Government Performance and Finance Committee - Regular Meeting

Okay. Alright. I'd like

to call to order

the government performance finance committee meeting of 11/18/2025. Clerk, please call the roll.

Vice chair Bushnell. Present. Deputy mayor Daniels. Here.

She's here.

Here. Sorry.

Absent.

And chair Heinz.

Here. Alright. That one, public comment.

Alright.

So let's we'll begin with the person who's in

the chamber. Is that okay? Correct?

Sit down

for two minutes. My name is Kit Burns. I live on Hilltop, and I'm here to speak on item four, which is talking about the month before the city finance. And the reason I wanna bring that up is that there are items to that that are related that I think the city council should do, especially for a government performance and finance.

And one of the things that

I think about is just the monthly report. This although this is the monthly report, I would like to know about the annual report. When I say the annual report, would like something like, for example, multifamily tax exemption. I believe the city should report, do a full report, and share that with the citizens on an annual basis. And I suggest that that would occur in February, then give them

the month of January to pull

them together. Also, because we have so much discussion on home and Tacoma, I think it would be very important to have the planning department director give a report on that. How many permits did you have? How many units did you provide? When I say units, there's a difference between, say, a thousand permits, and then we provided so many multifamily affordable housing.

So I would like to see the city take that off. The other thing I wanted to speak about is related to budget, and that's related to the the the streets initiative too. That was a big disappointment on our council. I don't know what sort of after discussion was had. I don't know if there was even an after discussion, but I've met several council members at the time it was put out. I said, I've sat through multiple agencies from planning commission trafficking. And I said, I've heard the presentation,

but I never understood it. And it wasn't till I heard it from

the neighborhood council, you know,

that I got a better idea. I did pick up some things that shouldn't have been in One was it was permanent. Had it passed, it would be permanent. I think the voters should have a chance to renew it like he did. I was really disappointed too because, honestly, I've tried to wrack my brain. I've not I don't recall anybody on the council, and that would be from the mayor and all the members on the council, have actually made the presentation. It was the politicians that made the presentation, not the director of public works.

I think it was handled badly.

Final thing, and I'll wrap this up, is that I found out I don't know how many ballots were counted because the post office has been kind of in a mess for four years. But all the ballots that were handed in, I don't know if they were all council. And that measure only meant lost by 1,600 votes out of 34,000. So it had a chance to pass, but it was really, in my opinion,

very, very poorly. Yeah. K.

So those are some of my concerns regarding budget numbers. So thank you. Thank you. Alright.

Got someone online. April said. April, you have two minutes.

Hi. I just wanted to bring up an issue that's happening right now where I cannot hardly hear you. It sounds like you're all whispering, so I don't know if the microphones or something are not on.

Yeah. Thank you for that, April. We'll see

what we can we can do to

Turn off the mics. Maybe we'll just talk a little bit louder. But thank you for the I'll be working with city clerk to try to get that addressed. Thank you, April.

Okay.

Well, we're just gonna try to talk a little bit louder. I'll try to project my voice a little bit more, but thank you for letting us know, Nicole. We'll see if we can fix this. Make sure

the recording picks things up

as we go ahead. Alright.

With that, we'll move on to briefing item number one, which is the amendments to Thomas Code chapter six a dot one zero, general tax provisions, and chapter six eight dot three zero, business and occupational tax. Let's call on Danielle Larson in control of finance. So, miss Danielle's gonna get the point.

She's make the point.

It's good.

Thank you, chair Hines. Danielle Larson, tax and license manager. And I am here today to go over some proposed amendments to section six a, the tax code. We need to update definite tax definitions, which are mandatory as required by RCW thirty five one zero two, which is the BNO tax model ordinance, and I'll explain that a little more. Also, a few cleanup items, removing language no longer statutory applicable, and adding a definition of mailing to match our licensing code.

Next

slide. To background. Just give you a little background. So we currently have 53 cities in Washington State that impose a local business and occupation tax on gross receipts of businesses that engage in business in their city. Since 2004, cities with local B and O taxes have been required to adopt RCW thirty five one zero two language, which is titled the b and o tax model ordinance.

This model ordinance is has mandatory uniform provisions related to minimum threshold, tax classification definitions, engaging in business definition, and allocation and apportionment for activities occurring in more than one jurisdiction. This is intended to provide an easier environment for businesses to engage in this in Washington State when they're crossing over into different jurisdictions with b and o tax requirements so that they don't have to you know, 53 different regulations. Next slide. Go two more slides. Hold on.

Thank you. So in two thousand twenty five state legislative session, there was a senate bill fifty eight fourteen that was passed. This bill changed the definition of sale at retail and which is one of the mandatory tax qualifications in the model ordinance. This was intended or it primarily is intended for the state to generate additional sales tax revenues. So what they did, the seven bill fifty eight fourteen did was add several services to a retail sale that were used to be classified as a service.

There's a list there. I include advertising services, website development services, security armored car services, etcetera. Next slide. Because the tax classification definitions are mandatory in the model ordinance, we also need to update the Tacoma municipal code, definition of sale at retail. So what the proposed amendments include are, in summary, adding a new subsection to incorporate the changes to professional services, updating language related to custom software and customization of prewritten software, updating language related to digital goods and digital automated services, moving misplaced language to correct a typo, And in the definition of sale at wholesale, there is a language that parallels updates to software, so we're updating that as well.

