More than 94 million citizens' records, under the care of government agencies, are estimated to have been lost or breached since 2009.[1] Multiply this figure by $194, the average cost per compromised record for organizations in the U.S. according to the Ponemon Institute's Annual Study,[2] and the numbers become astronomical: nearly $18.2 billion worth of damage.
The cost of an incident is not limited to the dollars spent to investigate and remediate it and to handle possible subsequent litigation; it extends to the incalculable cost of regaining lost citizen trust. As public sector organizations face unprecedented risk from cyber attacks and high costs from data breaches, protecting sensitive and personally identifiable information is quickly becoming a top priority for state and local governments. Public officials are increasingly realizing that if they do not get data security right and breaches occur, their departments and agencies will be perceived as ineffective, and their citizens may suffer direct harm.
Indeed, the extraordinary amount of personal data collected by public entities makes them attractive targets for cybercriminals and hacktivists, as well as putting them at risk through mere human error. The security posture of government entities is typically lower than that of commercial organizations. As the private sector increases its security measures in response to the high-profile breaches that struck Sony, Target and Home, public entities, with their vast amounts of sensitive data, are perceived as "soft targets."
The significant risk faced by public entities has been underscored by recent breaches hitting state and local governments. For example, the South Carolina Department of Revenue suffered a major breach in which 3.8 million taxpayers and their 1.9 million dependents had their Social Security numbers exposed along with credit card and bank account information. The attack started when a targeted phishing e-mail delivered to an employee allowed the hackers to gain access to 44 servers, installing 33 pieces of malicious software and utilities along the way, all undetected. The state estimates that it will pay up to $12 million to enroll affected individuals in credit-monitoring services. The Montana Department of Public Health and Human Services notified 1.3 million current and former medical patients after a computer server was hacked. In early 2014, Indiana University said the personal information, including names, addresses and Social Security numbers, of approximately 146,000 students and recent graduates may have been exposed during a data breach, and the University of Maryland also reported last month that hackers stole records of more than 300,000 faculty, staff and students, including their names, Social Security numbers, dates of birth and university identification numbers.
As a result of these and numerous other incidents involving public governments and agencies, public entities increasingly face fines and penalties. Skagit County in northwest Washington recently agreed to a $215,000 monetary settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), and agreed to enter into a corrective action plan after a breach involving the protected health information of 1,581 individuals. In announcing the settlement, the OCR noted that "This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size." The OCR further cautioned that state and local governments are not immune from future enforcement actions and that "agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients' information."
Accordingly, public entities should immediately consider undertaking the following to reduce the risk of a data breach:
- Developing and periodically testing an incident response plan that identifies an incident response team (including key stakeholders and the forensic and legal team) before an incident occurs;
- Assessing the adequacy of existing cyber-insurance coverage;
- Conducting regular risk assessments to identify potential cybersecurity threats, including evaluating the effectiveness of current controls in light of identified risks;
- Prioritizing resources, assets and systems according to the nature and level of threats and vulnerabilities, and revising procedures and controls, as necessary and appropriate, to address and mitigate areas of risk identified in the risk assessment;
- Evaluating potential third-party/vendor risk and indemnification provisions to ensure they cover the full costs of a data breach, including notification costs and credit monitoring;
- Conducting periodic employee training on privacy and security policies and incident response procedures; and
- Proactively and systematically identifying and deleting obsolete legacy data containing citizens' and employees' personal information, protected health information and other sensitive data.