5672 - Information Security Breach and Notification
|Policy: Information Security Breach and Notification||Policy Number: 5672|
|Date of Original Policy: 03/22/2006||Date Revision Adopted: 07/11/2018|
|Reviewed by Policy Committee: 06/20/2018||Date of Next Review: 08/19/2021|
|Replacement of Policy Number:|
The School District values the protection of private information of individuals in accordance with applicable law and regulations. Further, the District is required to notify affected individuals when there has been or is reasonably believed to have been a compromise of the individuals private information in compliance with the Information Security Breach and Notification Act and Board policy.
a) “Private information” shall mean **personal information in combination with any one or more of the following data elements when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
“Private information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
**”Personal information” shall mean any information concerning a person which, because of name, number, symbol, mark or other identifier, can be used to identify that person.
b) “Breach of security of the system,” shall mean unauthorized acquisition or acquisition without valid authorization of computerized data which compromises the security confidentiality, or integrity of person information maintained by the District. Good faith acquisition of person information by an employee or agent of the District for the purposes of the District is not a breach of the security of the system, provided that private information is not used or subject to unauthorized disclosure.
Examples of Determining Factors
In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or person without valid authorization, the District may consider the following factors, among others:
a) Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information
b) Indication that the information has been downloaded or copied
c) Indication that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
a) For any computerized data owned or licensed by the School District that includes private information, the District shall disclose any breach of the security of the system following discover or notification of the breach to any New York State resident whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. This disclosure to affected individuals shall be made in the most- expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The District shall consult with the State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) to determine the scope of the breach and restoration measures.
b) For any computerized data maintained by the District that includes private information which the District does not owned, the District shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
The notification requirement may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The required notification shall be made after the law enforcement agency determines that such notification does not compromise the investigation.
Methods of Notification
The required notice shall be directly provided to the affected persons by one of the following methods:
a) Written notice
b) Electronic notice, provided that the person to whom notice is required has expressly consented to receiving the notice in electronic form; and a log of each such notification is kept by the District when notifying affected persons in electron form. However, in no case shall the District require a person to consent to accepting such notice in electronic form as a condition of establishing any business relationship or engaging in any transaction.
c) Telephone notification, provided that a log of each such notification is kept by the District when notifying affected persons by Phone
d) Substitute notice, if the District demonstrates to the State Attorney General that the cost of providing notice would exceed $250,000.00, or that the affected class of subject persons to be notified exceeds 500,000, or that the District does not have sufficient contact information. Substitute notice shall consist of all the following
1. E-mail notice when the District has an e-mail address for the subject person
2. Conspicuous posting of the notice on the District’s website page, if the District maintains one
3. Notification to major statewide media
Regardless of the method by which notice is provided, the notice shall include contact information for the notifying District and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.
In the event that any New York State residents are to be notified, the District shall notify the State Attorney General, the Consumer Protection Board, and the State Office of Cyber Security and Critical Infrastructure Coordination as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York State residents.
In the event that more than 5,000 New York State residents are to be notified at one time, the District shall also notify consumer reporting agencies, as defined pursuant to State Technology law Section 208, as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York State residents. A list of consumer reporting agencies shall be compiled by the State Attorney General and furnished upon request to school districts required to make a notification in accordance with section 208(2) of the State Technology Law, regarding notification of breach of security of the system for any computerized data owned or licensed by the District that includes private information.
State Technology Law sections 202 and 208
Name of School District:
Date of Discover of Breach:
Estimated Number of Affected Individuals:
Manner of Notification [ ] Written notice
[ ] electronic notice (e-mail)
[ ] telephone notice
Are you requesting substitute notice? [ ] Yes [ ] No (If yes, attach justification)
Content of Notification to Affected Individuals: Describe what happened in general terms and what kind of information was involved. Please attach copy of Notice.
Name of School District: __________________________________________________________
Contact Person/Title: __________________________________________________________
Telephone Number: __________________________________________________________
Submitted by: __________________________________________________________
Please submit this form to all three (3) State Agencies as follows:
Fax this form to the Consumer Protection Board (CPB):
Security Breach Notification
Fax & Mail this form to:
NYS Office of Cyber Security and Critical Infrastructure Coordination (CSCIC):
30 South Pearl St.
Albany NY 12207
Asst. Attorney General in Charge
Bureau of Consumer Frauds
120 Broadway-3rd Floor
New York, NY 10271