As the dust still settles from a major ransomware attack in November that cost Delaware County taxpayers half a million dollars, a new legal consideration looms for county officials: notifying any persons or businesses who might have had personal or privileged information compromised.
Pennsylvania has a “Breach of Personal Information Notification Act” requiring any entity that stores computerized personal information to give notice if the data is breached.
“‘Entity’ is broadly defined to include a Pennsylvania state agency or political subdivision, [or] an individual or business doing business in Pennsylvania,” according to a primer on the law from the firm Knox Law, which maintains several offices in the state.
“Except for delays requested to meet the needs of law enforcement or in order to take necessary measures to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay to Pennsylvania residents,” the Knox Law article further notes.
The county responded in generalities when Delaware Valley Journal asked where officials were in the process of making notifications, assuming that the breach was so wide it was likely to have compromised some personal data.
“The County has released several public and internal statements,” spokeswoman Adrienne Marofsky said. “The County is not releasing any further updates at this time. This is an on-going criminal investigation. We will be releasing public and internal communications as warranted.
“The County is aware of its legal obligations and is continuing to analyze the extent of the cyber intrusion,” she added. “The County has engaged technical and legal experts to assist it in this analysis.”
The attack happened 24 days ago, on Saturday, November 21.
“Each Pennsylvania resident whose unencrypted or un-redacted personal information was, or was reasonably believed to have been, accessed by an unauthorized person should be given notice of the breach,” the Knox Law article notes.
For a small business, for example, notification might mean emailing only the few thousand customers it has on file.
But given the breadth of data assumed to have been accessed in Delaware County’s example, it may have to use other options of notification, including “conspicuous posting of the notice on the entity’s Internet website if the entity maintains one; and Notification to major statewide media.”
Much of the issue for the county could center on the phrase “unreasonable delay” in the law.
“Generally, notice of a security breach must be made ‘without unreasonable delay,’ yet another undefined term,” notes a different legal blog, this one from Wolf, Baldwin and Associates. “However, the notification required by the Act ‘may be delayed if a law enforcement agency determines and advises the entity in writing…that the notification will impede a criminal or civil investigation.’ In such a case, the notification must be made only after the law enforcement agency determines that notification ‘will not compromise the investigation or national or homeland security.’”
In the intervening days, the county has said little about the attack. But multiple media outlets confirmed the hackers demanded a $500,000 ransom which the county paid.
The expense will certainly far exceed the ransom amount alone, however. Investigating the attack carries its own costs, and the county is expected to upgrade its computer networks and security systems.
Additionally, the county likely had to pay a deductible if it made a claim on its ransomware insurance, and the premiums on that insurance could be going up as well when it’s time to renew.
Ransom amounts have been steadily increasing over the last several years, greatly increasing the risk for governments.
For example, in 2019, the City of Baltimore was hit in a ransomware attack in which the criminals sought a payout of $76,000. Baltimore decided not to pay the attackers, and then had to spend hundreds of thousands of dollars rebuilding computer networks and recreating lost files.
Baltimore’s mayor, Bernard C. “Jack” Young, has been urging governments not to pay cyber ransoms, arguing that it only perpetuates and strengthens the criminal activity, making the cost greater to citizens across the country.