Next slide. So the service activities are moving from service and other classification, which is a point 4% to the retailing classification, which is point 153%, are estimated to reduce the annual city b and o tax by approximately $600,000. However, the new retail sales tax the city will receive will negate the loss of b and o tax and provide a net positive in overall revenues to the general fund by approximately $2,000,000. So in addition to the increase in the general fund, the additional one tenth of 1% sales tax that the city has for mental health, affordable housing, to common crates, and the transportation benefit district, they will also each see an increase of approximately $200,000. With that, I am available for questions.

The plan would be to take this to first reading, December 2, the second reading, December 9, and an effective date of January 1.

K. Alright. Questions for Daniel. Bless you.

Thank you. The b and o tax on grocery receipts, is that all 52 cities do

it that in sick that same way as well, like, the collection?

They do. Yeah. It's all in grocery and stuff.

How many of those cities are also within Pierce County?

The Discessive Bureau tax? I have to I have to look at that for sure. I believe breast tumors. We have a mice that small rates. I have to look. I can get I can send you that information.

Yeah. I'm just curious. I've had I've had folks reach out that we're not super thrilled with the receipts

under the impression that we're the only city that doesn't. And I obviously, that's not the case. So I'm just curious about who and where. Maybe it's just geographic. So if you're only doing business in Pierce County, it would appear to be that case. We appear to be the case, but it sounds like there's

51 other cities that also do it.

So There are. There's 53 total across the state. And I will say that some cities generate the revenue in a different way. Now, for example, they do what's called per employee tax or license fee. Federal way does the same. So and that's a very high license fee based on the number of employees that are in the city. So there's some differences how to how cities generate the revenues through tax and licenses.

Okay. Great. Thank you. Great.

Deborah or Daniel, do have any questions?

I don't. I don't.

Okay. Thank you. So $600,000 decrease in tax, but 2,000,000 to the general fund, and then $800,000 to all the ones that we'll check the sales tax revenues. There's been a couple

lawsuits filed at the state

level about some change in sales tax. So when we make this change, those lawsuits go a certain

direction that would impact on these projections. Correct? It could. Yes. Alright.

And we're not, yeah, we're not doing anything other than just changing to match

what the statement has passed.

Yeah. Everything is mandatory other than my couple of cleanup Language. Okay.

Question. Thank you, chair. Just curious of a little

bit more context on lawsuits. Wasn't familiar with that.

There is one sale lawsuit over their security

company because security services did the sales act, but

they dropped that one.

It was one related to advertising. Was being filed. Oh, is it that that

like, all advertising is in the mail?

Online advertising.

Got it. Yeah. Okay. Right. So

that that one, what I'll do is we can once we start getting some revenues in and kind of understand we have a general idea what businesses are falling into this category and communicating with them. But once we kind of have an idea at the first of the year, we can give an estimate to budget of what the impact could be based on what they're already probably reporting sales tax wise and getting no tax. And so they can add to that if that happens.

And just for a reminder to myself, all sales taxes are made in the.

They give us our share back. Correct. Right.

So as the state raises changes the categories by

the sales tax, the percentage breaks out

still falls the same. Yes. Do do billboards have a sales tax when they when they go up?

I don't think so. I'd have to look.

Okay. Yeah. I the advertising one's a little quirky, and that portions of it are applicable to the sales tax and other portions aren't. So, like, the billboard itself would be. The artwork that goes into building it wouldn't be. So the way the rules are in DOR is written, it's really quirky, and it's not just as simple as everything applies or everything doesn't. Okay. And they've been changing their rules as they go since this was a pretty quick fix by the legislature, so we're trying to

keep up with exactly what all this means. Got it. My my mind immediately went down rapidly, So that's why

they're random questions. So thank you for that.

Yeah. And on top of the lawsuit that it's you know, potentially could change change how things are done, A lot of the rules that Department of Revenue created, some are temporary in nature. Some have given or they've given an extension to some people that contracts have already established prior to the change in law to April 1. There's a lot of

Messy.

Mess going on until April 1 and a little after. Right? Because the lawsuit, I'm sure, will take lots of

time to settle. So Thank you. Alright.

So with that, seeing no further questions,

I'll entertain the motion.

I move to forward the proposed amendments to Tacoma Municipal Code chapters six a point one zero and six a point three zero to

the full city council for consideration.

Second. Alright. Thank you. With that, we'll move on to our second agenda item, which is the SQF LLC telecommunications franchise agreement. Apologize for

the leaders in the office.

Thank you, chair Hines and GPFC members. Before you today is a 50 page franchise that Charles Lee and I negotiated with Sunny Austin, who's here from the Wireless Policy Group on behalf of her client, SQF LLC or Virta, as they will be doing business as. And we can go on to the next slide. SQF is a new provider here in the city of Tacoma and headquartered in Portland, Maine and operated in a number of Washington's already. Due to the Auburn case in 2001, state law does not allow us to collect franchise fees to be paid as part of this telecommunications franchise agreement.

Next page, please. This franchise has a ten year term, allows the provider to operate in the right of way and requires the necessary bonds, letter of credit, and insurance required by title 16 b and title 10. Next slide. And, Sunny, me if I'm wrong, but my research indicates that SQF also provides services under a separate name square foot in Marysville, Washington, and they own and develop telecommunication assets and public rights of way throughout The United States. Provides Sure

about that 1st Floor.

Oh, okay.

To look into

that. Alright.

