RIT and the NYS Information Security Breach and Notification Act
The New York State Information Security Breach and Notification Act provides New York State residents with the right to know when a security breach has resulted in the exposure of their private information. You can read more about the act at http://www.oag.state.ny.us/consumer/tips/id_theft_law.html.
What is a Security Breach?
A security breach is defined as an unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of private information. The loss of portable media such as CDs, DVDs, or USB memory constitutes a security breach if there is reason to believe private information may have been acquired by an outside or unauthorized party.
What is Private Information?
As defined by New York State, "private information" is any personal information concerning a natural person combined with one or more of the following data elements: Social Security number, driver’s license number, account number, or credit or debit card number in combination with any required security code.
Information still counts as private information when either the personal information or the data element is unencrypted, or when it is encrypted with an encryption key that is stored in the same record (an encrypted value whose key sits beside it is, for the purposes of the act, not protected).
How does the act impact RIT?
The Information Security Breach and Notification Act requires that RIT notify:
- Affected consumers following discovery of the breach in the security of computerized private information.
- Consumer reporting agencies if more than 5,000 New York residents are to be notified.
- The Attorney General's office, the Consumer Protection Board, and the NYS Office of Cyber Security & Critical Infrastructure Coordination of the timing, content, and distribution of the notices and the approximate number of affected persons.
How can RIT comply with the act?
All RIT departments must treat all information defined as private by the NYS Information Security Breach and Notification Act as RIT Confidential information.
There are a few specific events that are potential security breaches and require notification of affected parties:
- Whenever private information may have been disclosed.
- Loss or misplacement of a laptop, PDA, smartphone, or portable media (such as CDs, DVDs, or USB memory) containing unencrypted private information. (If you are reasonably sure that the information was encrypted or destroyed, the loss may not require notification. This determination will be made by the RIT Information Security Office.)
- Compromise or sharing of a password that allows access to private information, combined with failure to change that password in a timely manner.
- Discovery of certain types of malware, such as viruses, worms, spyware, keyloggers, or backdoor/remote administration software, on a computer that contains or has access to private information. If you detect malware through a system scan, contact your support organization for instructions.
- E-mail containing private information sent to the wrong addressee.
If you suspect a security breach involving RIT Confidential information or private information, contact your support organization AND the RIT Information Security Officer, Jim Moore, at 585-255-0809.