For the better part of 5 years, I have been speaking about data privacy, security and risk within the public sector.
For all the talk of banks and hospitals and other entities protecting your data, one of the richest pools of data to be stolen exists at the municipal level.
Think about it. Your city/township/borough/village/county knows your:
- Phone number
- Children’s names, and the same data about them
- SSN, in many cases, for county tax purposes and for school identification of those children
- Place of work
I could go on, but you get the picture. Your municipality holds a wealth of your information, and those charged with protecting it (from the top down: Mayors, County Executives, Municipal Councils, …) are not only doing little to protect it, but several have actively resisted calls for transparency and for disclosing these breaches.
Let’s understand something first. We, as citizens, expect to know when our information has been compromised. You may be asking yourself, ‘This is a good thing. I heard that my state has a breach notification law, so if my personal information is compromised, they’ll notify me…. right?’ The answer may surprise you. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. There’s the magic word…OR!
While all 50 states and several territories have laws requiring that affected parties be notified in the event of a breach, many of those laws apply only to business or commercial entities, and they mandate only that those businesses or commercial entities notify the affected parties. Many of these states define what constitutes an “organization” that does business within the state, but never address municipalities within the state. Take the State of Mississippi.
Mississippi Code Annotated § 75-24-29 states:
(1) This section applies to any person who conducts business in this state and who, in the ordinary course of the person’s business functions, owns, licenses or maintains personal information of any resident of this state.
I’m sure one could argue that a municipality in the State of Mississippi “does business” within the State of Mississippi. But one could equally argue that the law clearly says “conducts business” and “business functions”, and that those terms do not necessarily cover municipal functions. I’m not picking on Mississippi. I’ve been tracking school/K-12 security incidents with the help of the K-12 Cybersecurity Resource Center, and there have been only 3 documented cybersecurity ‘incidents’ reported in Mississippi since January of 2016. With the number of breaches disclosed daily, 3 in one state in over 2 years seems shockingly low. Could it be that the laws of the State of Mississippi don’t require a known breach to be disclosed?
And then there’s Kansas:
2014 Kansas Statutes – Chapter 50 – Article 7a – Section 1:
(h) “Security breach” means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or a commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer.
As with Mississippi, one could argue that a municipality falls under the ‘individual’ clause, or stretch to call a municipality a ‘commercial entity’. But when a state the size of Kansas has only 2 noted K-12 cybersecurity incidents since January of 2016, one must wonder: is the entire state that good at preventing cybersecurity issues, or are incidents simply not being reported to the affected parties?
In the last month alone, there have been 10 publicized cybersecurity incidents in the United States affecting local municipalities, in which personal information of their constituents could have been compromised. Two high-profile cases happened in Minnesota. In both cases, the affected persons were notified that their data could have been compromised. Unfortunately, the municipalities involved were not as forthcoming as one would have hoped:
Ramsey County, MN:
In August 2018, an outside party gained unauthorized access to Ramsey County Social Services and attempted to divert 28 employees’ paychecks. In October 2018, a security firm performing an assessment discovered that Ramsey County systems had been compromised and that data on about 500 of the county’s clients could have been exposed. On or about December 10th, 2018, Ramsey County officials sent breach notifications to the affected parties. Only four months after the breach, and two months after it was discovered, were the affected parties finally notified.
Wright County, MN:
In March 2018, an IT worker for Wright County innocently took work home with him. What he took home was unencrypted information on many Wright County residents, including the names and Social Security numbers of a wide range of citizens. About 72,000 ‘records’ were compromised: almost HALF of the residents of Wright County. These kinds of breaches happen all the time. Having no policy that governs whether personal data may go home with someone, not encrypting that data, and not enforcing a work-from-home policy that keeps certain kinds of data from leaving campus are, sadly, common failures. What alarmed many residents is that a search warrant dated April 13th, 2018 clearly showed that county officials knew of the breach by then. That means it took 8 months from the execution of the search warrant to the county notifying its citizens of the breach.
These two cases didn’t happen within the last month; rather, they were publicized, and letters were sent to affected citizens, within the last month.
Our…YOUR municipality must do better. You, the citizen, should talk to your local legislators and ask for more transparency and a heightened awareness of cybersecurity problems at the municipal level. We go about our daily lives hoping that places like our banks, and the accounts we hold with them, won’t be compromised, only to have our own local governments compromised and our personal information exposed. Then, to add insult to injury, the municipality drags its feet in notifying us. Many in these municipal positions were elected to office. Even worse, they are your neighbors!
What are your thoughts on municipalities doing more to protect their constituents, citizens and neighbors from the cyberthreats out there? Is 4, 6, 8 or 12 months an acceptable amount of time to notify you that your personal data could have been compromised? Leave your comments below and let us know what you think.