Vendor Information Security Posture - Arkansas Surveillance Wiki

# Vendor Information Security Posture The set of claims a surveillance vendor makes about the security of the data it collects and stores on a customer agency's behalf — security certifications, breach history, vulnerability handling — together with how those claims are distributed and contested. In the corpus the posture is [[Flock Safety, Inc.]]'s. It matters because the agency holds the vendor's assurances rather than an independent assessment, and because elected officials asked about it directly. ## How it appears in the corpus - **The "Security Claims and Facts" one-pager.** When the [[Conway City Council]] asked Conway PD in April 2026 "specifically about information security and if Flock has ever had any data breaches," the agency turned to the vendor; Flock CSM [[Gena Hatch]] replied with talking points and an attached "Flock Safety Security Claims and Facts" PDF ([[Flock Cameras Apr 2026 City Council QA Thread]]). The one-pager asserts ISO 27001 certification, SOC 2 Type II, NIST 800-53, "Secure By Design" alignment with CISA principles, multi-factor authentication as a default since November 2024, and — centrally — that "Flock has not experienced a data breach or been hacked." - **Proactive political-defense messaging.** [[Vendor PR and Political Communications]] documents Flock distributing the same defensive content proactively as broadcast emails — most notably "Fact Check: No Hack" — rebutting an independent researcher's vulnerability claim. The corpus thus shows the vendor's security posture circulating in two forms: proactive PR broadcasts and reactive talking points handed to a customer facing public questions. - **The vendor's framing of the FOIA pathway.** In the same Council reply, Flock characterized media coverage of Flock data as "based on audit-log information that certain agencies themselves released in response to public-records / FOIA requests" — locating the disclosure pathway with the agency rather than the vendor. - **Insurance as a financial backstop.** Flock's Certificate of Liability Insurance, attached to [[Flock Safety Past Due Balance INV-81961]], carries Errors & Omissions / Cyber coverage — the financial-liability layer behind the security assurances. ## Stakeholders - **[[Flock Safety, Inc.]]** — the vendor making the claims. - **[[Conway City Council]]** — the elected body that asked the data-breach question. - **[[Conway Police Department]]** — the agency that relayed the vendor's answer rather than producing an independent assessment. ## Timeline - 2024 — an independent researcher's disclosure of a Flock camera vulnerability (the "YouTuber" claim Flock obliquely rebuts); not independently verified within the corpus. - 2024-11 — Flock makes multi-factor authentication a default for all users (per the vendor one-pager). - 2025 — Flock's "Fact Check: No Hack" broadcast circulates to customers. - 2026-04 — the Council's questions and Flock's "Security Claims and Facts" reply. ## Notes - Every security claim recorded here is **vendor-asserted** and is not independently verified within the wiki. The corpus documents what Flock said; it does not establish that the claims are accurate. Independent verification — public CVE databases, the substance of the researcher disclosure, news coverage — is a Tier-2/3 web-research task outside the scope of this corpus-internal page. - The posture sits adjacent to [[CJIS Compliance]] (the criminal-justice-information security regime) and to [[Flock Audit Logs and Retention]] (the audit-log changes Flock framed in security terms).