April 24, 2014

Security of government computer records


Security of government computer records
State Technology Law and other provisions of law

A town recently reported that its accounting program was the victim of hacking and a number of “payroll checks” were processed and presented for payment. Although the town’s bank “caught” the fraudulent checks, the town expressed concern that personal information in its system may have been compromised and asked its attorney to advise it as to its possible liability to individuals who may suffer as a result of the theft of personal data.

To assist public agencies to cope with the increasing number of attempts to breach computer security efforts, the New York State Office of Cyber Security has issued its Cyber Security Policy P03-002, Information Security Policy, posted on the Internet at http://www.dhses.ny.gov/ocs/resources/documents/cyber-security-policy-p03-002-v3.4.pdf, while the State Comptroller’s Division of Local Government and School Accountability has issued a “Local Government Information Security” statement that is posted on the Internet at http://www.osc.state.ny.us/localgov/pubs/research/snapshot/cybersecurity0811.pdf

A “Cyber Security Citizen’s Notification Policy” has been adopted by municipalities to deal with a breach of its computer security protocols. For example, the Village of North Hills has such a policy it has posted on the Internet [ http://ecode360.com/6309491] as has the Town of Massena [see http://ecode360.com/11058454]. 

In addition, General Business Law §899-aa, the Security Breach and Notification Act, addresses situations resulting from persons without valid authorization having acquired private information stored on an business  entity's computer..

Also relevant is §208(8) of the State Technology Law captioned “Notification; person without valid authorization has acquired private information,” requiring counties, cities, towns, villages and other governmental entities to adopt a computer security “breach notification policy.”

In addition, §308.1 of the act provides as follows with respect to personal privacy protection:

"Any information reported to the electronic facilitator by a government entity in connection with the authorization of an electronic signature shall continue to be withheld from public disclosure if such information was withheld from public disclosure by such government entity. Electronic records shall be considered and treated as any other records for the purposes of the freedom of information law as set forth in article six of the public officers law and the personal privacy protection law as set forth in article six-A of the public officers law.

“2. A person or an entity that acts as an authenticator of electronic signatures shall not disclose to a third party any personal information reported to it by the electronic signatory other than the information necessary to authenticate the signature unless the disclosure is made pursuant to a court order or statute, or if the information or data is used solely for statistical purposes in aggregate form. For purposes of this section, "personal information" shall mean data that identifies a specific person, including but not limited to home and work addresses, telephone number, e-mail address, social security number, birthdate, gender, marital status, mother's maiden name, and health data.”
.