https://www.americancityandcounty.com/wp-content/themes/acc_child/assets/images/logo/footer-logo.png
  • Home
  • Co-op Solutions
  • Hybrid Work
  • Commentaries
  • News
  • In-Depth
  • Multimedia
    • Back
    • Podcast
    • Latest videos
    • Product Guides
  • Resources & Events
    • Back
    • Resources
    • Webinars
    • White Papers
    • IWCE 2022
    • How to Contribute
    • Municipal Cost Index – Archive
    • Equipment Watch Page
    • American City & County Awards
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Cookie Policy
    • Privacy Statement
    • Terms of Service
American City and County
  • NEWSLETTER
  • Home
  • Co-op Solutions
  • Hybrid Work
  • Commentaries
  • News
  • In-Depth
  • Multimedia
    • Back
    • Podcasts
    • Latest videos
    • Product Guides
  • Resources/Events
    • Back
    • Webinars
    • White Papers/eBooks
    • IWCE Expo
    • Calendar of Events
    • How to Contribute
    • American City & County Awards
    • Municipal Cost Index
    • Equipment Watch Page
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Cookie Policy
    • Privacy Stament
    • Terms of Service
  • newsletter
  • Administration
  • Economy & Finance
  • Procurement
  • Public Safety
  • Public Works & Utilities
  • Smart Cities & Technology
  • Magazine
acc.com

Commentaries


Commentary

Data breach notification statutes

Data breach notification statutes

Attorney Shannon T. O'Connor discusses why municipal governments should obtain data protection and understand how liability is affected in data breaches.
  • Written by contributor
  • 26th July 2017

By Shannon T. O’Connor

High-profile cyber-attacks and investigations into data breaches have brought more attention to the importance of data technology, from individuals’ daily lives up to the highest levels of government. Governments and government employees continually try to assess the risks of a cyber-attack or other data breach — but beyond the immediate risks of compromised data and disrupted services lies the risk of liability.

Governments should invest in data protection — but not without understanding potential liability in the event of a breach. Policymakers and executives must understand the legal duties of a city or county government in case of a security or data breach, existing policies and incident response protocols — including which departments are responsible for handling a breach — and state and federal statutes.

It is easy to allocate funds toward issues more visible than IT upgrades or cybersecurity; however, failure to comply with legal obligations following a data breach damages a government’s credibility — all while the government may be struggling to provide normal services.

All governments are subject to cyber threats, and the likelihood of a data breach increases daily. A breach should trigger an internal response, involving the team tasked with identifying, containing, fixing, and complying with the external requirements. The external requirements are simply what a city or county is obligated to do under the current law.

Currently, 47 states have in place mandatory data breach notification statutes specifying post-breach obligations that apply to local governments. All breach notification statutes cover several main topics, including:

  • A definition section describing the types of events that constitute a breach and what constitutes personally identifying information;

  • Who must be notified and the deadline to make that notification;

  • An outline of acceptable methods of notification, including whether written notice or electronic notice is required;

  • Penalties for noncompliance.

Some states include a provision to notify the Attorney General’s office based on a numerical threshold of a certain number of individuals affected.

Municipalities often look to other jurisdictions to emulate. This is a bad idea. Although similarities exist in terms of common elements covered by these state statutes, there are variations both obvious and nuanced. For example, many states include an encryption safe harbor in the definition section, which means the statutory notification requirement only applies when personal identifying information is not encrypted. However, notification may still be required even if the information is encrypted, if it’s reasonable to conclude that the encryption key was obtained in the hacking or breach event. Some states require an element of harm to be present before notification requirements kick in. 

The best place to look before drafting policies and protocols is the state statute itself. It would be prudent to adopt the definition section of the relevant statute into the policy. Notably, a municipality can draft a more restrictive policy, but must comply with the statutory requirements at a minimum. Any internal policy should include the deadlines for notification and assign which department or personnel will implement the notifications.

The response by a government following a data breach can assist in restoring credibility in the eyes of the public. Prioritizing cybersecurity demonstrates that a city or county understands the current threat, takes its obligations to protect the public seriously, and is engaged with 21st century issues and standards of municipal service. It is no longer simply about potholes, police, and fire services — a government must protect citizens’ private information. As technologies and threats evolve, so too must local governments in their understanding of duties and obligations to the public. 

