Search Our Catalog

Data Breach Preparation, Prevention, and Response Policy

Purpose

To promote OWWL Library System’s mission, operate in harmony with the ethics of the American Library Association and New York Library Association, and ensure compliance with applicable laws, the System shall follow the below-stated policy and procedure regarding data breach preparation, prevention, and response.

This policy and System practices shall be reviewed and updated on a regular basis to adapt to legal changes regarding data security and exposure created by potential security threats.  

Conditions

The System is a cooperative library system that operates and provides the following data-related services under the following conditions to member libraries:

ServiceRole of SystemSet by
Integrated Library System (“ILS”) – Evergreen Owner and responsible party for local data concerns.State law, regulation, third-party contracts, and the “Systems Access and Confidentiality of Library Records Policy.”
Reporting ToolOwner and responsible party for local data concerns.State law, regulation, and the “Systems Access and Confidentiality of Library Records Policy.”
E-mail Service to Member Library EmployeesService provider to Member Libraries for email services.System procedures, third-party contract, and “Systems Access and Confidentiality of Library Records Policy.”
Member Library Self-Contained Computer NetworksService provider to Member Libraries for initial setup; Member Libraries assume responsibility for established networks. This responsibility includes, but is not limited to, security and maintenance. System procedures.
Access to OWWL Library System contracted databases (OverDrive, Ancestry.com, Mango Languages, Consumer Reports, etc.)Supports the establishment of third-party connections as determined by vendor contracts. State law, regulation, third-party contracts, third-party privacy and data policies, and the “Systems Access and Confidentiality of Library Records Policy.”
Access to Member Library contracted databases (Individual Member Library contracts with vendors such as Hoopla, etc.)Supports the initial configuration if approved. Member Library assumes responsibility for vendor relationships, maintenance, security, etc.System procedures and “Systems Access and Confidentiality of Library Records Policy.” 
IT PurchasingMediated purchasing provider for desktop and laptop computers to Member Libraries. System procedures, PC Order form on OWWL Docs, System “Procurement Policy,” “Computer Support Policy,” and “Systems Access and Confidentiality of Library Records Policy.”

For the avoidance of doubt:

  • The aggregated content and operating system of the ILS is a System asset; the System owns and is responsible for the security of the contents;
  • The System provides E-mail services to Member Libraries; the Member Libraries own and are responsible for the contents of their e-mail accounts;
  • The System does not assume responsibility for third-party data breaches or improper data practices by third-party entities; and
  • Member Library self-contained computer networks are the responsibility of the Member Library. The System may provide support services in specific situations; however, this support does not transfer responsibility for maintenance or security.

Data Security Practices

As a small business that owns or licenses computerized data, which includes private information of a resident of New York, the System develops, implements, and maintains reasonable safeguards to protect the security, confidentiality, and integrity of the private information.

To accomplish this goal, the System maintains a data security program that includes the following:

  1. Designates one or more employees to coordinate the security program;
  2. Identifies reasonably foreseeable internal and external risks;
  3. Assesses the sufficiency of safeguards in place to control the identified risks;
  4. Trains and manages employees in the security program practices and procedures;
  5. Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  6. Adjusts the security program considering business changes or new circumstances; 

and implements reasonable technical safeguards such as the following, in which the person or business:

  1. Assesses risks in network and software design;
  2. Assesses risks in information processing, transmission, and storage;
  3. Detects, prevents, and responds to attacks or system failures; and
  4. Regularly tests and monitors the effectiveness of key controls, systems, and procedures;

and implements reasonable physical safeguards such as the following, in which the person or business:

  1. Assesses risks of information storage and disposal;
  2. Detects, prevents, and responds to intrusions;
  3. Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
  4. Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Data Breach Disclosure Practices

A. Data Breach Impacting the System’s Services to Member Libraries

With respect to services it provides to Member Libraries as a vendor (meaning that, as contemplated by General Business Law 39-F, the System maintains a member’s “computerized data which includes private information which the System does not own or control”), the System shall notify the Member Library who owns the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

B. Data Breach Impacting System-Owned and System-Controlled Data

The OWWL Library System shall disclose any breach of the security of a system it owns, operates, and controls following discovery or notification of the breach in the security of the system to any person whose private information was, or is reasonably believed to have been, accessed or acquired by a person or entity without valid authorization. 

