The digital revolution has changed the way Long Islanders pay for government services ranging from property taxes to sanitation fees, but inconsistent internet security on municipal websites can attract hackers and challenge officials to balance convenience with security.
The Village of Northport recently launched online payments for real estate taxes using a secure third-party portal, joining other municipalities such as the City of Long Beach that offer digital services for residents. Other villages such as Head of the Harbor and Asharoken have decided the risks outweigh the benefits and maintain deliberately minimal websites.
Internet security issues have plagued many governments, including large cities with dedicated IT staff.
Last year, an online attack on Atlanta’s network cost the city government millions to upgrade its tech infrastructure after hackers crippled the municipal computer network and demanded to be paid more than $51,000 in cryptocurrency for restoration, according to news reports at the time.
In May, Baltimore's city network was similarly attacked by hackers seeking a $100,000 ransom.
In 2017, Brookhaven’s town website was hacked by a group that added a page with pro-ISIS messages to brookhavenny.gov. The pro-ISIS page was not visible to site visitors.
“Brookhaven Town has worked together with federal, state and cyber-law enforcement officials, and have taken a number of actions internally and with external vendors to provide security to our website and data,” town spokesman Jack Krieger said in an emailed statement. “For obvious reasons, we do not comment on the specifics of these actions.”
Internet security experts say all government websites should make cybersecurity a top priority, no matter the extent of digital services provided.
“It's great to offer people convenience, but you have an absolute obligation for the PII — the personally identifiable data — of a constituency,” said Brian Rauer, general counsel for Metro NY Better Business Bureau, who has conducted internet security training for the Nassau County Village Officials Association. “The fact is, you can't sacrifice people’s security for convenience.”
That holds true even for small local governments that may not be able to pay for a dedicated IT department and must manage their websites themselves, he said.
“Whether it's municipalities or businesses, it's often with the best of intentions, [but] they simply don't know the breadth and the scope of what they have to do for proper security and proper privacy practices,” Rauer added. “They simply don't have the expertise.”
As Northport officials prepared to launch the real estate tax payment portal in March, they were unaware that the village's main website had security vulnerabilities.
“Your connection to this site is not secure. You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers,” a warning on Google’s Chrome browser read.
Northport trustee Mercy Smith, who is also the village's commissioner of information technology, said the village website was previously a simple digital billboard of information created and maintained by staffers, and updated internet security was considered unnecessary because the website did not gather personal data from visitors.
The new payment portal was added and operated by upstate-based Software Consulting Associates on a separate and secure website, Smith said. The entire village website was also upgraded with improved security by the time the tax portal was launched. The contract totaled $2,500.
“We are not collecting that data. We are not storing the personal info of the individual,” Smith said. “The [payment] link is going to a completely separate and secure website.”
Even small municipalities have purchased cybersecurity insurance in the event of data breaches or ransomware attacks.
Head of the Harbor village trustee Jeff Fischer, who is president of an IT company, said he asked the village board to pay $1,400 a year for cybersecurity insurance even though the village’s website simply lists information such as meeting calendars and permit forms.
“I wanted insurance for data breach and privacy security liability due to some sort of disaster, coverage for cyber extortion and hacker damage,” Fischer said. “We see it every day in the industry.”
Security experts say an unsecure government website could scare away potential users who want to protect their data.
“If I got a pop-up that said this website is not secure, I would be very leery of putting my credit card information into that site,” said Paul Hoffman, a senior program manager at the Center for Internet Security nonprofit near Albany where he advises governments on internet safety in partnership with the federal Department of Homeland Security.
“If you're going to be entrusting your financial data, your health data, anything that personally identifies you with your local government, you have to have faith that they can protect that data,” he said.
Federal government websites are governed by laws and policies that regulate privacy and security. New York state policies require notification of privacy breaches. And any website that accepts payments must meet privacy regulations to protect consumer data. But regulators have to race to stay ahead of internet hackers who are constantly innovating new scams, security experts said.
“If you don't have a large IT department, you're dealing with hackers who've been doing this for a long time,” Rauer of the Better Business Bureau said. “There's this unfortunate little dance that goes on where you have the regulators try to make sure they stay ahead of the hackers.”
For some of Long Island’s smallest villages, offering digital services isn't worth the risk of potential security breaches.
Asharoken Mayor Greg Letica said his village’s website was intentionally low-tech, focusing on information about recycling and charity events.
“The system that we're using seems to be working fine, so we don't have a lot of motivation to change it. We don't really have a lot of clamoring from our residents to do it,” Letica said of the village with about 654 residents. “With all the hacking and stuff, it's really not such a bad thing.”
Fischer, the Head of the Harbor trustee, called his village's limited website “a useful information tool if you want to know about village code.”
But Smith said she has a vision of Northport residents and government enjoying all the advantages of digital connectivity. “The ultimate goal is to be extremely interactive,” she said.
“I do see a lot of municipalities have chosen to not be as technologically advanced, and maybe it’s because they don’t want to deal with the compliance. So sometimes 'keep it simple' is easiest,” she added. “I look at it as we need to be able to deliver on the latest technology but at the same time, really take a cautious pace so that we do everything right the first time.”
Still, the village would be introduced to this new frontier slowly, Smith said. “We have a constituency that loves to come in” to Village Hall, she said. “So we don't want that small village feel to be overrun by the technology.”