, if circumstances
exist wherein such number could be used to access an individual's
financial account without additional identifying information, security
code, access code, or password;
E. Biometric information, meaning data generated by electronic measurements
of an individual's unique physical characteristics, such as fingerprint,
voice print, or retina or iris image, or other unique physical representation
or digital representation which is used to authenticate or ascertain
the individual's identity;
(1) A username or email address in combination with a password or security
question and answer that would permit access to an online account.
(2) "Private information" does not include publicly available information
that is lawfully made available to the general public from federal,
state, or local government records.
BREACH OF THE SECURITY OF THE SYSTEM
The unauthorized acquisition or acquisition without valid
authorization of computerized data which compromises the security,
confidentiality, or integrity of personal information maintained by
the Town. Good faith acquisition of personal information by an employee
or agent of the Town for the purposes of the Town is not a breach
of the security of the system, provided that the private information
is not used or subject to unauthorized disclosure.
CONSUMER REPORTING AGENCY
Any person which, for monetary fees, dues, or on a cooperative
nonprofit basis, regularly engages, in whole or in part, in the practice
of assembling or evaluating consumer credit information or other information
on consumers for the purpose of furnishing consumer reports to third
parties, and which uses any means or facility of interstate commerce
for the purpose of preparing or furnishing consumer reports.
UNENCRYPTED DATA
If encrypted data is compromised along with the corresponding
encryption key, the data shall be considered unencrypted and thus
fall under the notification requirements.
In addition to any penalties contained in any other provision
of law, any person who shall knowingly and intentionally violate any
of the provisions of this Code may be fined, suspended or removed
from office or employment, as the case may be, in the manner provided
by law.
This chapter shall take effect immediately upon filing with
the New York Secretary of State.