The Perfect Compliance Storm
COVID-19 presented new challenges for the city of Durham, NC and their police department (PD), like it did for most organizations. New coronavirus-related policies and procedures only added to the 100+ memos they already send out on a yearly basis.
Being in the public sector, their staff are on the front lines, making it even more important to have a reliable method of creating, distributing, and tracking crucial information.
But then, as if the challenges of a pandemic weren’t enough, the city and PD suddenly found itself in the middle of a perfect compliance storm. A rare combination of circumstances that would be, in many ways, an accreditation manager’s worst nightmare.
On March 9, 2020, the Durham Police Department had an onsite compliance assessment scheduled. Just three days before that, on Friday March 6th, the city and county’s network got hacked.
In the middle of a pandemic, just three days before an onsite assessment, the city of Durham, NC suffered a malware attack.
In the aftermath of the attack, with zero access to phone lines, computers, and email, Durham PD was still able to host a successful onsite assessment. In the absence of email, they even found a way to communicate with employees until everything was back online.
How did they do it? While everything else was disabled, PowerDMS was not impacted by the ransomware.
In the rest of this article, we will explore how they did it, and how you too can protect your organization from the unknown. We will examine this in two parts:
Part 1: Durham PD’s compliance challenges and solution before the malware attack
Part 2: The City of Durham’s challenges and solution after the malware attack
Setting the Stage
Meet Diana, the accreditation manager for Durham PD. As the master administrator, she manages her department’s policies, procedures, and onsite assessments. Meaning she was at the tip of the spear when the city was hacked, along with the IT department.
Having used PowerDMS previously at the University of Delaware, Diana understood the benefits it could bring to Durham PD, who relied on paper, emails, and meetings to manage their accreditation process.
Challenges, Part 1: The Conventional Accreditation Process
Paper
With a paper-based system, all aspects of Durham PD’s accreditation process were manual. Common daily tasks like updating and collaborating on policies, getting sign-off, and accessing archived policies added time and effort to Diana’s already busy schedule.
The outdated system affected their Field Training Program (FTP) as well. Durham PD would experience backlogs of evaluation reports that needed to be reviewed and approved.
The process was slowed down by their manual workflow—the filing of reports and cyclical hand-offs between trainees, officers, and supervisors. Sometimes reports would even get misplaced, resulting in frustration and double work.
By relying on email, Durham PD’s ability to access, track, and collaborate on policies was limited. On any given day, Diana or her subject matter experts (SME) could receive upwards of 100 emails. If there was any lag in communication, or if an SME’s email account was disorganized, they had to filter through hundreds of emails to find the document.
Lawsuits
These challenges would reach a climax when a lawsuit was filed against Durham PD. The city attorney’s office would issue an RFPD (Request for Production of Documents), and the PD would have to provide evidence like the exact policy from a specific date, who signed off on it, etc.
This meant digging through file cabinets, binders, and old emails to find the requested documentation, hoping nothing had been accidentally deleted or misplaced.
Without a structured policy management system acting as a single source of truth, Durham PD was putting itself at risk of noncompliance, lawsuits, and security breaches. Fortunately, they were able to implement a secure compliance program long before the malware attack.
Solution, Part 1: The Modern Accreditation Process
Moving From Paper & Email to a Digital Solution
Durham PD and its 600+ users implemented PowerDMS in 2015. Since then, it has changed the way they manage accreditation.
Here are some of Diana’s favorite PowerDMS features and how they helped Durham PD leading up to the malware attack on the city:
Document Editing: Diana loves how her team can collaborate on the same, shared document without the hassle of combining edits from multiple sources.
Side-by-Side Comparison: Her SMEs often want to review past changes, who made them, and how they compare to the current draft. With revision tracking and side-by-side comparison, Durham PD can create simple and referenceable audit trails.
Automated Workflows: Diana likes having a single source to manage her crucial documents, which used to get lost in her busy inbox. Now she and other users can save time by assigning staff to approval workflows. With this feature, approvers are automatically notified when it’s their turn to review a document.
Policy Tracking: When distributing content to select groups, Diana can now track receipt and sign-off on each document, which protects the department from liability and employees from noncompliance.
Custom Groups: Diana has created hundreds of groups in the system, some overlapping, so she can easily distribute policies to the right people and track who has E-signed each one.
“The workflow process in PowerDMS makes [compliance management] a lot easier, particularly when doing a lot of heavy changes to documents…it makes it easier to pull separate pieces together into one complete picture.”
