Evaluating Government’s Cyber Risk Through A Legal Lens

August 17, 2017

This editorial was developed in coordination with the Center for Technology in Government at the University at Albany and Albany Law School graduate assistants studying under Dean Antony Haynes, in which the students explored public sector technology innovations through a legal lens.

The Internet of Things is increasing government's cyber risk

By now, seemingly everyone is either using the Internet of Things (IoT) or is, at the very least, aware of its capabilities. Fitness tracking bracelets, security cameras, and even a pacemaker that sends alerts about your heart rate to your smartphone all comprise a growing network of devices, connected to one another by sensors that transmit and store data. Like people, IoT devices communicate with one another, using the internet to send data across a network. And it’s not just individuals rushing out to purchase the latest and greatest IoT device; governments are increasingly taking notice too, and considering how they and their citizens might also benefit. Many municipalities have found that IoT deployments, such as “smart” LED streetlights, increase efficiency, improve public safety, and have a positive economic impact.

However, as with any technology innovation, IoT devices don’t come without risk and they aren’t the solution to every problem. While governments strive to capitalize on the latest emerging technologies, their pursuit of staying at the cutting edge can sometimes cloud the real issues or even cause officials to lose sight of the problem at hand. Many governments do a good job of letting the problem drive their investment decision, while others jump to technologies that promise to address the issue yet fall short.

Perhaps even more important is that IoT devices were designed with fast communication, rather than security, in mind, yet they are just as susceptible to hacking as any other system (some may even argue they are more susceptible) and therefore require the same level of safeguards. Governments should proceed with caution and recognize that a security breach could not only create a real headache but, depending on its severity and scope, could even result in legal trouble.

Working together with Albany Law School, the Center for Technology in Government at the University at Albany sought to take a look at the issue of government innovations in the context of legal issues. Here are some of the considerations.

Your citizens' data has been hacked: expensive to remediate and your liability is increasing

As far as hackers are concerned, the vast amounts of data governments possess, such as employee records, property records, public service records, and credit card data (just to name a few), are a treasure trove. Governments, though responsible for good information security, are not immune to data breaches; even the most seemingly well-secured entities experience attacks. But what are the legal consequences for government if a breach occurs? Previous court cases on this matter tell us: “it depends.”

To examine the issue of liability in the context of cyber-attacks, let’s look at a 2012 case that resulted after the South Carolina Department of Revenue experienced a catastrophic breach when, according to Bloomberg Law, an employee inadvertently opened a phishing email that hackers used to install malware.

3.6 million social security numbers, 387,000 credit card numbers and 657,000 business tax records were released. However, even though the state provided the affected citizens with free credit monitoring and protection services, identity-theft insurance, and lifetime credit fraud resolution to help mitigate the dangers of the breach, it did so not because it was legally required to or because a lawsuit was filed against it. Rather, a lawsuit was filed against Trustwave Holdings, the data security company contracted to maintain the security of the Department’s system. In Strautins v. Trustwave Holdings, Inc., the plaintiff made two arguments. First, they argued that the delay in notifying victims of the breach (from early September to mid-October) caused an “imminent, immediate, and continuing increased risk of identity theft and fraud.” Second, they argued that their information was “stolen and compromised” because the Department had been cyber-attacked and the plaintiff had filed a tax return in the state. The Court dismissed the case, citing precedent: the controlling rule in a previous case, Clapper v. Amnesty International, stated that the injury must be “concrete, particularized, and actual or imminent.”

The court strictly defines the term “imminent” as requiring harm to be “certainly impending,” and therefore the mere possibility of harm (in this case, the possibility of the plaintiff’s data being stolen and compromised) is not sufficient to establish liability. The court in this case emphasizes that the factors that could give rise to liability are:

  1. Proof data was actually taken from the individual during the breach,
  2. Proof the data was sold or transferred,
  3. Proof the victims’ data was obtained and someone attempted to use it, or
  4. Proof that someone succeeded in taking their data.

Even though it was not held legally liable, South Carolina incurred significant costs. The free credit monitoring offered to South Carolinians and cybersecurity upgrades cost $21 million, with another $10 million later added for a one-year extension of free credit protection. A quick calculation suggests that $31 million might have been saved had better cybersecurity measures been in place beforehand.

Additionally, courts and the law are slowly adapting to this changing environment by building their understanding of how to interpret cybersecurity. Another court case, Federal Trade Commission v. Wyndham Worldwide, as explained by Harvard Law Review, is an example of this evolving understanding. In this case, in which the FTC sued Wyndham Worldwide, a hospitality company, for failing to protect its computer network, the court considered whether 15 USC 45 (Unfair methods of competition unlawful; Prevention by commission) can be used against businesses with weak cybersecurity, and if so, whether Wyndham had fair notice that its cybersecurity practices fell short of that provision when it was hacked.

