
It's no longer a question of if a computer breach will happen

With computer hacking becoming an increasing threat, municipal officials must be aware of their potential liability for a breach of computer security and have a plan in place before a breach occurs.

Breaches occur when there is a loss, theft or other unauthorized access to data containing sensitive personal information that results in the potential compromise of the confidentiality or integrity of data.

Personal data generally includes information that can be used to locate or identify an individual, such as a name, address, telephone number, Social Security number, driver's license number, account number, or credit or debit card number. It also includes more sensitive information, such as income, personal health records, military records, law enforcement investigatory records, and various disclosures made in connection with applying for government licenses or benefits.

In addition to personal data, government agencies often maintain extensive records regarding corporations, partnerships and individuals. This includes tax records and information submitted in connection with bids for government contracts and license applications.

A breach can happen when data is released intentionally but in violation of law or regulations, or when data is released accidentally because of malfunctioning software or human error. It can be the result of physical media, such as laptops, being lost or stolen. It also can occur when an employee improperly accesses information without permission, or when a computer system is hacked or infected with a virus.

Cyber liability involves exposure for breach of private data (or personal identifying information) held on computer systems. Federal and state statutes provide privacy protection and outlaw identity fraud. South Carolina law requires both government agencies and businesses to notify consumers when their personal identifying information has been compromised. It requires notification to be made without delay and in compliance with the statutory requirements. Failure to provide proper notice carries statutory penalties.

The cost of computer data security breaches can be immense because of the large number of people who may be affected. The risks of cyber liability can be minimized by proactively putting strategies in place to avoid data security breaches. Additionally, having cyber liability insurance coverage is strongly encouraged because general liability coverage often does not cover cyber liability.

To that end, the SC Municipal Insurance and Risk Financing Fund, the property and liability program sponsored by the Municipal Association, gives its members access to NetDiligence, a cyber risk management firm. NetDiligence offers proactive and reactive services for data breach responses and cyber liability issues, according to Heather Ricard, director of Risk Management Services for the Municipal Association. 

NetDiligence offers information regarding breach laws by state, self risk-assessments, and a repository of articles related to breaches around the country. It also provides access to a Breach Coach to help guide a member city if it experiences a breach, and access to a team of breach response experts, including legal counsel, computer forensics, victim notification, victim call center support, and credit monitoring.

The SCMIRF board approved using the service in August. Ricard said NetDiligence has worked with the National League of Cities Risk Information Sharing Consortium to develop the members-only content, then shared it with other NLC-RISC participating risk pools.

Private entities often invest more in cybersecurity measures, but governmental entities are subject to the same level of risk, according to Dave Chatfield of NetDiligence.

The bulk of the information, such as white papers and legal studies, on NetDiligence's eRisk Hub is intended to be proactive, Chatfield said. "It may trigger an appreciation of the risks that may be in their environment." It also may prevent a security breach.

One such risk involves credit card transactions, Chatfield said. If a municipality accepts credit cards for fines and fees, it is subject to the same regulations and bears the same responsibility as private retailers in protecting cardholder data.

Cities and towns also may have varying levels of information security skills and competence, Chatfield said. Municipal governments simply may not have a dedicated, in-house information security person and may need to reach out to private vendors to ensure their computer security is adequate.

VC3, the Municipal Association's technology partner, provides information technology services, including security audits, to cities and towns.

"Minimizing risk is primarily about understanding what your risks are," according to Brant Hale, a certified information systems security professional for VC3. "Without an understanding of what is at risk you cannot address it."

Recommendations

  • Follow vendor guidelines on securing servers and devices.
  • Encrypt files and computers, especially laptops.
  • Remove guest or default passwords.
  • Create passwords with at least 12 characters, including letters, numbers and symbols.
  • Install antivirus and antimalware software on computers.
  • Train employees to resist social engineering. Social engineering is a nontechnical intrusion of a computer system. Its success relies on people not being careful about protecting information.
  • Train employees to limit the sensitive information that they store.

Hale conducts security audits to review the security in place to protect a workplace. Security audits should include a review of existing policies, industry regulations or compliance, and controls in place to prevent a cyberattack. 

At its conclusion, the audit should provide a list of issues and suggest ways to address and remediate them, he said. He also recommended training employees to recognize risks that can affect computer systems and be aware of and avoid phishing scams.

"User training is essential to raising awareness and is a critical area often overlooked. Thousands of dollars of hardware and software are useless when a user makes bad choices and compromises security," Hale said.