Monterey County Grand Jury • 2013-2014

Privacy and Security of County On-line Data and Information Systems*

Published: June 13, 2014 (10 pages)

Findings and Recommendations (8 findings)

F1
During the past eight or more years the Monterey County government has not devoted adequate attention to compliance with the California and Federal Privacy laws, and must now immediately change this attitude to strict attention and compliance, if it is to avoid serious financial consequences for potential violations.
Related Recommendations (1)
R1
The Monterey County Board of Supervisors and their staff should carefully study this Report on Privacy problems, in conjunction with its CAO, the County Counsel and his Privacy Deputy, and the Director of County Information Technology and her Security Chief and other IT personnel. These are key people since they directly work in the field of privacy, prevention of data breaches, and in coordinating the design and operation of the County website. The study of these issues has a dual purpose of understanding the significant penalties and financial risks to the County government due to the complexity of the laws, and realizing that there are some expensive and complex technical issues in this aspect of County business operations.
F2
The present old and defective Privacy and Data Breach Notification Policies are to be replaced immediately and the newly developed 2014 versions disseminated promptly to all Department heads now that they have been approved by the Board of Supervisors. This must be quickly followed up by education of all County employees as to these new rules, and the appropriate conduct required when using or operating County IT and communication systems.
Related Recommendations (1)
R2
The Board of Supervisors should consider the immediate need for additional funding to be provided both to County Counsel and the IT Department in order to improve existing and continuing compliance with California and Federal Privacy laws, rules and regulations. The CGJ believes funding at least one additional full time legal position for the County Counsel's office is imperative at this point, to help protect the County and its citizens. The IT Department also needs more funds to acquire and use various protective software packages that warn of impending attempts at data intrusion and stop them; and perhaps for one additional key person to head and direct the development and continuing maintenance of the County website on behalf of its many departments and agencies.
F3
County Counsel's office has not been adequately aware of these Privacy issues in the past, in part because of inadequate staffing and education of its lawyers, but it is now actively trying to change this situation within its budget limitations. However, it clearly needs additional funding to address these issues and to assist the IT Department and other County departments with this complex area of the law.
Related Recommendations (1)
R3
County Counsel's office should promptly take all steps necessary to formally designate one of its lawyers as "County Privacy Law Counsel" and to provide for that person's continuing legal education in this extremely complex area of the law. This should include education to the point of certification of his or her knowledge in this field by the IAPP, the standard of this industry. We have been told portions of such proposed actions are currently underway.
F4
The County IT Department needs to continue its active pursuit of software and hardware means of preventing intrusions, and to keep the Chief Administrative Officer (CAO) and his staff fully aware of the extent of this problem and the costs involved in complying. This activity may require that the CAO recommend changing some aspects of the Zero-based budgeting methods currently used to allocate funds to the IT Department to pay for necessary personnel and software. This possible change in budgeting methods is something that should not be postponed beyond the current fiscal year.
Related Recommendations (1)
R4
The duties of such Privacy Counsel should encompass working closely on a continuous basis with the IT Privacy Directors and County Department managers on existing and future Privacy Policies, and on all proposed contracts where vendors may have access to County records, and on all software licenses with third-party vendors. Privacy Counsel also needs to monitor closely these ever-changing laws to be certain that when changes in such laws occur these modified legal obligations and requirements are promptly communicated to responsible County personnel; so that they can be reflected quickly in then existing Policies; and so that follow-up educational meetings can be made for County personnel who must comply with these new laws.
F5
Everyone involved must realize that this area of the law is in a constant state of change, both at the state and federal level, and that there may even be some aspects of international Privacy laws that come into play at times, even for locally stored data.
Related Recommendations (1)
R5
The County Information Technology Department Director and the Chief Security & Privacy Officer, working with the Security and Privacy Officers in other Departments, should be commended for the recent massive revision of Monterey County Privacy and Security Policies. This critical project has been on-going for more than six years, in order to replace the existing, obsolete 2002-2004 versions. Unfortunately, these old Policies, as of May 2014, were still posted on the IT Department website, as well as a 2008 version which apparently still exists but is accessible only internally. In an effort to reduce County exposure for failure to comply with existing California and Federal Laws, and in fairness to Monterey County residents, prompt completion and dissemination of these revised Privacy and Security Policies should be a priority, especially since large amounts of Personally Identifiable Information ("PII") could otherwise be at risk of illegal disclosure.
F6
Of particular concern should be those Privacy laws relating to health records used or maintained by County agencies like Natividad Medical Center and the County Health Department since the provisions of the Federal HIPAA law are particularly burdensome and the penalties very expensive if violated.
Related Recommendations (1)
R6
Finally, the CGJ strongly recommends that the subject of education about compliance by all County employees and their departments with California and Federal Privacy and Security laws be taken more seriously. We understand that existing County Policies call for such education efforts in the form of providing and requiring attendance at biennial educational programs. Several CGJ members actually attended the current educational program, which was well presented and current. However, employees from the highest to the lowest level of County government must be made to realize that, while these Policies, rules and laws may seem burdensome and inconvenient, failure to comply may not only result in loss of their jobs, but also in massive and punitive penalties and legal fees incurred by the County if any such violations were to be litigated. This educational process is not an easy, nor inexpensive, task, but it must not be minimized.
F7
County departments and those agencies and personnel involved in acquisition of communications, software and almost every other type of goods and services, must insist both contractually and in practice that all vendors at every level comply with required Privacy and Breach Notice laws when dealing with County owned or controlled personal data and information. Unfortunately, many commercial vendors and businesses are not currently in compliance, worldwide, as can be seen from the numerous data breaches recently reported in the U.S. news media.
No recommendations for this finding
F8
Finally, Monterey County is not unique in dealing with these critical Privacy problems, according to a story in the IAPP newsletter in late May 2014. This publication reported that the Los Angeles (LA) County Board of Supervisors recently voted to direct its county staff to promptly develop a plan to require third-party contractors hired by the County to "encrypt sensitive information on their computers as a condition of their contracts." This followed the February 2014 breach of data on eight computers holding 342,000 patients' medical records taken from the offices of contractor Sutherland Healthcare Solutions. LA County already mandates that county laptops be encrypted. These new rules now also require that all county department's computer workstations' hard drives are to be encrypted.
No recommendations for this finding

Agency Responses (5)

Government agencies' official responses to this report's findings and recommendations.

* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.