Media Center

July 11, 2017
Publications

A Wealth of Information: The Importance of Data Security for Local Government

Originally published by International Municipal Lawyers Association (IMLA) in Municipal Lawyer. Copyright © 2016 IMLA and redistributed with permission of IMLA.

By Devin Chwastyk

In February 2016, a computer hacker sent an e-mail infected with a “ransomware virus” to an employee of the town of Medfield, Massachusetts. When the e-mail was opened, the virus spread throughout the town’s computer network, locking up the servers and preventing officials from accessing municipal data. A week of consultation with law enforcement and information technology experts brought only fruitless efforts to unlock the files. The town’s officials then gave in to the hacker’s demand: they paid a ransom by transferring funds (in the form of bitcoins, an electronic currency) per the intruder’s instructions.

The town was lucky. In exchange for the payment, the hacker provided a software key that allowed the town to regain access to its files. Upon inspection, the files were untouched, and no data had been stolen.

Municipalities Are Especially At Risk Of Data Breaches

It is no surprise that a municipality would make an attractive target for a malicious hacker looking to steal or ransom valuable information. For taxation and other purposes, local governments routinely collect and maintain files of private and confidential information about their residents. Personally identifiable information abounds in public records, including names, addresses, dates of birth, and Social Security numbers. When left exposed and taken up into the wrong hands, that information can be used to perpetuate identity theft and other fraudulent activity.

Modern technology utilized by local governments also provides opportunities for hackers. The federal government has warned that utilities are a major target for both independent and foreign, state-sponsored intruders. Smart city platforms, traffic control devices, and emergency notification networks offer hackers openings to steal data or disrupt infrastructure and daily life in cities and towns.

But it is not only sophisticated computer hackers that pose risks for local governments. Most data exposure events happen not due to theft, but through ordinary loss or inadvertent exposure. In early 2016, a local tax agency in Breckville, Ohio announced that it had lost a data storage device containing the names, addresses, Social Security numbers, and dates of birth of more than 50,000 taxpayers. Similarly, the county government in Dallas, Texas notified residents in December 2015 that a security flaw had left the same types of information, belonging to tens of thousands of those residents, exposed on a public website for more than a decade.

Legal Obligations For Protection Of Data

The primary legal obligation arising when a data breach occurs is the duty to notify all individuals whose records were exposed. While there is no federal law addressing data breaches, forty-seven states and the District of Columbia now have laws requiring data security breach notifications.¹

In most states, the requirement to notify affected persons that their information has been exposed to unauthorized third parties extends to any entity that maintains, stores, or manages computerized data, including municipalities and political subdivisions. ²

Personal information is most commonly defined to include an individual’s name, in combination with any of the following: (1) Social Security number; (2) driver’s license or state identification number; or, (3) financial account information, such as credit or debit card or bank account numbers, in combination with a security code or password. ³

Increasingly, that definition has been broadened to encompass other categories, including medical information⁴ and biometric data⁵ such as fingerprints and retina images. ⁶

Generally, an entity storing computerized data is required by these state data breach notification laws to provide notice whenever it discovers or reasonably believes that unauthorized persons have accessed and acquired unencrypted files containing unredacted personal information. ⁷

In a few states, however, notification is required as soon as unauthorized access is detected, regardless of whether there is any proof that the information has been acquired by third parties.⁸

Some state laws, however, provide that an entity need not provide notice if it can determine that there is no reasonable likelihood that the information July/August 2016 Vol. 56, No. 3 15 has been or will be misused. Responding to a data breach therefore requires careful scrutiny of the notification requirements of multiple states, as each state’s law governs the notification that must be provided to its residents. A breach of a county government in New York, for example, may expose information of county employees who commute from New Jersey. Privacy attorneys must ensure that various divergent requirements of state law are met, which may require distribution of multiple notices. Some states require not only that notice of the breach be sent to the individuals affected, but also to the state attorney general’s office, consumer affairs division, or police agencies.

