A Cyber Breach Contingency Plan is Not Just the CIO's Responsibility

Ask any CIO and they'll likely tell you one of their greatest fears is a data breach, and rightfully so. Having a plan in place for when the worst does happen and knowing there's a team of people to back you up should relieve some of the anxiety.

Emily Johnson, Digital Content Editor, InformationWeek

April 2, 2018

3 Min Read

On March 22, CBS News reported that the City of Atlanta was hit with a ransomware attack. Four days later, some city applications were still down. The New York Times called the incident, “one of the most sustained and consequential cyberattacks ever mounted against a major American city.”

When a governmental entity suffers a cyberattack, an entire city or state can grind to a halt, but having a contingency plan in place can keep a breach from going from bad to worse.

“The interruption of governmental systems is so detrimental to not only the economy but the citizens of the United States. I think [a cyber threat] is something that state, county, and local governments need to not only pay attention to but be proactive in addressing,” says Stewart Roll, principal at Climaco, Lefkowitz, Peca, Wilcox & Garofoli Co., LPA.

Roll, who will be presenting Cyberattacks and Cybertheft: Legal Obligations and Mitigation Strategies at the IT industry event Interop ITX this spring, says, “Every governmental entity should take an active role in creating a contingency plan to address what happens when and if an attack occurs, and what things should be done to prevent that attack from doing damage to data that should be kept private.”

If you’re an IT manager or CIO who believes that building a cyber breach action plan and responding to an attack rests entirely on your shoulders, don’t fret: it doesn’t.


In order to create an effective contingency plan, Roll says, your first step should be to get leadership involved. “The leader of the entity has to be aware of cybersecurity issues and has to mandate what the CIO or other people in charge of sensitive data need to do to protect the data.”

Next, Roll says to make sure you have a lawyer involved, so you’re crossing all T’s and dotting all I’s. “The CIO’s job, in my mind, would include having the organization’s lawyer involved in the process so that the lawyer can appropriately advise the CEO [or leadership] of the entity.”

If there’s no in-house legal team, Roll says he believes it’s necessary and appropriate for a CIO to speak with their CEO about the appropriateness of hiring legal counsel to help build that contingency plan.

Another aspect of managing cyberattack damage is to think through the ways you can limit liability. “One of the things lawyers can do for their IT people is [to] prepare terms and conditions that require the user of the governmental system to agree to in connection with the use of that system,” says Roll.

Those conditions can address issues such as no liability unless there is gross negligence on the part of the governmental entity, no liability if the governmental entity complies with the applicable law, and no liability if the user gives out their password and allows another person to access the data in question, says Roll.

Liability isn’t just on the plate of the IT department or the governmental entity. Roll says that when IT managers and CIOs buy software, they can require the vendor of that software to provide appropriate contractual protections and indemnification for the governmental entity.

Lastly, Roll urges IT to work with their purchasing departments to buy insurance in case claims are made against their entity for not following the regulations of their particular state. While gaps do exist in the insurance offered today, Roll says he'll discuss how those gaps might be closed during his presentation at Interop ITX.

Once an attack occurs, Roll says there are many resources available to help IT diagnose and respond to the incident.

Roll suggests disaster preparedness training, which is offered by the Department of Homeland Security (DHS). “DHS, they’re there to help, it really does apply here. The Computer Emergency Readiness Team (US-CERT) set up by DHS is obligated by law to help people that are subject to attacks,” says Roll.

About the Author

Emily Johnson

Digital Content Editor, InformationWeek

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content and marketing roles supporting the UBM America's IT events portfolio. Emily earned her BA in English and a minor in music from the University of California, Berkeley. Follow her on Twitter @gold_em.
