August 4, 2020

How regulatory agencies can avoid two dreaded words: data breach

It’s the kind of newspaper headline that public officials dread: “Fired unemployment director says administration didn’t respond quickly to data breach.”

It’s also the kind of headline GL Suite helps regulatory agencies prevent.

The headline and story appeared July 30 on the website of the Lexington Herald-Leader.  They relate to legislative testimony provided by Kentucky’s former unemployment office director, Muncie McNamara, who was fired in May after months of system backlogs generated by COVID-related claims.

According to McNamara, officials at the state’s Education and Workforce Development Cabinet failed to respond quickly to a data breach in the unemployment system in April. The breach, he claimed, allowed some users to see other people’s sensitive information.

Keeping sensitive data secure is a high priority for public agencies, whether they process unemployment claims, license physicians or oversee complex foster care systems. Agencies must ensure that only people with appropriate access can view confidential and personally identifiable information. And when breaches do happen, state security protocols usually require the notification of managers, who can then take appropriate mitigation measures.

The potential harm to those your agency regulates is significant, as is the potential harm to your agency’s reputation.

GL Suite, developed by former Oregon regulatory officials, is designed to prevent data breaches and to notify officials when certain records are viewed or modified.

How GL Suite prevents breaches

Standard GL Suite functionality allows the creation of a user group for each staff role and the establishment of precise security access for each user group.  Agencies decide which groups can create, view, edit and otherwise manipulate screens, fields and other data.

When role-based security isn’t enough, GL Suite also offers entity-level security. This higher level of security allows agencies to give users permission to access only specific entities within the system, such as a business or enforcement case. Key features of entity-level security include:

  • Users may access only specific entities within the system.
  • Main-screen search results will list only entities to which user has access.
  • All system outputs, including reports, exclude data for restricted records.

GL Suite also can be configured to send notifications automatically if designated records are viewed or modified. Notifications can occur in several formats, including email and employee dashboard notices.

How one GL Solutions client uses entity-level security

The Virginia Department of Behavioral Health and Developmental Services assigns regulated providers to staff according to geographical location. The agency uses entity-level security to ensure that staff see only case data related to those providers they have been assigned. By assigning providers and setting security in this fashion, the agency shields sensitive data from those who shouldn’t see it while reducing confusion for staff members. 

Related content