PELRAS Update | October 2022 – Ransomware Attacks Present Unique Risks for Public Employers

Joshua C. Hausman, Esq., Campbell Durrant, P.C. | October 2022

While the threat of ransomware is nothing new in the public sector, municipalities continue to be a primary target for these attacks due to an all-too-common combination of antiquated cybersecurity measures, inadequate training, and the potential for a devastating disruption to essential public services in the event such an attack is successful.  In an effort to disincentivize the targeting of public sector organizations, in April of this year North Carolina became the first state to prohibit municipalities from paying the ransom in response to a ransomware attack, and the Pennsylvania Senate passed a bill in January which would have done the same for Pennsylvania municipalities.  The continuing prevalence of public sector ransomware attacks and these recent legislative efforts are an important reminder that Pennsylvania municipalities should reexamine their recordkeeping practices to ensure compliance with legal obligations and, where resources allow, engage information technology experts to improve cybersecurity protocols.

Ransomware is a form of malware which, when executed on a target computer, can lock or encrypt the files on any system which the computer can access.  The perpetrators of these attacks will then demand the payment of a ransom in order to, hopefully, restore access to the files.  Commonly, ransomware attacks are carried out by fooling an unsuspecting member of the targeted organization into voluntarily disclosing security information such as a password or into downloading malicious software under false pretenses.  These methods—known broadly as “phishing” and “spoofing”—can be highly effective if employees are not adequately trained and prepared for such attacks.  As a consequence, perhaps the most effective way for a public employer to reduce the risk of a successful ransomware attack is to develop and enforce information technology policies which require employees to adhere to safe security practices, particularly where remote working is prevalent.  Employees should be trained on the requirements of such policies and held accountable for noncompliance which might compromise the cybersecurity of the municipality.

According to information released by the Federal Bureau of Investigation’s Cyber Division in March, local government entities in 2021 were second only to academic institutions in the number of ransomware attacks carried out. Local governments are a common target in these attacks due to a combination of limited resources to devote to cybersecurity protocols and employee training, and the significant consequences associated with a successful ransomware attack which might, in some cases, incentivize the payment of a ransom. The FBI and other cybersecurity experts do not recommend the payment of a ransom in the event of an attack because there is no guarantee that file access will be restored following payment and further attacks—including possible repeat attacks on the same target—will be incentivized. Pennsylvania Senate Bill 726 would have further eliminated an incentive for targeting local governments by prohibiting municipalities from using public money to pay a ransom in the event of an attack unless otherwise authorized by the Governor as part of an emergency declaration. Municipalities would not be prohibited from purchasing insurance to pay the costs associated with a ransomware attack. However, recovery from a ransomware attack is an expensive and time-consuming proposition regardless of whether the ransom is paid. The City of Baltimore, despite refusing to pay a ransom following an attack, is estimated to have incurred costs of up to Eighteen Million Dollars ($18,000,000) in remediation efforts and lost and/or deferred revenue in responding to a ransomware attack in 2019. More recently, a ransomware attack in Bernalillo County, California resulted in the closure of government buildings and even the lockdown of a prison facility when employees lost access to automatic doors and security cameras. While the County did have cyber liability insurance in place, County commissioners approved Two Million Dollars ($2,000,000) in recovery funding and reported spending One Hundred and Ninety-One Thousand Dollars ($191,000) in laptop replacement costs alone. The lockdown at the correctional facility even caused the County to fall out of compliance with a settlement agreement over conditions at the jail, requiring the County to file an emergency notice in federal court.

As employers already know, employee medical information must be kept confidential on a “need to know” basis in separate medical files apart from an employee’s personnel file under the recordkeeping and confidentiality requirements of the Americans with Disabilities Act (“ADA”) and the Family and Medical Leave Act (“FMLA”).  In addition, in the 2018 case of Dittman v. University of Pittsburgh Medical Center, the Pennsylvania Supreme Court held that employers have a duty to exercise reasonable care to safeguard the sensitive personal and financial information of employees.  An employer who fails to exercise reasonable care may be liable to employees who suffer damages as a result, and while municipalities are entitled to immunity under the Political Subdivision Tort Claims Act (“PSTCA”) from most forms of tort liability, an exception exists for liability arising from “[t]he care, custody or control of personal property of others in the possession or control of the local agency.”  In conjunction with another prior decision of the Pennsylvania Supreme Court which recognized an individual’s right to “informational privacy” under the Pennsylvania Constitution—described by the Court as “as much property of the individual as the land to which he holds title and the clothing he wears on his back”—the potential exists for a court to craft an exception to local governmental immunity based upon damages resulting from a political subdivision’s failure to take reasonable steps to safeguard the personal information of employees. 

Should that occur, in addition to the direct costs associated with operational disruption and the restoration of public services after a ransomware attack, public employers could also face indirect costs associated with the harms suffered by employees whose personal information is compromised.  Given the continuing risks presented by ransomware attacks and proposed legislation which would restrict the options available to a public employer in the event of an attack, municipalities should not wait to be named a defendant in a lawsuit by an enterprising plaintiff’s attorney before taking steps to improve recordkeeping and cybersecurity practices, and to hold employees accountable for noncompliance.