Liability Is Another Critical Reason to Be Prudent About Cybersecurity
Posted on June 1, 2021 by Karyn Henry, J.D.
Cyberattacks should be on the radar of every agency in the public-safety/justice community. One of the most prevalent attacks involves ransomware, which is a specific type of malware that cyberattackers use to exploit a system vulnerability and then launch a program that encrypts the organization’s data files, essentially locking them and rendering them unusable. The cyberattacker then demands a ransom—hence the name—to provide the key that unlocks the files.
The Federal Bureau of Investigation (FBI) indicates that it rarely sees anything other than ransomware attacks these days, and the reason is that it has become big business for the hacker community. Billions of dollars are paid annually to cyberattackers by organizations in both the private and public sectors. Public-safety agencies are especially vulnerable to cyberattacks because of the data they target—when this data is compromised, mission-critical systems—e.g., 9-1-1 call-handling and computer-aided dispatch—can be rendered inoperable, which would have a severely negative impact on emergency response, perhaps bringing it to a halt, at least temporarily. This is the ultimate nightmare scenario for a sector whose business is saving lives.
Even more intimidating, according to the Cybersecurity & Infrastructure Security Agency (CISA)—which works closely with the FBI and other security entities to defend against cyberattacks—cyberattackers regularly sell extricated data, often on the dark web, to other bad actors with malicious intent if the ransom is not paid. This scenario creates compromising liability issues for public-safety and justice agencies given the personal and/or sensitive information in their possession. Thus, every agency needs to protect itself from potential liabilities if a cybersecurity breach were to occur.
Prudence is Key When it Comes to Cybersecurity Incident Response
Statutes, regulations and policies regarding incident response vary greatly from jurisdiction to jurisdiction including how cybersecurity breaches should be mitigated and how those affected should be notified. It is prudent then for every agency to become familiar with the governance that exists where they are located. Even if the theft causes no harm to stakeholders—meaning that the data was compromised but not stolen—some courts have held that organizations still be liable for damages. “Legal standing,” sometimes referred to as “standing to sue,” is the federal law doctrine that focuses on whether a prospective plaintiff can show that some personal legal interest has been invaded by the defendant. Federal circuit judges have been divided as to what establishes adequate standing to bring a cybersecurity breach case; accordingly, comprehensive interpretations may increase the risk of cybersecurity breach liability claims.
As the adage goes, an ounce of prevention is worth a pound of cure. Avoiding a cyberattack altogether is the best approach, but if one does occur, being able to demonstrate that your agency took appropriated prevention and mitigation actions prior to the attack will strengthen your agency’s defense if litigation occurs.
MCP’s lifecycle management services business has a comprehensive cybersecurity monitoring suite with endpoint protection recently added. This is important because network and system endpoints, (i.e., workstations and servers,) are the most vulnerable network and system elements due to their position of directly interfacing with the applications that we use. Those applications act as gateways into those endpoints and thus are used by cyberattackers to deliver the malware that will enable them to carry out their nefarious missions—like ransomware attacks.
Our cybersecurity experts would love the opportunity to talk with you about protecting your networks, systems, and more importantly, your data. In the meantime, we urge you to participate in our second-annual Conference for Advancing Public Safety (CAPS), a two-day virtual conference that will be held June 15-16, 2021. (Click here for more information.) During the conference, a session entitled “Cybersecurity and Public Safety: What We’ve Learned,” will be presented from 11:00 a.m. - 12:00 p.m. Eastern on June 15th. MCP assures that you will find it to be time well spent.
Karyn Henry J.D. is an MCP communications consultant that brings years of wireless and telecommunications group leadership towards legal and regulatory initiatives. She brings policies and procedures expertise to MCP projects to develop for innovative solutions.