[HISTORY: Adopted by the Village Board of the Village of
Canisteo 7-14-2020 by L.L. No.
3-2020; amended in its entirety at time of adoption
of Code (see Ch. 1, General Provisions, Art. I). Subsequent amendments
noted where applicable.]
This policy is consistent with the State Technology Law § 208,
as added by Chapters 442 and 491 of the Laws of 2005. This policy
requires notification to affected New York residents and nonresidents.
New York State values the protection of private information of individuals.
The Incorporated Village of Canisteo is required to notify an individual
when there has been or is reasonably believed to have been a compromise
of the individual's private information in compliance with the
Information Security Breach and Notification Act and this policy.
For the purpose of this chapter, the terms used are defined
as follows:
Unauthorized acquisition or acquisition without valid authorization
of computerized data which compromises the security, confidentiality,
or integrity of personal information maintained by a state entity.
Good faith acquisition of personal information by an employee or agent
of a state entity for the purposes of the agency is not a breach of
the security of the system, provided that the private information
is not used or subject to unauthorized disclosure.
Any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. A list of consumer reporting agencies shall be compiled by the state attorney general and furnished upon request to state entities required to make a notification under § 16-3 of this chapter.
Any information created, stored (in temporary or permanent
form), filed, produced or reproduced, regardless of the form or media.
"Data" may include, but is not limited to, personally identifying
information, reports, files, folders, memoranda, statements, examinations,
transcripts, images, communications, electronic or hard copy.
The representation of facts, concepts or instructions in
a formalized manner suitable for communication, interpretation or
processing by human or automated means.
Any information concerning a natural person which, because
of name, number, personal mark or other identifier, can be used to
identify such natural person.
Personal information in combination with any one or more of
the following data elements, when either the personal information
or the data element is not encrypted or encrypted with an encryption
key that has also been acquired:
Social security number;
Driver's license number or non-driver identification card
number;
Account number, credit or debit card number, in combination
with any required security code, access code, or password which would
permit access to an individual's financial account;
Account number, or credit or debit card number, if circumstances
exist wherein such number could be used to access to an individual's
financial account without additional identifying information, security
code, access code, or password;
Biometric information, meaning data generated by electronic
measurements of an individual's unique physical characteristics,
such as fingerprint, voice print, or retina or iris image, or other
unique physical representation or digital representation which are
used to authenticate or ascertain the individual's identity;
or
A user name or e-mail address in combination with a password
or security question and answer that would permit access to an online
account.
"Private information" does not include publicly available information
that is lawfully made available to the general public from federal,
state or local government records.
Any state board, bureau, division, committee, commission,
council, department, public authority, public benefit corporation,
office or other governmental entity performing a governmental or proprietary
function for the State of New York, except:
Any nonmunicipal employee, such as a contractor, vendor,
consultant, intern, other municipality, etc.
The municipality, after consulting with the State Office of
Information Technology Services to determine the scope of the breach
and restoration measures, must notify an individual when it has been
determined that there has been or is reasonably believed to have been
a compromise of the individual's private information through
unauthorized disclosure.
A.
A compromise of private information means the unauthorized acquisition
of unencrypted computerized data with private information.
B.
If encrypted data is compromised along with the corresponding encryption
key, the data is considered unencrypted and thus falls under the notification
requirements.
C.
Notification may be delayed if a law enforcement agency determines
that the notification impedes a criminal investigation. In such case,
notification will be delayed only as long as needed to determine that
notification no longer compromises any investigation.
A.
The municipality will notify the affected individual directly by
one of the following methods:
(1)
Written notice;
(2)
Electronic notice, provided that the person to whom notice is required
has expressly consented to receiving notice in electronic form and
a log of each notification is kept by the municipality that notifies
affected persons in such form; provided further, however, that in
no case shall any person or business require a person to consent to
accepting said notice in said form as a condition of establishing
any business relationship or engaging in any transaction;
(3)
Telephone notification, provided that a log of each notification
is kept by the municipality that notifies affected persons; or
(4)
Substitute notice, if the municipality demonstrates to the State
Attorney General that cost of providing notice would exceed $250,000
or that the affected class of persons to be notified exceeds 500,000,
or the municipality does not have sufficient contact information.
B.
The notification required by this section may be delayed if a law
enforcement agency determines that such notification impedes a criminal
investigation. The notification required by this section shall be
made after such law enforcement agency determines that such notification
does not compromise such investigation.
The following constitute sufficient substitute notice:
A.
The municipality must notify:
(1)
The State Attorney General, the Department of State and the State
Office of Information Technology Services as to the timing, content
and distribution of the notices and approximate number of affected
persons and provide a copy of the template of the notice sent to affected
persons. Such notice shall be made without delaying notice to affected
New York residents.
(2)
In the event that more than 5,000 New York residents are to be notified
at one time, the municipality shall also notify consumer reporting
agencies as to the timing, content and distribution of the notices
and approximate number of affected persons.
B.
Regardless of the method by which notice is provided, the notice
must include contact information for the municipality making the notification
and a description of the categories of information that were, or are
reasonably believed to have been, acquired by a person without valid
authorization, including specification of which of the elements of
personal information and private information were, or are reasonably
believed to have been, so accessed or acquired.
C.
This policy also applies to information maintained on behalf of the
municipality by a third party.
This chapter shall take effect immediately upon filing with
the Secretary of State.