 

Shannon T. O’Connor is an associate attorney at law firm Goldman Segalla, who focuses her practice on municipal and governmental liability and matters involving employment and labor. She is a Local Government Fellow of the International Municipal Lawyers Association (IMLA).

 

_____________

To get connected and stay up-to-date with similar content from American City & County:
Like us on Facebook

Follow us on Twitter
Watch us on YouTube

Tags: Public Safety Commentaries Commentary

Most Recent


  • disasters
    10 Safest Cities from Natural Disasters
    September is National Preparedness Month, which helps to raise awareness about the importance of preparing for disasters and emergencies. This year’s theme is “Take Control in 1,2,3,” focusing on preparing older adults for disasters, specifically those that live in areas impacted by all-hazard events. As a way to mark National Preparedness Month, Gutter Gnome recently […]
  • City advocacy organizations applaud establishment of White House Office of Gun Violence Prevention
    Every day, an average of 327 people in the United States are shot and 117 are killed, according to the gun violence advocacy organization Brady. Gun violence is an epidemic that has affected every city, county and region in the nation. Municipal and county administrators often find themselves on the frontlines, responding to tragedies and […]
  • Report: Modern construction techniques, building codes protected structures that survived Lahaina fire
    More than a month after wildfire ripped through the historic community of Lahaina, Hawaii, emergency responders continue working to get a more comprehensive picture of what triggered the tragedy. The death toll remains at 115 people. A recent report from the Insurance Institute for Business and Home Safety’s research division unpacks why the fire was […]
  • asthma
    The top 10 Asthma Capitals for 2023
    September is Asthma Peak Month thanks to ragweed pollen peaking, higher mold counts, the start of cold and flu season, and kids headed back to school. The Asthma and Allergy Foundation of America (AAFA) has released its 2023 Asthma Capitals report, which analyses data from the 100 most populated cities and reveals the most challenging […]

Related Content

  • How governments can keep employees safe as they return to work
  • Preventing cyber-attacks needs to be a priority for local governments
  • Building community and officer wellness through data sharing
  • California city combines advanced technology with dedicated public safety team for comprehensive emergency management

WHITE PAPERS


7 Resources to Level-up Your Federal Grants Administration and Compliance

5th September 2023

Elevator Phone Line Replacement Strategy | A Guide to Reliable, Code-Compliant Solutions

29th August 2023

2023 State of Public Sourcing Report: The Bright Future of Public Procurement

23rd August 2023
view all

Webinars


Grant Preparedness: Unlocking Funding Opportunities for Your Success

10th August 2023

2023 State of Public Sourcing: Taking Local Governments into a Bright Future

1st August 2023

Stop Playing with Fire: How to Manage Infrastructure Asset Risk So You Know You’re Covered

20th June 2023
view all

Podcast


Young Leaders Episode 4 – Cyril Jefferson – City Councilman, High Point, North Carolina

13th October 2020

Young Leaders Episode 3 – Shannon Hardin – City Council President, Columbus, Ohio

27th July 2020

Young Leaders Episode 2 – Christian Williams – Development Services Planner, Goodyear, Ariz.

1st July 2020
view all

GALLERIES


10 Safest Cities from Natural Disasters

29th September 2023

Gallery: Hottest temperatures recorded in American cities during July

12th September 2023

The top 10 Asthma Capitals for 2023

7th September 2023
view all

Twitter


Newsletters

Sign up for American City & County’s newsletters to receive regular news and information updates about local governments.

Resale Insights Dashboard

The Resale Insights Dashboard provides model-level data for the entire used equipment market to help you save time and money.

Municipal Cost Index

Updated monthly since 1978, our exclusive Municipal Cost Index shows the effects of inflation on the cost of providing municipal services

Media Kit and Advertising

Want to reach our digital audience? Learn more here.

DISCOVER MORE FROM INFORMA TECH

  • IWCE’s Urgent Communications
  • IWCE Expo

WORKING WITH US

  • About Us
  • Contact Us

FOLLOW American City and County ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookie Policy
  • Terms
Copyright © 2023 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.