Townships should assess their policies and practices related to controlling Township cyberattacks and inadvertent disclosure of data. With the growth in the internet and rise in identity fraud, Townships should secure data and minimize the risk of unauthorized access or inadvertent disclosures. In this E-Letter, learn the importance of assessing Township security risks, leveraging exemptions in the Open Meetings Act and Freedom of Information Act to prevent disclosure of sensitive information, and overall considerations for minimizing risks.
PROTECTING THE TOWNSHIP’S DATA FROM SECURITY RISKS
Cybersecurity addresses the need to increase protection for hardware, software and data connected to the internet. Townships should consider their own security to explore vulnerabilities in their computer system and physical record storage. Attacks are not limited to only private corporations, but also include federal government agencies, state agencies, and local units of government. Cyber attackers can gain valuable personally identifiable information, which can be used to commit financial harm to individuals whose information has been obtained. Cybersecurity analysis should assess Township policies and practices related to data storage and information access. Townships are also providing information publicly under the Michigan Open Meetings Act (“OMA”) and Freedom of Information Act (“FOIA”). In the 21st Century, identify theft and fraud are at an all-time rise, however, so Townships need to balance their obligations under Michigan law against the potential harm that can be caused by release of certain sensitive information.
WHY TOWNSHIPS SHOULD CARE ABOUT RELEASE OF SENSITIVE DATA?
Connectivity makes electronic data available everywhere. Information collected from Townships can be disbursed or sold anywhere in the world. Townships need to evaluate their policies and protocols for controlling access to sensitive Township data and personally identifiable information. Personally identifiable information allows a recipient of the data to identify a particular person through the information. This may include a full name, social security number, driver’s license number, bank account number, and telephone number. Personally identifiable information of this nature fuels the rise of identify theft and fraud. The United States Federal Trade Commission reported that three of the top 15 metropolitan areas for identify theft are in Michigan.
Townships should consider their current information technology systems (i.e., computers, servers, and network devices) for vulnerability. This includes assessing on-site storage hardware, cloud services, encryption protocols for transmission of sensitive information, and current network devices. As hardware and software ages, these items become more vulnerable to cyberattacks. Current products on the market also widely vary as to their security and encryption levels (compare Dropbox, AWS services, and Box enterprise cloud services).
Not all vulnerabilities for Townships are cyber-attacks, however. Townships maintain volumes of records that contain numerous personal details about Township residents, vendors, and other government agencies. Unlike for-profit and non-profit corporations, Townships must deliberate and make decisions in open meetings and must respond to public records requests consistent with the OMA and FOIA. Even so, the inadvertent or intentional release of this information can also pose costs to the Township:
1. Reputation and integrity harm,
2. Investigative costs,
3. Individual official or employee costs (i.e., disclosing records prohibited by statute that impose a penalty for such disclosure),
4. Lawsuits and settlements,
5. Rising insurance premiums, and
6. Security and access control capital contributions.
Although Townships may not have the amount of data of state agencies, cyberthreats and inadvertent disclosure create real impacts on individuals. The following large breaches over only the past four years showcase the importance for any Township to verify its current practices and protocols and further refine them:
- Michigan Department of Technology, Management and Budget and the Unemployment Insurance Agency: A software update to the unemployment benefits computer system allowed users of the Michigan Data Automated System (MiDAS) to access as many as 1.87 million Michigan resident’s social security numbers and their names from October 2016 – January 2017. See DTMB Notice: Click Here.
- Georgia Secretary of State: Georgia inadvertently included 6.2 million voters’ private information, including Social Security numbers on a statewide voter disc that included Georgia political parties and media outlets. See Georgia Secretary of State Notice:Click Here.
- U.S. Office of Personnel Management: The agency manages the U.S. government’s employment records. In 2015, the agency announced two separate intrusions obtaining unencrypted data impacting over 21.5 million people. The data included personally identifiable information of employees, contractors and certain civilian federal agencies.
The risk of data breaches is real for any entity and Townships may want to consider taking a proactive approach to minimizing the risk of cyberattacks and inadvertent disclosures. Townships should start with assessing their information technology systems and developing protocols and policies for data management.
LEVERAGE THE OMA AND FOIA TO GAIN CONTROL OVER PHYSICAL ACCESS TO TOWNSHIP RECORDS
Cyberattacks should remain a significant priority but controlling access to Township data during meetings and in response to FOIA requests is equally important. The OMA and FOIA facilitates disclosure of public deliberations, decisions, and public records to the public. These statutes are broadly interpreted by courts to allow public access to public records. Notwithstanding, the Legislature intended these statutes to provide disclosure of that information and public records that facilitates the public’s understanding of government operations and decision-making—not sensitive information and personally identifiable information. The OMA and FOIA provides numerous exemptions demonstrating this. These exemptions assist Townships in maintaining control over physical access of its public records.
No Need To Discuss Personally Identifiable Information In Public Meetings
Township meetings must be open to the public. And, Township must make all decisions at open meetings. Township deliberations leading to those decisions must be at open meetings. These general tenets drive monthly Township meetings throughout Michigan.
Importantly missing from the OMA are specific provisions regarding any substantive information that would require personally identifiable information or confidential information to be discussed in an open meeting. The OMA does not require Township Board members to discuss sensitive information in open meetings.
