[HISTORY: Adopted by the Town Board of the Town of Massena 3-15-2006.
Amendments noted where applicable.]
A.Â
This policy is consistent with the State Technology Law,
§ 208 as added by Chapters 442 and 491 of the Laws of 2005. This
policy requires notification to impacted New York residents and nonresidents.
The Town of Massena and New York State value the protection of private information
of individuals. The Town is required to notify an individual when there has
been or is reasonably believed to have been a compromise of the individual's
private information in compliance with the Information Security Breach and
Notification Act[1] and this policy.
[1]
Editor's Note: See N.Y.S. General Business Law § 899-aa.
B.Â
The Town, after consulting with the New York State Office
of Cyber Security and Critical Infrastructure (CSCIC) to determine the scope
of the breach and restoration measures, shall notify an individual when it
has been determined that there has been, or is reasonably believed to have
been a compromise of private information through unauthorized disclosure.
C.Â
A compromise of private information shall mean the unauthorized
acquisition of unencrypted computerized data with private information.
D.Â
If encrypted data is compromised along with the corresponding
encryption key, the data shall be considered unencrypted and thus fall under
the notification requirements.
E.Â
Notification may be delayed if a law enforcement agency
determines that the notification impedes a criminal investigation. In such
case, notification will be delayed only as long as needed to determine that
notification no longer compromises any investigation.
F.Â
The Town will notify the affected individual. Such notice
shall be directly provided to the affected persons by one of the following
methods:
(1)Â
Written notice;
(2)Â
Electronic notice, provided that the person to whom notice
is required has expressly consented to receiving said notice in electronic
form and a log of each such notification is kept by the Town when affected
persons are notified in such form;
(3)Â
Telephone notification, provided that a log of each such
notification is kept by the Town when affected persons are notified in such
form; or
(4)Â
Substitute notice, if the Town demonstrates to the State
Attorney General that the cost of providing notice would exceed $250,000 or
that the affected class of subject persons to be notified exceeds 500,000
or if the Town does not have sufficient contact information. Substitute notice
shall consist of all of the following:
G.Â
The Town shall notify CSCIC as to the timing, content
and distribution of the notices and approximate number of affected persons.
H.Â
The Town shall notify the Attorney General and the Consumer
Protection Board whenever notification to a New York resident is necessary
as to the timing, content and distribution of the notices and approximate
number of affected persons.
I.Â
Regardless of the method by which notice is provided,
such notice shall include contact information for the Town of Massena and
a description of the categories of information that were, or are reasonably
believed to have been, acquired by a person without valid authorization, including
specification of which of the elements of personal information and private
information were, or are reasonably believed to have been, so acquired.
J.Â
This policy also applies to information maintained on
behalf of the Town by a third party.
K.Â
When more than 5,000 New York residents are to be notified
at one time, then the Town shall notify the consumer reporting agencies as
to the timing, content and distribution of the notices and the approximate
number of affected individuals. This notice, however, will be made without
delaying notice to the individuals.
As used in this chapter, the following terms shall have the meanings
indicated:
The granting of rights which includes the granting of access based
on an authenticated identity.
The property of being operational, accessible, functional and usable
upon demand by an authorized entity, e.g., a system or user.
The designation given to information or a document from a defined
category on the basis of its sensitivity.
All physical, electronic and other components, types and uses of
computers, including but not limited to hardware, software, central processing
units, electronic communications and systems, databases, memory, Internet
service, information systems, laptops, personal digital assistants and accompanying
equipment used to support the use of computers, such as printers, fax machines
and copiers, and any updates, revisions, upgrades or replacements thereto.
Consumer reporting agency shall mean any person which, for monetary
fees, dues, or on a cooperative nonprofit basis, regularly engages in whole
or in part in the practice of assembling or evaluating consumer credit information
or other information on consumers for the purpose of furnishing consumer reports
to third parties, and which uses any means or facility of interstate commerce
for the purpose of preparing or furnishing consumer reports. A list of consumer
reporting agencies shall be compiled by the State Attorney General and furnished
upon request to state entities required to make a notification under this
policy.
The property that information is not made available or disclosed
to unauthorized individuals, entities, or processes.
Countermeasures or safeguards that are the devices or mechanisms
that are needed to meet the requirements of policy.
A condition, vulnerability or threat that could cause danger to data,
a system, network, or a component thereof.