Diana - Accreditation Manager, Durham PD
Field Training Program
Durham PD moved the FTP evaluation and documentation process to PowerDMS as well, saving the training unit time and frustration. Officers now use workflows to process evaluation reports more efficiently. As a result, Durham PD was able to make reports immediately accessible when a trainee completes the program.
Protection From Lawsuits
With features like auto-archiving and version tracking, Durham PD can stay organized with a single, published version of each policy, knowing that all old versions are archived and available for future reference.
To save even more time, Diana gave two of their city attorneys access to PowerDMS, so they can go into Durham PD’s account and pull policies when necessary.
Challenges, Part 2: The Malware Attack
In the middle of a pandemic, just three days before an onsite assessment on March 9, 2020, the city of Durham suffered a ransomware attack.
What did the hackers want? You guessed it—money. But Durham refused to pay. Instead they went through their servers and reset the entire system to the latest uninfected backups.
But until everything was rebooted and secure, Durham had to pull their network down. Every single phone line, server, and computer was taken offline for the entire city and county. Every computer in the city had to be reimaged, and IT temporarily disabled everyone’s email.
What did this mean for Diana? For the duration of the onsite assessment, Diana didn’t have access to email, phone lines, digital calendars, WiFi, photocopiers, and more.
Everything was down. Except cloud-based systems like PowerDMS. Thanks to some quick thinking and a secure, digital platform for accessing and managing documents and accreditation files, Diana was able to lead a successful onsite assessment. How did she do it?
Solution, Part 2: Responding to Ransomware & COVID-19
On Monday morning after the Friday attack, the city held a meeting with employees to develop a response plan.
The city wasn’t using PowerDMS, just the police department. But Diana reminded everyone in the meeting that, as a policy communication platform, PowerDMS could help the city weather the storm.
“We still have PowerDMS,” Diana said in the meeting. “It’s a [policy] communication platform…people can access it from their phones and tablets without touching the network, and since PowerDMS hasn’t been compromised, we can use it to access and push out information.”
Diana - Accreditation Manager, Durham PD
With PowerDMS still secure and operational, city and county employees could access it from their phones and tablets without touching the network.
Diana created a Malware Response folder in PowerDMS, limiting editing access to certain groups like the Public Affairs team and executive staff. With these permissions, department leaders could upload, publish, and disseminate crucial documents to all their employees.
Once the city of Durham saw the benefits, the folder was repurposed to include their COVID-19 response as well. That way all vital announcements, policies, and procedures related to the malware attack and coronavirus could be easily distributed and tracked.
Two weeks after the attack, only half of the police department had email access. After about a month, everyone regained access. But with over 1,000 computers needing to be re-imaged, the IT department was backed up. This meant that, even a month out, many officers still didn’t have computers in their police vehicles and had to rely on their phones. During this time, they found the PowerDMS mobile app to be extremely helpful.
Field Reporting
Durham PD’s police reports, evidence, and more was processed through the records management system. With the network down, they needed to return to a paper-based system temporarily. Fortunately, they were able to access the form templates through PowerDMS, so the PD could still log evidence and reports via paper.
Daily Watch Reports
At the end of every shift, Durham PD’s Watch Commanders issue a Daily Watch Report, documenting the significant events that happened during their shift.
Before the malware attack, they would fill out the report in a Word document and email it to all relevant parties. PowerDMS integrates with Adobe and Microsoft Office, making it easy for them to create and edit documents with their preferred applications.
But without email access and without Microsoft Word on their phones and tablets, Durham PD had to find a workaround. Instead of using Word templates to fill out the Daily Watch Report, they created an HTML template and built drafts off of it to file and issue the daily reports.
Return on Investment
Before PowerDMS, Durham PD relied on meetings, email, and paper to manage compliance. Fortunately, they prepared for the unknown by implementing PowerDMS in 2015.
With COVID-19 disrupting in-person meetings and the malware attack disabling email (along with the entire network), Diana was able to keep essential operations running at her department, as well as the rest of the city and county:
Police officers were still able to access crucial policies and procedures in the field
The PD was still able complete required forms
Watch Commanders could still issue Daily Watch Reports
The PD could still communicate effectively with a remote workforce that needed to know how to respond to the malware attack and COVID-19
All of this helped the Durham Police Department keep their employees informed, healthy, and safe. And you can’t put a price on that.
In the middle of a perfect compliance storm, PowerDMS helped Durham PD stay afloat. If you want to protect your organization from the unknown—whether that’s a pandemic, a malware attack, or a lawsuit—learn more about PowerDMS today.