By Frank Chmelik of Chmelik Sitkin & Davis, P.S. – February 2019
We have all heard accounts of a hacker breaking into a computer system and stealing data, or locking users out of the system until a ransom is paid to regain access. This month, we will focus on what actions ports must take if there is an attack on the port’s computer system that could result in a release of “personal information”. We will also look at other prudent actions a port may consider to avoid or mitigate a cyber-attack.
Personal Information Defined. RCW 42.56.590 defines “personal information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements:
(a) Social security number;
(b) Driver’s license number or Washington identification card number; or
(c) Full account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual’s financial account.
Ports may hold a variety of “personal information” in employee files, automated payroll deposit files, customer information files and automated customer payment information. Moreover, this information can be held on a variety of port servers.
Duty to Notify. RCW 42.56.590 provides that a Washington government (including a port district) must notify any Washington resident if it discovers or is notified of a breach of its computer system and it determines that anyone’s “personal information” was, or is reasonably believed to have been, acquired by an unauthorized person. Except for very narrow statutory exceptions, written notice must be hand delivered or sent in the mail to each person who suffered a release of personal information. The notice must be written in plain language and, at a minimum, contain the following information:
- The name and contact information of the port;
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- The toll-free telephone numbers and addresses of the four major credit reporting agencies if the breach exposed personal information. Each bureau is required to contact the other three if an individual requests a fraud alert.
If the breach affects more than 500 people, a sample copy of the notice must be submitted to the Washington Attorney General.
In addition to complying with the requirements in RCW 42.56.590, a port may consider some of the following issues with regard to cyber security:
Insurance. Many insurance policies now cover losses from cyber-attacks. These may include the cost to restore data, the notification costs and even credit protection for a period of time for people who have had their personal data compromised. Check your port’s insurance policies to see whether your port already has this coverage. If not, your port may want to investigate the cost of adding this coverage.
Cyber Hardening. Cyber hardening usually occurs after the attack. Your port may want to consider a cyber audit now to see how the port’s system could be strengthened. For example, it is possible to “encrypt” personal information. RCW 42.56.590 provides that a breach of encrypted data is not a release unless the hacker also gets the encryption keys or passwords.
Cyber Recovery. Some hackers merely lock up the computer system and then demand a ransom. Is your port prepared with backup data and hardware so that it can avoid paying these ransom demands and get back up and running in short order? Ports may want to identify now the cyber-attack expert they will call if there is an attack.
Data Control. Ports routinely collect information on tenants. It may be worthwhile to review what personal information your port is collecting and whether or not your port actually needs that data. For example, if your port is collecting social security numbers for all its marina customers, you may want to ask why.
Social Security Information. If social security information is disclosed, it is important to move quickly. The IRS can be contacted at http://www.irs.gov/uac/Identity-Protection. One can also call 1-800-908-4490. This will prevent tax-fraud thieves from filing fraudulent tax returns and collecting refunds.
Port Employees. The RCW 42.56.590 notification is the minimum that is required by the law. However, if your port’s system is hacked and employee personal information is stolen, you may want to consider an all-employee meeting to explain all the appropriate steps, including the report to a credit bureau.
Police Reports. In the past, a police report was a prerequisite to insurance claims. However, some insurance policies no longer require a police report to trigger coverage. Frankly, a local police department or sheriff’s department is probably unable to offer much help. Nevertheless, ports are public agencies that should operate with some amount of transparency.