Procedures and Methods for Notification
Once it has been determined that a security breach has occurred, the following steps shall be taken:
1. If the breach involved hard copy or computerized data owned or licensed by the BOCES, the BOCES shall notify those New York State residents whose private information was or is reasonably believed to have been accessed or acquired by a person without valid authorization. The disclosure to affected individuals shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system. The BOCES shall consult with the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) to determine the scope of the breach and the restoration measures.
2. If the breach involved hard copy or computerized data maintained by the BOCES on behalf of another owner or licensee, the BOCES shall notify the owner or licensee of the information immediately following discovery of the breach, if the private information was or is reasonably believed to have been accessed or acquired by a person without valid authorization.
The required notice shall include (a) BOCES contact information, (b) a description of the categories of information that were or are reasonably believed to have been accessed or acquired without authorization, (c) which specific elements of personal or private information were or are reasonably believed to have been acquired, and (d) the telephone numbers and websites of relevant state and federal agencies that provide information on security breach response and identity theft protection and prevention. This notice shall be provided directly to the affected individuals by one of the following means:
1. Written notice.
2. Electronic notice, provided that the person to whom notice is required has expressly consented to receiving the notice in electronic form, and that the BOCES keeps a log of each such electronic notification. In no case, however, shall the BOCES require a person to consent to accept such notice in electronic form as a condition of establishing a business relationship or engaging in any transaction.
3. Telephone notification, provided that the BOCES keeps a log of each such telephone notification.
However, if the BOCES can demonstrate to the State Attorney General that (a) the cost of providing notice would exceed $250,000, (b) the number of persons to be notified exceeds 500,000, or (c) the BOCES does not have sufficient contact information, substitute notice may be provided. Substitute notice consists of all of the following steps:
1. E-mail notice when the BOCES has such an address for the affected individual;
2. Conspicuous posting on the BOCES website; and
3. Notification to major media.
However, the BOCES is not required to notify individuals if the breach was an inadvertent disclosure by individuals authorized to access the information, and the BOCES reasonably determines that the breach will not result in misuse of the information or in financial or emotional harm to the affected persons. The BOCES will document this determination in writing, maintain it for at least five years, and send it to the State Attorney General within ten days of making the determination.
Additionally, if the BOCES has already notified affected persons under any other federal or state laws or regulations regarding data breaches, including the federal Health Insurance Portability and Accountability Act (HIPAA), the federal Health Information Technology for Economic and Clinical Health (HITECH) Act, or New York State Education Law §2-d, it is not required to notify them again. Notification to state and other agencies, as described below, is still required.
Notification of State Agencies and Other Entities
Once notice has been made to affected New York State residents, the BOCES shall notify the State Attorney General, the State Department of State, and the State Office of Information Technology Services as to the timing, content, and distribution of the notices and the approximate number of affected persons.
If more than 5,000 New York State residents are to be notified at one time, the BOCES shall also notify consumer reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. A list of consumer reporting agencies will be furnished, upon request, by the Office of the State Attorney General.
If the BOCES is required to notify the U.S. Secretary of Health and Human Services of a breach of unsecured protected health information under the federal Health Insurance Portability and Accountability Act (HIPAA) or the federal Health Information Technology for Economic and Clinical Health (HITECH) Act, it will also notify the State Attorney General within five business days of notifying the Secretary.