The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the integrity of the system.

The notification may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation; if such delay is required, notification shall be made after such law enforcement agency determines that such notification does not compromise such investigation.  

Regardless of the method by which notice is provided, such notice shall include contact information for the System, the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information, and a description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so accessed or acquired.

In the event that any New York residents are to be notified, the System shall notify the State Attorney General, the Department of State, and the division of State Police as to the timing, content, and distribution of the notices and the approximate number of affected persons and shall provide a copy of the template of the notice sent to affected persons. In the event that more than five thousand New York residents are to be notified at one time, the System shall also notify consumer reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected persons.

Data Breach Response Practices

In the event of a “data breach,” “data compromise,” “identity theft,” “computer attack,” or “cyber extortion threat” insured under the System’s Cyber Liability Insurance, in addition to the notification response outlined in “Data Breach Disclosure Practices” above, the System will:

  1. Notify the police if a law may have been broken. 
  2. Notify its insurance carrier as soon as practicable, but in no event more than 60 days after the “personal data compromise,” “identity theft,” “computer attack,” or “cyber extortion threat.” This will include a description of any property involved. 
  3. As soon as possible, give the carrier a description of how, when, and where the “personal data compromise,” “identity theft,” “computer attack,” or “cyber extortion threat” occurred.

These practices shall be reviewed on an annual basis to ensure the System is considering the requirements of the carrier in crafting its response.

Definitions

This policy uses the following definitions: 

Personal information 

Personal information shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.

Private information 

Private information shall mean either:

  1. Personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
    1. social security number;
    2. driver’s license number or non-driver identification card number;
    3. account number, credit, or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;
    4. account number, credit, or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
    5. biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity;

OR

  1. A username or e-mail address in combination with a password or security question and answer that would permit access to an online account.

“Private information” does not include publicly available information lawfully made available to the general public from federal, state, or local government records.

Breach of the Security of the System

Breach of the System’s security shall mean unauthorized access to or acquisition, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by the System. Good faith access to, or acquisition of, private information by an employee or agent of the System for the purposes of the System is not a breach of the security of the System, provided that the private information is not used or subject to unauthorized disclosure.

In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, the System may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.

In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, the System may consider the following factors, among others:

  1. Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or
  2. Indications that the information has been downloaded or copied; or
  3. Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

Unauthorized Access Incident

An unauthorized access incident means the gaining of access to a “computer system” by:

  1. An unauthorized person or persons; or 
  2. An authorized person or persons for unauthorized purposes. 

Affected Individual 

Affected individual means any person who is the System’s current, former, or prospective customer, client, patron, member, owner, student, director, or employee and whose personally identifying information or personally sensitive information is lost, stolen, accidentally released, or accidentally published by a personal data compromise described in this policy. 

“Affected individual” does not include any business or organization. Only an individual person may be an “affected individual.” 

Computer Attack

Computer attack means one of the following involving the “computer system”:

  1. An “unauthorized access incident”; or
  2. A “malware attack.”

Computer System 

A computer system is a computer or other electronic hardware that is owned or leased by the System and operated under the System’s control. 

Cyber Extortion Threat 

Cyber extortion threat means a demand for money from the System based on a credible threat, or series of related credible threats, to:

  1. Launch a “denial of service attack” against the “computer system” for the purpose of denying “authorized third party users” access to your services provided through the “computer system” via the Internet; 
  2. Gain access to a “computer system” and use that access to steal, release, or publish “personally identifying information,” “personally sensitive information,” or “third party corporate data”; 
  3. Alter, damage, or destroy electronic data or software while such electronic data or software is stored within a “computer system”; or 
  4. Launch a “computer attack” against a “computer system” in order to alter, damage, or destroy electronic data or software while such electronic data or software is stored within a “computer system.” 

Malware Attack 

Malware attack damages a “computer system” or data contained therein arising from malicious code, including viruses, worms, Trojans, spyware, and keyloggers. “Malware attack” does not mean or include damage from shortcomings or mistakes in legitimate electronic code or damage from code installed by the System or a member. 

Personal Data Compromise 

A personal data compromise means the loss, theft, accidental release, or accidental publication of “personally identifying information” or “personally sensitive information” as respects one or more “affected individuals.”

Last Updated by the OWWL Library System Board of Trustees on August 14, 2024