Aurora, Illinois

File #: 24-0859    Version: 1 Name:
Type: Resolution Status: Passed
File created: 11/4/2024 In control: City Council
On agenda: 1/28/2025 Final action: 1/28/2025
Title: A Resolution requesting implementation of a Privacy Readiness Review by Class-LLC, Atlanta, GA for a total amount not to exceed $100,000.00.
Attachments: 1. Privacy-Program-Final-Briefing-Packet-Aug-2024.pdf, 2. Final City of Aurora IL Privacy Program Management Contract 12 10 2024.pdf, 3. 24-0859-PrivacyReadinessReview.pdf

TO: Mayor Richard C. Irvin

FROM: Michael R Pegues, Chief Information Officer
Leela Karumuri, Director Cyber & Technology Risk
Mark Taghap, Chief Information Security Officer

DATE: December 9, 2024

 

SUBJECT:

A Resolution requesting implementation of a Privacy Readiness Review by Class-LLC, Atlanta, GA for a total amount not to exceed $100,000.00.

 

PURPOSE:

To ensure that the management of Personally Identifiable Information (PII) in systems owned or controlled by the City complies with the State, national, and global privacy regulations governing the collection, processing, and sharing of personal information.

 

BACKGROUND:

The key benefits of a Privacy Readiness Review (PRR) include improved security, reduced risk of data breaches, the ability to easily detect and respond to threats, improved data protection, simplified operations and increased trust and transparency between organizations and their customers.

 

According to the Criminal Justice Information Services (CJIS) Technical Security Audit Cycle 24 completed by the Aurora Police Department (APD), the City is required to comply with State and local privacy rules and to ensure appropriate controls are applied when handling PII extracted from Criminal Justice Information Services systems.

 

Resolution R22-218 approved a Payment Card Industry (PCI) compliance assessment completed by Crowe, LLC. The results of that assessment recommended that the City establish and implement a Data Privacy Program regarding all sensitive information, including cardholder data. Crowe recommended that this program include an assigned team, privacy impact assessments, policies and procedures for protecting sensitive data, and continuous monitoring of privacy controls, and that it be revisited and updated.

 

DISCUSSION:

City IT staff engaged Marketplace.city to find a suitable partner to perform a PRR.  Staff desired to find a leader that could guide the development and deployment of a global privacy strategy for the City of Aurora.  Details of the selection process can be found in the briefing packet attached to this resolution.

 

The Marketplace Clearbox process sequence was followed to find a partner:

 

-- Marketplace created a Market Landscape with a dozen potential companies.

-- Drafted an RFQ document based on the needs of the IT Department and the Director of Cyber & Technology Risk.

-- Based on the market landscape and City Stakeholder review, Marketplace.city publicly posted and distributed the Opportunity and Scope Document for vendors to complete in order to be included in the reporting and selection process.

      -- The RFP was posted and distributed on 5/10/23 and closed 5/31/23.

-- There were 8 responses completed by the deadline.

-- Several submissions were far beyond the projected budget or had very long implementation timelines. Upon further review of the submissions by City IT staff, three vendors were invited to meet: CLASS-LLC, Kuma, and QurityTech.

-- Post-demonstrations, the team reconvened and determined the strongest proposals were from CLASS-LLC & Kuma.

 

The project team confirmed with both finalists the ability to segment the engagement into distinct phases: 1) an Assessment of Aurora’s current landscape and 2) the standing up of a privacy program. Expensive ongoing maintenance was deemed unnecessary. With this confirmed, both vendors were given the opportunity to clarify their final pricing structure.

 

The project team submitted final scoring and selected CLASS-LLC.

 

This resolution requests that CLASS-LLC be engaged to conduct a Privacy Readiness Review to evaluate the effectiveness of documented controls and the overarching program required to protect personal information as required by all applicable contracts and regulations.