That's what I found online on the SQF. But they're similar to Crown Castle in the sense that they build the infrastructure when they rent they rent it out, lease it out to your business providers. They're not residential. So next slide, please. So if your consideration approval today, we'll go to first reading on December 2 and final reading on January 6 due to the fact that there's no more meetings in after the sixteenth, and there has to be a fifteen day public comment period due to municipal code between the first reading and the final reading.

Publication with it began January 8, and the effective date would

be February eighth eighth of of twenty twenty twenty twenty six. '6.

And I can stand for any questions.

K. Any questions for Jack? This is

our seventh one this year.

Yeah. Somewhere in the fifth.

It's quite the hot market. Yeah. I know. All crazy.

Okay. Well,

get ready to answer any questions.

Okay.

No. Sorry.

Okay. So with that, I'll entertain the unless do you have a question

or or should chill? I I I have have a a

question. Question. Okay.

I was gonna I think I'm question it. Vice chairperson? I move

to forward the proposed telecommunications franchise agreement ordinance with SQF LLC to the Pol City Council for consideration.

Second.

Alright. So move the second. All those in favor signify by saying aye.

Aye. All

those opposed.

Alright. Motion carried out. Thank you. Thank you.

Okay. That completes our formal action of the meeting.

I'd like walk through the presentations. So item number three is our cybersecurity briefing.

Better reaching. Pretty good. Better reaching.

Better reaching. Very yeah. All better reaching the information technology department.

Good morning, councilmembers. Chairman Heinz. Here to present to you an update on our cybersecurity program, which I'm sure is the most exciting topic you'll hear today. Cybersecurity is a important part of IT technology, and it's a pleasure to share information with you about current state of cybersecurity and how we're addressing issues and the situations as we work through our IT agenda. Go ahead

and slip to the next slide.

The objectives for today is just to give you a quick cybersecurity program recap and update you on some of the twenty twenty five activities that we've been focused on, give you a picture of the current cybersecurity situation that we live in, and give you a heads up on our strategy and strategic plans. There's a lot of content in this deck that I'm probably going to lightly touch. So if you have any questions, feel free to interrupt me at any time and I'll take a deeper dive into those topic areas. Next slide. So just a recap of our information assurance program.

It's a IT line of business, and it has four products that we that our users consume out of our out of our program. Security assurance being the the engineering and the implementation of security technologies and controls and assisting with securing of new products and new projects that come into the organization. Our security operations folks are the ones that watch the wire, making sure that when events come up, they are handled, incidents that are addressed, and then if something is important to respond to, they dive in. They also look for threats that might exist in the environment and try to keep an eye on products that we already have that might contain bugs that somebody could exploit to get into our environment and manage the closure of those things. Another product is compliance coordination.

We help our departments to meet their compliance obligations, regulatory standards. We can assist with audits and assessments of our technical environment, and we develop policies and standards to meet any of those obligations. And then lastly, readiness and resilience is where we try to

teach

our folks in our organization about cyber security issues and prepare them to when those issues come to them address those things such as malicious emails that come in the organization and we also coordinate the practice of those things that we teach our employees and plan for the events that could occur if an incident were to hit us so that we're prepared to deal with those incidents. Next slide. We try to align our program with recognized standards and best practices. Famous quote I once heard is the wonderful thing about standards is that there are some to choose from. The couple that we try to focus on come from the National Institute of Standards and Technology.

They have a cybersecurity framework that we follow. Also, Center for Internet Security gives us a list of controls that are extremely effective or probably the most effective that most organizations need to implement their environment in order to be secure. And then, of course, our top priorities, keeping things operational and available, protecting data, confidentiality, integrity, and availability of information, meeting our regulatory and compliance requirements, and preparing to respond and recover should we get caught in an incident.

Next slide.

Highlights of the projects we've been working on for 2025. You can see security never sleeps. We're off awfully busy. And not to go into too much detail on all these, I am gonna point out just a couple of key ones. The Windows 11 upgrade was successfully completed in October.

All of our systems are previous Windows 10 version reached its end of support in October, and so we met that deadline by making sure that all of our systems have been upgraded so we can get bugs and security vulnerabilities fixed. Another, one I'd like to point out is our cybersecurity incident response plan project. We, brought in a consulting engagement to build that program. It was a citywide effort that involved general government, TPU folks, to make sure that we were had a plan in place in order to address major security event in my. And then the last one I wanna point out is our annual cybersecurity awareness training.

We all get to take it, and we reached our highest level of participation this year. 99% of all employees completed the annual training this year, so good milestone.

Let's go ahead

and move to the

next slide.

If

you were wondering why we still need to secure our environment, well, a good example is a city in Saint Paul, Minnesota. In July, they were hit with a ransomware attack. Group called the Interlock Ransomware Gang. This

is

a it's a criminal organization, and cybersecurity ransomware gangs are typically criminal organizations. It's not the person in their mom's basement, you know, that you might have a stereotypical thinking of. These folks make millions of dollars every year by extorting organizations. So you have Saint Paul. They claimed that they had stolen 600 or 60,000 records off of their file servers.

And after Saint Paul refused to pay, then they released those records to the public. In this particular case, they had to call out the Minnesota National Guard in order to help them investigate the incident. And their decision for not to pay the ransom was largely based on what the National Guard found, which was that there was really no critical information that was exposed.

So I think St. Paul was

particularly lucky in this in this event. However, they did have systems that were offline for a couple of months. I think when I built this slide, it was in back in September, and they still had systems that were offline. So that was, you know, almost a month and a half without the ability to pay bills online and so forth. Can you flip to the next slide, please?

