https://www.americancityandcounty.com/wp-content/themes/acc_child/assets/images/logo/footer-logo.png
  • Home
  • Co-op Solutions
  • Hybrid Work
  • Commentaries
  • News
  • In-Depth
  • Multimedia
    • Back
    • Podcast
  • Resources & Events
    • Back
    • Resources
    • Webinars
    • White Papers
    • IWCE 2022
    • How to Contribute
    • Municipal Cost Index – Archive
    • Equipment Watch Page
    • American City & County Awards
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Privacy Statement
    • Terms of Service
American City and County
  • NEWSLETTER
  • Home
  • Co-op Solutions
  • Hybrid Work
  • Commentaries
  • News
  • In-Depth
  • Multimedia
    • Back
    • Podcasts
  • Resources/Events
    • Back
    • Webinars
    • White Papers/eBooks
    • IWCE 2022
    • How to Contribute
    • American City & County Awards
    • Municipal Cost Index
    • Equipment Watch Page
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Cookie Policy
    • Privacy Stament
    • Terms of Service
  • newsletter
  • Administration
  • Economy & Finance
  • Procurement
  • Public Safety
  • Public Works & Utilities
  • Smart Cities & Technology
  • Magazine
acc.com

Commentaries


Commentary

Data breach notification statutes

Data breach notification statutes

Attorney Shannon T. O'Connor discusses why municipal governments should obtain data protection and understand how liability is affected in data breaches.
  • Written by contributor
  • 26th July 2017

By Shannon T. O’Connor

High-profile cyber-attacks and investigations into data breaches have brought more attention to the importance of data technology, from individuals’ daily lives up to the highest levels of government. Governments and government employees continually try to assess the risks of a cyber-attack or other data breach — but beyond the immediate risks of compromised data and disrupted services lies the risk of liability.

Governments should invest in data protection — but not without understanding potential liability in the event of a breach. Policymakers and executives must understand the legal duties of a city or county government in case of a security or data breach, existing policies and incident response protocols — including which departments are responsible for handling a breach — and state and federal statutes.

It is easy to allocate funds toward issues more visible than IT upgrades or cybersecurity; however, failure to comply with legal obligations following a data breach damages a government’s credibility — all while the government may be struggling to provide normal services.

All governments are subject to cyber threats, and the likelihood of a data breach increases daily. A breach should trigger an internal response, involving the team tasked with identifying, containing, fixing, and complying with the external requirements. The external requirements are simply what a city or county is obligated to do under the current law.

Currently, 47 states have in place mandatory data breach notification statutes specifying post-breach obligations that apply to local governments. All breach notification statutes cover several main topics, including:

  • A definition section describing the types of events that constitute a breach and what constitutes personally identifying information;

  • Who must be notified and the deadline to make that notification;

  • An outline of acceptable methods of notification, including whether written notice or electronic notice is required;

  • Penalties for noncompliance.

Some states include a provision to notify the Attorney General’s office based on a numerical threshold of a certain number of individuals affected.

Municipalities often look to other jurisdictions to emulate. This is a bad idea. Although similarities exist in terms of common elements covered by these state statutes, there are variations both obvious and nuanced. For example, many states include an encryption safe harbor in the definition section, which means the statutory notification requirement only applies when personal identifying information is not encrypted. However, notification may still be required even if the information is encrypted, if it’s reasonable to conclude that the encryption key was obtained in the hacking or breach event. Some states require an element of harm to be present before notification requirements kick in. 

The best place to look before drafting policies and protocols is the state statute itself. It would be prudent to adopt the definition section of the relevant statute into the policy. Notably, a municipality can draft a more restrictive policy, but must comply with the statutory requirements at a minimum. Any internal policy should include the deadlines for notification and assign which department or personnel will implement the notifications.

