Does the Rise of AI Mean Public Libraries Should Stop Posting Policies to Ensure Security?

Question

Hello,

We have had a huge increase in AI bots on our member library websites. My concern is that internal policies linked on member websites will be “learned” by AI and linked (cited) back to that member library. I’m concerned that members might have their Emergency Action Plan in their Personnel Policy Manual, and that financial controls could be used by ransomware hackers. We go by the following list to define internal and external policies: https://nyslibrary.libguides.com/Handbook-Library-Trustees/policy-checklist

Would it be a “good practice” to not post internal policies online? If there are a few internal policies that you feel should be posted online, would it be best to say online that you have the policy, but please contact the director (or library) for the file/print copy? That way, AI won’t be trained on the policy.

Thank you!

Answer

The concerns raised by the member are valid: absolutely, artificial intelligence (AI) or real people can use published documents, including policies, to exploit a target.

What’s interesting is that this issue actually pre-dates AI; it emerged early in the Internet era, when (often nefarious) people would use information published on websites—what is now called open-source intelligence (OSINT) gathering—along with other techniques to exploit targets.

Here is a fictional example:

A business’s website includes its visitor protocol, photos of the interior of its office, and its fiscal policy. A would-be thief we’ll call “Cooper” reviews the protocol, assesses the office interior, and uses the information to gain access to a manager’s office, where Cooper acquires the serial number of a computer. Cooper then calls that office pretending to be IT (the serial number makes the impersonation convincing) and obtains a username and password for the business’s online banking system, which Cooper uses to access the accounts described in the fiscal policy.

Poof! Money gone.

To guard against this, many businesses take a careful risk management approach to what they publish (and hopefully admonish people who put their passwords on Post-its).

However, anyone who reads the news knows that financial fraud based on social engineering and computer intrusion is only going up, and artificial intelligence is helping with those attacks.

So, is it time to stop publishing public library policies and other documents?

No.

Published policies—even fiscal controls that set out the process for validating checks and the maximum amount of cash to keep in a safe—are not a skeleton key for hackers (AI or otherwise).

Of course, public institutions have always had to be careful about what information they make available. Staging areas and other resources for responding to terrorism and active shooters must be restricted to avoid exploitation by would-be attackers. Bank account numbers and other account-specific information should not be published. Computer passwords, the location of servers, and other sensitive information should be restricted. These considerations should be made in the drafting phase, not when the policy is ready for publication.

That said, because many of their records are FOILable,[1] public libraries should not rely on restricting access to them for security (that is, on security through obscurity).

Rather, all public library workers and trustees with any part to play in data, financial, and physical security should be trained in the following:[2]

  • Never provide their password to anyone;
  • Follow fiscal controls at all times;
  • Follow all IT security rules at all times;
  • Notify the IT provider in the event of a suspected data breach, virus, or attack;
  • Never allow unauthorized people into restricted areas;
  • Report lost keys immediately;
  • Secure password lists;
  • Never access sensitive information on personally owned devices (like the bank account’s username and password on a director’s cell phone);
  • Immediately report and document all outside requests for system and/or fiscal information (passwords, location of servers, banking information);
  • Remember that big hacks/ransomware attacks usually start with human failure (giving out a password, leaving things logged in, loss of a device).

So, are the member’s concerns valid? YES. Exploitive people can use AI to find, copy, and use your library’s policies in an attempt to gain access to critical systems.

BUT, if the policies are not published, such people can look up public grant information, building records, or meeting minutes to make themselves sound legitimate for a different social engineering scheme. And if your policies are not available to your community, your library runs the risk of being accused of a lack of transparency.

Instead of restricting access to policies, libraries should develop policies that help prevent the library’s financial exploitation.

For example, a public library’s financial policies should prescribe appropriate internal controls and appropriate use of technology to verify transactions before they become irrevocable. For this, the newly released (2025) local government guidance from the New York State Comptroller is excellent.[3] This is mandatory reading for all public library treasurers, controllers, CFOs, accountants, bookkeepers, and directors.

In the same vein, IT policy should include either adequate internal resources to routinely update security and train employees, or a contract with a provider that offers the same assurance (for many public libraries, this is the role of the library system, and it is an increasingly complex and costly role).

While care in drafting policy is important, the essential elements of avoiding ransomware and other attacks are routine updates to security measures and routine training of people to NOT BE FOOLED.

With the right training and adequate security, AI-powered or good ol’-fashioned hackers will have a tough time getting through, even if they try to use your own policy against you.[4] Train your people, and you don’t have to worry (too much) about training AI.

Now, if we want to talk about putting things behind a log-in to avoid misappropriation of content for the general good of society, that’s another story…

… for another “Ask the Lawyer.”[5]

Thanks for a great question!


[1] And yes, hackers know how to use the Freedom of Information Law.

[2] This is not an exhaustive or professionally phrased list, but it’s the gist of things.

[3] Cash Management Technology, Office of the State Comptroller (https://www.osc.ny.gov/files/local-government/publications/pdf/cash-management-technology.pdf).

[4] Nothing is fool proof, however, so the board should also annually verify that there is adequate insurance for loss due to ransomware and other cyber-attacks or failures.

[5] It is possible we are long past the end of the “open internet,” and more things need to be restricted, both for legal and operational reasons. Hopefully we’ll get a question about that soon, because I have a lot to say.