And, of course, Tacoma is just as big a target as any other government agency. This is one of our metrics that we're able to pull off of some of our our security tools. This has to be for email messages. You can see that we had a volume of over 30,000 messages that were sent to our organization that were malicious, that contained some sort of malware, some sort of type of attack. We were able to, with the tools, at least address 99% of those messages that came through.

Nine actually, 99.96% of them, there were 13 messages that actually got through, which kind which tells us that we can't necessarily rely 100% on our tools. They're not 100% effective. And just to just to be clear, we were able to catch those last 13 before they had any impact on our environment. So, yeah, good takeaway from that. Next slide. A quick question on that one. Yeah. The

the ones that are caught is that someone reporting it to

you guys that didn't speak with a malicious nature or something that you guys have figured out yourself. We do rely on people to report messages. If they receive them and recognize them as being malicious, that's one of the one of the ways we do catch these things. In this case, we got an early alert from a sister organization. Actually, it's Mercer Island, I believe, where there were one of the accounts got taken over, and it was used to deliver more emails to using their distribution list and so forth.

That's how some of those messages ended up in Garmin. We did get early alert out of our system. And sometimes we do see those messages land. They actually get clicked on or executed through. And, fortunately, we have layers of tools that can catch the next step in that chain. Right? And we were our tools were able to catch the first one,

which informed us that we

can block all the rest of them.

Thank you. Yeah.

So what are they after? Most likely, they're after our credentials because it's much easier to to log in to our systems than it is to break in to our systems. So stealing our credentials, that's typically what they're after. Some of the message actually deliver ransomware or trigger some sort of remote access into our environment. But credential theft is the number one thing that we're that they were after.

So we are aware of this, and we address this largely through multifactor authentication. That's the use of the mobile app. You probably use it for your bank, and, certainly, if you are trying to remote into systems of the city, we have MFA tools in place to stop that or to to facilitate that.

Next slide.

So any when the attackers are successful, it does impact an organization. Currently well, IBM did a study, and they update this study every year. The current year, 2025, they're estimating it's average of a 168 per record that is breached. So if you count 280,000 utility customer records in our systems, That could potentially total to over $47,000,000 in in impact. And that impact can come in many forms.

Just hiring of professionals to help us through the breach. Post breach responses, we have to offer the victims credit monitoring, or we have to hire legal support to take legal actions taken against us. You have to notify affected parties, so notification, and then compliances can be fines or fees associated with that. The and then lost opportunity. We have to divert resources from important work that the city does in order to address these types of breaches.

Now that

number does not include any ransom payments. Payments. So some organizations choose to pay a ransom. More and more organizations are choosing not to pay a ransom simply because those ransoms often go to fund nation states in their activities. I think the Korean North Korean missile program is entirely funded by ransomware.

So it's it's very lucrative. So that's why many organizations choose not to pay the ransom. So it doesn't include ransom payments, and there are some other factors that it doesn't include as well. Also, other point I wanna make is our while the city does carry a certain amount amount of cyber insurance, it's certainly not enough to to account for the entire $47,000,000. Remember, the city is largely self insured.

So next slide.

Some trends that we're keeping an eye on and trying to address. Social engineering is, of course, the number one thread. I've already talked about those email messages, phishing messages. Smishing and vishing are just other forms of social engineering, very similar to to phishing, but smishing as SMS messages, and phishing is voice. And we're that is actually on

the

rise. There's at least one gang that has been very successful in convincing organizations. They'll call an organization's help desk pretending to be a person, an employee, say, I need my password reset, or they'll call an employee pretending to be the help desk saying, you need to let me in your computer. So very number one threat vector. Vulnerabilities, it is on the rise.

Missing software updates, patches, applications

that are end of support.

Your identity and permissions, I mentioned that attackers don't break in. They log in, and so grabbing those credentials and they don't necessarily have to grab through phishing. There's been so many data breaches recorded over the last ten or fifteen years if you think about all the notices you've got from your health care provider or Facebook just settled a big breach of millions of records that were stolen. All those collections of credentials that they have are all available on the dark web for people to utilize. And so those identities and permissions are often used as a way in trying to get away into an organization.

And then third parties, that is also on the rise. So they don't miss hackers aren't necessarily going after the organization itself. They will go after one of their suppliers. We use dozens of software applications such as Ariba, Acela, and so forth. And although there is a a lot of city data that is maintained in those applications, and that is a a good target for somebody who wants to attack the city to go after those those software applications.

And next slide. And, of course, AI makes everything worse. It makes it all more ease more easy for the attackers. It makes it faster. And as you can see up there, there are many ways to accelerate any of these particular threats that we see.

And AI itself becomes its own thread because when you enter information into an AI, that data could represent confidential information. And so attacking the AI is a way to get at city data or city information. And last slide, how we're going to be addressing this risk. They all take, you know, increased attention and investment in order to keep up with these trends. So with social engineering, we have to keep training our staff and our employees to recognize those phishing attempts and create playbooks where we recognize that how these attacks can take place.

We know how to respond when

they come in.

We have to broaden our scope when it comes to looking for vulnerabilities and keeping track of them and just being more particular about the kind of software and hardware that into our organization and making sure that it is actually of value and doesn't represent yet another place, an attack platform that that somebody can use to get in. Identities provisions, multifactor authentication, I've already mentioned. We can go on we can go further with that on premise logins and managing privileged accounts. Those are the admins, administrators that have the ability to get through a lot of systems and get access to a lot of data that not the ordinary user has access to managing those accounts is important. And then I mentioned third parties, supply chains, and so forth, keeping a good risk management program around this.