The response by a government following a data breach can assist in restoring credibility in the eyes of the public. Prioritizing cybersecurity demonstrates that a city or county understands the current threat, takes its obligations to protect the public seriously, and is engaged with 21st century issues and standards of municipal service. It is no longer simply about potholes, police, and fire services — a government must protect citizens’ private information. As technologies and threats evolve, so too must local governments in their understanding of duties and obligations to the public. 

 

Shannon T. O’Connor is an associate attorney at law firm Goldman Segalla, who focuses her practice on municipal and governmental liability and matters involving employment and labor. She is a Local Government Fellow of the International Municipal Lawyers Association (IMLA).

 

_____________

To get connected and stay up-to-date with similar content from American City & County:
Like us on Facebook

Follow us on Twitter
Watch us on YouTube

Tags: Public Safety Commentaries Commentary

Most Recent


  • MSPs
    The MSP downstream cyberthreat paradox: Understanding the city and county connection
    Recently the Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI, NSA, and international cyber authorities issued a cybersecurity advisory aimed at protecting managed service providers (MSPs) and their customers. This high-level advisory has been gestating for some time ever since the SolarWinds and Kaseya supply chain cyber-attacks. A software supply chain attack occurs […]
  • Report: Nearly 95 percent of America's mayors face harassment, threats and violence
    In today’s divided socioeconomic landscape—one that’s rife with political angst—harassment of mayors has become commonplace, especially against minority leaders. Women mayors and mayors of color face more frequent and acute incidents of harassment and violence, according to new research from the advocacy organizations Equity Agenda and the Mayors Innovation Project. Nearly half of all women mayors […]
  • Victims of Surfside condo collapse settle for nearly $1B in class action lawsuit
    Nearly $1 billion—that’s how much victims of last year’s Surfside, Fla. condo collapse will receive, lawyers representing victims in a class action lawsuit announced unexpectedly Wednesday in a courtroom hearing. It’s among the largest settlements from a single incident in U.S. history. “We all know there is no amount of money in the world that […]
  • Video: Axon drone demonstration at IWCE 2022

Related Content

  • How governments can keep employees safe as they return to work
  • Preventing cyber-attacks needs to be a priority for local governments
  • Building community and officer wellness through data sharing
  • California city combines advanced technology with dedicated public safety team for comprehensive emergency management

Twitter


AmerCityCounty

The MSP downstream cyberthreat paradox: Understanding the city and county connection dlvr.it/SQYVjs

17th May 2022
AmerCityCounty

Philanthropic group to launch assistance portal for local admins navigating federal bureaucracy dlvr.it/SQY16G

17th May 2022
AmerCityCounty

Report: Nearly 95 percent of America’s mayors face harassment, threats and violence dlvr.it/SQTn2z

16th May 2022
AmerCityCounty

The PIO’s Ultimate Guide to Social Media dlvr.it/SQTdCK

16th May 2022
AmerCityCounty

Gain Greater Visibility Into Your Public Works Fleet dlvr.it/SQSqXG

16th May 2022
AmerCityCounty

Report: Almost half of public sector retirees don’t touch their retirement plans for a decade dlvr.it/SQKMjp

13th May 2022
AmerCityCounty

Four steps to ensure your budget prioritizes equity dlvr.it/SQJgZz

13th May 2022
AmerCityCounty

Victims of Surfside condo collapse settle for nearly $1B in class action lawsuit dlvr.it/SQJffb

13th May 2022

Newsletters

Sign up for American City & County’s newsletters to receive regular news and information updates about local governments.

Resale Insights Dashboard

The Resale Insights Dashboard provides model-level data for the entire used equipment market to help you save time and money.

Municipal Cost Index

Updated monthly since 1978, our exclusive Municipal Cost Index shows the effects of inflation on the cost of providing municipal services

Media Kit and Advertising

Want to reach our digital audience? Learn more here.

DISCOVER MORE FROM INFORMA TECH

  • IWCE’s Urgent Communications
  • IWCE Expo

WORKING WITH US

  • About Us
  • Contact Us

FOLLOW American City and County ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2022 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X