Policy 5672

NON-INSTRUCTIONAL OPERATIONS
5672 INFORMATION SECURITY BREACH AND NOTIFICATION


The District values the protection of private information of individuals in accordance with applicable law and regulations. The District is required to notify affected individuals when there has been or is reasonably believed to have been a compromise of the individual's private information in compliance with the Information Security Breach and Notification Act and Board policy.

a) "Personal information" means any information concerning a person which, because of name, number, symbol, mark, or other identifier, can be used to identify that person.
b) "Private information" means either:  

1. Personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted or encrypted with an encryption key that has also been accessed or acquired:

(a) Social security number;
(b) Driver's license number or non-driver identification card number; 
(c) Account number, credit or debit card number, in combination with any required security code, access code, password, or other information which would permit access to an individual's financial account;
(d) Account number, or credit or debit card number, if circumstances exist where the number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or
(e) Biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation which are used to authenticate or ascertain the individual's identity;

2. A username or email address in combination with a password or security question and answer that would permit access to an online account.

Private information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

c) "Breach of the security of the system" means unauthorized acquisition or acquisition without valid authorization of computerized data which compromises the security, confidentiality, or integrity of personal information maintained by the District. Good faith acquisition of personal information by an employee or agent of the District for the purposes of the District is not a breach of the security of the system, provided that private information is not used or subject to unauthorized disclosure.

Determining if a Breach Has Occurred


In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or person without valid authorization, the District may consider the following factors, among others:

a) Indications that the information is in the physical possession or control of an unauthorized person, such as a lost or stolen computer or other device containing information; 
b) Indications that the information has been downloaded or copied; 
c) Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or
d) System failures.

Notification Requirements


a) For any computerized data owned or licensed by the District that includes private information, the District will disclose any breach of the security of the system following discovery or notification of the breach to any New York State resident whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure to affected individuals will be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the integrity of the data system. The District will consult with the New York State Office of Information Technology Services to determine the scope of the breach and restoration measures. Within 90 days of the notice of the breach, the New York State Office of Information Technology Services will deliver a report to the District on the scope of the breach and recommendations to restore and improve the security of the system.
b) Notice to affected persons under State Technology Law is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the District reasonably determines the exposure will not likely result in the misuse of the information, or financial or emotional harm to the affected persons. This determination must be documented in writing and maintained for at least five years. If the incident affected over 500 New York State residents, the District will provide the written determination to the New York State Attorney General within ten days after the determination.
c) If notice of the breach of the security of the system is made to affected persons pursuant to the breach notification requirements under certain laws and regulations, the District is not required to provide additional notice to those affected persons under State Technology Law. However, the District will still provide notice to the New York State Attorney General, the New York State Department of State, the New York State Office of Information Technology Services, and to consumer reporting agencies.
d) For any computerized data maintained by the District that includes private information which the District does not own, the District will notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

The notification requirement may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. The required notification will be made after the law enforcement agency determines that the notification does not compromise the investigation.

If the District is required to provide notification of a breach, including breach of information that is not private information, to the United States Secretary of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 or the Health Information Technology for Economic and Clinical Health Act, it will provide notification to the New York State Attorney General within five business days of notifying the United States Secretary of Health and Human Services.

Methods of Notification

The required notice will be directly provided to the affected persons by one of the following methods:

a) Written notice;
b) Electronic notice, provided that the person to whom notice is required has expressly consented to receiving the notice in electronic form; and a log of each notification is kept by the District when notifying affected persons in electronic form. However, in no case will the District require a person to consent to accepting the notice in electronic form as a condition of establishing any business relationship or engaging in any transaction;
c) Telephone notification, provided that a log of each notification is kept by the District when notifying affected persons by phone; or
d) Substitute notice, if the District demonstrates to the New York State Attorney General that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or that the District does not have sufficient contact information. Substitute notice will consist of all of the following:

1. Email notice when the District has an email address for the subject persons; 
2. Conspicuous posting of the notice on the District's website page, if the District maintains one; and
3. Notification to major statewide media.

Regardless of the method by which notice is provided, the notice will include:

a) Contact information for the notifying District; 
b) The telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information; and
c) A description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, accessed or acquired.

In the event that any New York State residents are to be notified, the District will notify the New York State Attorney General, New York State Department of State, and New York State Office of Information Technology Services as to the timing, content, and distribution of the notices and approximate number of affected persons and provide a copy of the template of the notice sent to affected persons. This notice will be made without delaying notice to affected New York State residents.

In the event that more than 5,000 New York State residents are to be notified at one time, the District will also notify consumer reporting agencies as to the timing, content, and distribution of the notices and approximate number of affected persons. This notice will be made without delaying notice to affected New York State residents.

A list of consumer reporting agencies will be compiled by the New York State Attorney General and furnished upon request to any district required to make a notification in accordance with State Technology Law.

Policy References:
State Technology Law §§ 202 and 208


Adopted: 6/22/99
Revised: 9/6/22, 2/28/23
