Loading...
HomeMy WebLinkAboutOIG No. 26-08 Policies on the Use of City Equipment and Resources Joseph M. Centorino, Inspector General Page 1 of 3 To: Eric Carpenter, City Manager From: Joseph M. Centorino, Inspector General Re: Review of Policies on the Use of City Equipment and Resources OIG No.: 26-08 Date: June 23, 2026 PREFACE This memorandum reviews the City’s policies regarding acceptable use of the City’s computer equipment, comparing the current policy (IT.01.02, Adopted 11.07.2025) with the previous policy (IT21.01, Adopted 09.2005, Updated 09.24.2018). The Office of the Inspector General (OIG) review raises concerns about the reduction of explicit guidelines for employees and the lack of internal controls in the current policy compared to the previous one. BACKGROUND The OIG has issued several investigative reports that led to the voluntary resignations of employees who operated or worked in private businesses during City work hours and/or used City resources, often including City computers, to support those businesses. These actions violated the City’s previous policy (IT.21.01) regarding the use of the City’s Email, Internet, Computer Systems, and Software Access, which explicitly prohibited conducting personal business or profit- making activities using City systems and included a penalties section outlining progressive discipline and potential civil and criminal consequences. The current policy (IT.01.02), issued in November 2025, updates provisions on cybersecurity, Bring Your Own Device (BYOD) segmentation, and Artificial Intelligence, but lacks explicit language prohibiting the use of City resources for personal business or profit-making activities. It also omits a penalties section, which makes enforcement uncertain. Similarly, the previous policy provided detailed information on protecting confidential information and restrictions on using City logos, insignias, uniforms, and vehicles on personal websites or social media without authorization, but this information is not clearly presented in the current policy. COMPARISON OF POLICY LANGUAGE The prior policy (IT.21.01) prohibited conducting personal business while using City resources, mandated approval for posting City logos or insignias on social media, and included detailed penalties. In contrast, the current policy (IT.01.02) only prohibits “personal commercial content or advertising,” without explicitly banning the operation of a business or profit-making activities using City resources. It lacks a dedicated governance section for City identifiers. Docusign Envelope ID: 9E6CBA5F-E7AC-8401-800D-560F5DA48952 Page 2 of 3 omits a penalties section, leaving only scattered references to disciplinary action for credential exposure or unlawful use. CONSEQUENCES OF OMITTING SPECIFIC PROVISIONS The absence of clear prohibitions and enforcement language poses significant risks. Employees might interpret these omissions as implied permission to run side businesses during work hours or to misuse City resources, leading to productivity loss, ethical violations, and damage to the City’s reputation. Unauthorized use of City logos or insignias on personal websites or social media can mislead the public and harm the City’s brand integrity. Additionally, the lack of a penalties section weakens deterrence, creates operational confusion for supervisors and HR, opens the door for defenses by wrongdoers, and makes disciplinary actions and/or litigation more complicated. CONFIDENTIALITY The current Acceptable Use policy includes general statements about confidentiality but omits specific operational safeguards from the previous policy. These omissions create risks of data breaches, compliance issues, and reputational damage. Key gaps include missing encryption rules for confidential emails and removable media, inadequate handling of personal identification information (PII), insufficient physical security measures, and unclear social media confidentiality policies. The policy also lacks a retention schedule, a clear privacy disclaimer, and penalties for confidentiality violations. These gaps increase the risk of violating federal and industry data-protection standards, and Florida privacy laws cause operational confusion and elevate legal risk. OIG RECOMMENDATIONS To address both acceptable use and confidentiality gaps in IT.01.02, the OIG recommends the following: • Clearly prohibit operating a personal business, engaging in profit-making activities, or participating in any unauthorized private enterprise using City time, systems, or resources. • Require prior written approval before posting City logos, insignias, uniforms, or images of City vehicles on personal websites or social media. • Require encryption for confidential emails and removable media, along with secure storage of sensitive data. • Prohibit sharing confidential or sensitive information on social media or personal websites. • Restrict the storing of City data on personal devices; enforce password complexity and MFA requirements. • Remind users that they have no expectation of privacy on their City computers or other City devices, and that all communications may be monitored and disclosed to the City Administration and law enforcement. • Ensure compliance with Chapter 119, Florida Statutes, and adhere to retention schedules for all electronic communications. • Add a section on penalties stating that violations may lead to progressive discipline, including termination and referral for civil or criminal investigation. CONCLUSION The lack of clear prohibitions on conducting personal business during City work hours, unauthorized use of City identifiers, and the absence of comprehensive confidentiality safeguards, along with the omission of a defined penalties provision, create significant compliance, operational, and reputational risks. Although some recommendations from the OIG may also apply to other City policies and may be referenced in other policy directives, IT.01.02 is especially important because it is the only policy that all new employees must review and acknowledge Docusign Envelope ID: 9E6CBA5F-E7AC-8401-800D-560F5DA48952 Page 3 of 3 during onboarding, and the only one that requires annual reaffirmation through mandatory IT training. Because of its key role in establishing universal expectations and holding employees accountable, the inclusion of these provisions in IT.01.02 is crucial for preventing misconduct, protecting City resources, safeguarding sensitive information, and upholding public trust. Respectfully submitted, _________________________________ __________________ Joseph M. Centorino, Inspector General Date _________________________________ _________________ Dylan Hughes, Investigator Date cc: Mark Taxis, Assistant City Manager David Martinez, Assistant City Manager Maria Hernandez, Assistant City Manager Ricardo Dopico, City Attorney Rafael Granado, City Clerk Frank Quintana, Director, Information Technology Marla Alpizar, Director, Human Resources OFFICE OF THE INSPECTOR GENERAL, City of Miami Beach 1130 Washington Avenue, 6th Floor, Miami Beach, FL 33139 Tel: 305.673.7020 • Fax: 305.587.2401 • Hotline: 786.897.1111 Email: CityofMiamiBeachOIG@miamibeachfl.gov Website: www.mbinspectorgeneral.com Docusign Envelope ID: 9E6CBA5F-E7AC-8401-800D-560F5DA48952 6/23/2026 | 12:52 PM EDT 6/23/2026 | 9:55 AM EDT