Findings and Recommendations 8 findings
F1
The City initially did not realize the magnitude of the erroneous filings until numerous employees and retirees informed them of the problem.
No recommendations for this finding
F2
According to California Civil Code, §1798.29, a data breach did not occur.
No recommendations for this finding
F3
The City’s response to the erroneous filing has been adequate, although they should have informed the retirees sooner.
No recommendations for this finding
F4
Because retirees were not informed until four months later, this put them at risk of unnecessarily paying extra taxes, not to mention the risk of identity theft. This is unsettling.
No recommendations for this finding
F5
It is further troubling that the infrastructure of a city as large and prosperous as Bakersfield did not discover the internal source of the error for eight months.
No recommendations for this finding
F6
It is inconceivable that in this age of cybercrime, the City does not have written Policies and Procedures for dealing with data breaches and possible ransomware. A Policies and Procedures Manual will define and mandate the actions to deal with breaches and other information issues regarding sensitive information such as salaries, employee/retiree data.
Related Recommendations (2)
R1
The TS and Finance departments should generate a written Policies and Procedures Manual, by the end of the current fiscal year, which mandates the immediate notification of all employees and retirees of any data breach or erroneous IRS filing. (Finding 6)
R2
The TS and Finance departments should create a written Policies and Procedures Manual, by the end of the current fiscal year; one that defines and mandates action necessary to deal with potential data breaches, malware and ransomware information issues. (Finding 6)
F7
It appears the City’s TS Department is understaffed, to adequately deal with the current onslaught of cybercrime. This places the City in jeopardy of further information breaches.
Related Recommendations (1)
R3
Within the next three months, devote funding to recruit and retain qualified Technology Services staff. (Finding 7)
F8
Current City Finance and TS staff are in dire need of ongoing in-service training on quality control issues regarding the current TS system in use.
COMMENTS: The Grand Jury would like to thank the City of Bakersfield for their participation, cooperation and assistance in being available for interviews and providing information for this report.
Related Recommendations (2)
R4
Within the next three months, provide training to TS and Finance staff to deal with the inadequacies of the current information data system. (Finding 8)
R5
Make it a priority to complete the Request For Proposal (RFP) process and implementation of an updated software system. (Finding 8)
NOTES:
• The City of Bakersfield should post a copy of this report where it will be available for public review.
• Persons wishing to receive an email notification of newly released reports may sign up at: www.kerncounty.com/grandjury
• Present and past Kern County Grand Jury Final Reports and Responses can be accessed on the Kern County Grand Jury website: www.kerncounty.com/grandjury
RESPONSE DEADLINES: REQUIRED WITHIN 90 DAYS FROM:
PRESIDING JUDGE
KERN COUNTY SUPERIOR COURT
1415 TRUXTUN AVENUE, SUITE 212
BAKERSFIELD, CA 93301
FOREPERSON
KERN COUNTY GRAND JURY
1415 TRUXTUN AVENUE, SUITE 600
BAKERSFIELD, CA 93301
Reports issued by the Grand Jury do not identify individuals interviewed. Cal. Penal Code § 929 requires that reports of the Grand Jury not contain the name of any person or facts leading to the identity of any person who provides information to the Grand Jury.
2021-2022 Kern County Grand Jury Report
Appendix D:
California Civil Code §1798.29:
“(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
California Civil Code §1798.29(f) also states if the data breaches affect more than 500 persons, persons affected must be notified immediately and a report must be submitted to the California Attorney General’s Office.
CITY OF BAKERSFIELD RESPONSE TO ERRONEOUS IRS FILINGS GRAND JURY REPORT
FINDINGS:
F1. The City initially did not realize the magnitude of the erroneous filings until numerous employees and retirees informed them of the problem.
The City agrees with this finding. However, the City would like to add that the first notification from the IRS came to our attention in the middle of March 2021 and by the end of that month the City had obtained outside counsel to work with the IRS to help fully understand the extent of the issue. It was only after working with the IRS that the scope of this erroneous filing became apparent.
F2. According to California Civil Code, §1798.29, a data breach did not occur.
The City agrees with this finding.
F3. The City’s response to the erroneous filing has been adequate, although they should have informed the retirees sooner.
The City agrees with this finding. Though the City was not made aware of the total number of affected individuals until May 2021, information regarding the issue was only disseminated to current employees via emails. Retirees should have been notified sooner.
F4. Because retirees were not informed until four months later, this put them at risk of unnecessarily paying extra taxes, not to mention the risk of identity theft. This is unsettling.
The City disagrees with this finding. As mentioned, the City was not made aware of the full extent of the issue until May 2021 and a letter to all affected employees and retirees was sent out in July. During the three months between, the City received phone calls and visits from employees and retirees almost daily where staff let them know that no payments should be made. In fact, no payments were actually made by retirees directly to the IRS with regards to this matter. In addition, this was not a data breach and there is no evidence that this incident put any employees or retirees at more risk for identity theft.
F5. It is further troubling that the infrastructure of a city as large and prosperous as Bakersfield did not discover the internal source of the error for eight months.
The City partially disagrees with this finding. The amount of time it took to fully understand how this erroneous 1099 filing could have occurred is a function of very slow response times from the IRS, misinformation from the current financial software provider and an overall deficiency in that system due to its overall age, technologically speaking. City staff worked continuously during those eight months to both assist affected individuals and work with the IRS to understand how this occurred. The amount of time it took to resolve this is disconcerting, but the finding implies that extended period was both the City’s sole responsibility and that staff was not working daily to resolve the issue.
F6. It is inconceivable that in this age of cybercrime, the City does not have written Policies and Procedures for dealing with data breaches and possible ransomware. A Policies and Procedures Manual will define and mandate the actions to deal with breaches and other information issues regarding sensitive information such as salaries, employee/retiree data.
City partially disagrees with this finding. At the time of the investigation, the City was already in the process of developing a formalized written security incident management program. The City does have procedures for investigating possible cyber incidents and malware attacks and those procedures were followed to arrive at the determination that there was no breach of any systems.
F7. It appears the City’s TS Department is understaffed, to adequately deal with the current onslaught of cybercrime. This places the City in jeopardy of further information breaches.
City partially disagrees with this finding. The City would like to clarify and reiterate that there was no breach of any systems, as stated in Finding number 2. On staffing, the City has been investing in the development of the Technology Services Department with the addition of twenty new staff positions over the last three years (which is a 52% increase). Four of these positions have been utilized for the development of a security team dedicated to enhancing cyber and physical security of City assets. Ongoing identification of strategic staffing positions will be requested to bring the staffing of the department in line with other similarly sized cities over the next five years through the budgeting process.
F8. Current City Finance and TS staff are in dire need of ongoing in-service training on quality control issues regarding the current TS system in use.
City partially disagrees with this finding. Additional training for City staff is always preferable and beneficial. However, the careful review of this case indicated that training would have been unlikely to prevent this specific issue. This incident was related to an erroneous computer software setting which created an anomaly in staff processes. This incident prompted an immediate review of procedures and settings, which resulted in changes to prevent this type of situation in the future. The fact that this type of erroneous filing could have occurred was an unknown and only the chain of events that occurred revealed that changes were necessary. The City is aware of the overall deficiency in the current “TS system” (ERP or core financial software system) and is in the midst of an ongoing project to replace that system. Once implemented, the City expects a more robust quality control system related to the ERP operations that is indicative of a 21st century, modern product.