We put the IT in city®

CitySmart Blog

Wednesday, August 30, 2017
Mark Holbrook, Technical Account Manager

Mark HolbrookCompliance. One of those necessary operational activities that you know is working when nothing bad happens. When compliance doesn’t work, you open the door to significant risk. Maybe you violated open records laws like the city of Chicago and have to pay out $670,000 in lawsuits. Maybe an employee opened a spam email and hackers gained access to that employee’s email account, exposing sensitive and confidential information that the city was supposed to protect. Or maybe you lose eight years of criminal evidence from a ransomware attack, possibly affecting the sentences of defendants as lawyers present evidence for and against their cases.

Even if your lack of compliance seems less startling than the repercussions of these stories, it’s still an issue that opens you up to serious liability claims and lawsuits. Before we started working with one of our current city customers, they discovered that they were not meeting federal or state compliance regulations in several areas. For example, the city’s email was not secure and compliant with open records laws.

We’ve talked a lot in the past about the legal consequences of poor technology infrastructure and support. In this post, we want to highlight how specific areas of compliance can be impacted by your technology.

1. Tax information

Information related to property taxes, municipal income taxes, and other kinds of taxes that cities collect from citizens needs to be protected under law. Much of this information is considered confidential or sensitive (such as social security numbers). Also, the IRS requires that cities keep Federal Tax Information (FTI) secure according to Publication 1075. Secure data transfer, recordkeeping, secure storage, authorized access, and computer system security are all covered under federal law. According to the IRS, “The [Internal Revenue Code] defines and protects the confidential relationship between the taxpayer and the IRS and makes it a crime to violate this confidence.”

2. Public safety information

Too many public safety departments still have a shaky IT foundation with aging technology, obsolete software, and poorly maintained systems. This leaves open many security holes and risks the loss of critical information. At a federal level, there are strict Criminal Justice Information (CJI) laws covering information access, storage, and data integrity. Then, each state has laws pertaining to the security of information exchanged with local public safety departments.

For example, “The Rules of the [Georgia Crime Information Center] Council mandate performance audits of criminal justice agencies that access the Georgia CJIS network to assess and enforce compliance with the Rules of the GCIC Council, O.C.G.A. § 35-3-30 through 35-3-40, other relevant Georgia code sections and pertinent federal statutes and regulations.” That’s why our engineers are GCIC-certified to make sure that IT systems comply with the Georgia Bureau of Investigation as well as Criminal Justice Information Services (CJIS).

3. Payment information

Any city that offers payment services for tickets, fines, utilities, licenses, or other services needs to secure and protect payment information. That includes credit card, debit card, banking, and any other data that hackers can steal to commit financial fraud. Complying with PCI DSS standards is a must for cities when they provide payment services. In addition, any technology infrastructure that stores and processes payment needs to be modernized, monitored, and maintained by IT professionals.

4. Personnel information

You obviously know that personnel matters involve some of the most sensitive and confidential information. That’s because personnel information can include personal history, background checks, tests (such as drug tests), healthcare, and work performance. That information must be protected by law, and there are many federal, state, and local laws that you must follow.

5. Open records and FOIA requests

By law, your city must respond to open records and FOIA requests. Yet, many cities sometimes delay responding to those requests by claiming they can’t find the information. Sure, some cities may have poor email, document management, or paper filing systems that make tracking down information troublesome. But open records laws become more unforgiving with each passing year. Searchable email, records/document management systems, and databases need to give cities access to information quickly. Data backup and disaster recovery expectations mean that you can’t just “lose” information. And you must adhere to specific retention, archiving, and disposal schedules. Not modernizing your technology or backing up your data properly opens you up to fines, lawsuits, and unflattering front-page news stories.


These are five major areas within your city operations where complying with the law relies heavily on policy, best practices, and technology. At a minimum, you need:

  • Adopted policies and training
  • Basic cyber hygiene (such as regularly patching software, enterprise-grade antivirus, and IT professionals monitoring and maintaining your systems)
  • Data backup and disaster recovery
  • Modernized hardware, software, and infrastructure
  • Physical and information security policies and procedures
  • A secure, reliably hosted website
  • Disciplined vendor management

Worried about complying with the law? Reach out to us today.