Chapter 5 - DISCLOSURE OF SECURITY BREACH

Section 10-501

  § 10-501 Definitions. For the purposes of this chapter,
  a. The term "personal identifying information" shall mean any person's
date of birth, social security number, driver's license number,
non-driver photo identification card number, financial services account
number or code, savings account number or code, checking account number
or code, brokerage account number or code, credit card account number or
code, debit card number or code, automated teller machine number or
code, personal identification number, mother's maiden name, computer
system password, electronic signature or unique biometric data that is a
fingerprint, voice print, retinal image or iris image of another person.
This term shall apply to all such data, notwithstanding the method by
which such information is maintained.
  b. The term "breach of security" shall mean the unauthorized
disclosure or use by an employee or agent of an agency, or the
unauthorized possession by someone other than an employee or agent of an
agency, of personal identifying information that compromises the
security, confidentiality or integrity of such information. Good faith
or inadvertent possession of any personal identifying information by an
employee or agent of an agency for the legitimate purposes of the
agency, and good faith or legally mandated disclosure of any personal
identifying information by an employee or agent of an agency for the
legitimate purposes of the agency shall not constitute a breach of
security.

Section 10-502

  § 10-502 Agency disclosure of a security breach.
  a. Any city agency
that owns or leases data that includes personal identifying information
and any city agency that maintains but does not own data that includes
personal identifying information, shall immediately disclose to the
police department any breach of security following discovery by a
supervisor or manager, or following notification to a supervisor or
manager, of such breach if such personal identifying information was, or
is reasonably believed to have been, acquired by an unauthorized person.
  b. Subsequent to compliance with the provisions set forth in
subdivision a of this section, any city agency that owns or leases data
that includes personal identifying information shall disclose, in
accordance with the procedures set forth in subdivision d of this
section, any breach of security following discovery by a supervisor or
manager, or following notification to a supervisor or manager, of such
breach to any person whose personal identifying information was, or is
reasonably believed to have been, acquired by an unauthorized person.
  c. Subsequent to compliance with the provisions set forth in
subdivision a of this section, any city agency that maintains but does
not own data that includes personal identifying information shall
disclose, in accordance with the procedures set forth in subdivision d
of this section, any breach of security following discovery by a
supervisor or manager, or following notification to a supervisor or
manager, of such breach to the owner, lessor or licensor of the data if
the personal identifying information was, or is reasonably believed to
have been, acquired by an unauthorized person.
  d. The disclosures required by subdivisions b and c of this section
shall be made as soon as practicable by a method reasonable under the
circumstances. Provided said method is not inconsistent with the
legitimate needs of law enforcement or any other investigative or
protective measures necessary to restore the reasonable integrity of the
data system, disclosure shall be made by at least one of the following
means:
  1. Written notice to the individual at his or her last known address;
or
  2. Verbal notification to the individual by telephonic communication;
or
  3. Electronic notification to the individual at his or her last known
e-mail address.
  e. Should disclosure pursuant to paragraph one, two or three of
subdivision d be impracticable or inappropriate given the circumstances
of the breach and the identity of the victim, such disclosure shall be
made by a mechanism of the agency's election, provided such mechanism is
reasonably targeted to the individual in a manner that does not further
compromise the integrity of the personal information.

Section 10-503

  § 10-503 Agency disposal of personal identifying information. An
agency that discards records containing any individual's personal
identifying information shall do so in a manner intended to prevent
retrieval of the information contained therein or thereon.