Data Security and Privacy Best Practices for Ohio Political Subdivisions

The COVID-19 crisis has created challenges for local governments, which need to continue serving their communities but must do so remotely, safely, and in compliance with existing law. The following are a few data security and privacy best practices for Ohio political subdivisions, including townships, villages, cities, counties, and school districts, as well as other political subdivisions (collectively “Ohio Political Subdivision(s)”) to consider as they transition to working and administering government services remotely. Please be aware that these best practices will not guarantee complete privacy and security for the Ohio Political Subdivision; however, they will help mitigate risks related to your offices functioning remotely.
 
  1. Storing Confidential Documents: Employees administering government services may remotely review documents with confidential personal information, such as social security numbers, driver’s license numbers, and other types of sensitive information. To maintain the privacy and confidentiality of this information, your Ohio Political Subdivision should consider acquiring secure cloud storage to which only authorized employees are permitted access. Such employees should then be required to store all confidential documents and notes on the secure cloud storage platform. Note that documents on an employee’s home computer or in a private email account may still be public records for purposes of Section 149.43 of the Revised Code. Requiring cloud storage of such documents helps to mitigate that issue.
  2. Transmitting Confidential Documents: If employees are required to transmit confidential documents over email, your Ohio Political Subdivision should consider requiring employees to encrypt the confidential documents, as well as the corresponding email(s). PDFs, Word documents, and Excel spreadsheets all have tools that allow users to encrypt a file with a password. This password should be provided to email recipients by phone or other secure methods.
  3. Handling Physical Copies of Confidential Documents at Home: Even at home, employees should ensure that physical copies of confidential documents and notes are securely stored and retained in accordance with existing document retention policies and statutory requirements. Statutory requirements will vary for each specific Ohio Political Subdivision and can be found within ORC 149, as well as any applicable local rules regarding document retention requirements. Confidential documents and notes should not be left out in the open, but should be stored in a secure location, such as a locked cabinet or drawer. Additionally, employees should ensure all confidential documents and notes are appropriately destroyed in accordance with record retention requirements as necessary.
  4. Confidential Phone Conversations: Employees will likely participate in confidential phone conversations and conference calls at home where family members may be present. Confidential personal information may be shared during these calls. As a result, employees should take calls in a private room away from other people and consider using headphones.
  5. Beware of Phishing Emails: Phishing emails are the primary tool for hackers to gain access to confidential personal information. In emergency situations, such as the COVID-19 pandemic, employees can be even more susceptible to social engineering and fraudulent communications. Consider circulating a reminder to employees to stay vigilant for phishing emails, and work with your Information Technology (IT) team to enhance staff spam and phishing filters.
  6. Secure Home Internet Routers: Employees should also assess their personal network security. Internet routers oftentimes come with default manufacturer passwords as simple as “0000.” Employees should consider changing their default passwords to something at least eight characters in length in order to prevent unauthorized access to their networks.
In addition, it is important to be aware of Ohio’s data breach notification law (O.R.C. § 1347.12), which requires Ohio Political Subdivisions that experience a data breach to notify individuals affected by the breach. This is even more relevant when considering the range of confidential personal information (e.g., social security numbers, financial account information, driver’s license numbers, etc.) that Ohio Political Subdivision employees may handle while administering government services remotely during COVID-19.

Ohio Political Subdivisions still need to adhere to the Ohio Open Meetings Act/Sunshine Law requirements generally within ORC 149 and ORC 121.22, with the exception of any changes stemming from the recently passed Amended, Substitute House Bill 197 (the “Bill”). Within the Bill, there are temporary changes to Ohio’s Open Meetings Act, effective until the end of the declared emergency or Dec. 1, 2020. A summary of those changes and answers to frequently asked questions can be found on the Ohio Attorney General’s website.

Ice Miller has put together a COVID-19 Task Force to address growing concerns about the outbreak of COVID-19 and provide resources for employers, employees, and other interested parties. Our team is happy to assist with developing and administering work from home policies and trainings, and navigating the challenges of transitioning to a remote workforce. Please do not hesitate to contact Chris Miller (christopher.miller@icemiller.com), Greg Dunn (gregory.dunn@icemiller.com), Lindsay Miller (lindsay.miller@icemiller.com), or Jessica Voltolini (jessica.voltolini@icemiller.com) from our Government Law Group or Rachel Spiker (rachel.spiker@icemiller.com) from our Data Security and Privacy Group for more information.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.