Ask the Experts

Cybersecurity Best Practices for Local Agencies

By Jennifer Saha, CEO, Technology Industry Association of California

Summer is nearing, and the Golden State is continuing to relax COVID-19 restrictions. In time, Californians will begin an exodus out of their homes and into campgrounds and state parks, enjoying the state’s natural wonders with a renewed appreciation.

But with such a transition period, there may be bad actors waiting to take advantage of unsuspecting Californians aiming to put 2020 behind them. Cybersecurity must become a greater priority to keep up with an influx of online transactions and exposure to new networks.

Agencies and constituents should take steps to learn more about threats, including finding resources to guide them toward safer cyber practices.

These actions alone are no substitute for consulting a trained professional who can help you navigate a specific scenario. Here are three ways to mitigate cybersecurity risks this summer:

Be Wary of Pineapple Devices

As COVID-19 restrictions continue to lift this summer, campers, vacationers, and just about anyone on the move will be accessing new Wi-Fi networks for the first time. However, not all these Wi-Fi networks are what they claim to be.

Enter the Wi-Fi pineapple. First released by tech company Hak5 in 2008, the Wi-Fi pineapple was designed to allow “penetration testers” to attack public Wi-Fi networks and expose security risks for the benefit of the companies that hired them. But given the mass availability, low cost, and easy-to-use interface of the Wi-Fi pineapples, independent hackers are buying the devices and using them to impersonate a Wi-Fi network to obtain someone’s personal information or data illegally.

How do you protect yourself from attackers using Wi-Fi pineapples? The first step is to carefully vet all public Wi-Fi networks, as well as your own. Only use them when necessary or if a device has been verified. If you do end up using a public Wi-Fi network, consider accessing it through a virtual private network, better known as a VPN. A VPN will encrypt your data so that any virtual onlookers are unable to extract valuable information. Finally, after using a public Wi-Fi network, make sure your device “forgets” the network so that it doesn’t connect automatically the next time you are in range of its signal.

Stay Vigilant Against Email Phishing

Every day, our email and text inboxes are flooded with coupons, promotions, payment requests or confirmations. Most are legitimate, but plenty of others are sent by scammers that impersonate real, reputable companies to obtain personal information such as passwords, credit card numbers, or even social security numbers. It’s called phishing, and there are several ways to avoid falling victim to a scam.

One of the first steps to avoid being tricked by a phishing attack is to prevent phishing emails or texts from reaching your inbox. That means updating security software on your computer as well as setting your phone’s software to update automatically.

If a phishing email does reach your inbox, you can recognize a scam by hovering your mouse over any links. If the promotion is a scam, the addresses that appear beside your cursor will not match the content of the email. Additionally, trust your suspicions when you receive an unexpected invoice, and keep in mind that your bank will never ask you to access your account via a text message.

Monitor Transactions, Standardize and Back Up Your Data Systems

Public-facing digital services, such as an online campground reservation system, increase cybersecurity risks for both customers and agencies. A system with large volumes of activity will be more attractive for hackers. Consumers should always use a designated credit card (not a debit card) and monitor it with guidelines from the Federal Trade Commission (FTC) to avoid fraudulent charges and identity theft.

Agencies with IT systems that contain data, either personal or financial, should take every precaution to keep it secure and reliably accessible. The best way to keep data safe and easy to access is by standardizing and backing up your department’s IT systems.

A strong backup and recovery system can help protect against ransomware, which attackers use to prey upon victims by encrypting their data and charging a hefty ransom to decode the information.

There are numerous reputable products and services to help protect against threats. Investing both time and resources into cybersecurity will benefit not just agencies but also those they serve.

CALIFORNIA’S NOTIFICATION AND RESPONSE RULES FOR PFAS

By Christine M. Carson and Alondra Espinosa, Aleshire & Wynder, LLP

On July 31, 2019, Assembly Bill 756 became law, authorizing the State Water Resources Control Board (“SWRCB”) to order public water systems to monitor perfluoroalkyl and polyfluoroalkyl substances, commonly called “PFAS.” This article provides a summary of California’s notification and response rules for PFAS as of March 5, 2021.

Concerns Over PFAS

Perfluorooctanoic acid (“PFOA”) and Perfluorooctanesulfonic acid (“PFOS”) are fluorinated organic chemicals that are part of a larger group of chemicals referred to as per- and poly-fluoroalkyl substances (“PFAS”). These substances are found in products such as fire-retarding foam, carpets, fabrics, food packaging, and materials designed to be waterproof, stain-resistant or non-stick.

