Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2005/045.
For the purposes of this chapter,
a. The term "personal information" shall mean any information concerning an individual that because of a name, number, symbol, mark or other identifier, can be used to identify that individual.
b. The term "private information" shall mean either:
(i) personal information consisting of any information in combination with any one or more of the following data elements, when either the data element alone or the combination of such information plus the data element is not encrypted, or encrypted with an encryption key that has also been accessed or acquired:
(1) social security number;
(2) driver's license number or non-driver identification card number;
(3) account number, credit or debit card number, in combination with any required security code, access code, password or other information which would permit access to an individual's financial account;
(4) account number, or credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or
(5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, any of which is collected, retained, converted, stored or shared to identify an individual; or
(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
"Private information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
c. The term "breach of security" shall mean the unauthorized access, acquisition, disclosure or use of computerized data that compromises the security, confidentiality or integrity of private information maintained by an agency. Good faith or inadvertent access, acquisition, disclosure, or use of any private information by an employee or agent of an agency for the legitimate purposes of the agency, and good faith or legally mandated disclosure of any private information by an employee or agent of an agency for the legitimate purposes of the agency shall not constitute a breach of security, but in such instances an agency must comply with the protocols issued pursuant to subdivision i of section 10-502.
d. The term "consumer reporting agency" shall mean any person that, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
(Am. L.L. 2021/151, 12/11/2021, eff. 4/10/2022)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2005/045.
a. Any city agency that owns, leases, or licenses data that includes private information shall promptly disclose to the chief privacy officer, office of cyber command and department of information technology and telecommunications any breach of security following discovery by a supervisor or manager, or following notification to a supervisor or manager, of such breach if such private information was, or is reasonably believed to have been, accessed, acquired, disclosed, or used by an unauthorized person.
b. Subsequent to compliance with the provisions set forth in subdivision a of this section, any city agency that owns, leases, or licenses data that includes private information shall disclose, in accordance with the procedures set forth in subdivisions d, e and f of this section, any breach of security following discovery by a supervisor or manager, or following notification to a supervisor or manager, of such breach to any individual whose private information was, or is reasonably believed to have been, accessed, acquired, disclosed, or used by an unauthorized person.
c. Any city agency that maintains but does not own, lease, or license data that includes private information shall disclose any breach of security following discovery by a supervisor or manager, or following notification to a supervisor or manager, of such breach to the owner, lessor or licensor of the data if the private information was, or is reasonably believed to have been, accessed, acquired, disclosed, or used by an unauthorized person.
d. The disclosures required by subdivisions b and c of this section shall be made as soon as practicable by a method reasonable under the circumstances, provided said method is not inconsistent with the legitimate needs of law enforcement or any other investigative or protective measures necessary to restore the integrity of the data system. Disclosures required by subdivision b of this section shall be made to each affected individual by at least one of the following means:
1. Written notice; or
2. Telephonic notification, provided that a log of each such notification is maintained by the agency that notifies the affected individuals; or
3. Electronic notification, provided that the affected individual has expressly consented to receiving such notification in electronic form and a log of each such notification is maintained by the agency that notifies affected individuals in such form; provided further, however, that in no case shall any city agency, individual, or business require an individual to consent to accepting notification in such form as a condition of establishing any relationship or engaging in any transaction.
e. Should disclosure pursuant to paragraph one, two or three of subdivision d be impracticable or inappropriate given the circumstances of the breach and the identity of the victim, such disclosure shall be made by a mechanism that is reasonably targeted to the individual in a manner that does not further compromise the integrity of the private information.
f. In the event that five thousand or more New York residents are to be notified at one time pursuant to this section, the agency shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected individuals. Such notice shall be made without delaying notice to affected New York residents.
g. Notice to affected individuals under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the agency reasonably determines, in accordance with the protocols established pursuant to subdivision i of this section, that such exposure will not likely result in misuse of such information, or financial, personal, or reputational harm to the affected individuals. Such a determination must be documented in writing and maintained for at least five years.
h. If notice of a breach of security is made to affected individuals pursuant to any law or rule of the state of New York, or pursuant to a law described in paragraph b of subdivision 2 of section 208 of the state technology law, nothing in this section shall require any additional notice to those affected individuals, but notice still shall be provided pursuant to subdivision a of this section.
i. The office of cyber command, in consultation with the chief privacy officer and the department of information technology and telecommunications, shall issue protocols for agency coordination and recordkeeping for any breach of security and any incident that is not a breach of security but involves the good faith or inadvertent access, acquisition, disclosure, or use of any private information by an employee or agent of an agency for the legitimate purposes of the agency. Such protocols may apply to all agencies or a subset thereof.
j. Notifications made pursuant to this section may overlap with notifications required pursuant to chapter 12 of title 23, including the regulations, policies and protocols issued by the chief privacy officer pursuant to such chapter. Nothing in this section or such chapter shall require duplicate notifications, as long as any notice provided meets any applicable requirements of both this law and such chapter.
(Am. L.L. 2021/151, 12/11/2021, eff. 4/10/2022)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2005/045.
An agency that discards records containing any individual's private information shall do so in a manner intended to prevent retrieval of the information contained therein or thereon.
(Am. L.L. 2021/151, 12/11/2021, eff. 4/10/2022)