Ransomware Attacks for Local Governments and Public Agencies: A Primer

Public Finance Alert
April.03.2018

Background

The recent ransomware attack on the City of Atlanta highlights the fact that the threat of ransomware affects all organizations, regardless of the nature of their industry, business, or operations, and that political subdivisions and quasi-government entities face particular challenges in protecting themselves and responding to attacks. Counties, cities, political subdivisions, and nonprofit corporations have become a favorite target for cybercriminals because they are increasingly leveraging technology to collect, store, and use personal information to deliver services and programs to individuals, and because their networks tend to run on a complicated fabric and interconnectedness of legacy systems that are difficult to protect and defend. As a result, attackers are targeting emergency response systems, disaster response systems, public utilities payment and information systems, police department systems, election and voter information systems, medical information systems, and general operating systems of public entities. A recent International City-County Management Association survey of chief information officers found that about 44 percent of local governments reported experiencing daily cyber-attacks (without regard to type or threat vector), with about one-quarter of local governments reporting attacks at least as often as once an hour. Yet, less than half of the local governments surveyed said they had developed a formal cybersecurity policy, and only 34 percent said they had a written strategy to recover from breaches.

While public entities are often resource limited, there are basic steps that they can take to better lower and manage certain risks from cybersecurity attacks. Below, we review some of the basic attack vectors to which public agencies and sector industries are particularly vulnerable, and some of the best practices that resource-constrained organizations can implement.

Ransomware and Other Cyber-Attacks

Ransomware is computer code (malware) that is typically deployed into a network, often when an unsuspecting user clicks on a malicious link or opens a file in a phishing email. Once inside the network, ransomware typically self-proliferates and encrypts data inside the environment, rendering the data inaccessible and essentially, useless. A successful ransomware attack can result in the temporary or permanent loss of sensitive information, serious disruption to operations, financial costs of restoring systems and data, and possible reputational or brand impact to the enterprise.

Generally, the attacker will provide a decryption “key” only after the company pays a ransom (almost always in hard-to-trace Bitcoins). Other forms of ransomware can destroy or delete data, hide data by relocating it within the network, or even ex-filtrate data outside of the company’s environment.

In addition to ransomware, attackers are deploying a fairly standard array of attacks on public entities, in an effort to gain access to their systems and data, or simply to disrupt their operations, including:

Denial of Service: Disrupting operations by bombarding the network with commands/requests that overload the system, taking down the network; often accompanied by a ransom demand to stop the attack.
Computer Intrusions (Hacking): Gaining unauthorized access to a network and its data, usually by compromising some administrative or technical control.
Phishing: Typically an email embedded with malicious code or links that dupes the user into taking some action that compromises data or the security of the network.
Spear Phishing: Same as above, except that the email/attack specifically targets an individual (or small subgroup of individuals) with information about them to make the attempt more authentic.
Data Breach: The release or disclosure of data potentially to an unauthorized third party; can result from one of the above attacks or improper records disposal, inadvertent email/transmission of data to the incorrect recipient, public accessibility of protected information from a website or similar.

Not Just “Ransomware” Anymore

Historically, ransomware attacks were viewed primarily as a business continuity issue, with the primary post-ransomware workflow focused on getting back online and restarting operations. However, as cyberattackers have become more sophisticated, ransomware has become more than just the end-goal, with some attackers utilizing ransomware to mask or conceal other exploits. In other words, a ransomware attack may just be a sign of something worse, and thus merits a more sophisticated response. In particular, several regulators have articulated concerns that organizations should address in responding to a ransomware event.

Health Information Portability & Accountability Act (HIPAA): For HIPAA regulated entities, the Health and Human Services Office of Civil Rights (HHS OCR) issued guidance warning that the HIPAA Breach Notification Rule is a “fact specific” inquiry, and where Protected Health Information is “encrypted as the result of a ransomware attack, a breach has occurred because the PHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a disclosure not permitted under the HIPAA Privacy Rule.”

Federal Trade Commission (FTC): Although the FTC has very little jurisdiction over public entities, it is seen as the leader in data security enforcement, with many other regulators looking to it and its actions as the North Star for enforcement theories and priorities. The FTC recently reinforced the seriousness of ransomware, signaling that preventable ransomware attacks – ones that exploit known vulnerabilities – may violate Section 5 of the FTC Act. As then Chairwoman Edith Ramirez explained: “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”

Federal Bureau of Investigation (FBI): The FBI recently urged companies to come forward and report ransomware attacks to law enforcement. Notwithstanding organizations' concerns with reporting ransomware to law enforcement, the FBI is calling on organizations to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. The FBI does not support paying ransom demands.” According to the FBI, some organizations never get a decryption key, even after payment. And, every payment “emboldens the adversary to target other victims for profit,” incentivizing similar conduct by other criminals seeking financial gain.

Moreover, U.S. state breach notification rules are generally triggered by an unauthorized “acquisition” to certain delineated types of unencrypted personal information. Ransomware that only encrypts data inside an environment, but does not allow an attacker to ex-filtrate it (e.g., download, email, transfer), is unlikely to trigger a notification duty under the statutes that define breach as the “unlawful and unauthorized acquisition” of personal data. However, for the small number of states that define a breach as the “unauthorized access” to personal information, ransomware could trigger breach notice if the attack resulted in the viewing of ex-filtrated personal information.