The Costs Of Data Exposure

While notification alone can be an expensive endeavor when thousands of records are involved, the expense of mailing notices is not the only direct cost of a data breach. A municipality that is hacked will need to pay IT experts to investigate, repair, and secure the breached data network, and likely need to pay attorney’s fees for outside privacy counsel. While not legally required, many entities that suffer a breach make offers to provide identity theft monitoring and protection to the affected persons, which also can be expensive. ⁹

Several reliable studies have examined these costs of responding to a data breach. Those findings demonstrate that the average cost for a public sector entity to respond to a data breach is approximately $80 per individual record exposed.

Let’s revisit the example of Dallas County, Texas. Because of an error, files containing the names and Social Security numbers of tens of thousands of residents were left unencrypted, unredacted, and open to public exposure. Assuming a cost of $80 per record, a breach of this extent will almost certainly cost a municipality millions of dollars to respond to the incident, remediate, and secure again its computer systems. Those costs increase exponentially if more records are involved.

And these substantial costs are incurred even before any litigation commences. When a data breach becomes public, the entity that failed to secure personal information often finds itself the target of class action lawsuits. ¹⁰

A town then might find itself defending allegations that it negligently failed to secure the information that it collected and maintained about its taxpayers. In 2013, vulnerabilities plagued the network of the Maricopa County, Arizona, Community College District, which held Social Security numbers and other data be-longing to nearly 2.5 million former students, employees, and vendors. That information was available for access by unauthorized third parties for several years, while the District failed to take any steps to improve its data security. Importantly, there were never any reports of actual identity theft or fraud tied to the breach.

Nonetheless, the District was hit with multiple class action lawsuits. At last count, administrators estimated that the District had paid more than $20 million in notifications, legal settlements, credit monitoring costs, and network security upgrades.

For public entities battling tight budgets, such costs of responding to a data breach could be crippling. And the impact of a breach is not just financial. Victims of identity theft spend an average of nearly 100 hours working to resolve the situation. Just as a hacked business must regain credibility with its customers, a local government that fails to protect the information provided by its residents will need to work hard to rebuild public trust and confidence in the wake of a breach. Steps To Limit The Risk Of Data Breaches Municipalities therefore must proactively seek to limit the risks of data breaches and the ensuing liabilities. Privacy lawyers and IT professionals agree that data breaches are nearly inevitable, and so entities must seek to be “compromise ready.” This can be accomplished through training and education, security assessments and IT support, strong data security policies, appropriate breach response plans, and attention to insurance and indemnification issues.

Training and education of employees about the importance of data security and risks of data breaches must be increased in the public arena. A 2015 poll of local government employees revealed that almost half were unaware of their employer’s IT security practices. By comparison, in the private sector, a survey by the New York Stock Exchange found that data security is addressed at most or all board meetings of publicly-traded companies. Employees must be instructed about the importance of strong passwords, and systems should require the same. Training employees to recognize “phishing” attempts and avoid opening emails or attachments from unfamiliar addresses will greatly reduce the opportunity for hackers to introduce malware or ransomware into government computer networks. For attorneys and IT staff, organizations for privacy professionals offer training and certification with regard to and federal privacy laws and industry best practices.

While IT costs can burden already strained municipal budgets, the importance of devoting adequate funds to internal IT staff and resources, together with appropriate third party vendors, cannot be overstated. Most hackers gain access to computer systems when inadequate attention is devoted to their upkeep. Internal IT staff must have the resources to ensure that anti-virus, anti-spyware, and monitoring software, along with and software patches and firmware updates are kept current. Outside vendors, meanwhile, can conduct independent penetration testing and probe the network for files that may inadvertently have been left unencrypted and accessible to the public.

The process of creating a data security policy can force an entity to confront the categories and amount of personal information that they are collecting and storing. The best way to avoid a breach that exposes such information is not to collect it at all, or to retain it only so long as necessary to serve a necessary purpose.

A properly-devised data security policy will be written, will be disseminated throughout the organization so that all employees are familiar with the policy, and will address certain key topics.

