Cyber security and data privacy continue to challenge public-sector employers, as the nature of local government presents unique issues.
For starters, government agencies and municipalities collect massive amounts of sensitive data about their citizens. Examples include:
- Financial information and social security numbers for state and local taxes, including income amounts, bank account numbers, and credit card numbers used to pay tax on income;
- Wage and salary data for unemployment insurance;
- Automobile VIN numbers, license plate numbers, and driver’s license numbers for taxes on automobiles and for traffic enforcement;
- Medical and personal information for social services assistance;
- Locations, including home addresses and other information, for fire and police departments;
- Criminal records for convicted citizens;
- Names, addresses, and card numbers of citizens who use a library.
On top of this, local governments may have open access to state records, making a local government’s data footprint much larger than just the citizens residing within its boundaries.
Secondly, a local government may lack the resources to manage large swaths of data. Small towns or special districts may only have rudimentary controls in place. Instead of an in-house technology department, they may be forced to rely on over-extended contractors. The resources are not commensurate with the value of the data.
Thirdly, government data are especially attractive to wrongdoers trying to gather personal information for nefarious purposes. As a result, government workers are bound to be the targets of phishing attacks and ransomware. Phishing attacks involve employees receiving an email with an invitation to click on a link or respond to the email. If the employee takes the bait, malware takes over their computer system in order to capture and steal data to use in cyber-crimes. Ransomware shuts down the town, city, county, or other governmental entity, such as a fire department, and criminals demand a ransom to return the data.
Finally, states such as Colorado are passing laws that oblige local governments to create policies for data protection and information security, and to notify affected parties when there is a data breach. An explanation of the Colorado laws is available on our members-only website. Those in human resource functions may believe that this is a technology problem, and certainly there are technological aspects, but employees have access to the data and are often responsible for protecting it through good data hygiene.
What’s an over-strapped local government agency or municipality to do? Admitting that you have a problem is often the first step, as the old trope goes. Understanding where data reside can help assess their vulnerability. Once it is clear where data reside, it becomes apparent what controls exist.
If a small governmental entity does not have the budget to protect the data or have the wherewithal to properly train employees on sensible controls, a call to the state government agency tasked with protecting data is in order. Larger cities with good controls in place may be willing to share their expertise and policies. Whenever a smaller entity reviews a larger entity’s policies, caution in adopting them wholesale is advised. They may list requirements that will create a larger burden than is necessary to carry out the objective of adequately protecting data. Those human resource and technology professionals with small budgets wanting to understand how to protect data have a free resource a click away at https://www.cisecurity.org. This information is more easily understood by a technology professional, but it should be reviewed with those responsible for human resources.
For a comprehensive view of this topic, attend Employers Council’s Employment Law Update at any Colorado location. You can easily register or learn more about the conference.