February 17, 2020

February 17, 2020

Subscribe to Latest Legal News and Analysis

February 14, 2020

Subscribe to Latest Legal News and Analysis

Baltimore's Three-Week Ransomware Is a Warning for Other Local Governments to Prepare for Cyberattacks

The Baltimore city government's email and other systems have been offline for more than three weeks as the result of a ransomware attack in early May. This is not the first local government to have been the victim of such malware, and it won't be the last.

These attacks can risk human life by hobbling first responders, including police, fire, and ambulance services. If nothing else, the financial cost of these attacks is staggering. An estimate released this week in the Baltimore Sun put the cost of the Baltimore incident at over $18 million. A similar attack on the city of Atlanta cost an estimated $17 million. These costs can stem from the investigation and response to the attack, as well as lost revenues where payment systems are offline.

Of course, these costs could be in addition to civil liability associated with the attack. That civil liability may be — but is not always — limited by sovereign immunity or statute. At a minimum, these attacks typically carry with them significant political fallout.

Local governments are favorite targets for cyberattackers, because those governments often do not have as robust cyber defenses as private organizations or are running outdated or unpatched operating systems and software. Further, local governments may not have adequate backup systems, which may compel them to pay the ransom.

Given all of this, city and other local governments, as well as administrative agencies, should take these steps to mitigate their risk and prepare for these attacks:

  • Ensure that they have sufficient backups in place, that those backups are made regularly, and that the backups are "air gapped," or separated, from systems that can be infected with malware.

  • Limit access to the organization's most sensitive networks to those employees who need that access to perform their job functions.

  • Deploy strong email and systems passwords, changed often, with multifactor authentication for employees with more expansive system privileges.

  • Draft and test an incident response plan that outlines roles and responsibilities in the event of a cyberattack.

  • Work with risk managers and insurance brokers to determine whether they have sufficient coverage for cyberattacks and computer-based fraud.

©2011-2020 Carlton Fields, P.A.


About this Author

Joseph Swanson Cybersecurity Privacy Attorney

Joe Swanson is a former federal prosecutor who advises clients on a variety of issues related to cybersecurity and privacy. He has investigated and responded to data breaches and similar cyber incidents, and he has defended clients in litigation stemming from those incidents. In addition, Joe advises on best practices for interacting with law enforcement, regulators, and other constituencies in the event of a cyber incident. Joe also assists clients with drafting incident response guides and related cyber policies and procedures, as well as complying with privacy laws and regulations, such...

Jack Clabby Attorney Carlton Fields Law Firm Tampa FL

Jack Clabby’s practices focus on corporate governance, fraud, and shareholder litigation, including the defense of securities fraud class actions and derivative lawsuits. A former Assistant U.S. Attorney, he also represents companies and special litigation committees in connection with internal corporate investigations. 

As a former cyber prosecutor, Jack also advises corporate boards and management on legal issues regarding cybersecurity and represents companies in litigation, including class actions, concerning breaches and data loss incidents. Jack serves as a “breach coach,” guiding clients through the loss or suspected loss of personally identifiable information, business interruption, and other system compromises.
Jack also provides governance, safety, and risk management advice to colleges and boarding schools, conducts internal and independent investigations of such institutions, assists universities with matters pertaining to Title IX, and represents education clients in litigation.

Jack began his career as an associate at the litigation firm Williams & Connolly LLP in Washington, D.C. He leads the firm's Securities and Derivative Litigation Practice Group and is the firm's Hiring Chair.