Over just the past month, there’s been a major cyberattack in one city and the potential for a warning siren breach in another. The potential has always been there, but now the threats are becoming an increasingly real. And the consequences can be even worse.
We asked the attorneys at Ice Miller, a Council Associate Partner, to provide some short thoughts on the legal implications of failing to take cybersecurity seriously. If anyone in your organization doubts the threats are real, show them this. — Kevin Ebi
By Matt Diaz, Attorney, Ice Miller LLP
Cyberattacks are on the rise in the United States, and cities have become a prime target for hackers. The FBI has reported that malware attacks have increased each of the last three years, accounting for losses of over $2.4 million in 2016 alone. This brief article will survey two cyber-threats plaguing two U.S. cities and will assess some of the legal implications cities may face as a result of these security vulnerabilities.
Ransomware attack on Atlanta
In late March, the city of Atlanta was hit with a ransomware attack that crippled municipal operations. With city online services down, the municipal court couldn’t see cases, residents couldn’t pay bills online, and police officers were forced to resort to writing police reports by hand. Ransomware is a kind of malware that infiltrates a computer network and subsequently locks it down, with the attackers demanding a “ransom” in return for the key to unlock the computer network. In the case of Atlanta, the attackers demanded the equivalent of $51,000 in digital currency for the “key” to unlock their computer network.
This is not a new trend however. A school district in Montana was attacked by a ransomware attack twice since 2016. In Los Angeles and Buffalo, hospitals have been the target of such attacks. In the end, no entity – including cities – is safe from ransomware attacks.
Warning sirens hijacked in San Francisco
Just this week, news emerged that researchers at a security firm discovered a vulnerability that affects warnings systems developed by ATI Systems in the City of San Francisco. Fortunately, this was not an instance where a bad actor was trying to infiltrate emergency alert sirens. The security firm that discovered the vulnerability provided the City of San Francisco and ATI Systems three months’ notice prior to their announcement of the vulnerability in order to give them time to develop and deploy a patch.
The security firm explained that since radio protocol used to control sirens are oftentimes unencrypted, this allows attackers to exploit emergency alert sirens. This vulnerability can be exploited remotely via radio frequencies and is cheap – requiring only a $30 handheld radio and a computer.
Unfortunately, this is not a new cyber vulnerability. One year ago, hackers infiltrated Dallas’ emergency alert sirens and triggered all 156 of them at once. It took the Dallas Office of Emergency Management almost two hours to figure out how to regain control of the system.
Legal implications for cyber vulnerabilities
Aside from the administrative challenges associated with a cyberattack, there are serious legal implications that can result from these and other types of attacks. Here are just a couple of rules and regulations that might be implicated if a city’s computer network is compromised:
Federal Communication Commission’s (“FCC”) Emergency Alert Rules
The FCC regulates the nation’s Emergency Alert System (“EAS”) and has prescribed rules regulating testing protocols, EAS messages, and many other matters. Cities may find themselves the subject of an enforcement action if they do not comply with FCC rules and regulations.
Federal Educational Privacy Rights Act (“FERPA”)
FERPA is a federal law that protects the privacy of student education records. FERPA applies to all public and private schools that receive federal funding. If a city’s education network were compromised, the school district might be subject to investigation by the U.S. Department of Education, which could result in the withholding of federal funds.
State Data Breach Notification Laws
All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have data breach notification laws that cover both private and governmental entities. For example, the state of Virginia’s data breach notification law defines the term “entity” to include “governments, governmental subdivisions, [and] agencies . . . .” [VA Code § 18.2-186.6 (2018)]. The law requires an entity that experiences a data breach to notify affected individuals and the state attorney general. Cities in Virginia and throughout the country may fall under their respective state’s breach notification laws and would be required to comply with all statutory requirements therein.
These are just a few of the kinds of cyberattacks plaguing U.S. cities and the legal implications associated with these attacks. Cities need to begin to take cybersecurity threats seriously and develop robust protections for their networks before they are the next city on the news as a victim of a cyberattack.
Matthew “Matt” Diaz is an attorney in Ice Miller’s Internet of Things practice and the Firm’s Data Security and Privacy Group. Ice Miller provides legal solutions for clients, including those involved with Smart Cities, Connected Autonomous Vehicles (CAV), the Industrial Internet of Things, the Internet of Health Things, Intelligent Transportation Systems, and many other connected businesses. Ice Miller guides and counsels municipal leaders as they seek to develop the infrastructure, to understand the technology, and to implement financial and legislative solutions needed to build a smarter city. For more information, please visit: icemiller.com/IOT