In Wyndham, hackers were able to use the same method on three separate occasions during a one-year period. The court held that a cost-benefit analysis would decide whether consumers could have reasonably avoided the breach and whether the breach was reasonably foreseeable to the company. The court recommends looking to the FTC guidebook, “Protecting Personal Information: A Guidebook for Business,” to discern whether a breach is reasonably foreseeable. As more cyber breach cases make their way to the court system, judges and lawyers are faced with increased real-time learning in all areas of cyber liability.

It’s clear that cybersecurity and the law are still very much evolving, though the trajectory appears to suggest there could be further liability for entities that hold on to individuals’ information or possibly government or trade secrets. Still, whether or not a government or company is liable, financially and legally, for a breach depends on many variables, such as whether or not the vendor contract incorporates shared language requiring a manufacturer to pay for damages.

Regardless, these cases are reminders of the importance of effective cybersecurity practices for governments at all levels. Lastly, a trickle-down effect could occur where state courts begin to apply a “reasonable security” standard. This is important because the costs the South Carolina Department of Revenue accrued did not include legal remedies, and therefore the potential for damages could have been significantly worse. This is an example of why proper cybersecurity in government is vital not only for the protection of sensitive information, but also to protect governments from harsh monetary and reputational damages.

Cyber Insurance: Read the fine print

As governments continue using technology in ways previously not possible, they are also looking to protect themselves in ways never needed before. We use car insurance, health insurance, home insurance, and now: cyber insurance. These relatively new policies, offered by many big-name insurance companies, are designed to cover an organization’s liability in the event of a breach.

It’s important to note that cyber insurance is not a preventative measure against breaches; it is a form of cost mitigation when breaches do happen, and they likely will. Just as with any type of insurance policy, cyber insurance premiums and coverage vary, but there are some standard features.

One company offers “Optional Broadened Cyber Breach Coverage” under “General Liability Coverage Features,” providing “$50,000 to cover costs affiliated with data restoration & recreation, credit monitoring and notification of affected parties to comply with state and federal requirements.” It’s also advisable that a government pay attention to specific state and federal laws prior to purchasing a policy. For example, the latter portion of this coverage example is particularly important for New York State’s municipalities because technology law in the state requires that municipalities follow local law with regard to notification requirements following a breach.

As no two municipalities are the same, there are several items that should be taken into consideration when evaluating cyber insurance policies, according to cybersecurity experts Paul A. Ferrillo & Christine Marciano:

  1. The budget;
  2. The coverage;
  3. Exactly what events will trigger the policy;
  4. What the policy excludes;
  5. The kind of data covered; the response costs and services covered by the policy; and
  6. If vendor selection and/or legal counsel selection is possible.

When thinking about how much insurance is necessary, the answer is “as much as possible.” Ferrillo and Marciano also advise that “Using industry benchmark data from companies in your industry or sector that may have experienced a data breach can help determine the appropriate amount of coverage to purchase.”

Additionally, local governments in particular should understand that there are two specific categories of cyber liability exposures that will trigger their insurance: first-party and third-party exposures. First-party exposures include the loss, damage, or theft of data and/or software programs, business interruption as a result of network downtime, and cyber extortion attempts. Third-party exposures cover the fallout associated with security breaches, notification to affected third parties, and loss or theft of third-party data. While some of this may seem obvious, a panoptic view of all the moving pieces involved in cyber insurance helps to clarify what is or can be insured and what to look for when purchasing a cyber insurance policy.

Those with knowledge of cyber insurance also note that without a full understanding of the worth of a local government’s data, it is hard to quantify the risk. Taking another government’s assessments is a fine place to start, but analyzing the data that exists within your own government systems is the only way to get a true picture of the financial risk. With that said, this isn’t as straightforward as it seems and can be costly to do, but buying insurance without this level of understanding can also set a government up for failure, right after it has been breached.

The Internet of Things presents both governments and citizens with opportunities that are impossible to ignore, and many cities around the world have been met with transformative success. While the opportunities are undoubtedly exciting and show real potential, that potential for success should not be overshadowed by the very real challenges that the IoT presents. As more and more governments are learning, many of these challenges include the potential for legal trouble.

Kelsey Butz, Communications Manager, and Brian Burke, Managing Director, are from the Center for Technology in Government (CTG) at the University at Albany. CTG is a world-renowned applied research center that works with governments at all levels and all over the world to improve public service through innovations in technology, policy, and management.

Tyler Stacy is entering his third year at Albany Law School where he is an Associate Editor for the Albany Law Review, a teacher's assistant, and a research assistant for Dean Antony Haynes. Tyler graduated from Fordham University as an English Literature major. His interests include Cybersecurity, Bioethics, and the Humanities.

Marina Chu is entering her second year at Albany Law School where she is a member of Albany Law Review, President of the Asian Pacific American Student Law Association, and a research assistant for Dean Antony Haynes. Her research interests include Cybersecurity and Family Law. Prior to Albany Law, Marina graduated from the University at Albany.

Ryan Slattery is entering his second year at Albany Law School where he is a research assistant for Dean Antony Haynes. He is from Nanuet, NY.
