Josh P. Devaney
Associate Attorney
Kennedy & Graven, Chartered

No good cybersecurity article will omit the following quote from Robert Mueller, former director of the FBI, in a speech given at a cybersecurity conference in 2012: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” It bears repeating because it aptly describes the prevalence of cybercrime, which has only increased in the years since, as not something that happens to other people, but something that happens to you. While the COVID-19 pandemic that has forced people to work remotely poses a huge challenge to school districts and other entities, cybercriminals see only opportunity.

Preventing a Cybersecurity Incident

It is likely that by now, you have seen your fair share of phishing attempts — emails that appear on their face to come from someone within your organization or a vendor and ask you to click a link, download a document, or forward on some sensitive information, but are really from a hostile actor hoping to profit off your trust. Phishing attempts work because we are inherently trusting and want to be helpful, and they create a false urgency to respond so the recipient doesn’t take the time to double check the veracity of the email. The COVID-19 pandemic only amplifies those instincts, making organizations even more susceptible to attack, as business that was otherwise conducted in person may shift more to email.

The best short-term solution is to remind your employees that the threat of cybercrime is not taking a backseat during the pandemic. Studies on phishing have shown that employees who know what phishing is are less likely to fall for phishing attempts than those who don’t. Those who clicked links in phishing emails also believed that their institution had strong technological security measures in place that would prevent emails with bad links from coming through. Therefore, one of the easiest ways to reduce your likelihood of being breached is to send out information to employees explaining the threat of phishing and reminding them that your district cannot prevent all phishing emails from getting through, so it is each individual employee’s responsibility to be on alert.

Preparing for a Cybersecurity Incident

No amount of preventative measures will leave you completely safe, as the weakest link in the chain will always be your employees. People make mistakes, and cybercriminals exploit those mistakes. The key is to prepare for these eventualities to ensure that the financial and reputational harm to your district are minimized.

Preparation for a cybersecurity incident is a lot like preparation for a pandemic. School districts should prepare an Incident Response Plan (“IRP”), documenting the instruction and procedures for detecting, responding to, and limiting the consequences of a cyber attack. The IRP should: establish an Incident Response Team charged with handling all cybersecurity incidents; establish who will be the lead member of the team; dictate how the team will communicate with each other and with administrators, law enforcement, and lawyers; specify what actions the team may take without needing administrative approval and who should be contacted if approval is necessary; and outline the mission, strategies, and goals of incident response. The IRP should be reviewed by the district’s attorneys to ensure it complies with all state and federal regulations and privacy laws.

An organization that creates an IRP to prepare for cybersecurity incidents is better able to quickly and appropriately respond to these issues, and a fast, nimble, and effective response significantly minimizes the harm they cause. Now, more than ever, having the clarity of who is in charge, who else is involved, and what steps will be taken is invaluable.

Responding to a Cybersecurity Incident

When a cybersecurity incident occurs, it is important to quickly understand the extent of any breach, what files may have been accessed or taken, and to begin taking the steps necessary to comply with breach notification provisions and minimize the likelihood of legal liability.

The first step should always be to involve legal counsel. After a data breach, there is a good chance you will face a lawsuit. Involving legal counsel right away allows your attorney to coordinate the investigation and follow-up with this in mind, and the attorney-client privilege helps shield your communications, strategy, and other information from disclosure in any future litigation.

After engaging legal counsel, school districts should expedite their fact gathering and analysis in order to determine whether the incident requires breach notification under Minn. Stat. § 13.055. Under section 13.055, any government entity that “collects, creates, receives, maintains, or disseminates private or confidential data on individuals must disclose any breach of the security of the data following discovery or notification of the breach.” If non-public data has been accessed or obtained by someone who is not authorized to have it with the intent use the data for nongovernmental purposes, there has been a breach of the security of the data triggering the notification requirement. The school district may also need to comply with other states’ breach notification laws or breach notification provisions in federal statutes. A proper response will discover the extent of the attack, comply with regulations, and identify ways to prevent a similar attack from occurring again.

Although the COVID-19 pandemic deserves full attention, think about taking preventative action as soon as possible. While the need for social distancing will end, the need to prevent, prepare for, and respond to cybersecurity incidents will not.

This article is intended to provide general information with commentary. It should not be relied on as legal advice. If required, legal advice regarding this topic should be obtained from district legal counsel.

Josh Devaney is a cybersecurity and privacy law attorney and litigator with the law firm of Kennedy & Graven, Chartered. For more information, please contact him at (612) 337-9285 or http://www.kennedy-graven.com.

© Josh Devaney (2020). Used by permission.

Leave a Reply