This bill would require the Department of Information Technology and Telecommunications (DOITT) to establish a Task Force to review information security protocols for City Agencies and issue an annual report with recommendations for the improvement of such protocols.
Int. No. 595
By the Public Advocate (Mr. Williams) and Council Member Holden
A Local Law to amend the administrative code of the city of New York, in relation to the creation of a task force on information security for city agencies
Be it enacted by the Council as follows:
Section 1. Chapter eight of title 23 of the administrative code of the city of New York is amended by adding a new section 23-803 to read as follows:
§ 23-803 Task Force on Information Security. a. For the purposes of this section:
Department. The term "department" means the department of information technology and telecommunications or any successor agency.
Personal Information. The term "personal information" means any information concerning an individual which, because of name, number, symbol, mark or other identifier, can be used to identify that individual; including an individual’s social security number, driver's license number or non-driver identification card number and credit or debit card number, in combination with any required security code, access code, or password which would permit access to such individual's financial accounts.
b. There shall be a task force to study information security protocols for city agencies that collect and store personal information about city residents and to make specific recommendations to the mayor and council for the improvement of such information security protocols.
c. The task force shall consist of nine voting members, five of whom shall be appointed by the mayor, and four of whom shall be appointed by the speaker of the council. The commissioner of the department or his or her delegate shall be a non-voting member. Each voting member of the task force shall serve without compensation and at the pleasure of the appointing official and any vacancy shall be filled in the same manner as the original appointment. The voting members shall choose a chairperson from among the voting members.
d. The task force shall meet with the commissioner or his or her designee prior to February first and prior to July first each year at which time the commissioner or his or her delegate may respond to any recommendations made by such task force pursuant to this subdivision. The location and time of such meeting shall be determined by the chairperson in coordination with the commissioner. The commissioner, chairperson or any three voting members of the task force may also schedule a meeting of the task force by providing notice of such meeting to all members of the committee at least ten calendar days before such meeting. Notice of all meetings shall be made to the members of the task force by electronic mail and via facsimile as available or via certified mail to the last known address of such member if neither electronic mail nor facsimile is available.
e. By December 31 of each year, the task force shall provide to the mayor and the council a report evaluating the status of the information security protocols used by city agencies including, but not limited to: (i) an evaluation of the current information security protocols used by each city agency; (ii) a description of the categories of personal information stored or collected by each agency; (iii) a description of any known breaches to city agency websites or databases where any personal information may have been stolen or compromised during the most recent calendar year; and (iv) recommendations for improving the effectiveness of information security protocols for city agencies.
f. The task force may at any time make additional recommendations regarding information security protocols independent of the requirements provided for in subdivision d of this section.
g. Reports and recommendations of the task force pursuant to subdivisions d and e of this section shall be made available on the department’s website within ten days after the release of any such report, recommendation, or response.
§2. This local law shall take effect 90 days after it becomes law.
LS # 2183/Int 1003/2015