Minnesota Cities Magazine
More from Jul-Aug 2018 issue

Ask LMC: Computer Security—Always Change Vendor Defaults

Cybersecurity (Part 4 of 4)
Q: I work in a small city and do not have technical support staff. What are some things I can do to keep our computer systems more secure?

LMC: There are three low-cost actions all cities should take. In the last three issues of Minnesota Cities magazine, we addressed password usage, updates, and backups. In this month’s bonus entry, we will cover vendor access accounts.

By leaving default passwords, you give hackers the Golden Ticket to your systems. Always change vendor-supplied defaults, and remove or disable unnecessary default accounts before installing a system. If you have computers that operate systems such as your city’s heating/ventilation, water, wastewater, security cameras, sirens, and doors, you’ll want to make sure the vendor-supplied passwords are changed. Software like this often comes with a default password, allowing someone to log in and set them up. Keep in mind hackers will download the same software and try to use the default password to enter into your systems and cause great harm. If you contract for systems or software installation, it’s OK to require the default access to be changed and even ask the vendor to show you when it’s complete. Don’t forget to document the passwords and keep them in a safe place. To learn more, see the LMC information memo at www.lmc.org/cybersecurity.

Answered by Chief Information Officer Melissa Reeder: mreeder@lmc.org

Respectful Workplace
Q: We have a vendor who comes into city hall and makes sexually inappropriate remarks to our front desk staff. Would the city be liable for this if the front desk staff complained, even though it’s not our employee who is making the inappropriate remarks?

LMC: The city could be held liable for a hostile environment created by vendors or other nonemployees if the city could have taken reasonable steps to resolve the issue but did not. The best practice in this situation would be to have a member of city management or human resources call the vendor’s manager to let him or her know what is happening and request that the behavior stop or that another person be assigned to the city’s account. Even if your front desk staff have not yet complained, there is a very good chance they might do so in the future. Taking quick action to stop inappropriate behavior helps create a positive workplace culture. For more information and resources to help your city prevent sexual harassment, visit the League’s website at www.lmc.org/preventharassment.

Answered by Human Resources Director Laura Kushner: lkushner@lmc.org

Data Practices
Q: What is the classification of lodging tax data under the Minnesota Government Data Practices Act?

LMC: Minnesota summers bring many tourists to cities across the state to visit and explore, and they often stay in a local lodging establishment. Some cities impose a lodging tax on lodging businesses located in their jurisdiction. Cities may receive a request for data surrounding the lodging tax. However, according to Minnesota Statutes, section 13.495, data collected from taxpayers under a lodging tax ordinance is nonpublic data (except for basic taxpayer identification data).

“Nonpublic data” is not accessible to the public, but it is accessible to the subject of the data, which in this case, would be the local lodging establishment. Prior to responding to a data request for lodging tax data, cities should work with their attorney to ensure proper compliance.

Answered by Research Manager Jeanette Behr: jbehr@lmc.org

Got questions for LMC? Send your questions to choffacker@lmc.org.

Read the July-Aug 2018 issue of Minnesota Cities magazine

* By posting you are agreeing to the LMC Comment Policy.