Townships cannot require registrations or prohibit audio or video taping at their meetings, further supporting why these items should not be discussed in open meetings. Moreover, Townships must allow the opportunity for public comment, but they are not required to answer or respond to public comment. Certainly, many Townships provide feedback and further information during public comment, which can be very effective and efficient in administering Township governance, regulations, policies, and ordinances. Township Board members, however, should refrain from discussions that would lead to disclosure of sensitive information—whether about the Township’s practices, Township officials and employees, or residents.
Townships can also engage in closed sessions to handle issues that would involve sensitive information, including personally identifiable information. These may include the following:
- “To consider the dismissal, suspension, or disciplining of, or to hear complaints or charge brought against, or to consider a periodic personnel evaluation of, a public officer, employee, staff member, or individual agent, if the named person requests a closed hearing;”
- “For strategy and negotiation sessions connected with the negotiation of a collective bargaining agreement if either negotiating party requests a closed hearing;”
- “To consult with its attorney regarding trial or settlement strategy in connection with specific pending litigation;”
- “To review and consider the contents of an application for employment or appointment to a public office if the candidate requests that the application remain confidential;”
- “To consider material exempt from discussion or disclosure by state or federal statute.”
The last exemption may be the most important in leveraging the OMA exemptions. Under Section 8(h), closed session is appropriate to consider material “exempt from . . . disclosure by” state statute. Clearly, the FOIA is such a statute that provides for materials exempt from disclosure (albeit permissive in some respects). See Michigan Attorney General’s Open Meetings Act Handbook (applying FOIA exemptions as proper purpose to enter closed session) (Click Here). Accordingly, when considering how to control access to Township data and prevent inadvertent disclosure, Townships should know that information exempt from disclosure by the FOIA is similar information that need not be discussed in open session. This same exemption allows for convening a closed session to discuss sensitive information in confidential written legal opinions.
No Need To Disclose Personally Identifiable Information In Response To FOIA Requests
The FOIA provides citizens with access to public records. It was adopted April 13, 1977, and thus implementation of its provisions must be considered in light of current world dynamics. The World Wide Web was not available to the public until August 6, 1991—nearly a decade and a half later. By 1995, less than a half of a percent of the world had access to the internet. By 2017, almost 60% of the world population was connected through the internet. Information is now readily available throughout the world to a vast number of individuals almost instantaneously.
Until 2017, Townships had no clear direction on how to avoid disclosure of personally identifiable information. For most, Townships heavily relied upon Section 13(1)(a) that permitted exemption of records of a personal nature where the release of the records would constitute a clearly unwarranted invasion of an individual’s privacy. This supported redaction of names, addresses, signatures, phone numbers, e-mails, bank account numbers, employee files and other information. But the plain language of the provision was fraught with peril, causing numerous case decisions decided by the Michigan Court of Appeals and Michigan Supreme Court.
The following sections also supported protection of sensitive information and personally identifiable information:
- Certain public records part of active law enforcement investigations and records of the Township police department (Section 13(b), (s));
- Trade secrets or commercial or financial information (Section 13(f));
- Information or records subject to attorney-client privilege (Section 13(g));
- Bids and proposals not yet made public (Section 13(i));
- Frank communications within a public body of an advisory nature that are preliminary to a final determination (Section 13(m)).
By 2017, the Legislature took note of cybersecurity threats and amended the FOIA to include Section 13(z), which expressly exempts “information that would identify or provide a means of identifying a person that may, as a result of disclosure of the information, become a victim of a cybersecurity incident.” In evaluating FOIA requests, Townships should consider the applicability of this provision when records may contain any of the following:
- Health and medical information
- Personal contact information
- Bank accounts
- Driver’s license numbers
- Emergency contact information
- Receipts and collections
- Confidential information
- Personally identifiable information on past due payments
- Account numbers and personal contact information for community members
In addition to considering the records listed above, the FOIA allows for exemption of information or records that would disclose the social security number of an individual or those records that are otherwise exempt from disclosure by statute. Townships should consider these other statutes when reviewing FOIA requests:
- Certain election and voter information and records (MCL 168.509gg; MCL 168.522a; 168.759a(11));
- Records regarding applications for self-insured status, benefits paid to injured employees, and information or forms concerning the issuance of insurance policies to employees (MCL 418.230(1));
- Social Security numbers including any sequence of more than 4 digits (MCL 445.85);
Moreover, MCL 15.233(3) provides that “[a] public body may make reasonable rules necessary to protect its public records and to prevent excessive and unreasonable interference with the discharge of its functions.”
OVERALL CONSIDERATIONS FOR GOOD TOWNSHIP PRACTICES
Townships assessing their policies and practices should identify weaknesses and limit inadvertent disclosure of records. Townships can follow current document retention schedules. Records that are not required to be kept should be shredded and properly disposed. Township files can be physically secured with access limited to only authorized individuals. Townships should also consult with their technology specialists regarding their electronically stored information. Moreover, Townships should minimize discussing personally identifiable information and other sensitive Township information in open meetings. Townships can further protect such data by adeptly applying exemptions provided in the FOIA to minimize the risk of identity theft and cybersecurity incidents.
– Chris Patterson
Click here for a PDF Version of this publication.
Fahey Schultz Burzych Rhodes PLC, Your Township Attorneys, is a Michigan law firm specializing in the representation of Michigan townships. Our lawyers have more than 150 years of experience in township law and have represented more than 150 townships across the state of Michigan. This publication is intended for our clients and friends. This communication highlights specific areas of law and is not legal advice. The reader should consult an attorney to determine how the information applies to any specific situation.
Copyright © 2019 Fahey Schultz Burzych Rhodes PLC