[BreachExchange] What’s at Stake When Government’s Data Is Stolen

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 23 19:04:06 EDT 2017


Cybersecurity is more than just an information-technology issue. It is a
public-safety concern and an area of potential exposure to liability. As
part of their daily operations, governments collect personal data to use to
improve public services. With such large amounts of data housed on their
servers, it is not a question of if but of when a government or one of its
agencies will experience a data breach.

That's a reality that officials of Minnesota's Mille Lacs County are
painfully aware of. Last year, the county settled a $1 million class-action
lawsuit after an employee was accused of accessing driving records without
authorization. Over a four-year period, according to the suit, a county
child-support investigator accessed driver's license records of 379 county
residents not associated with any family-services cases or investigations.
Once made aware, the county notified these individuals in a letter
acknowledging "unauthorized access" by a "former employee."

In their suit, the plaintiffs alleged that the county had insufficient
policies and had "failed to put into place systems and/or procedures to
ensure … class members' private data would be protected and would not be
subject to misuse." The suit said those lapses amounted to a violation of
the federal Driver's Privacy Protection Act (DPPA), which prohibits
knowingly obtaining, using or disclosing personal information from motor
vehicle records for a purpose the statute does not permit.

Notably, the Mille Lacs County settlement came just three years after Rock
County, Minn., agreed to pay $2 million to settle a case involving one of
its family-services employees improperly searching the same database.

Two million dollars is a lot of money, but the cost to taxpayers can be far
higher when hackers target large government networks. In one substantial
breach, hackers entered multiple databases and stole the personal
identifying information -- including names, addresses, Social Security
numbers, driver's license numbers and other demographic information -- of
two million employees, students and prospective students of a community
college system in Arizona.

In 2013, the FBI notified the 10-campus Maricopa County Community College
District that the stolen information was for sale on the Internet. Multiple
class actions were commenced alleging violations of both DPPA and the
Family Educational Rights and Privacy Act (FERPA). FERPA applies to all
public and private schools that receive federal education funding,
essentially encompassing most elementary, secondary and post-secondary
schools as well as local education agencies.

Taxpayers ultimately paid $26 million to settle the litigation and address
the hacking event, including $9.3 million in attorneys' fees, $7.5 million
in network upgrades, repairs and consulting fees, and $7 million to notify
those impacted by the breach and pay for their credit monitoring.

The far-reaching financial consequences of the Maricopa County breach
illustrate the necessity of proactively addressing system vulnerabilities.
But public entities also are subject to enforcement actions and financial
penalties from regulatory agencies for misuse or mishandling of private

In 2014, for instance, the U.S. Department of Health and Human Services
(HHS) fined Skagit County, Wash., $215,000 for violations of the Health
Insurance Portability and Accountability Act (HIPAA) and
breach-notification rules that affected nearly 1,600 individuals.
Initially, the county learned that it had mistakenly provided public access
to seven individuals' electronic protected health information. But an
investigation by HHS revealed that the county public health department had
inadvertently uploaded the same type of information -- which included
records on testing and treatment of infectious disease -- for 1,581
individuals to a county public server.

The county's settlement agreement with HHS included an extensive
corrective-action plan that required the drafting of written protocols,
implementation of new policies, training for all employees and new
reporting requirements. It marked HHS' first settlement with a county
government, and the federal agency's Office for Civil Rights used the
occasion to call on all local governments "to adopt a meaningful compliance
program to ensure the privacy and security of patients' information."

Clearly, government officials have a responsibility to address cybersecurity
threats to their networks from both inside and outside their organizations.
Inaction is both costly and irresponsible, and failure to adequately
address vulnerabilities can result in taxpayers footing the bill for costly
litigation or regulatory enforcement. But something even more important is
at stake: the public's trust.