Back to the May-Jun 2021 issue

Legal Requirements for Avoiding and Responding to Cyberattacks

By Joline Zepcevski

A dark, hooded cyber attacker at a laptopThe City of Oldsmar, Florida, recently found itself at the center of national attention, when a hacker temporarily increased the levels of lye in the drinking water over 110 times the normal amount. It could have poisoned residents and corroded the pipes.

Oldsmar was lucky, though. According to Forbes, a plant operator saw the hacker’s remote access in real time, and quickly fixed the levels.

While Oldsmar was able to avert disaster, this network breach should serve as a warning. Cyberattacks on cities are increasing. The National League of Cities estimates that, on average, a successful attack will cost a city over $6 million. When confronting and responding to cyberattacks, cities are subject to regulatory and statutory requirements that differ from private enterprise.

State requirements

Minnesota Rules, part 1205.1000 requires cities to appoint a single employee as the city’s responsible authority. That employee is responsible for all data collected, used, and released by the city.

The responsible authority is also required to create policies and procedures to safeguard nonpublic, private, and confidential data. The League of Minnesota Cities recommends reviewing this data access policy yearly.

Cities must conduct an annual comprehensive security assessment of any personal information they retain. This security assessment should be well-documented.

Personal information is information that combines an individual’s name with a social security number, driver’s license, Minnesota ID card number, or banking information. During the security assessment, data should be categorized and isolated. If there is no reason to keep it, the city should get rid of it.

If a data breach occurs, the city must notify anyone whose private information was accessed in the breach. The city must investigate the breach and prepare a report explaining what happened. Anyone notified of the breach must have access to the report, unless law enforcement believes releasing the information would impact an active investigation.

Cyberattack could lead to lawsuit

Lawsuits against victims of cyberattacks are becoming more common. Even if a city follows all the requirements, it may face lawsuits related to invasion of privacy, violation of the Minnesota Government Data Practices Act, or negligence.

Like any other organization, cities may be liable for negligence if they have not exercised reasonable care. Reasonable care includes carefully following the policies and procedures that have been developed and distributed by the responsible authority.

The city should have a policy stating that software updates must be applied within a space of time. But if the city does not update the software, that could allow hackers to breach the system.

Timely software updates can prevent breaches and reduce the potential for damages because of a breach. Following established data policies and procedures and documenting data security assessments will help ensure the city has clearly taken reasonable care to protect its data.

All are responsible

Having the correct policies and procedures, as discussed above, is key. But the responsibility for network security is wider than just the city’s information technology department; it is a responsibility for all employees. And if nothing else, remember, don’t click that link. It probably isn’t really a video from your childhood friend’s sister-in-law.

Joline Zepcevski is a law clerk with the League of Minnesota Cities. Contact: jzepcevski@lmc.org or (651) 281-1219.