This chapter shall be known and may be cited
as the "Cyber Security Citizens' Notification Policy."
The policy set forth in this Chapter is intended
to be consistent with the State Technology Law, § 208, as
added by Chapters 442 and 491 of the Laws of 2005. This policy requires
notification to affected New York residents and nonresidents. The
City of Ithaca and New York State value the protection of private
information of individuals. The City of Ithaca is required to notify
an individual when there has been or is reasonably believed to have
been a compromise of the individual's private information, in compliance
with the applicable provisions of the State Technology Law and this
policy.
As used in this chapter, the following terms
shall have the meanings indicated:
COMPROMISE OF PRIVATE INFORMATION
The unauthorized acquisition of unencrypted computerized
data containing private information from records maintained by the
City of Ithaca.
CONSUMER REPORTING AGENCY
Any person or entity which, for monetary fees, dues, or on
a cooperative nonprofit basis, regularly engages in whole or in part
in the practice of assembling or evaluating consumer credit information
or other information on consumers for the purpose of furnishing consumer
reports to third parties, and which uses any means or facility of
interstate commerce for the purpose of preparing or furnishing consumer
reports. (The State Attorney General is responsible for compiling
a list of consumer reporting agencies and furnishing the list upon
request to the City of Ithaca.)
DATA
Any information created, stored (in temporary or permanent
form), filed, produced or reproduced, regardless of the form or media.
Data may include, but is not limited to personally identifying information,
reports, files, folders, memoranda, statements, examinations, transcripts,
images, communications, and electronic or hard copy.
INFORMATION
The representation of facts, concepts, or instructions in
a formalized manner suitable for communication, interpretation, or
processing by human or automated means.
PERSONAL INFORMATION
Any information concerning a natural person which, because
of name, number, personal mark or other identifier, can be used to
identify such natural person.
PRIVATE INFORMATION
A.
Personal information in combination with any
one or more of the following data elements, when either the personal
information or the data element is not encrypted or encrypted with
an encryption key that has also been acquired:
(1)
Social security number; or
(2)
Driver's license number or nondriver identification
card number; or
(3)
Account number, credit or debit card number,
in combination with any required security code, access code, or password
which would permit access to an individual's financial account.
B.
Private information does not include publicly
available information that is lawfully made available to the general
public from federal, state, or local government records.
THIRD-PARTY
Any nonmunicipal employee such as a contractor, vendor, consultant,
intern, other municipality, etc.
[Amended 11-3-2021 by Ord. No. 2021-09]
The City Manager shall ensure that a written,
city-wide protocol is established, which protocol shall stipulate
how the notification requirements in this policy are to be implemented.