An employee or organizational unit acting as a caretaker of an automated
file or database on behalf of its owner.
Any information created, stored (in temporary or permanent form),
filed, produced or reproduced, regardless of the form or media. Data may include,
but is not limited to personally identifying information, reports, files,
folders, memoranda, statements, examinations, transcripts, images, communications,
electronic or hard copy.
The protection of information assets from accidental or intentional
but unauthorized disclosure, modification, or destruction, or the inability
to process that information.
The reversal of a corresponding reversible encryption to render information
intelligible using the appropriate algorithm and key.
The cryptographic transformation of data to render it unintelligible
through an algorithmic process using a cryptographic key.
Any adverse event that threatens the confidentiality, integrity or
accessibility of information resources.
The manual and automated procedures used to respond to reported network
intrusions (real or suspected); network failures and errors; and other undesirable
events.
Information is defined as the representation of facts, concepts,
or instructions in a formalized manner suitable for communication, interpretation,
or processing by human or automated means.
All categories of automated information, including but not limited
to: records, files, and databases; and information technology facilities,
equipment (including microcomputer systems), and software owned or leased
by the state.
An individual or a group of individuals that has responsibility for
making classification and control decisions regarding use of information.
The concepts, techniques and measures used to protect information
from accidental or intentional unauthorized access, modification, destruction,
disclosure or temporary or permanent loss (see "availability").
Loss of business information through theft of data.
The property that data has not been altered or destroyed from its
intended form or content in an unintentional or an unauthorized manner.
A system of linked computer networks, international in scope, that
facilitates data transmission and exchange, which all use the standard Internet
protocol, TCP/IP, to communicate and share data with each other.
The monitoring of network activities, primarily through automated
measures, to detect, log and report upon actual or suspected authorized access
and events for investigation and resolution.
Any information that is covered by an exception to the Freedom of
Information Law, Public Officer Law Article 6, or is otherwise protected from
disclosure by law.
An individual or organizational unit having responsibility for making
classification and control decisions regarding use of information.
Personal information means any information concerning a natural person
which, because of name, number, personal mark or other identifier can be used
to identify such natural person.
The right of individuals and organizations to control the collection,
storage, and dissemination of information about themselves.
Private information means personal information in combination with
any one or more of the following data elements, when either the personal information
or the data element is not encrypted or encrypted with an encryption key that
has also been acquired: social security number; or driver's license number
or nondriver identification card number; or account number, credit or debit
card number, in combination with any required security code, access code,
or password which would permit access to an individual's financial account.
Private information does not include publicly available information that is
lawfully made available to the general public from federal, state, or local
government records.
Specific operational steps that individuals must take to achieve
goals stated in this policy.
Information on Town programs and services, disseminated information
through publications and through the news media.
The probability of suffering harm or loss. It refers to an action,
event or a natural occurrence that could cause an undesirable outcome, resulting
in a negative impact or consequence.
The process of identifying threats to information or information
systems, determining the likelihood of occurrence of the threat, and identifying
system vulnerabilities that could be exploited by the threat.
The process of taking actions to assess risks and avoid or reduce
risk to acceptable levels.
The set of criteria for the provision of security services based
on global rules imposed for all users. These rules usually rely on a comparison
of the sensitivity of the resources being accessed and the possession of corresponding
attributes of users, a group of users, or entities acting on behalf of users.
The measurable, harmful impact resulting from disclosure, modification,
or destruction of information.
Sets of rules for implementing policy. Standards make specific mention
of technologies, methodologies, implementation procedures and other detail
factors.
The State of New York.
An interconnected set of information resources under the same direct
management control that shares common functionality. A system may include
hardware, software, information, data, applications or communications infrastructure.
Any non-Town employees such as a contractor, vendor, consultant,
intern, another municipal agency, etc.
A force, organization or person, which seeks to gain access to, or
compromise, information. A threat can be assessed in terms of the probability
of an attack. Looking at the nature of the threat, its capability and resources,
one can assess it, and then determine the likelihood of occurrence, as in
risk assessment.
Insider or outsider who gains access to network or computer resources
without permission.
Any Town entity(ies), state entity(ies), federal government entity(ies),
political subdivisions(s), their employees or third-party contractor(s) or
business associates, or any other individual(s) who are authorized by such
entities to access a system for a legitimate government purpose.
An individual having specific limited authority from the owner of
information to view, change, add to, disseminate or delete such information.