New York Agency Disclosure Of A Security Breach
§ 10-502 Agency disclosure of a security breach
a. Any city agency
that owns or leases data that includes personal identifying information
and any city agency that maintains but does not own data that includes
personal identifying information, shall immediately disclose to the
police department any breach of security following discovery by a
supervisor or manager, or following notification to a supervisor or
manager, of such breach if such personal identifying information was, or
is reasonably believed to have been, acquired by an unauthorized person.
b. Subsequent to compliance with the provisions set forth in
subdivision a of this section, any city agency that owns or leases data
that includes personal identifying information shall disclose, in
accordance with the procedures set forth in subdivision d of this
section, any breach of security following discovery by a supervisor or
manager, or following notification to a supervisor or manager, of such
breach to any person whose personal identifying information was, or is
reasonably believed to have been, acquired by an unauthorized person.
c. Subsequent to compliance with the provisions set forth in
subdivision a of this section, any city agency that maintains but does
not own data that includes personal identifying information shall
disclose, in accordance with the procedures set forth in subdivision d
of this section, any breach of security following discovery by a
supervisor or manager, or following notification to a supervisor or
manager, of such breach to the owner, lessor or licensor of the data if
the personal identifying information was, or is reasonably believed to
have been, acquired by an unauthorized person.
d. The disclosures required by subdivisions b and c of this section
shall be made as soon as practicable by a method reasonable under the
circumstances. Provided said method is not inconsistent with the
legitimate needs of law enforcement or any other investigative or
protective measures necessary to restore the reasonable integrity of the
data system, disclosure shall be made by at least one of the following
means:
1. Written notice to the individual at his or her last known address;
or
2. Verbal notification to the individual by telephonic communication;
or
3. Electronic notification to the individual at his or her last known
e-mail address.
e. Should disclosure pursuant to paragraph one, two or three of
subdivision d be impracticable or inappropriate given the circumstances
of the breach and the identity of the victim, such disclosure shall be
made by a mechanism of the agency's election, provided such mechanism is
reasonably targeted to the individual in a manner that does not further
compromise the integrity of the personal information.