Lawyer Commentary JD Supra United States McNees Advocate Alert - July 2017

McNees Advocate Alert - July 2017


In February 2016, a computer hacker sent an e-mail infected with a “ransomware virus” to an employee of the town of Medfield, Massachusetts. When the e-mail was opened, the virus spread throughout the town’s computer network, locking up the servers and preventing officials from accessing municipal data. A week of consultation with law enforcement and information technology experts brought only fruitless efforts to unlock the files. The town’s officials then gave in to the hacker’s demand: they paid a ransom by transferring funds (in the form of bitcoins, an electronic currency) per the intruder’s instructions.

The town was lucky. In exchange for the payment, the hacker provided a software key that allowed the town to regain access to its files. Upon inspection, the files were untouched, and no data had been stolen.

Municipalities Are Especially At Risk Of Data Breaches

It is no surprise that a municipality would make an attractive target for a malicious hacker looking to steal or ransom valuable information. For taxation and other purposes, local governments routinely collect and maintain files of private and confidential information about their residents. Personally identifiable information abounds in public records, including names, addresses, dates of birth, and Social Security numbers. When left exposed and allowed to fall into the wrong hands, that information can be used to perpetrate identity theft and other fraudulent activity.

Modern technology utilized by local governments also provides opportunities for hackers. The federal government has warned that utilities are a major target for both independent and foreign, state-sponsored intruders. Smart city platforms, traffic control devices, and emergency notification networks offer hackers openings to steal data or disrupt infrastructure and daily life in cities and towns.

But it is not only sophisticated computer hackers that pose risks for local governments. Most data exposure events happen not due to theft, but through ordinary loss or inadvertent exposure. In early 2016, a local tax agency in Brecksville, Ohio announced that it had lost a data storage device containing the names, addresses, Social Security numbers, and dates of birth of more than 50,000 taxpayers. Similarly, the county government in Dallas, Texas notified residents in December 2015 that a security flaw had left the same types of information, belonging to tens of thousands of those residents, exposed on a public website for more than a decade.

Legal Obligations For Protection Of Data

The primary legal obligation arising when a data breach occurs is the duty to notify all individuals whose records were exposed. While there is no federal law addressing data breaches, forty-seven states and the District of Columbia now have laws requiring data security breach notifications.1

In most states, the requirement to notify affected persons that their information has been exposed to unauthorized third parties extends to any entity that maintains, stores, or manages computerized data, including municipalities and political subdivisions. 2

Personal information is most commonly defined to include an individual’s name, in combination with any of the following: (1) Social Security number; (2) driver’s license or state identification number; or, (3) financial account information, such as credit or debit card or bank account numbers, in combination with a security code or password. 3

Increasingly, that definition has been broadened to encompass other categories, including medical information4 and biometric data5 such as fingerprints and retina images. 6

Generally, an entity storing computerized data is required by these state data breach notification laws to provide notice whenever it discovers or reasonably believes that unauthorized persons have accessed and acquired unencrypted files containing unredacted personal information. 7

In a few states, however, notification is required as soon as unauthorized access is detected, regardless of whether there is any proof that the information has been acquired by third parties.8

Some state laws, however, provide that an entity need not provide notice if it can determine that there is no reasonable likelihood that the information has been or will be misused. Responding to a data breach therefore requires careful scrutiny of the notification requirements of multiple states, as each state’s law governs the notification that must be provided to its residents. A breach of a county government in New York, for example, may expose information of county employees who commute from New Jersey. Privacy attorneys must ensure that various divergent requirements of state law are met, which may require distribution of multiple notices. Some states require not only that notice of the breach be sent to the individuals affected, but also to the state attorney general’s office, consumer affairs division, or police agencies.

July/August 2016 Vol. 56, No. 3

The Costs Of Data Exposure

While notification alone can be an expensive endeavor when thousands of records are involved, the expense of mailing notices is not the only direct cost of a data breach. A municipality that is hacked will need to pay IT experts to investigate, repair, and secure the breached data network, and likely need to pay attorney’s fees for outside privacy counsel. While...
