This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
Compliance. One of those necessary operational activities that you know is working when nothing bad happens. When compliance doesn’t work, you open the door to significant risk. Maybe
you violated open records laws like the city of Chicago and have to pay out $670,000 in lawsuits. Maybe an employee opened a spam email and
hackers gained access to that employee’s email account, exposing sensitive and confidential information that the city was supposed to protect. Or maybe
you lose eight years of criminal evidence from a ransomware attack, possibly affecting the sentences of defendants as lawyers present evidence for and against their cases.
Even if your lack of compliance seems less startling than the repercussions of these stories, it’s still an issue that opens you up to serious liability claims and lawsuits. Before we started working with one of our current city customers, they discovered that they were not meeting federal or state compliance regulations in several areas. For example, the city’s email was not secure and compliant with open records laws.
We’ve talked a lot in the past about
the legal consequences of poor technology infrastructure and support. In this post, we want to highlight how specific areas of compliance can be impacted by your technology.
1. Tax information
Information related to property taxes, municipal income taxes, and other kinds of taxes that cities collect from citizens needs to be protected under law. Much of this information is considered confidential or sensitive (such as social security numbers). Also, the IRS requires that cities keep Federal Tax Information (FTI) secure according to Publication 1075. Secure data transfer, recordkeeping, secure storage, authorized access, and computer system security are all covered under federal law. According to the IRS, “The [Internal Revenue Code] defines and protects the confidential relationship between the taxpayer and the IRS and makes it a crime to violate this confidence.”
2. Public safety information
Too many public safety departments still have a shaky IT foundation with aging technology, obsolete software, and poorly maintained systems. This leaves open many security holes and risks the loss of critical information. At a federal level, there are strict Criminal Justice Information (CJI) laws covering information access, storage, and data integrity. Then, each state has laws pertaining to the security of information exchanged with local public safety departments.
For example, “The Rules of the [Georgia Crime Information Center] Council mandate performance audits of criminal justice agencies that access the Georgia CJIS network to assess and enforce compliance with the Rules of the GCIC Council, O.C.G.A. § 35-3-30 through 35-3-40, other relevant Georgia code sections and pertinent federal statutes and regulations.” That’s why our engineers are GCIC-certified to make sure that IT systems comply with the Georgia Bureau of Investigation as well as Criminal Justice Information Services (CJIS).
3. Payment information
Any city that offers payment services for tickets, fines, utilities, licenses, or other services needs to secure and protect payment information. That includes credit card, debit card, banking, and any other data that hackers can steal to commit financial fraud. Complying with PCI DSS standards is a must for cities when they provide payment services. In addition, any technology infrastructure that stores and processes payment needs to be modernized, monitored, and maintained by IT professionals.
4. Personnel information
You obviously know that personnel matters involve some of the most sensitive and confidential information. That’s because personnel information can include personal history, background checks, tests (such as drug tests), healthcare, and work performance. That information must be protected by law, and there are many federal, state, and local laws that you must follow.
5. Open records requests
By law, your city must respond to open records requests. Yet, many cities sometimes delay responding to those requests by claiming they can’t find the information. Sure, some cities may have poor email, document management, or paper filing systems that make tracking down information troublesome. But open records laws become more unforgiving with each passing year. Searchable email, records/document management systems, and databases need to give cities access to information quickly. Data backup and disaster recovery expectations mean that you can’t just “lose” information. And you must adhere to specific retention, archiving, and disposal schedules. Not modernizing your technology or backing up your data properly opens you up to fines, lawsuits, and unflattering front-page news stories.