|
NYS Information Security Breach and Notification Act
Cornell University is covered by the New York State "Information Security Breach and Notification Act" (passed August 10, 2005 and effective December 8, 2005) as a business that owns computerized data containing "private information."
"Private information" means any personally identifying data (i.e., name, number, personal mark, or other identifier) in conjunction with one of the following data elements: social security number, driver's license (or non-driver ID) number, or an account number or credit card number in combination with the access code to that account or card.
Cornell must notify any New York resident whose "private information" was, or is reasonably believed to have been, acquired by a person without valid "authorization."
In general, the notice to the resident must be made in writing or by telephone (with notice log maintained) and as expediently as possible, without reasonable delay, consistent with law enforcement needs for investigation.
The notice must include contact information for the company making the notification and a description of the categories of information acquired, including specification of which of the elements of personal and private information were acquired.
Cornell is subject to large monetary fines if it does not notify individuals as required.
Here are specific points of guidance:
- Do not store personal identifiable information as described above
- Student grades are protected under federal law and should not be widely accessible
- Remove all local storage and processing of "private information" as soon as practicable
- Keep only the information that you currently require on your computer
- All other information should be moved to longer-term storage and removed from your computer
- Think very carefully about how you handle, store, and transmit data
- Everyone is responsible for appropriately protecting the data they have
- Social security numbers should never be used
|
