ARTIFICIAL INTELLIGENCE IS NOT USED, IN WHOLE OR IN PART, IN THE SUMMARIES OF JUDICIAL AND QUASI-JUDICIAL DECISIONS PREPARED BY NYPPL

April 24, 2014

Security of government computer records


Security of government computer records
State Technology Law and other provisions of law

A town recently reported that its accounting program was the victim of hacking and a number of “payroll checks” were processed and presented for payment. Although the town’s bank “caught” the fraudulent checks, the town expressed concern that personal information in its system may have been compromised and asked its attorney to advise it as to its possible liability to individuals who may suffer as a result of the theft of personal data.

To assist public agencies to cope with the increasing number of attempts to breach computer security efforts, the New York State Office of Cyber Security has issued its Cyber Security Policy P03-002, Information Security Policy, posted on the Internet at http://www.dhses.ny.gov/ocs/resources/documents/cyber-security-policy-p03-002-v3.4.pdf, while the State Comptroller’s Division of Local Government and School Accountability has issued a “Local Government Information Security” statement that is posted on the Internet at http://www.osc.state.ny.us/localgov/pubs/research/snapshot/cybersecurity0811.pdf

A “Cyber Security Citizen’s Notification Policy” has been adopted by municipalities to deal with a breach of its computer security protocols. For example, the Village of North Hills has such a policy it has posted on the Internet [ http://ecode360.com/6309491] as has the Town of Massena [see http://ecode360.com/11058454]. 

In addition, General Business Law §899-aa, the Security Breach and Notification Act, addresses situations resulting from persons without valid authorization having acquired private information stored on an business  entity's computer..

Also relevant is §208(8) of the State Technology Law captioned “Notification; person without valid authorization has acquired private information,” requiring counties, cities, towns, villages and other governmental entities to adopt a computer security “breach notification policy.”

In addition, §308.1 of the act provides as follows with respect to personal privacy protection:

"Any information reported to the electronic facilitator by a government entity in connection with the authorization of an electronic signature shall continue to be withheld from public disclosure if such information was withheld from public disclosure by such government entity. Electronic records shall be considered and treated as any other records for the purposes of the freedom of information law as set forth in article six of the public officers law and the personal privacy protection law as set forth in article six-A of the public officers law.

“2. A person or an entity that acts as an authenticator of electronic signatures shall not disclose to a third party any personal information reported to it by the electronic signatory other than the information necessary to authenticate the signature unless the disclosure is made pursuant to a court order or statute, or if the information or data is used solely for statistical purposes in aggregate form. For purposes of this section, "personal information" shall mean data that identifies a specific person, including but not limited to home and work addresses, telephone number, e-mail address, social security number, birthdate, gender, marital status, mother's maiden name, and health data.”
.

CAUTION

Subsequent court and administrative rulings, or changes to laws, rules and regulations may have modified or clarified or vacated or reversed the decisions summarized here. Accordingly, these summaries should be Shepardized® or otherwise checked to make certain that the most recent information is being considered by the reader.
THE MATERIAL ON THIS WEBSITE IS FOR INFORMATION ONLY. AGAIN, CHANGES IN LAWS, RULES, REGULATIONS AND NEW COURT AND ADMINISTRATIVE DECISIONS MAY AFFECT THE ACCURACY OF THE INFORMATION PROVIDED IN THIS LAWBLOG. THE MATERIAL PRESENTED IS NOT LEGAL ADVICE AND THE USE OF ANY MATERIAL POSTED ON THIS WEBSITE, OR CORRESPONDENCE CONCERNING SUCH MATERIAL, DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP.
New York Public Personnel Law Blog Editor Harvey Randall served as Principal Attorney, New York State Department of Civil Service; Director of Personnel, SUNY Central Administration; Director of Research, Governor’s Office of Employee Relations; and Staff Judge Advocate General, New York Guard. Consistent with the Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations, the material posted to this blog is presented with the understanding that neither the publisher nor NYPPL and, or, its staff and contributors are providing legal advice to the reader and in the event legal or other expert assistance is needed, the reader is urged to seek such advice from a knowledgeable professional.
New York Public Personnel Law. Email: publications@nycap.rr.com