Section 10-501
§ 10-501 Definitions. For the purposes of this chapter,
a. The term "personal identifying information" shall mean any person's
date of birth, social security number, driver's license number,
non-driver photo identification card number, financial services account
number or code, savings account number or code, checking account number
or code, brokerage account number or code, credit card account number or
code, debit card number or code, automated teller machine number or
code, personal identification number, mother's maiden name, computer
system password, electronic signature or unique biometric data that is a
fingerprint, voice print, retinal image or iris image of another person.
This term shall apply to all such data, notwithstanding the method by
which such information is maintained.
b. The term "breach of security" shall mean the unauthorized
disclosure or use by an employee or agent of an agency, or the
unauthorized possession by someone other than an employee or agent of an
agency, of personal identifying information that compromises the
security, confidentiality or integrity of such information. Good faith
or inadvertent possession of any personal identifying information by an
employee or agent of an agency for the legitimate purposes of the
agency, and good faith or legally mandated disclosure of any personal
identifying information by an employee or agent of an agency for the
legitimate purposes of the agency shall not constitute a breach of
security.
Section 10-502
§ 10-502 Agency disclosure of a security breach. a. Any city agency
that owns or leases data that includes personal identifying information
and any city agency that maintains but does not own data that includes
personal identifying information, shall immediately disclose to the
police department any breach of security following discovery by a
supervisor or manager, or following notification to a supervisor or
manager, of such breach if such personal identifying information was, or
is reasonably believed to have been, acquired by an unauthorized person.
b. Subsequent to compliance with the provisions set forth in
subdivision a of this section, any city agency that owns or leases data
that includes personal identifying information shall disclose, in
accordance with the procedures set forth in subdivision d of this
section, any breach of security following discovery by a supervisor or
manager, or following notification to a supervisor or manager, of such
breach to any person whose personal identifying information was, or is
reasonably believed to have been, acquired by an unauthorized person.
c. Subsequent to compliance with the provisions set forth in
subdivision a of this section, any city agency that maintains but does
not own data that includes personal identifying information shall
disclose, in accordance with the procedures set forth in subdivision d
of this section, any breach of security following discovery by a
supervisor or manager, or following notification to a supervisor or
manager, of such breach to the owner, lessor or licensor of the data if
the personal identifying information was, or is reasonably believed to
have been, acquired by an unauthorized person.
d. The disclosures required by subdivisions b and c of this section
shall be made as soon as practicable by a method reasonable under the
circumstances. Provided said method is not inconsistent with the
legitimate needs of law enforcement or any other investigative or
protective measures necessary to restore the reasonable integrity of the
data system, disclosure shall be made by at least one of the following
means:
1. Written notice to the individual at his or her last known address;
or
2. Verbal notification to the individual by telephonic communication;
or
3. Electronic notification to the individual at his or her last known
e-mail address.
e. Should disclosure pursuant to paragraph one, two or three of
subdivision d be impracticable or inappropriate given the circumstances
of the breach and the identity of the victim, such disclosure shall be
made by a mechanism of the agency's election, provided such mechanism is
reasonably targeted to the individual in a manner that does not further
compromise the integrity of the personal information.
Section 10-503
§ 10-503 Agency disposal of personal identifying information. An
agency that discards records containing any individual's personal
identifying information shall do so in a manner intended to prevent
retrieval of the information contained therein or thereon.