City Council:
AN ORDINANCE ADOPTING A COMPUTER SYSTEM
SECURITY BREACH NOTIFICATION POLICY IN
COMPLIANCE WITH NEW YORK STATE
TECHNOLOGY LAW SECTION 208
Whereas, by correspondence dated October 3, 2025, the Commissioner of the Department of Management Services requested that the City Council authorize the formal adoption of a policy establishing procedures to be followed by all City departments, agencies, and employees in the event of a computer system security breach, pursuant to the requirements of Section 208 of the New York State Technology Law; and
Whereas, the City of Mount Vernon recognizes the importance of protecting the personal and confidential information of its residents, employees, and all persons whose data may be collected or maintained by the City; and
Whereas, Section 208 of the New York State Technology Law mandates that municipalities adopt and implement a computer system security breach notification policy to ensure timely and appropriate notification to affected individuals in the event that personal information is compromised; and
Whereas, the City of Mount Vernon seeks to establish clear procedures to define and respond to data security breaches, ensure compliance with State law, and safeguard the integrity of municipal operations; and
Whereas, adopting this policy will ensure that all City departments follow uniform standards and procedures in the event of a security breach, coordinate properly with law enforcement and state agencies, and provide prompt and transparent notification to affected residents; and
Whereas, the City Council finds it in the best interest of the City and its residents to adopt a formal Computer System Security Breach Notification Policy in order to comply with applicable law, protect the public from potential identity theft, and reinforce the City’s commitment to data security and accountability; Now, Therefore, Be It Resolved That
The City of Mount Vernon, in City Council convened, does hereby ordain and enact:
Section 1. Title. This Ordinance shall be known and may be cited as the “City of Mount Vernon Computer System Security Breach Notification Policy Ordinance.”
Section 2. Purpose. The purpose of this Ordinance is to formally adopt a policy governing the procedures to be followed by all City departments, agencies, and employees in the event of a computer system security breach, in accordance with the requirements of Section 208 of the New York State Technology Law.
Section 3. Adoption of Policy. The City Council hereby adopts the “City of Mount Vernon Computer System Security Breach Notification Policy,” as prepared by the Department of Management Services and attached hereto as Exhibit A and made part of this Ordinance as if fully set forth herein.
Section 4. Policy Requirements. The adopted policy shall include, but not be limited to, the following key provisions:
(a) Definitions of “personal information,” “private information,” and “security breach.”
(b) Procedures for identifying, reporting, and assessing potential or actual security breaches.
(c) Timelines and responsibilities for notification to affected individuals, the New York State Attorney General, the Division of State Police, and the Office of Information Technology Services, as required by law.
(d) Coordination protocols with law enforcement and other governmental agencies.
(e) Acceptable forms and methods of notification to affected persons.
(f) Recordkeeping and documentation requirements for all incidents.
(g) Training and education obligations for City staff handling personal information.
Section 5. Departmental Compliance. All departments, offices, boards, and commissions of the City of Mount Vernon shall comply with the provisions of the adopted Computer System Security Breach Notification Policy. Department heads shall be responsible for ensuring compliance within their respective areas.
Section 6. Administration and Oversight. The Department of Management Services, in coordination with the City’s Information Technology Division, shall administer the policy, provide guidance and training to City staff, and ensure that procedures remain current with applicable State law and best practices.
Section 7. Severability. If any provision of this Ordinance shall be adjudged invalid or unconstitutional by a court of competent jurisdiction, such judgment shall not affect, impair, or invalidate the remaining provisions thereof, but shall be confined in its operation to the provision directly involved in the controversy.
Section 8. Effective Date. This Ordinance shall take effect immediately upon its passage and approval by the City Council in accordance with law.