I think this is another thing that we will be addressing. And I think that's my last slide. If you do have any questions, I'm happy to take those. You can also reach out to me, any of those things, my office phone, my phone, my email, or Teams.

Do I shoot with you now?

It's good. Very thorough. I I think about this a lot. I don't really have any additional questions.

I I had thought about the insurance that you brought about. So,

yeah, I

think I I did the cybersecurity training,

I think, probably one of the last ones because I was procrastinating. And I thought it was pretty good and thorough, and I'm glad that we're continuing updating that. When I was with the the DOD, used the same cybersecurity awareness training for eleven years. Oh my. And and it was very antiquated. So yeah.

Well, and it was the same thing over and over again. So I I

just went to the paces to get it done. So I think it's it's good. And then as technology is changing, you got a yearly, yearly, definitely within, like, five year basis, then it's good to update this.

I don't have any questions. Thank you, sir.

Deputy Daniels?

I don't have any questions. Just thankful that we're staying on it and that we're considering invoice. I get so many calls that I just know are scams all day long about kinda my number has obviously made it to the dark web. So I'm glad that we are paying attention to what's going on here.

I think you didn't write an

answer or do I think you didn't write an answer?

Actually Vice chair.

Yes. Have we done a, like, internal intrusion tests? Like like, we'll send out our own phishing email to see who might click on it to provide educational opportunities, what's that

might be. So I think one

of the most vulnerable points is the actual end user and allowing them to get access to our critical systems. And so we're, like, you know, not constantly, but, you know, testing and probing. It gives it help us find our

weak points of, you know, shortcut. Yeah. We do send out we call it, phishing recognition practices. And we send those out about once a month, and we change it up to try to to make it fresh. And we vary the level of difficulty on each one of those as well because just about anybody can recognize a an Amazon delivery scam nowadays. But it's tough when you it's it's tough for them to recognize when you say, hey. This is the HR department, and we got new salary tables here. Why don't you open this messaging clip, you know, and see what your salary is gonna be. That that's a that one will catch a lot of people. Yeah.

It'll catch me. No deal.

Just building off the good work of the program and the comprehensive update on that vulnerability. Actually, third party. You may be aware that we're in the middle of a large program to upgrade our core business systems, and so you'll likely get a verbal report out tonight at

the council meeting from the city manager that we are imminent for

our goal this weekend. Everything is green and go. We're shutting down the business on Fridays for that generational update to ensure that we have supported software, better security practices, more efficient operations. And a big part of this program is getting all of the rest of our systems in a maintainable and sustainable place. So I just wanna highlight that, but one of our biggest upgrades ever is coming in the next three or four days.

So I can't get my email this week? No.

Email keeps going. Yep. It won't come out.

Get You might not get a reimbursement.

Oh, too bad. Just let me know.

Okay. I have just a couple of questions. Just and then alright. So the one question I've had around a lot

of this is how much data we have to keep in house versus exporting third parties for us and cybersecurity. So

meaning, we export much as data, we're out there

with third party. Right? Then they're responsible for the security services part of that.

And is

there a cost benefit analysis of doing that versus the other house?

Meaning, third party in all of our files from the

cloud is out there. And they get a

risk attack, and then our stuff gets stolen. We can then sue third party for lack of security purposes versus our records that we possess inside the house. So there's a data breach we're responsible for that. So So is that part of

the conversation about how much we hold internally versus how

much we export to a third party to handle some of data?

Not not directly. We we do typically look for, you know, third party software, we call it a software service or SaaS solutions as a a kind of a first place to look when it comes to comes to solutions simply because these third parties are some they're handling,

you know,

thousands, maybe millions of customers and are a lot better equipped to protect the information. It doesn't necessarily make them any less vulnerable. What they end up doing you know, we're handing our data to them, and what they are doing is building a system that includes other other parties. So there's a whole chain of solutions that back up that one SaaS solution. And so while we have in our contracts data protection clauses to ensure that they're doing their due diligence, we also try to make them responsible for the they work with.

So they may have a storage provider from another from another company, or they may have a feature of their application where they share data over to another company that gives them a service that they can use as part of a feature of their application. So these things can go pretty deep, and sometimes it takes a while to figure out where in that attack team the the the issue might live. And we've had at least two incidents this year where third parties did breach have breaches that included city data, contractor information, and and some employee information as well.

My question is mostly just related to this.

I know I know the answer. I don't know

if I can answer. Don't But

the answer is just, you know, my background in

the school district. Right? Like, there was a period of time where all the servers live inside

the basement. Right? And then the question is,

like, do we want the servers inside the basement?

What if, like, a flood happens at

the basement? So what do

we put on what do we put out into the world in these same party vendors? But there are sensitive documents to which we ask

to discuss on-site and policy.

So I imagine you're constantly looking at balancing those two things.

Because your Yeah. Is like

a company that's a multi billion dollar company or a million dollar company has multiple clients. They invest a lot more resources inside this community.

And because they're trying to protect multiple people and and parking, I guess, can be part of the arms race. But

I guess how are we looking at those things around that? And then do

we have state law requirements or local requirements of what? How we actually have to possess versus what

we can share about? Not state? So, yes, we do comprehensive review of a technology fit for purpose that accounts for both its functionality, its cost point, contract terms, security services around that, and then our own business continuity resiliency plans about what do we host, what do we rely on other people for, where is that infrastructure. All of that is considered, and then the appropriate compromise for the city is selected and evolved over time because those things change. We do have an information, data protection, policies, standards, information classification, and there is a category in that which we can provide a direct briefing or a report information on separately, that there's a category of confidential and special handling information that has specific prescriptive control requirements.