 

Similar to what was performed after the PCI compliance assessment, the Privacy Readiness Review will provide City staff with a current assessment of COA systems and potential remediation. Services will include:

 

-- Inventory of all COA systems that interact with PII

-- Privacy impact assessment on all COA systems with PII

-- Audit of current procedures and controls against applicable legal requirements

-- Documentation of Identified Deficiencies

 

Staff will return to Council with results and recommended Phase 2 Management Activities.

 

Continued discussions with Marketplace since the initial RFQ have shown no substantial change to the landscape of potential partners in this space, and CLASS-LLC guarantees the same pricing and services as provided in the original RFQ. City IT staff is confident that the expertise CLASS-LLC provides will be invaluable, especially in the field of privacy, where the US is still working to establish comprehensive policies similar to the General Data Protection Regulation (GDPR) of the European Union. GDPR sets strict rules for handling personal data, and staff is confident in CLASS-LLC's capabilities to support the City's Privacy Management Program effectively.

 

CLASS-LLC is an expert in privacy program management and is an official training partner of the International Association of Privacy Professionals (IAPP). CLASS-LLC has performed Privacy Readiness Reviews for local, national, and international organizations.

 

CLASS-LLC was also instrumental in the design and delivery of the cybersecurity program that City staff follow today. CLASS-LLC staff and key stakeholders at the City are familiar with one another after numerous security and emergency management presentations provided during the past few years.

 

A full Privacy Program Management solution aligns with data governance efforts and ensures that the City is managing personal information in a way that complies with State, federal, and international privacy laws.

 

This expense has been approved as part of the 2025 budget. Funds will be available in account 101-1283-419.32-80 Professional fees/Consulting.

 

IMPACT STATEMENT:

If a data breach occurs and the City is not compliant, the City is at risk of fines and penalties of up to $500,000 per incident.

 

The reputation of the City of Aurora will be impacted if a data breach occurs and personal information is exposed.

 

RECOMMENDATIONS:

That the proposed resolution be adopted.

 

 

cc:                     Infrastructure & Technology Committee

 

CITY OF AURORA, ILLINOIS

 

RESOLUTION NO. _________

DATE OF PASSAGE ________________

A Resolution requesting implementation of a Privacy Readiness Review by Class-LLC, Atlanta, GA for a total amount not to exceed $100,000.00.

WHEREAS, the City of Aurora has a population of more than 25,000 persons and is, therefore, a home rule unit under subsection (a) of Section 6 of Article VII of the Illinois Constitution of 1970; and

 

WHEREAS, subject to said Section, a home rule unit may exercise any power and perform any function pertaining to its government and affairs for the protection of the public health, safety, morals, and welfare; and

 

WHEREAS, the management of Personally Identifiable Information (PII) in systems owned or controlled by the City is required to comply with the State, national, and global privacy regulations governing the collection, processing, and sharing of personal information; and

 

WHEREAS, according to CJIS Technical Security Audit Cycle 24, the City is required to comply with State and local privacy rules that ensure appropriate controls are applied when handling PII extracted from Criminal Justice Systems; and

 

WHEREAS, during the PCI audit, Crowe LLC recommended establishing and implementing a Data Privacy Program regarding all sensitive information, including cardholder data. This program should include an assigned team, privacy impact assessments, policies and procedures for protecting sensitive data, and continuous monitoring of privacy controls, and should be revisited and updated regularly; and

 

WHEREAS, City staff enlisted Marketplace.city to perform both a Request for Qualifications and a follow-on Request for Proposal, and this process resulted in CLASS-LLC being chosen as the firm to perform a Privacy Readiness Review; and

 

WHEREAS, this expense has been approved as part of the 2025 budget and funds will be available in account 101-1283-419.32-80 Professional fees/Consulting for this purpose.

 

NOW, THEREFORE, BE IT RESOLVED by the City Council of the City of Aurora, Illinois, as follows: the Director of Purchasing is hereby authorized to issue purchase orders for services described in this resolution and as more fully set forth in the contract attached hereto.