by Erica Siegrist & Anne Poulos
Tune in monthly for a curated collection of articles we found interesting on a broad range of topics, some of which are directly related to records management and others that might share common themes.
No, we didn’t write these articles —hence the name of this series, “Off the Record”— but fortunately, we didn’t need to in order to share the knowledge with our subscribers.
This month we are focusing on security!
The unfortunate reality about security is that many of us do not pay it much attention until a breach occurs. We think “oh, IT has data security covered,” or, “of course employees are using the shred bins,” but it can be dangerous to make these assumptions when you’re not conducting regular audits and policy reviews. Gathered below are three cautionary tales about confidential government records that were retained too long, destroyed improperly, or stored insecurely. As you peruse these articles, think about the P.I.I. (personally identifiable information) your government is responsible for protecting, and what you are doing to make sure all your employees are on board the security train!
Let’s see what folks in the RIM community have been saying about security…
“The NYPD Kept an Illegal Database of Juvenile Fingerprints for Years” — The Intercept
This article presents us with a classic case of over-retention. The New York Police Department was maintaining juvenile fingerprints long past their retention periods, and the NYPD was not even the official custodian of these records. Setting aside the duty of governmental bodies to uphold the ideals of accountability and transparency, as well as the increased risk of legal action, we are faced with the common-sense fact that the longer a government entity holds on to data, the greater the chance that the data will be breached. Governments must follow retention periods not only because it is the law, but also because they have a responsibility as records custodians to safeguard the privacy of their citizens.
For more information about how long to retain juvenile fingerprints in Texas local governments, consult records series PS4225-06 and PS4225-14 on Schedule PS: Records of Public Safety Agencies.
“McAfee Finds County Websites in 13 States Lack Basic Security” — Government Technology
The global software security company McAfee conducted a survey on the validity and security of the websites used by state and local governments. The article touches on the transparency and credibility government websites need in order to maintain the public’s trust in the face of disinformation. Furthermore, in the survey McAfee provided a list of the states deemed “battlegrounds” for the upcoming election in November, and ranked each state’s website in terms of both encryption and domain provider security.
In short, government websites can achieve more integrity with an address ending with the domain “.gov”. Basically, the better the domain, the better the reliability.
“Hundreds of confidential Georgia case files discovered in Aiken County landfill” – The North Augusta Star
Two questions come to mind from this article on the dumping of case files from the state of Georgia: How do state or local government agencies securely dispose of records? What kind of oversight and procedures exist to ensure the safe and effective destruction of records? These questions revolve around the prevailing actions and policies for transferring documents that contain sensitive, personally identifiable, or classified information for destruction. Reported as a one-time incident, this event highlights the promptness of disaster recovery and the laws governing the expunction of documents, including how and where destruction takes place. This also stresses the importance of accountable records managers upholding the privacy and security of the information and identities of private citizens.