Obviously, private businesses must secure information for many reasons: establishing trust for customers, protecting against lawsuits, and following regulations. And, with some exceptions (such as Equifax), businesses usually operate with information that customers have agreed to hand over.
Cities operate quite differently. They are part of the fabric of our country. And citizens are required to interact with cities if they want to live somewhere.
That means you are given sensitive and confidential information to protect. Yet, cities still fail to protect electronic information appropriately—leaving that information open to hackers, risking stolen information, and increasing the chance of permanent data loss.
Let’s take a tour through a typical city’s information and analyze why it’s so important to protect.
1. City records
The records you must retain for specific periods of time vary depending on the information. Employee accident reports will differ from visitor logs. Business licenses will differ from meeting minutes. Plus, different city records will vary in confidentiality and sensitivity, leading to different processes related to releasing those records in case of Open Records Requests.
While a city can often retain and eventually find records if sought, instances of chaos occur when records are hard to find or remain paper-based. Best practices for securing city records include:
- Creating authorization policies that only allow specific people to edit or delete city records.
- Protecting access to the overall document management system with a strong password policy and other security features.
- Keeping the document management system software patched and updated.
- Ensuring that files are encrypted and protected, as needed.
- Tracking all document interactions and changes while creating an audit trail (which is especially useful for compliance or legal issues).
At the most foundational level, these security tips will help you protect city records along with other specialized information.
2. Financial information
Your city’s financial information includes all operational finances, tax information, and online payment information. Over the past few years, we’ve seen cities relentlessly targeted for their financial information—with hackers seeking to take over bank accounts, steal money, and sell financial data on the black market. Preventing threats to your financial data requires information security strategies such as:
- Replacing older software that is unsupported by the original vendor and lacks up-to-date security patches.
- Shoring up any security vulnerabilities related to financial system access—from weak passwords to misconfigured servers.
- Training employees about phishing, social engineering, and scamming techniques that hackers use to acquire financial information.
3. Personnel information
There’s a reason why city council meetings keep personnel discussions confidential. Many extremely sensitive details are included with personnel information such as personal history, background checks, tests (such as drug tests), healthcare, and work performance. Similar to points made above, you need to protect that information with special care. Information security is especially important here because you are legally required to protect personnel details.
4. Personally identifiable information (PII)
PII includes information such as a person’s name, physical address, email address, race, sex, date of birth, social security number, driver's license number, and other personal details. This recorded information, in paper or digital form, is used by individuals to identify themselves when conducting transactions with entities.
Not protecting this information leaves it open for theft by hackers, and this information is used and sold to commit identity theft. There is risk and liability in maintaining PII, so confirm if you need to keep it and securely purge what PII you don’t need to keep. To protect the PII you do keep:
- Secure access and encrypt it.
- Don’t put PII on a laptop or portable device.
- Identify and address any security vulnerabilities related to PII.
- Follow state records retention schedules.
- Destroy expired PII.
- Notify appropriate personnel in the event of an incident.
5. Public safety information
Public safety departments need to keep information secure with modernized technology, up-to-date software (that receives regular security patches), and proactive monitoring and alerting of your technology systems for issues. Otherwise, your lack of information security risks exposing sensitive case and investigation data to a hacking incident that may lead to severe financial, legal, and operational repercussions.
As stewards of important citizen and city business information, cities need to treat electronic information just as they would treat valuables locked up in a vault or locking the doors of buildings. How secure is your information? If you have concerns, reach out to us today.
Original Date: 7/10/2019