Vedder Thinking | Articles State and Local Governments At Risk: How Public Entities Can Reduce The Risk of a Data Breach
More than 94 million citizens' records, under the care of government agencies, are estimated to have been lost or breached since 2009.1 Multiply this figure by $194, which is the average cost per compromised record for organizations in the United States, according to the Ponemon Institute's Annual Study,2 and the numbers become astronomical: nearly $18.2 billion dollars' worth of damage.
The cost of an incident is not limited to the dollars spent to investigate and remediate the incident and possible subsequent litigation; it extends to the incalculable cost of regaining lost citizen trust. As public sector organizations face unprecedented risk from cyber attacks and high costs from data breaches, the focus on protecting sensitive and personally identifiable information is quickly becoming a top priority for state and local governments. Public officials are increasingly realizing that if they do not manage data security correctly and breaches occur, their departments and agencies will be perceived to be ineffective, and their citizens may suffer direct harm.
Indeed, the extraordinary amount of personal data that is collected by public entities makes them attractive targets for cybercriminals and hacktivists, as well as being at risk thru mere human error. The security posture of government entities is typically lower than commercial organizations. As the private sector increases its securities measures as a result of the high-profile breaches that struck Sony, Target and Home Depot, public entities—with their vast amounts of sensitive data—are perceived as "soft targets."
The significant risk faced by public entities has been underscored by the recent breaches hitting state and local governments. For example, the South Carolina Department of Revenue sustained a major breach, resulting in 3.8 million taxpayers and their 1.9 million dependents having their Social Security numbers exposed, along with credit cards and bank account information. The attack started when a targeted phishing e-mail that had been delivered to an employee allowed the hackers to gain access to 44 servers, installing 33 pieces of malicious software and utilities along the way, all undetected. The state estimates that it will pay up to $12 million to enroll affected individuals in a credit-monitoring service. The Montana Department of Public Health and Human Services notified 1.3 million current and former medical patients after a computer server was hacked. In early 2014, Indiana University said the personal information, including names, addresses and Social Security numbers, of approximately 146,000 students and recent graduates may have been exposed during a data breach, and the University of Maryland also reported last month that hackers stole records of more than 300,000 faculty, staff and students, including their names, Social Security numbers, dates of birth and university identification numbers.
As a result of these and numerous other incidents involving public governments and agencies, there is a growing trend toward public entities facing fines and penalties. After a breach involving the protected health information of 1,581 affected individuals, the Skagit County of Northwest Washington recently agreed to a $215,000 monetary settlement with the U.S. Department of Health and Human Services, Office for Civil Rights and agreed to enter into a corrective action plan. In announcing the settlement, the OCR noted that "This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size." The OCR further cautioned that state and local governments are not immune from future enforcement actions and that the "agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients' information."
Accordingly, in order to reduce the risk, public entities should immediately consider undertaking the following steps to reduce the risk of a data breach:
- Developing and periodically testing an incident response plan that identifies an incident response team (including key stakeholders and the forensic and legal team) BEFORE the incident;
- Assessing the adequacy of existing cyber-insurance coverage;
- Conducting regular risk assessments to identify potential cybersecurity threats, including evaluating the effectiveness of current controls in light of identified risks;
- Prioritizing resources, assets and systems corresponding to the nature and level of threats and vulnerabilities and revising procedures and controls, as necessary and appropriate, to address and mitigate areas of risk identified in the risk assessment;
- Evaluating potential third-party/vendor risk and indemnification provisions to ensure they cover the full costs of a data breach, including notification costs and credit monitoring;
- Conducting periodic employee training on privacy and security policies and incident response procedures; and
- Proactively and systematically identifying and deleting obsolete legacy data containing citizens' and employees' personal information, protected health information and other sensitive data.
1 Rapid 7 LLC, Data Breaches in the Government Sector (September 2012).
2 Ponemom Institute LLC, 2011 Cost of Data Breach Study: Global (March 2012).