Some of those are where the information lives. Those are generally things like critical infrastructure of power grid or financial information on payment card processing or protected health records and emergency medical services. And so when information is classified in that place, it is put in a system specifically to meet those criteria. Things broadly around the right of the business is more of a balance of the risk versus reward.

K. That is kind of my question. My last one that you brought up was AI as part of this conversation. Right? And I I I think Armstrong's surrounding that as a whole thing.

So how are we are we listening to our our processes through our third party AI and which we can try off the AI that's

trying to attack us at the same time?

That's

probably the most effective way we're gonna address AI risks is with AI. Yeah. We're seeing those those features being built into the tools that we already deployed in our environment. They're they're being adopted just as fast as the

as the as any other feature that's rolling out in any other. Before AI came, AI and branding, Juggernaut, it was machine learning Yeah. And other things. And those tools have been part of our suite, and we've evolved alongside.

Expert system. Yes. That was under.

That was. Yeah. That's taking it away. I'm yeah.

Yeah. I'm I'm picturing

the seat for games from the computer place itself, and then it figures out that it can't land.

Like, maybe one day, the next two to

get to that point. The guys will play each other.

Yeah. It's like, alright.

We're gonna watch.

I'll be

impressed when we accept the answer from that. For sure. I think

right now, our our our stance is to make sure that there's a. Yeah.

That's

good. Okay. Well, with that, thank you all for the rest

of your standing. You know, I'll be having a question for you.

I'll be here. Yep. Okay.

Thank you.

Thank you, Ryan.

Alright. And now for the time that we came here for, which is the monthly budget update.

Thank you, chair Eisen, members of committee. I'm Andy Trudeau, the finance director. Kimmy, you can hit the next slide. Jumping right into it. Again, you're fairly familiar with this view. This is, year to date revenues through October. If you look down in that bottom right hand corner, you can see we're up $3,600,000 over our projection, so that's the good news. Wouldn't be a presentation with me if I can give you the bad news that goes with this. We know that in our business license and permit line down there, there's about a million and a half, that is overcounted, overstated. So that brings our 3.6 down to about 1.6, over.

The other bad news on that, if you look at the top of that graph in our four big revenue collections in the general fund, our property tax, sales tax, utility tax, and business tax, three of the four are still under projections. So, of our big four legs of the stool, three are still not performing as well as we would like, which is an interesting thing. So the next slide, please. This shows, the last six months of our big four property tax collections. So we we decided to take

a look and say how, you

know, this underperformance and how how's it going so far this year. So if you look kinda back in the May, June window, all four were below projections and fairly significantly. When you look, they were averaging over $3,000,000 collectively below average. As the year goes on, you can see it's kinda kinda trending downward. It's a little different to kinda take a trend out of this fund. You can see, like, there's a month like July where it dropped way down, but then look at September, it's starting to back up to a $3,000,000 variance. But the important part of this graph, the takeaways you should get, is there shouldn't be any red on this. We should be over projections, and on our big four, it is all red except for a few months here. You have a question, Jared?

Yeah. And just for the viewing audience, it's not cumulative. It's not like we're 3,000,000 dozen May, and then No. Adds on top. So we're, like, 12 or 13,000,000. It's Yeah.

Our projection

across, it's it's over time.

It was just that much. Gotcha. How far off were we in that month? Gotcha. And when we did

the budget in 2024 or May, we

were pretty concerned with our projections. Correct, Andy?

We were conservative, and that's our concern. Is that our hope would be we do conservative projection and beat them. We did conservative projections, and we're not beating them. And like I say, on sales tax in particular, we've adjusted that down three times pretty significantly, and we still quite haven't found the bottom of that one yet. And that's surprising. Sales tax is another interesting one here. It's fairly consistent. When you look at kind of it's always been around a million two, a million one off. We're just consistently every month missing our mark, fairly consistency. Utility tax is kind of in that world, as well as far as if you look at the average, it's about $400 we're missing our mark on.

The July variance, it's on there any the do business taxes pay quarterly?

So business taxes, there are some quarterly influences. Business taxes also get influenced by refunds and penalties. So if we catch someone and they pay us a big penalty, we could get a an uptick in collection. If someone asks for a refund and we process it, we could give out a big refund, and those just process the month they happen. So it skews our business tax data a bit. If we gave out, like, a $250,000 refund, our number falls 250,000 that month, not because of anything going on in the trend, but just because we gave a big fat refund that month. So it's a trickier one to look at. Rambaugh.

Hi. I'm here today right now. Thank you. I'm sorry I was late. On the property taxes, okay, that's that's really concerning for me, these numbers. I'm glad to see it went up a little bit. But I guess my question for you is, does that mean people are in arrears on their property taxes? Because we're based on a like, we put together what we believe is gonna be and it's been historical. That does that I mean, would we be able to go and find that people are in arrears on paying, and that's why we are what can you talk a little bit about that?

