Village adopts cyber security policy.
Warwick - We’ve all read the stories or heard them on news programs: people having their personal information stolen, either in cyberspace or through records that have not been stored or disposed of properly. Yes, there are shredders and software to protect us, but the thieves work hard to break through those firewalls, taking with them our precious identities.

The New York Conference of Mayors (NYCOM) Bulletin of Jan. 31 lists some of the bigger incidents: Marriott Vacation Club lost computer tapes containing credit card account information, Social Security numbers and addresses of nearly 206,000 time share owners, customers and employees; LaSalle Bank Corporation in Chicago lost a computer tape containing the names, addresses, and Social Security numbers of two million mortgage customers.

Effective December 2005, the state enacted the Information Security Breach and Notification Act, protecting residents from unauthorized access to their personal information that is stored electronically. The state requires every local municipality to adopt its own policy by April 6.

Jacque Mongelli, the village of Warwick’s clerk, discovered this information while reading the NYCOM Bulletin, which is mailed to the Village Hall. “Jacque is our sleuth,” said Mayor Michael Newhard.

The Village Board adopted the state’s policy, a 45-page guide describing the notification criteria passed by the Legislature. It documents in detail procedures to prevent information from being compromised and what to do if that does happen.

“The most critical information we have on hand is personal information,” said Mongelli. That includes information on the village’s employees. Although the village accepts credit cards for tax payments, it is done through a third party, so credit card information is not part of the village’s computer system.

The new law provides information on ensuring that critical data and recovery plans are backed up and kept at a secure, off-site facility.
It states that user IDs and passwords must be authentic. It also states that each person in the municipality must protect against unofficial activities by not leaving computers on and available. Computer users in municipalities should be trained to know the procedures if they suspect their system has been compromised.

According to the law, once an incident has been identified, the following procedures must be followed:

Report the action to the Cyber Security and Critical Infrastructure Coordinator.
Identify the underlying cause of the incident.
Identify procedures the village will employ to resolve the problem.
Identify procedures the village will employ to prevent the same or similar incident from occurring.
Track the response procedure from initial report through follow-up for review and audit purposes.
Provide adequate follow-up to ensure that individuals involved or affected by the incident understand what took place and how the incident was resolved.

There also are provisions to determine if information is allowed to be released to an outside agency. These include evaluating and documenting the sensitivity of the information in question and identifying up front the responsibilities of each party for protecting the information. Information sharing is limited. There are regulations for using e-mail and the Internet.

If any information is compromised, the village must notify the employee or resident. The village also must notify the Cyber Security and Critical Infrastructure Coordinator, the Attorney General’s office, as well as the state’s Consumer Protection Board. If more than 5,000 residents are involved, consumer reporting agencies will also be notified.