The citymeetings.nyc logo showing a pigeon at a podium with a microphone.

citymeetings.nyc

Your guide to NYC's public proceedings.

QUESTION

What are the responsibilities in case of a cybersecurity incident resulting in a data breach involving the city or a vendor?

1:39:19

·

105 sec

The city and vendors share responsibility for data breaches involving the city's data, depending on the circumstances.

  • If an agency is directly impacted by an incident not involving a third party, the city's victim notification process would apply for regulated data elements.
  • For incidents involving third-party vendors that impact the city's data, the city has risk management strategies to ensure proper victim notification by the vendor.
  • In cases where a third-party private company has a breach involving the city's data, the company typically provides 1-2 years of identity monitoring services.
Jennifer Gutiérrez
1:39:19
In the event of a cybersecurity incident resulting in a data breach.
1:39:23
Who is responsible?
1:39:24
The city or the vendor?
Kelly Moan
1:39:27
So it depends.
1:39:30
I think that's a great question to unpack for a minute.
1:39:32
So we've seen and, again, the or writ large, this is all public information has seen a number of different types of attacks.
1:39:43
1 could be an incident that has been impacted in agency directly, not through a third party compromise, like a cloud service provider.
1:39:54
Right?
1:39:54
And so relevant victim of notification through our city wide contract would if the data impacted was regulated data.
1:40:02
Right?
1:40:03
Those particular data elements, then victim notification would be in effect and and take effect.
1:40:09
In the case of a third party are part of our 3rd party risk management strategy is not just, as I mentioned, the technical controls or the administrative controls, but also making sure we have a mechanism to understand and and have a relevant victim notification.
1:40:29
In place, should a third party be victim to a cybersecurity incident that then impacts New York City's data.
1:40:37
So what you'll see more broadly in the industry is that if, you know, a third party private sector company has their the data of New York City equities have been impacted.
1:40:51
Relevant victim notification will be sent out from that 3rd party directly.
1:40:55
And typically, depending on the provider, again, just industry trends typically is a 1 to 2 years of identity services monitoring, for example.

← Previous Chapter

Does New York City have an insurance policy against cyberattacks?

Next Chapter →

What is the nature of the agency's cooperation with NYPD and other entities regarding cybersecurity assessments and data protection?
Citymeetings.nyc pigeon logo

Is citymeetings.nyc useful to you?

I'm thrilled!

Please help me out by answering just one question.

What do you do?

Thank you!

Want to stay up to date? Sign up for the newsletter.