Responding to a Suspected Breach of Private Data Procedure
New York State recently enacted the Information Security Breach and Notification Act to provide people with notice when their private information has been acquired through a security breach. The rationale is given in the Legislative Intent section of the law, reproduced below.
S 2. Legislative Intent. The legislature finds that identity theft and security breaches have affected thousands statewide and millions of people nationwide. The legislature also finds that affected persons are hindered by a lack of information regarding breaches, and that the impact of exposing information that should be held private can be far-reaching. In addition, the Legislature finds that state residents deserve a right to know when they have been exposed to identity theft. The legislature further finds that affected state residents deserve an advocate who can speak and take action on their behalf because recovering from identity theft can, and sometimes does, take many years. Therefore, the legislature enacts the information security breach and notification act which will guarantee state residents the right to know what information was exposed during a breach, so that they can take the necessary steps to both prevent and repair any damage they may incur because of a public or private sector entity’s failure to make proper notification.
The law requires any state agency or business that owns or licenses a computerized database which includes vulnerable personal information to disclose any breach of security of such system to any resident of NYS whose personal information may have been acquired by an unauthorized person. The CSCIC (NYS Office of Cyber Security and Critical Infrastructure Coordination) has added a component to the NYS Information Security Policy that also requires notification to non-residents of NYS.
The law additionally requires notification to three NYS Offices (Attorney General, CSCIC and Consumer Protection Board) in the event of a security breach that results in personal information being acquired by an unauthorized person. The form and process to be used for notifications to these NYS Offices are published on the CSCIC web site.
The college will adhere to the following process for responding to any suspected security breach that may have resulted in personal information being acquired by an unauthorized person.
- Any person suspecting a breach of private data at the college will immediately report the situation to Information Technology Services.
- Information Technology Services will immediately conduct an investigation to determine whether there has been a security breach of private data, to determine the extent of any confirmed security breach of private data and to resolve the problem(s) that allowed or caused any confirmed security breach of private data.
- Information Technology Services will work with the President, Senior Staff and college counsel to determine an appropriate and timely response to affected individuals and the above NYS Offices for any confirmed security breach of private data.