That's really good question. So, again, our property taxes, do do a projection, and, again, we're fairly conservative. You guys just approved the ones for next year. Again, we had it in our budget. We do know that on average, about two and a half percent of people don't pay, and we don't collect that money. So we always adjust our estimate now. We don't take a 100% of what we project. We take 97 and a half because, historically, that's been fairly consistent on the people that don't pay. In the month to month, some of this is again how it's programmed and money comes in. And, hey, we program money coming in in May, and it actually came in in June. And so sometimes we just get

some of the state then? Or

No. Because, again, typically, we think property taxes are two big months in the year. Right? Yeah. They pay two big spikes. They get paid every month as people kinda catch up and pay and do stuff. So those are the trickier things to come in. And so usually when our two big spikes come in, it washes some of this out.

I guess that's so this is I just wanna say that when you see things like this and know people aren't paying their taxes on time, And we know that rates are up on repossessing cars. People are taking more. They're not paying the debt down on their Visa cards. I mean, these are signs of a shake I love having this because it's a shaky it's showing me the shaky economy on in real time. So I appreciate all of this. With the sales tax, remind me again, when we buy things online and you pay taxes, you still are the the you're still getting the sales tax here in Tacoma if I'm buying something online, right, in Tacoma?

We do.

Okay.

Years and years ago, when online shopping first came, it wasn't true. Yeah. And you can go online and buy something, might have sales tax charge. Again, every taxi jurisdiction that had sales tax and had a problem with that, eventually, it got fixed. And there's a clearing house where I'm not gonna say a 100%, but we're really good at collecting most of the stuff coming in online to say yes. If you buy something on the Internet, they do know you where typically, it's the address you're getting it delivered to. They will double that tax rate and

charge you with.

Is it is it possible, and this sounds strange, to compare us with another city the same size that is somewhere not in Washington to know if there's similar things happening?

It's really hard because there's not a great apple to apple comparison on other states and what they charge in their sales tax and what they don't. Some states exempt clothing, some exempt food, and some exempt and so when you start trying to compare what It's apples to oranges. An apple to orange thing

Okay.

It gets it gets really tricky.

I'm just curious how this how this appears in other states Yeah. And if they're having similar I mean, I I believe they are, but I just

Going back to your point, there are signs that consumer is being stressed of, you know, they borrowed maybe block too much and spent some of them in a car and can't keep up with the payments, and they used their credit cards. And now, again, with interest rates, you know, hovering around 20 some percent, those monthly payments are getting trickier to pay.

Okay. Well, thank you for explaining all that. Appreciate that. Yeah.

Sure. Thank you, Mayor. It's a really interesting graph. That's why we looked at them.

Did you want me to ask my questions now, or did you want to wait till the end?

I've got some now. Go for it.

Okay. Because I I didn't think it would help be helpful because I'm just trying to make sure I understand the chart. So the the number at the very bottom is an accumulation of the entire year. So would are we do we add all of these numbers up? Somebody asked this in the beginning, but I wanna make sure I really understand. The totals at the bottom, are those what if are we adding those up, or is it which the last one that we come to when it gets to December is what that number will actually be in in the negative for the whole year.

Yeah. So we do not add up these numbers on this chart across the bottom. It just shows that particular month how much we we're off in these four tax categories. So it's not a

Got it. Thing.

So in December, it could possibly be back black, and that will be the final kind of number, but we get pretty low in here or, yeah, pretty low in some months.

We do. And, again, looking at the trend back in May and June, it seems we were missing our mark of over $3,000,000. And if you look at October, we missed it by a million, which one could say, hey. Maybe we're getting a little better. But, again, the six months of data, it's really hard to pick trends out with such a small set. But our hope would be that our

variance is

shrinking. But

Okay. Then I have two other kind of questions. One is similar to council member Rambaz in terms of, like, property tax, which seems like it would be set for the most part, or it doesn't it doesn't seem like it should fluctuate so much, but I guess it's really not fluctuating that much if you think about the whole city. The utility tax, where are we getting like, that seems like something that would be almost set if not coming in high and low, maybe at just, like, different seasons. What how where how are we seeing what is the variance there?

So the utility tax variance is based on our power utility and their trading that they do Oh. Selling market, and they have not been able to make what they had estimated they thought they would. So a lot of that

variance is coming from wholesale trading.

The

trade. Okay. That makes more sense because our bills are for the most part, it seems like they would be pretty predictable, but I didn't think about the trade aspect. Okay. That makes sense. And then on the business tax, what is our biggest, what is our biggest industry that contributes to to that and, I guess, sales tax?

So, yeah, on on the sales tax, again, it's the retailing is probably the biggest thing in there. You think your car dealers and stuff tend to be some of our bigger sales tax payers. It's kinda it kinda mirrors some of that up business tax. It's very confusing because they have similar categories with wholesaling and retailing and manufacturing and business tax. So we see some of that mirroring there. We can get you some more detail on that as well. I I can follow-up and give you some more detail so you can see it.

Yeah. I think that would be helpful. I think just trying to understand, like, if there's a main business that's bringing in majority of these taxes and they have and maybe it's a business that's either seasonal. Like, those are the kind of things that that I just am curious about. Seasonal or maybe we are doing something in another area that is making that's putting pressure on that industry, and maybe that's why we're not seeing things. So that's I guess that's just what I was curious about, but thank you for, showing this. This is helpful.

We can do that. We can't tell you what any individual taxpayer pays, though.

So Right.

Right. Right. Right. Right. We can break it down by industry category, so we can do that. Great.

Alright. Wish you're welcome. So just to be clear, for the six months represented up there, we're 12,000,000 under the amount of

revenue we thought we'd collect about six months if you add up the bottom.