First, the policy should designate an employee to coordinate the organization’s data security efforts, including implementation, training, and testing of the policy.

Second, the policy should limit the categories of personal information that will be collected, limit access to those records to the employees whose duties require such access, and require that such records be destroyed or deleted at the earliest opportunity (consistent with organizational needs and legal retention requirements). The policy should include or reference a document retention policy that addresses the full gamut of records the organization may collect or create. The data security policy must also provide for levels of disciplinary measures to be imposed if employees break or ignore the mandates addressing information security.

Third, the policy should address technical requirements, such as the updating and patching of software and firewalls, strong password requirements, and mandatory use of anti-virus protections. It is also crucial to prohibit the transfer of unencrypted personal information by e-mail or to portable devices, including storage media. All of the requirements regarding the security of electronically-stored personal information apply equally to the storage of such information in paper records and files.¹¹

In addition to a data security policy, local governments should have in place a data breach response plan. When a breach occurs, the plan will designate the key decision makers, including public officials and legal and IT staff members. The plan should refer these leaders to a preselected forensics firm that can identify the scope of the compromise and repair the system without compromising digital evidence. And it will walk them through a decision tree that touches upon issues including contacting law enforcement, retaining outside counsel, determining notification obligations, documenting response steps, and addressing public relations. The breach response plan should require occasional drills to simulate a breach, with follow-up to refine the plan and for training purposes.

Insurance for data breaches should be a significant area of attention for municipal lawyers. It should be emphasized nearly all general commercial liability policies exclude coverage for data breaches. An insured must select requisite endorsements or separate policies for cyber-liability coverage. Coverage under an appropriate cyber-liability policy should include the costs of forensic analysis, repair of systems, data breach notifications, offers of credit monitoring, and, if necessary, legal defense of claims arising from a breach.

In addition to adequate insurance coverage, exposure also can be limited through inclusion of appropriate indemnification provisions in contracts with vendors. If any contractor is provided access to a municipality’s physical office spaces, computer systems, or stored information, the contractor should be required to indemnify the municipality if their negligence (or intentional acts of their employees) results in any exposure of government data.

Herbert A. Simon, a Nobel laureate political and computer scientist, is known for his contributions in fields of study including artificial intelligence, organizational structures, and information processing. He wrote that a “wealth of information creates a poverty of attention and a need to allocate that attention efficiently …”¹²

For municipal governments, the wealth of personal information they must collect and maintain about their residents requires that substantial attention be devoted to the security of their computer networks and to preparation for the creeping inevitability of a data breach.

Software and Technology Licensing for Municipalities – Fine Print, Big Impact

By Brian Gregg

EULA, SaaS Agreement, SLA, MSA, PSA…what do all of these have in common?  These all refer to the types of legal documents that govern a modern software license, service agreement or software development engagement.  They are the fine print in which an organization and a vendor describe what is going to be done, how much it will cost and how payment will be made and, importantly, who bears the risk if things do not go as planned.  The fine print also governs what happens when you change providers or the contract ends.  The reality is that most of the time the vendor does all the drafting, and the organization simply signs off, perhaps after a little haggling over the price.

However, the rest of that small type deals with the risk part of the vendor/organization engagement and a municipality’s reliance on software and services provided by vendors comes with a whole host of risks.  There is the obvious risk that the software will fail and impact the operation of the municipality, but other risks are less obvious.  Organizations trust vendors with the safety and security of their data, they rely on software vendors to seamlessly integrate and implement complex software systems, they expect vendors to provide assistance when the organization goes through transition, they expect the vendor to assist with upgrades, they believe they own and can upgrade the software they had developed, and they anticipate the vendor will defend them if the software creates liability for the users.