In addition to the direct damage caused by a breach, a cyber-attack in some cases could potentially cause a public entity’s credit rating to be downgraded. While no government yet has been downgraded because of a cyberattack, an S&P Global Ratings analyst has said that a cybersecurity incident could affect a public entity's credit rating. This is not only due to the financial cost of a cyberattack, but also the accompanying loss in taxpayer trust and the ability to raise taxes. The risk increases “particularly for smaller governments with less financial flexibility.”

What to Do?

The ransomware landscape dictates that organizations should consider proactive and reactive measures.

Proactive: On the proactive front, the focus should be on reasonable defenses and training. Among other things, organizations should consider:

Cybersecurity awareness training for employees, contractors, local elected officials, including specific training around phishing, incident response, ransomware, and password management and best practices.
Improvements to patch and vulnerability management programs, incorporating periodic penetration and vulnerability assessments. Automatic updates to antivirus and anti-malware solutions and conduct regular scans.
Managed use of privileged accounts.
Disabling macro scripts from office files transmitted over e-mail.
Implementing software restriction policies or other controls to prevent programs from executing from common ransomware locations.
Enhancing business continuity and disaster recovery programs to account for ransomware attacks, to ensure regular back up of data and systems, and verification of the integrity of those backups.
Procuring cybersecurity, network interruption, and related insurance.
Re-assessing proactive encryption at-rest strategies to take advantage of notification safe harbors.
Incorporating ransomware attacks into incident response planning, with special attention paid to additional forensic analyses, PR/communications work streams and notification considerations into enterprise incident response plans (and/or security team field guides).

Reactive: On the reactive side, the key is not to treat a ransomware event as simply that, but to conduct a reasonable investigation to determine whether other data/information was subject to unauthorized acquisition and/or access. The post-incident response workflows should consider (1) examining the nature and extent of personal information involved, including the sensitivity of the information and likelihood that it will be accessed; (2) whether the personal information was actually viewed, accessed, acquired or ex-filtrated; and (3) the extent to which the risk to the personal information has been mitigated.

Authors

Marcus Deitz Partner, Public Finance, Banking & Finance

Houston

See my bio

D:+1 713 658 6420
E: [email protected]

Practice:

Finance Sector
Public Finance
Banking & Finance
General Obligation Bonds
Revenue Bond Financing
Swaps and Other Hedges

vCard

See full bio

Marcus Deitz Partner

Houston

Marcus’ experience includes the representation of school districts, municipalities, counties, junior colleges, universities, special authorities and other political subdivisions in a variety of roles, including bond counsel, disclosure counsel and issuer’s counsel. In addition, he regularly represents underwriters and purchasers of both public and privately placed debt, regularly serving as underwriters’ counsel and bank counsel.

Complementary to his core practice, Marcus is also able to provide his clients guidance on derivative transactions and liquidity facilities, election law matters, and municipal and school law issues.

Before joining Orrick, Marcus clerked for the Colorado Court of Appeals and subsequently practiced as an associate and then a partner with several international law firms.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Amanda Stephens Partner, Public Finance, Banking & Finance

Houston

See my bio

D:+1 713 658 6412
E: [email protected]

Practice:

Finance Sector
Public Finance
Banking & Finance
Nonprofit Corporation Financing
Charter School Finance
School Finance

vCard

See full bio

Amanda Stephens Partner

Houston

Amanda has advised on more than $4 billion of both publicly-offered and privately-placed charter school financings. Her work on these financings extends across the country, including Texas, Florida, Tennessee, California, Arizona and New York, among many others. Amanda works with a first-of-its-kind nonprofit social impact fund that leverages private charter loans to the public market. Since their creation in 2018, Amanda has worked on documenting more than $1 billion in loans to high-performing charter schools who do not otherwise have access to long term, low cost financing. Amanda and team are tasked with working with the local borrower’s counsel for each new borrower and each new state to create a financing structure that meets the long term needs of the borrower, while conforming with state charter law and the clients lending requirements. Amanda has also created structures to help with taxable refundings, to finance around existing new market tax credit structures and many other needs of the borrowers.

Amanda also represents banks and other financial institutions in connection with direct purchases of tax-exempt bonds and the issuance of letters of credit and other liquidity facilities in connection with tax-exempt transactions.

Over the course of her career, Amanda has prepared, negotiated and reviewed contracts, loan documents, amendments, closing documents, default letters, demand letters, payoff and buyout agreements, intercreditor subordination agreements, and federal tax lien subordinations. She also has reviewed client contracts and MSA agreements in the oil and gas, construction, medical, retail and transportation industries, and she has addressed regulatory and compliance issues for the finance industry and oil and gas industry. Amanda previously served as an in-house attorney for a national financial services company. She also has served as a staff attorney for Judge Jaclanel McFarland of the 133rd Civil District Court in Harris County, Texas, and as assistant district attorney for the Harris County District Attorney’s office.