Yeah. I don't add up the bottom. It's a month on month thing. So it's not cumulative.

Go back to can you can you

go come back to the other slide, the first slide?

Nope.

One more in front of that one, our regular one. So this one really Sorry.

Sorry. Sorry. Hear you're not happy.

This is where we

are right now.

This is where we are sitting right now. So, again, when we look at this point, not the year October, we thought we would be at $279,000,000, almost $280,000,000 in revenue collected.

Right.

We were actually, when you look at the next column, at $283,000,000. So, again, at the end of the day, where we are sitting this month cumulatively for the course of the year is we're up 3,600,000.0. You can see cumulatively for the course of the year in each of these where our variances from that.

She goes So on the next slide then I just did that. Those are cumulative amount.

Those were that month. So how much did we miss the mark in that particular month?

For those different taxes.

For those particular taxes. Tax.

He just took it off all

the time.

Snapshot of that. Which is interesting, though.

Right. Because those were our big Our biggest ones could be off consistently that month month after month. Yeah. And yet, overall, we're still

We're still doing this. Jump back to the first slide, Katie. Sorry for this one. No. So, again, when you look at some of the places we're we're over again, you look at license and permits, and we're over. But, again, some of that revenue we know we're not gonna collect. Right. Because we build it. It's kinda like sometimes the utility world, you bill someone, not everyone pays their utility bill. So you bank in something for that. Our miscellaneous revenues down there, about a million over, a lot of that's interest earnings on the balances we have in it. So, again, we're beating what our estimates were on our interest earnings.

Just on property, for January through

Through October.

April, we must have been killing it because then the on the next slide, you see or red for the next six months.

Yep. Until you hit October, then you can see cumulatively across the year. We're good. So so it's just interesting. We were looking at the various month to month. And, again, the point of, Kimmy, the the other slide, that slide shouldn't be red every month. It should Right. Our projections, we should be meeting Or meeting the more black. And there should be a lot more black in that one.

So so it's a

yeah. I I get foreshadowing. Yeah.

Yeah. Yep. Thank you. Yes.

Thank you for all the questions, though. That's what this is supposed to do with this presentation. People love math. It's so rapid. Next slide, Kimmy.

From the teacher.

This one, again, just shows our expenditures year to date. And, again, if you look at, your budget actuals, varies in the bottom right hand corner. You see a positive 13,000,000, which means we are underspent by 13,000,000. I'm gonna caveat this one as well. We know some of that money is gonna get spent in contracts like an NCS. The library's on there at 2 and a half million dollars. Again, that's the library money, so we can't take that money and give it to somebody else at the libraries. So you make those adjustments, I'd get down to really probably around $8,000,000, which is still good. But the other caveat on this slide is this is right after midmod. So we took what you guys appropriated in midmod and put it in everyone's budget that they get to spend now for the rest of the year.

Again, our expectation is folks like the fire department, depending on what overtime does, potentially could be negative again relatively soon, which would require, again, a fix toward the end of the year, '26. So but, again, these things change typically, but at this point in the year, on the revenue front, again, it looks like, again, that we're over our projection cumulative, which is a good place to be. And in spending, again, we're under spent a bit. So, again, a little bit of breathing room on some of these things. And this is, again, only the general fund, so it's not everything. Can

I ask an unpopular question? When

I say it's unpopular

before you ask.

I guess, I'm just trying to understand where staffing fits in some of

these numbers when we see, like, a

variance that's is that from staffing? Or

A lot of what the variance you see on here in many departments that are staff heavy, like the city attorney's office, most of their budget is people because they hire attorneys to do the work. So most of the savings, when you see that on there, is related to people that they didn't hire or there was a delay in three months of getting the position filled, that vacancy savings that builds. Other places like NCS that are they also have contracts, and they're contract heavy. Some of that is just, again, they don't have the contract in place or the vendor we hired to provide the service hasn't billed us for something. So there's a mix in there of those.

But, you know, the city attorney's office, city manager finance, library, they're really people heavy places. So a lot of that's driven by people. Other things, not so much. Good question.

Any other questions?

Yeah. I that's the last slide in this one. Great.

Okay. Any final questions?

Alright.

Seeing none, we'll move on to our fifth agenda item, which is topics record meetings.

As you can see from calendar here, December 2, we had a couple items that moved off recently, so we don't have anything filling in on that date yet. Oh, don't wait. But wait. We may. I don't know. Okay. And then the sixteenth, we have board of ethics interviews, and I will be back again for another monthly budget update. Those are our last two meetings of the calendar here. So yeah.

Yeah. Yes. So I'm just gonna at this point in time, we said we would be doing interviews

for the next quarter. Okay.

Let's get prepared for that one.

And then we'll report the next interviews. Already looked at that. We only we have one position that's could be reappointed, and there's one open position for ethics.

So there's and we're working to identify the candidates right now.

And then there's the January 6 date. I know that's next year. And, again, council committees, might change a bit, but we certainly can get a briefing item on there. It's my understanding is, the committee that is sitting at that point runs business until the new committee's appointment. So Yes. Maybe have that meeting or cancel depending on what I'd cancel this one. Okay.

Because it more sounds a headache.

Alright. Brother will be happy with

his birthday. There you go.

Are there any other items of interest? Seeing that, I'll entertain the final motion of

the meeting.

Move to adjourn.

Second.

So we've been seconded. All those in favor, please signify by saying

aye. Aye.

Opposed? Please stand adjourned. Thank you.