Greg Van Wormer speaks about data security. |
A lot of media
attention is focused on big data security breaches where thousands, or even
millions, of credit card numbers become compromised. With a focus on credit
card security, it can be easy to forget that there are other types of data that
can be vulnerable to potential security breaches.
To help clarify what
cities need to protect, and how breaches can happen in cities of any size. Greg
Van Wormer, LMC’s Assistant Technology Services Director, recently presented
some scenarios demonstrating potential data security issues.
Read through the
scenarios below and see if you can spot how the Data Practices Act is being
violated.
Scenario #1:
A night custodian is
on his/her rounds when they notice that the city clerk’s computer has been left
on. This clerk also manages human resources, and displayed on the computer
screen is a letter of reprimand. The custodian reads the letter, learning who is
being reprimanded and what they are being reprimanded for.
What security risks
are in this scenario? There are multiple issues. The fact that the clerk’s
computer is on and not password protected violates the Data Practices Act. The
night custodian also violates the act by reading the letter because he or she
is accessing data they don’t have permission to access. A further consequence
is that the subject of the letter of reprimand could sue the city. To avoid
these issues, make sure all computers are password-protected and automatically
log-off if they haven’t been used in a
designated amount of time.
Scenario #2:
A city manager is
sending out an email to residents who signed-up to be notified when there is a
snow emergency. The email list is relatively small, and the city manager sends
the email through their city email account. The city manager copies all the emails
into the email and hits send.
How did this violate
the Data Practices Act? When the city manager sends the email, the email
addresses are visible to all the recipients. This unintended disclosure
violates the act by sharing information that is not for the public. A solution
to this problem is to use a third-party email service that will send it to your
list without showing other recipients’ emails.
Want to know more
about how to protect your city’s data? Here are some resources you can explore:
- Check out the Information Analysis and Policies Division of the Minnesota Department of Administration's website
- Read more on NetDiligence—LMC's new resource to help cities protect data
- Contact LMC’s Research Department if you have a specific question by emailing research@lmc.org