Ohio Auditor of State Dave Yost has taken a hard stance against cybercrime and has made it a priority to provide cybersecurity education to government entities across the state. To that end, Auditor Yost offered a series of free training seminars aimed at helping local government leaders and businesses in Ohio combat cyberattacks.
“This problem isn’t going away. It’s getting worse,” Yost said in a release. “We know many local communities are strapped for resources, and some haven’t taken steps to protect their digital assets. We in the Auditor’s office have the ability to help local leaders prevent personal information from getting into the hands of evildoers.”
I had a chance to attend a session, which were led by Nicole Beckwith, an investigator and digital forensic analyst for the Auditor of State and highly regarded expert on cybersecurity, policy, cyberterrorism, computer forensics, network investigations and network intrusion response. The presentation focused on many of the complications entities encounter during a breach with emphasis placed on Ransomware attacks. The following information was particularly insightful.
Read Also: How To Survive A Ransomware Attack
Legal Considerations & Ramifications
Beckwith emphasized the following state and federal statues, which govern the loss of secured information by a security breach. All organizations should be aware of the following:
- Federal Computer Fraud & Abuse Act (CFAA): The CFAA carries criminal and civil penalties for what is commonly known as hacking. Originally passed in 1985 to combat hacking, the CFAA has been amended to prohibit “knowingly accessed a computer without the authorization or exceeding authorized access” of another’s computer. Violating the CFAA carries up to ten years in prison. Additionally, victims are permitted to pursue civil actions against perpetrators. However, damages awarded are limited to economic damages. Pain or suffering or punitive damages are not awarded.
- Ohio Legal Requirements
- Ohio Revised Code 1347.12 states that a breach of any State agency or political subdivision security system requires the public office to notify victims if their personal information is hacked. Unlike the CFAA, there is no private right action and the statute must be enforced by the Ohio Attorney General’s Office. Additionally, public offices must notify credit reporting agencies if more than one thousand residents’ personal information is stolen. Finally, public offices and businesses must disclose the loss of personal information by a security breach.
- Ohio Revised Code 1349.19 says any person who owns or licenses computerized data that includes personal information must disclose any breach of the security of the system, following its discovery or notification of the breach, to any resident of Ohio whose personal information was, or is reasonably believed to have been accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed till cause a material risk of identity theft or other fraud to the resident.
- Ohio Revised Code 1349.192 mandates that for each day the state agency, agency of a political subdivision, or person has intentionally or recklessly failed to comply, a civil penalty of up to $1,000 for each day the agency or person fails to comply with the section will be assessed. The penalty increases to $5,000 per day for each day over sixty days and $10,000 per day for every day over 90 days.
IMPORTANT: If you feel you may have had your entity’s sensitive information breached and/or stolen, you will want to contact your attorney as soon as possible to determine which laws will apply to you.
Needless to say, the stakes are pretty high. So, to prepare, the Ohio Auditor of State encourages you to do the following to prepare for a cyberattack:
- Create a response plan and team
- Ensure that your response plan includes, at minimum, the following team members:
- The office holder or the head of the organization
- Public Relations
- Establish clear action items
- Identify key contacts
- Know your reporting guidelines
- Encrypt sensitive data
- Map locations of critical data
- Restrict access
- Follow a retention policy
- Purge old employee accounts
Bitcoin Or Bust
Because of the widespread occurrence of Ransomware, some businesses and entities appear to be adopting a new preparation method – investing in bitcoin.
To be honest, I found this approach amusing when I first learned of it. After all, I like to think I would never give in to the demands of cyberscum. However, because of the rapidly increasing threat of Ransomware many law enforcement groups, businesses and other organizations and agencies have started to consider payment to be a rational way to recover their organization’s data. That being said, just because you’ve purchased bitcoin doesn’t mean you should start slacking on proper backup protection – on the contrary. Once you’ve paid up once, it’s likely you will be targeted again. Sooner or later, your bitcoin supply (and the funds you used to pay for the bitcoin) will run out.
I recommend that your time, attention and resources go toward the backup/restore process instead of paying the criminals off. But if you must purchase Bitcoin, consider the Coinbase bitcoin exchange, which is the most trusted digital currency available. Coinbase is operated within the U.S. and is bound by the laws of the U.S.
Upcoming Cybersecurity Training Sessions
Due to the success of these Cybersecurity training sessions, the Auditor of State will present a second educational series. I found the event to be very informative and valuable and would encourage others to attend – especially if you have concerns with regard to a data breach and/or Ransomware attack in your own business. We are still waiting on the dates for the second installment of the series to be announced. However, in the meantime, you can monitor the Training & Conference Registration web page regularly for updates about this education seminar as well as other opportunities for your entity.
By Brian Garland, CPA (Dublin office)