This policy is consistent with State Technology Law § 208,
as added by Chapters 442 and 491 of the Laws of 2005. This policy requires
notification to affected New York residents and nonresidents. New York State
law values the protection of private information of individuals. The Village
is required to notify an individual when there has been or is reasonably believed
to have been a compromise of the individual's private information in
compliance with the Information Security Breach and Notification Act and this
policy.
The Village, after consulting with the State's Office of Cyber
Security and Critical Infrastructure Coordination (CSCIC) to determine the
scope of the breach and restoration measures, is required to notify an individual
when it has been determined that there has been, or is reasonably believed
to have been, a compromise of the individual's private information through
unauthorized disclosure.
A compromise of private information means the unauthorized acquisition
of unencrypted computerized data with private information.
If encrypted data is compromised along with the corresponding encryption
key, the data is considered unencrypted and thus falls under the notification
requirements.
Notification may be delayed if a law enforcement agency determines that
the notification impedes a criminal investigation. In such case, notification
will be delayed only as long as needed to determine that notification no longer
compromises any investigation.
The Village will notify the CSCIC as to the timing, content and distribution
of the notices and approximate number of affected persons.
The Village will notify the Attorney General and the Consumer Protection
Board, whenever notification to a New York resident is necessary, as to the
timing, content and distribution of the notices and approximate number of
affected persons.
Regardless of the method by which notice is provided, the notice shall
include contact information for the Village and a description of the categories
of information that were, or are reasonably believed to have been, acquired
by a person without valid authorization, including specification of which
of the elements of personal information and private information were, or are
reasonably believed to have been, so acquired.
This policy also applies to information maintained on behalf of the
Village by a third party.
When more than 5,000 New York residents must be notified at one time,
then the Village must notify the consumer reporting agencies as to the timing,
content and distribution of the notices and the approximate number of affected
individuals. This notice, however, will be made without delaying notice to
the individuals.
As used in this chapter, the following terms shall have the meanings
indicated:
CONSUMER REPORTING AGENCY
Any person or entity which, for monetary fees, dues, or on a cooperative
nonprofit basis, regularly engages in whole or in part in the practice of
assembling or evaluating consumer credit information or other information
on consumers for the purpose of furnishing consumer reports to third parties,
and which uses any means or facility of interstate commerce for the purpose
of preparing or furnishing consumer reports. The State Attorney General is
responsible for compiling a list of consumer reporting agencies and furnishing
the list upon request to the Village.
DATA
Any information created, stored (in temporary or permanent form),
filed, produced or reproduced, regardless of the form or media. Data may include,
but is not limited to, personally identifying information, reports, files,
folders, memoranda, statements, examinations, transcripts, images, communications,
electronic or hard copy.
INFORMATION
The representation of facts, concepts, or instructions in a formalized
manner suitable for communication, interpretation, or processing by human
or automated means.
PERSONAL INFORMATION
Any information concerning a natural person which, because of name,
number, personal mark or other identifier, can be used to identify such natural
person.
PRIVATE INFORMATION
Personal information in combination with any one or more of the following
data elements, when either the personal information or the data element is
not encrypted or encrypted with an encryption key that has also been acquired:
social security number; or driver's license number or non-driver identification
card number; or account number, credit or debit card number, in combination
with any required security code, access code, or password which would permit
access to an individual's financial account. The term "private information"
does not include publicly available information if it is lawfully made available
to the general public from federal, state, or local government records.
THIRD-PARTY
Any person or entity which is not a municipal employee, such as a
contractor, vendor, consultant, volunteer, other municipality, etc.