Notification of Specific Events
The District will adhere to the legal requirements for notifying the New York State Attorney General (AG), the New York State Department Consumer Protection Board (CPB), and the New York State Office of Cyber Security (OCS) in the event of a data breach. All affected individuals will be notified of the breach if their compromised data falls within the classifications defined by the law.Notification to affected individuals may be delayed at the discretion of law enforcement if it is determined that such notification might impede a criminal investigation.
The affected individuals must receive the necessary notification through one of the methods listed below:
1. Written notice.
2. Electronic notice, provided that the affected person has expressly consented to receiving electronic notifications, and a log of each electronic notification is maintained by the District. However, the District shall not condition establishing any business relationship or engaging in any transaction on the consent to receive electronic notices.
3. Telephone notification, with a log maintained by the District for each telephonic notification.
4. Substitute notice, if the District demonstrates to the State Attorney General that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds $500,000, or that the District lacks sufficient contact information. Substitute notice will encompass:
a. Email notice when the District possesses an email address for the affected persons.
b. Conspicuous posting of the notice on the District's website page if the District maintains one.
c. Notification to major statewide media.
Irrespective of the notification method employed, the notification must include the following:
1. Contact information for the District official responsible for the notification.
2. A description of the categories of information that were, or are reasonably believed to have been, acquired without authorization.
3. Details regarding which elements of personal and private information were, or are reasonably believed to have been, so acquired.
The New York State Office of Cyber Security will be informed of the timing, content, and distribution of the notices, as well as the approximate number of affected persons. The Attorney General and the Division of Consumer Protection will also receive information about these notices to affected persons. For further details, refer to Form #5672 -- New York State Security Breach Reporting Form for contact information, addresses, and notification guidelines.
