citymeetings.nyc

Your guide to NYC's public proceedings.

QUESTION

What are the responsibilities in case of a cybersecurity incident resulting in a data breach involving the city or a vendor?

1:39:19

·

105 sec

Video Player is loading.

Current TimeÂ 0:00

DurationÂ 0:00

Loaded: 0%

Stream TypeÂ LIVE

Remaining TimeÂ 0:00

Â

The city and vendors share responsibility for data breaches involving the city's data, depending on the circumstances.

If an agency is directly impacted by an incident not involving a third party, the city's victim notification process would apply for regulated data elements.
For incidents involving third-party vendors that impact the city's data, the city has risk management strategies to ensure proper victim notification by the vendor.
In cases where a third-party private company has a breach involving the city's data, the company typically provides 1-2 years of identity monitoring services.

Jennifer Gutiérrez

1:39:19

In the event of a cybersecurity incident resulting in a data breach.

1:39:23

Who is responsible?

1:39:24

The city or the vendor?

Kelly Moan

1:39:27

So it depends.

1:39:30

I think that's a great question to unpack for a minute.

1:39:32

So we've seen and, again, the or writ large, this is all public information has seen a number of different types of attacks.

1:39:43

1 could be an incident that has been impacted in agency directly, not through a third party compromise, like a cloud service provider.

1:39:54

Right?

1:39:54

And so relevant victim of notification through our city wide contract would if the data impacted was regulated data.

1:40:02

Right?

1:40:03

Those particular data elements, then victim notification would be in effect and and take effect.

1:40:09

In the case of a third party are part of our 3rd party risk management strategy is not just, as I mentioned, the technical controls or the administrative controls, but also making sure we have a mechanism to understand and and have a relevant victim notification.

1:40:29

In place, should a third party be victim to a cybersecurity incident that then impacts New York City's data.

1:40:37

So what you'll see more broadly in the industry is that if, you know, a third party private sector company has their the data of New York City equities have been impacted.

1:40:51

Relevant victim notification will be sent out from that 3rd party directly.

1:40:55

And typically, depending on the provider, again, just industry trends typically is a 1 to 2 years of identity services monitoring, for example.

← Previous Chapter

Does New York City have an insurance policy against cyberattacks?

Next Chapter →

What is the nature of the agency's cooperation with NYPD and other entities regarding cybersecurity assessments and data protection?