Social security number;

Driver's license number or non-driver identification card number;

Account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account;

Account number, or credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password;

Biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as fingerprint, voice print, or retina or iris image, or other unique physical representation or digital representation which is used to authenticate or ascertain the individual's identity;

If the Town owns or licenses computerized data that includes private information, it shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of the State of New York whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible to the Town Supervisor and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

If the employees of Town suspect a breach of the security of the system has occurred, it shall consult with the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSIC) or other agency to determine the scope of the breach and restoration measures. The involved individual shall be notified when it has been determined that there has been, or reasonably believed to have been, a compromise of private information or unauthorized disclosure.

In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, the Town may consider the following factors, among others:

The Town shall notify all individuals whose private information was acquired, or reasonably believed to have been acquired during the breach of the security of the system. Such notification shall be by one of the following methods:

The Town shall immediately notify the Town Clerk of the breach of the security of the system, who shall within 24 hours notify the insurer covering cybersecurity liability.

The Town shall promptly notify the New York State Attorney General, the New York State Consumer Protection Board, and the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSIC) or other agency responsible for the cybersecurity of municipalities as to the timing, content, and distribution of the notices and approximate number of persons affected.

If the breach of the security of the system has affected more than 5,000 persons, the Town shall notify consumer reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals.

Notification may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. In such case, notification will be delayed only as long as needed to determine that notification no longer compromises any investigation.

Regardless of the method by which notice of a breach of the security of the system is provided, such notice shall include contact information for the Town making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are, reasonably believed to have been so acquired.