[HISTORY: Adopted by the Board of Trustees of the Village of Perry 4-3-2006.
Amendments noted where applicable.]
This policy is consistent with State Technology Law § 208
as added by Chapters 442 and 491 of the Laws of 2005. This policy requires
notification of affected New York residents and nonresidents. New York State
values the protection of private information of individuals. The Village of
Perry is required to notify an individual when data which is maintained by
the Village and contains the individual's private information has been, or
is reasonably believed to have been, compromised.
The Village of Perry, after consulting with the State's Office of Cyber
Security and Critical Infrastructure Coordination (CSCIC) to determine the
scope of the breach and restoration measures of its compromised data, must
notify an individual when it has been determined that there has been, or is
reasonably believed to have been, a compromise of the individual's private
information through unauthorized disclosure.
A.Â
A compromise of private information means the unauthorized acquisition
of unencrypted computerized data with private information.
B.Â
If encrypted data is compromised along with the corresponding
encryption key, the data is considered unencrypted and thus falls under the
notification requirements.
Notification may be delayed if a law enforcement agency determines that
the notification impedes a criminal investigation. In such case, notification
will be delayed only as long as needed to determine that notification no longer
compromises any investigation.
The Village of Perry will notify the affected individual directly by
one of the following methods:
A.Â
Written notice;
B.Â
Electronic notice, provided that the person to whom notice
is required has expressly consented to receiving notice in electronic form
and a log of each notification is kept by the Village that notifies affected
persons in such form;
C.Â
Telephone notification, provided that a log of each notification
is kept by the Village that notifies affected persons; or
D.Â
Substitute notice, if the Village demonstrates to the
State Attorney General that the cost of providing notice would exceed $250,000,
that the affected class of persons to be notified exceeds 500,000, or that
the Village does not have sufficient contact information. The following constitute
sufficient substitute notice:
A.Â
The Village must notify the State's Office of Cyber Security
and Critical Infrastructure Coordination (CSCIC) as to the timing, content
and distribution of the notices and approximate number of affected persons.
B.Â
The Village must notify the Attorney General and the Consumer
Protection Board, whenever notification of a New York resident is necessary,
as to the timing, content and distribution of the notices and approximate
number of affected persons.
Regardless of the method by which notice is provided, the notice must
include contact information for the Village of Perry making the notification
and a description of the categories of information that were, or are reasonably
believed to have been, acquired by a person without valid authorization, including
specification of which of the elements of personal information and private
information were, or are reasonably believed to have been, so acquired.
This policy applies not only to information maintained by the Village
of Perry itself but also to information maintained on behalf of the Village
of Perry by a third party.
When more than 5,000 New York residents must be notified at one time,
then the Village must notify the consumer reporting agencies as to the timing,
content and distribution of the notices and the approximate number of affected
individuals. This notice, however, will be made without delaying notice to
the individuals.
As used in this chapter, the following terms shall have the meaning
indicated:
Any person which, for monetary fees, dues or on a cooperative nonprofit
basis, regularly engages in whole or in part in the practice of assembling
or evaluating consumer credit information or other information on consumers
for the purpose of furnishing consumer reports to third parties and which
uses any means or facility of interstate commerce for the purpose of preparing
or furnishing consumer reports. The State Attorney General is responsible
for compiling a list of consumer reporting agencies and furnishing the list
upon request to the municipality.
Any information created, stored (in temporary or permanent form),
filed, produced or reproduced, regardless of the form or media. Data may include,
but is not limited to, personal identifying information, reports, files, folders,
memoranda, statements, examinations, transcripts, images, and communications,
electronic or hard copy.
The representation of facts, concepts, or instructions in a formalized
manner suitable for communication, interpretation, or processing by human
or automated means.
Any information concerning a natural person which, because of name,
number, personal mark or other identifier, can be used to identify such natural
person.
Personal information in combination with any one or more of the following
data elements, when either the personal information or the data element is
not encrypted or is encrypted with an encryption key that has also been acquired:
"Private information" does not included publicly available information
that is lawfully made available to the general public from federal, state,
or local government records.
Any nonmunicipal employee such as a contractor, vendor, consultant,
intern, other municipality, etc.
