This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
Compliance. One of those necessary operational activities that you know is working when nothing bad happens.
When compliance doesn’t work, however, you open the door to significant risk.
- Maybe you violated open records laws and risk a lawsuit after an inability to respond quickly.
- Maybe an employee opened a spam email and hackers gained access to that employee’s email account, exposing sensitive and confidential information that the city was supposed to protect.
- Maybe you lose criminal evidence after a ransomware attack, possibly affecting the sentences of defendants as lawyers present evidence for and against their cases.
A lack of compliance opens you up to serious liability claims and lawsuits. Before we started working with one of our current city customers, they discovered that they were not meeting federal or state compliance regulations in several areas. For example, the city’s email was not secure and compliant with open records laws.
In this post, we want to highlight how specific areas of compliance can be impacted by your technology.
1. Tax information
Information related to property taxes, municipal income taxes, and other kinds of taxes that cities collect from citizens needs to be protected under law. Much of this information is considered confidential or sensitive (such as social security numbers). Also, the IRS requires that cities keep Federal Tax Information (FTI) secure according to Publication 1075. Secure data transfer, recordkeeping, secure storage, authorized access, and computer system security are all covered under federal law. According to the IRS, “The [Internal Revenue Code] defines and protects the confidential relationship between the taxpayer and the IRS and makes it a crime to violate this confidence.”
2. Public safety information
Too many public safety departments still have a shaky IT foundation with aging technology, obsolete software, and poorly maintained systems. This leaves open many security holes and risks the loss of critical information. At a federal level, there are strict Criminal Justice Information (CJI) laws covering information access, storage, and data integrity. Then, each state has laws pertaining to the security of information exchanged with local public safety departments.
3. Payment information
Any city that offers payment services for tickets, fines, utilities, licenses, or other services needs to secure and protect payment information. That includes credit card, debit card, banking, and any other data that hackers can steal to commit financial fraud. Complying with PCI DSS standards is a must for cities when they provide payment services. In addition, any technology infrastructure that stores and processes payments needs to be modernized, monitored, and maintained by IT professionals.
4. Personnel information
You obviously know that personnel matters involve some of the most sensitive and confidential information. That’s because personnel information can include personal history, background checks, tests (such as drug tests), healthcare, and work performance. That information must be protected by law, and there are many federal, state, and local laws that you must follow.
5. Open records and FOIA requests
By law, your city must respond to open records and FOIA requests. Yet, many cities sometimes delay responding to those requests by claiming they can’t find the information. Sure, some cities may have poor email, document management, or paper filing systems that make tracking down information troublesome. But open records laws become more unforgiving with each passing year.
Searchable email, records/document management systems, and databases need to give cities access to information quickly. Data backup and disaster recovery expectations mean that you can’t just “lose” information. And you must adhere to specific retention, archiving, and disposal schedules. Not modernizing your technology or backing up your data properly opens you up to fines, lawsuits, and unflattering front-page news stories.
It’s important to document your records retention requirements and goals. Once you know where you keep your data and you classify it based on a sensitivity level, then it’s much easier to apply rules that dictate how long data must be kept and, maybe more importantly, when it needs to be destroyed.
These are five major areas within your city operations where complying with the law relies heavily on policy, best practices, and technology. At a minimum, you need:
- Adopted policies and training
- Basic cyber hygiene (such as regularly patching software, enterprise-grade antivirus and EDR, and IT professionals monitoring and maintaining your systems)
- Data backup and disaster recovery
- Modernized hardware, software, and infrastructure
- Physical and information security policies and procedures
- A secure, reliably hosted website
- Disciplined vendor management
Also, while you probably know which systems house credit card data, do you know the location of every record that may contain personally identifiable information (PII) or other sensitive information? Have documents with sensitive or confidential information crept out from your carefully structured folders and now reside on an employee’s local hard drive?
These unknowns can add to your challenges by making it hard to find information when required. Once you know where your data resides, technologies and processes can be put in place to keep your data where it belongs.