This policy is consistent with the State Technology Law § 208,
as added by Chapters 442 and 491 of the Laws of 2005. This policy
requires notification to affected New York residents and nonresidents.
New York State values the protection of private information of individuals.
The Incorporated Village of Canisteo is required to notify an individual
when there has been or is reasonably believed to have been a compromise
of the individual's private information in compliance with the
Information Security Breach and Notification Act and this policy.
For the purpose of this chapter, the terms used are defined
as follows:
BREACH OF THE SECURITY OF THE SYSTEM
Unauthorized acquisition or acquisition without valid authorization
of computerized data which compromises the security, confidentiality,
or integrity of personal information maintained by a state entity.
Good faith acquisition of personal information by an employee or agent
of a state entity for the purposes of the agency is not a breach of
the security of the system, provided that the private information
is not used or subject to unauthorized disclosure.
CONSUMER REPORTING AGENCY
Any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. A list of consumer reporting agencies shall be compiled by the state attorney general and furnished upon request to state entities required to make a notification under §
16-3 of this chapter.
DATA
Any information created, stored (in temporary or permanent
form), filed, produced or reproduced, regardless of the form or media.
"Data" may include, but is not limited to, personally identifying
information, reports, files, folders, memoranda, statements, examinations,
transcripts, images, communications, electronic or hard copy.
INFORMATION
The representation of facts, concepts or instructions in
a formalized manner suitable for communication, interpretation or
processing by human or automated means.
PERSONAL INFORMATION
Any information concerning a natural person which, because
of name, number, personal mark or other identifier, can be used to
identify such natural person.
PRIVATE INFORMATION
A.
Personal information in combination with any one or more of
the following data elements, when either the personal information
or the data element is not encrypted or encrypted with an encryption
key that has also been acquired:
(2)
Driver's license number or non-driver identification card
number;
(3)
Account number, credit or debit card number, in combination
with any required security code, access code, or password which would
permit access to an individual's financial account;
(4)
Account number, or credit or debit card number, if circumstances
exist wherein such number could be used to access to an individual's
financial account without additional identifying information, security
code, access code, or password;
(5)
Biometric information, meaning data generated by electronic
measurements of an individual's unique physical characteristics,
such as fingerprint, voice print, or retina or iris image, or other
unique physical representation or digital representation which are
used to authenticate or ascertain the individual's identity;
or
B.
A user name or e-mail address in combination with a password
or security question and answer that would permit access to an online
account.
C.
"Private information" does not include publicly available information
that is lawfully made available to the general public from federal,
state or local government records.
STATE ENTITY
Any state board, bureau, division, committee, commission,
council, department, public authority, public benefit corporation,
office or other governmental entity performing a governmental or proprietary
function for the State of New York, except:
B.
All cities, counties, municipalities, villages, towns, and other
local agencies.
THIRD PARTY
Any nonmunicipal employee, such as a contractor, vendor,
consultant, intern, other municipality, etc.
The municipality, after consulting with the State Office of
Information Technology Services to determine the scope of the breach
and restoration measures, must notify an individual when it has been
determined that there has been or is reasonably believed to have been
a compromise of the individual's private information through
unauthorized disclosure.
A. A compromise of private information means the unauthorized acquisition
of unencrypted computerized data with private information.
B. If encrypted data is compromised along with the corresponding encryption
key, the data is considered unencrypted and thus falls under the notification
requirements.
C. Notification may be delayed if a law enforcement agency determines
that the notification impedes a criminal investigation. In such case,
notification will be delayed only as long as needed to determine that
notification no longer compromises any investigation.
The following constitute sufficient substitute notice:
A. E-mail notice when the municipality has an e-mail address for the
subject persons;
B. Conspicuous posting of the notice on the municipality's website
page, if the municipality maintains one; and
C. Notification to major statewide media.
This chapter shall take effect immediately upon filing with
the Secretary of State.