While all the haggling over price might have been time well spent, organizations are often shocked to learn that agreements with their vendors do not obligate the vendors to provide the kind of assistance needed to address these and other critical issues.  In many cases, vendor agreements are not reviewed by anyone that is thinking about the possible risks.  For example, if your municipality gets sued by a third party for using software they claim was pirated by the vendor, will the vendor defend the municipality?  If the vendor hosts sensitive data and experiences a data breach, will they assist you with (and pay for) the breach response your client is legally required to undertake?  By the way, who owns that data, or new data derived from the data?  Who can use the data being shared or created and for what purposes?  Does the agreement address those issues? When a vendor/organization relationship breaks down it is your clients that will face an uphill battle if they signed an agreement that does not require the vendor to take the actions that need it to take.  The result can be lost productivity, lost data, reputational damage from leaks of sensitive data, costly litigation and other damages.

The attorneys at McNees Wallace and Nurick LLC can help you and your clients avoid these kinds of problems.  We regularly assist our clients with the review and negotiation of software license, development, implementation and services agreements.  We take the time to explain the implications of the agreement, spot risk points and negotiate more favorable terms for our clients.  Not only are we able to negotiate more favorable terms, but by working through the issues presented with a new software implementation, our clients are able to think more deeply about how to anticipate and reduce risks like software failure and data loss or exposure.

Working in conjunction with our Privacy and Data Security group, we can advise you and your clients on how to navigate the increasingly high-stakes practice of collecting, transmitting and storing sensitive data.

© 2017 McNees Wallace & Nurick LLC
McNees Advocate Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.

Notes
1. Only Alabama, New Mexico, and South Dakota have no breach notification law.

2. Some state breach notification laws limit the entities who must give notice to those “engaged in commerce” or “conducting business,” or otherwise expressly do not include political subdivisions as subjects of the breach notification requirements: Arkansas; Colorado; Connecticut; Delaware; District of Columbia; Maine; Maryland; Michigan; Minnesota; Mississippi; Montana; Nebraska; New York; Rhode Island; Texas; Wyoming.

3. See, e.g., Pennsylvania’s Breach of Personal Information Notification Act, 73 Pa. Cons. Stat. § 2302 (2016).

4. See, e.g., Fla. Stat. § 501.171 (2016).

5. See, e.g., Iowa Code § 715C.1 (2016).

6. The increasingly expansive legal conception of personal information is expressed in the European Union’s revised General Data Privacy Regulation, which will become effective in the spring of 2018. That regulation, which applies to companies that collect or process personal information of EU residents, extends the concept of personal data to encompass IP addresses, online identifiers, and nearly any other information that could be used to identify a person. See Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on The Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) 2016 O.J. ( L 119/2).

7. See, e.g., 73 PA. Cons. Stat. § 2303 (2016) (“An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and un-redacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.”). Along with businesses, “entity” includes “a political subdivision of the Commonwealth.”

8. This is the case in Connecticut, New Jersey, Pennsylvania, and Puerto Rico.

9. Only one state, Connecticut, requires by law that a breached entity offer one year of identity theft prevention and mitigation services to its residents. See Conn. Gen. Stat. § 36a-701b (2016).

10. Because most fraud losses are refunded by banks and credit card companies, plaintiffs’ privacy claims have been limited by holdiing that they lack standing because they have failed to suffer actual injury. See Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 365 (M.D. Pa. 2015) (“Allegations of increased risk of identity theft are insufficient to allege a harm.”); In re Zappos.com, Inc., 108 F. Supp. 3d 949, 955 (D. Nev. 2015) (collecting cases). Some courts have held, however, that plaintiffs can state a claim arising out of a data breach. See In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1159 (D. Minn. 2014) (“Plaintiffs have alleged … injuries, including unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”). These contrasting holdings have created a split of decisions between the federal circuits. The Supreme Court may be asked soon to resolve whether plaintiff’s have Article III standing when injury is expressed as an increased risk of future fraudulent charges or other “imminent” harm.

11. Breach notification laws in eight states extend to paper as well as electronic records (Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Washington, and Wisconsin).

12. Herbert A. Simon, Designing Organizations for an Information-Rich World, Computers, Communication, andthe Public Interest, 40–41 (Martin Greenberger ed., 1971).