Perfluorobutane Sulfonic Acid (“PFBS”), developed to replace PFOS, is a type of PFAS. PFBS is a four-carbon fluorocarbon with a functional group that acts as an anionic surfactant and can be used in commercial products to offer water- and stain-repellent properties.

People are exposed to PFAS through food, food packaging, consumer products, household dust, and drinking water. Exposure through drinking water has become a concern due to the tendency of PFAS to accumulate in groundwater. Such contamination is typically localized and associated with a facility where these substances were manufactured or used.

Notification and Response Levels

Health and Safety Code Section 116271 delegates to the Division of Drinking Water’s (“DDW”) Deputy Director the authority to issue a notification level (“NL”) under Health and Safety Code Section 116455. NLs are health-based advisory level standards that are established for chemicals not formally regulated through maximum contamination levels (“MCLs”). When contaminants exceed the NL, DDW requires the public agency to make certain notifications. When contaminants exceed the response level (“RL”), DDW recommends removing the drinking water source from service.

In August 2019, the DDW NLs were set at 5.1 parts per trillion for PFOA and 6.5 parts per trillion for PFOS. In February 2020, the RLs for these contaminants were set at 10 (for PFOA) and 40 (for PFOS) parts per trillion individually or combined.

On March 5, 2021, DDW set an NL of 0.5 parts per billion (“ppb”) and an RL of 5 ppb for PFBS.

Notification Requirements

The law requires public water systems to report the presence of PFAS as follows:

Order: If the SWRCB issues a testing order, the public water system must submit the results electronically to the SWRCB as stated in the order.

Consumer Confidence Report Notification: If the test results confirm a detection, a public water system must report that detection in its consumer confidence report, unless the water source is taken out of use or subsequent data shows the RL is no longer being exceeded.

Section 116455 Notification: PFAS that reaches NL or RL must be reported pursuant to Health and Safety Section 116455. Section 116455 states a public water system must provide notification within 30 days after it is informed of a confirmed detection that is in excess of the NL or RL as follows:

• Wholesale System: If the public water system is a wholesale system, the operator of the wholesale system must notify the wholesale system’s governing body and the water systems that are directly supplied with that drinking water. If the wholesale system is a water company regulated by the California Public Utilities Commission (“CPUC”), the wholesale system must also notify the CPUC. The CPUC may order further action not inconsistent with the regulations of the SWRCB.
• Retail System: If the public water system is a retail water system, the operator of that system must notify the retail system’s governing body and the governing body of any local agency whose jurisdiction includes areas supplied with drinking water by the retail system. If the retail water system is a water company regulated by the CPUC, then the retail water system must also notify the CPUC. The CPUC may order further action not inconsistent with the regulations of the SWRCB.

PFAS Exceeding Response Level: When PFAS tests exceed an RL, a public water system must (1) take the water source out of use or (2) provide public notification within 30 days of the confirmed detection. Public water systems must:

• Mail or directly deliver notice to each customer receiving a bill, including those that provide drinking water, and to other service connections to which water is delivered by the water system;
• Email a notice to each customer of the water system;
• Post a notice on its website; and
• Use one or more of the following methods to reach persons not likely to be reached by the notice provided by mail:

1. Publish a notice in a local newspaper for at least seven days;
2. Post a notice in public places served by the water system for at least seven days;
3. Post a notice on an appropriate social media site for at least seven days; or
4. Deliver a notice to community organizations.

Information to Be Contained In Notices

AB 756 outlines information that must be contained in the above required notices, including but not limited to the following:

• A statement that there was a confirmed detection above the RL, the numeric level of the applicable RL, and the level of the confirmed detection;
• A description of the potential adverse health effects as identified by the SWRCB in establishing the NL or RL;
• The population at risk, including subpopulations particularly vulnerable;
• The name, business address, and phone number of the water system owner, operator, or designee, as a source of additional information concerning the notice;
• A statement encouraging the recipient to distribute the notice to others served, using standard language from the statute.
• The notice must contain information in English and Spanish and not contain language that minimizes or contradicts the information provided.

Additional information on the federal response, as well as California and other states’ responses to PFAS, was provided at the CSDA April 20, 2021 panel discussion we moderated on PFAS. The recording of this webinar, “A Legislative, Legal and Local Response to PFAS 2021,” is available on-demand at csda.net under the “Learn” tab.
