CA DOJ Begins Auditing Youth Organizations’ CORI Security

What you need to know about the Audit

Max H Herr

5/1/2023 (4 min read)

Live Scan and the information it may produce are critical to compliance with AB506, and the privacy rights of the persons whose information the church obtains are also of great importance. Learning how to deal with that information is no small matter.

A little over one year into the matter of compliance with AB506, the California Department of Justice (CA DOJ) has recently begun administering compliance audits of the practices of Custodians of Record and the handling of confidential Criminal Offender Record Information (“CORI”). As I first indicated to churches in late 2021 and early 2022, compliance with AB506 was not going to be a simple matter, and the content of the “Audit Assessment #1” – a self-report of how an “Applicant Agency” handles its responsibilities under the law – confirms that my early guidance was accurate.

When churches first began contacting me about the steps needed to comply with the Live Scan requirements of AB506, I was telling them that this would require setting up a completely independent computer that would be stored separately under lock and key, and that a secure email account would be needed. The audit makes clear that those requirements are among the bare minimums. Much more is actually necessary.

Last week, I assisted a church in Yuba City to successfully navigate the intricacies of its first such audit. Although the church was not entirely compliant with its responsibilities, it was close enough that there were only two relatively minor corrective actions or clarifications that needed to be implemented.

The Audit Assessment #1 is primarily concerned with the overall security of the data that churches receive and limiting access to it. This is no small matter. I would venture to guess that many, if not most, churches are far from compliant when it comes to that data and the written policies and procedures that need to be in place.

The Audit itself is arranged in nine sections. The first three are simple and administrative: Administrative Information (2 questions), Applicant Notification (1 question), and Information Exchange Agreement (1 primary question + 4 subsequent questions). The remaining six are more specific and oriented toward actual practices as well as policies and procedures: Security Awareness Training (1 question), Incident Response (1 question), Access Control (2 primary questions + 1 subsequent question), Media Protection (3 questions), Physical Protection (1 question), and Personnel Security (3 primary questions + 1 subsequent question). There are no “wrong” answers to this audit, but there are definitely preferred answers. Answering “No” to those questions specifically addressing practices and policies and procedures could result in a visit from a CA DOJ employee.

For example, your church may not be aware that a requirement of the CA DOJ relative to Live Scan is notification within five days when an employee or volunteer is “no longer working” for the church, or if an “applicant” for employment or a child-facing volunteer position is not “retained for the position applied for.” The church will be asked if such applicants or volunteers are provided with the required “privacy notice” prior to fingerprinting.

Other concerns have to do with “unescorted access” to the area where CORI is stored. If your church has not established a separate and secure location – for example, if it uses the main office computer to store CORI alongside routine church data – it obviously has a problem with “unescorted access,” because the office is, effectively, open to all manner of persons. One question asks: “Does your agency ensure all personnel with unescorted access to CORI have completed security awareness training within six months of assignment and at least every two years thereafter?”

If the church office is where the CORI is stored, this means security training for every person who could enter that office . . . pastor, staff, and volunteers. Wouldn’t it be much simpler to have a separate, locked location to which no one else has access? Does your church even have such a place available?

You will be asked: “Has your agency established incident reporting procedures to ensure the protection of CORI?” Probably not. And then: “Does your agency allow personally owned devices to access, process, store, or transmit CORI?” If the answer to this is “Yes,” an additional question surfaces concerning the “documented procedures in place, outlining the terms and conditions for the use of these devices.” Does your church allow the Custodian of Records to operate from home, for example, using her own computer? What happens if that computer is stolen? How is it secured from unauthorized access? These are just a few of many concerns when the CORI is not on-site at the church in a separate locked room.

All three questions concerning “Media Protection” deal with written policies and procedures concerning protection and destruction of CORI media (hard copies) and for the “sanitization and destruction” of hard drives, thumb drives, and other digital media storage devices. These are things most churches may not have stopped to consider.

You will be asked: “Does your agency have a written policy that describes physical protections and procedures related to the implementation of a physically secure location or controlled area?” Is your CORI even housed in a “physically secure or controlled area?”

The final question in the Audit is: “Does your agency have a written policy for the discipline of personnel failing to comply with established information security policies and procedures (i.e. misuse of the system)?” Probably not.

When a question comes my way concerning how a church needs to deal with a certain challenge, I often ask, “What’s your written policy on that subject say?” Unfortunately, in most instances, the answer is, “We don’t have one.” Sometimes, the caller will add, “But everyone knows what the policy is.”

To that, I always reply, “If you don’t have it in writing, all you have are pleasant thoughts.” Ask ten different persons what the policy is, and you might get as many as ten different answers.

For many years, I have tried to guide churches and expose their need for written policies and procedures that govern how the church conducts its business. To their detriment, the overwhelming majority of churches don’t have a Policies & Procedures Manual. As a testament to this, I have only one sample of a church’s Policies & Procedures Manual in my files . . . and it’s the one from my former church that I converted from a collection of odds and ends into a single PDF more than five years ago. It wasn’t perfect then, and I’m sure it’s long since out of date . . . but it is a reasonable starting point.

I do have sample policies for “sanitization and destruction of digital media” and other Live Scan related items, and I can help guide your church when it comes to the other policies and procedures needed relative to Live Scan. As for the AB506 General Operating Policies & Procedures your Youth Organization needs in general, I can help with those, too.

For more information . . . just give me a call at 909-618-4841 or send an email to max@churchandministrycompliance.org. There is absolutely no cost for my help.