Back to the Jan-Feb 2025 issue

Can City Employees Accept Prizes When at Work-Related Events?

Gifts

Q: Can city employees accept prizes when at work-related events?

LMC: It’s unlikely. Elected and appointed “local officials” generally may not receive a gift from any “interested persons.” An interested person likely includes anyone who may provide goods or services to a city, such as engineers, attorneys, financial advisers, contractors, and salespersons. The state law definition of “gift” includes money, property (real or personal), or a service, given and received without the giver receiving something of equal or greater value in return. There are some exceptions, such as trinkets or mementos costing $5 or less. Cities can have more stringent gift policies than state law. All cities may accept gifts or donations that serve a public purpose with council approval.

Answered by Research Manager Amber Eisenschenk: aeisenschenk@lmc.org.

Leave Benefits

Q: What should cities look for as they update their leave policies to reflect the 2024 legislative changes to the earned sick and safe time law?

LMC: The earned sick and safe time (ESST) law received several updates during the 2024 legislative session. Starting Jan. 1, 2025, the ESST requirements (except for the requirements outlined in Minnesota Statutes, section 181.9446) have been expanded to other city-paid leave available to employees for personal illness or injury that exceeds the minimum ESST requirement amount.

A few factors to consider when reviewing city leave policies include, but are not limited to:

  • Eligible uses. Be sure that leave subject to ESST requirements is allowed for all ESST eligible uses outlined in Minnesota Statutes, section 181.9447.
  • Notice and documentation. For paid leave accrued before Jan. 1, 2024, employers have the option to apply their written notice and documentation requirements that were in place as of Dec. 31, 2023. Cities must ensure their benefits tracking systems are capable of isolating the leave accrued before this date and cannot require employees to use leave accrued after Jan. 1, 2024.
  • Sick leave. If your city has both a sick leave policy and ESST policy, beginning Jan. 1, 2025, the sick leave policy will need to meet or exceed the minimum ESST requirements, except for the accrual and carryover limits.

For more information, see LMC’s HR Reference Manual, Chapter 7 and the recently updated model personnel policy template at lmc.org/HR-Ch7-personnel.

Answered by HR Member Consultant Elise Heifort: eheifort@lmc.org.

Cybersecurity

Q: What are the different cybersecurity assessment options available for cities, and how can each option be used effectively?

LMC: Understanding cybersecurity preparedness and measurement options can be confusing, especially with varied vendor terminology. Here’s a quick guide to choosing the right method for your city, in order from least to most costly.

  • Vulnerability scans ($) — Computer controlled scans identify known vulnerabilities on network systems at a specific point in time. These one-time scans can quickly become out-of-date, so instead install a vulnerability scanning software or service that can perform automated scans on a routine basis. These are best used by IT staff on a weekly basis to prioritize updates and respond to critical risks.
  • Security maturity assessment ($$) — Similar to a financial audit, this assessment evaluates both technical controls and administrative policies on paper. Controls are benchmarked against industry best practices using frameworks like National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). The resulting analysis provides overall and category scores, which help leaders track improvement year-over-year and to prioritize cybersecurity investments. Consider performing self-assessments internally and hiring outside assessors to validate (or reset scores) every third year.
  • Network penetration test ($$$) — Penetration tests (pentests) simulate real-world attacks using human experts to target specific goals, such as accessing sensitive data or gaining administrator access. Types of pentests include white-box, gray-box, and black-box, each offering different levels of initial information to testers. Optional components can test physical security or employee susceptibility to social engineering. Pentests are most effective for prepared organizations with foundational security measures in place.

LMCIT offers expert consultant assistance in evaluating which cybersecurity services are best for your city. For support, contact Christian Torkelson at ctorkelson@lmc.org or (651) 281-1296.

Answered by Cybersecurity Loss Control Consultant Christian Torkelson: ctorkelson@lmc.org.