What’s at Stake When Government’s Data Is Stolen

Cyber breaches can cost the taxpayers a lot of money. But the consequences aren't just financial.
May 23, 2017
By Shannon T. O'Connor  |  Contributor
Attorney with Goldberg Segalia who focuses on governmental liability

Cybersecurity is more than just an information-technology issue. It is a public-safety concern and an area of potential exposure to liability. As part of their daily operations, governments collect personal data to use to improve public services. With such large amounts of data housed on their servers, it is not a question of if but of when a government or one of its agencies will experience a data breach.

That's a reality that officials of Minnesota's Mille Lacs County are painfully aware of. Last year, the county settled a $1 million class-action lawsuit after an employee was accused of accessing driving records without authorization. Over a four-year period, according to the suit, a county child-support investigator accessed driver's license records of 379 county residents not associated with any family-services cases or investigations. Once made aware, the county notified these individuals in a letter acknowledging "unauthorized access" by a "former employee."

In their suit, the plaintiffs alleged that the county had insufficient policies and had "failed to put into place systems and/or procedures to ensure … class members' private data would be protected and would not be subject to misuse." The suit said those lapses amounted to a violation of the federal Drivers Privacy Protection Act (DPPA), which prohibits knowingly obtaining, using or disclosing personal information without a statutory purpose.

Notably, the Mille Lacs County settlement came just three years after Rock County, Minn., agreed to pay $2 million to settle a case involving one of its family-services employees improperly searching the same database.

Two million dollars is a lot of money, but the cost to taxpayers can be far higher when hackers target large government networks. In one substantial breach, hackers entered multiple databases and stole the personal identifying information -- including names, addresses, Social Security numbers, driver's license numbers and other demographic information -- of two million employees, students and prospective students of a community college system in Arizona.

In 2013, the FBI notified the 10-campus Maricopa County Community College District that the stolen information was for sale on the Internet. Multiple class actions were commenced alleging violations of both DPPA and the Federal Education Privacy Rights Act (FERPA). FERPA applies to all public and private schools that receive federal funding - essentially encompassing most elementary, secondary and post-secondary schools as well as local education agencies.

Taxpayers ultimately paid $26 million to settle the litigation and address the hacking event, including $9.3 million in attorneys' fees, $7.5 million in network upgrades, repairs and consulting fees, and $7 million to notify those impacted by the breach and pay for their credit monitoring.

The far-reaching financial consequences of the Maricopa County breach illustrate the necessity of proactively addressing system vulnerabilities. But public entities also are subject to enforcement actions and financial penalties from regulatory agencies for misuse or mishandling of private data.

In 2014, for instance, the U.S. Department of Health and Human Services (HHS) fined Skagit County, Wash., $215,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA) and breach-notification rules that affected nearly 1,600 individuals. Initially, the county learned that it had mistakenly provided public access to seven individuals' electronic protected health information. But an investigation by HHS revealed that the county public health department had inadvertently uploaded the same type of information -- which included records on testing and treatment of infectious disease -- for 1,581 individuals to a county public server.

The county's settlement agreement with HHS included an extensive corrective-action plan that required the drafting of written protocols, implementation of new policies, training for all employees and new reporting requirements. It marked HHS' first settlement with a county government, and the federal agency's Office for Civil Rights used the occasion to call on all local governments "to adopt a meaningful compliance program to ensure the privacy and security of patients' information."

Clearly government officials have a responsibility to address cybersecurity threats to their networks from both inside and outside their organizations. Inaction is both costly and irresponsible, and failure to adequately address vulnerabilities can result in taxpayers footing the bill for costly litigation or regulatory enforcement. But something even more important is at stake: the public's trust.