State and local governments, municipalities, city councils, local law enforcement agencies, federal government agencies, and other government entities – collectively the government sector – are under attack from cyber criminals and nation-states. Threats from ransomware, business email compromise, phishing and other security threats are relentless, and 2019 was a banner year for various types of attacks against government.
A few examples:
Successful attacks hit four municipalities in Florida in April and June 2019, more than 20 local government organizations in Texas (August 2019), and two power utilities in India (August 2019). Two-thirds of more than 70 ransomware attacks in the United States during the first half of 2019 had local and state government organizations in the crosshairs. The ransomware attack on the City of Atlanta in March 2018 compromised approximately 150 applications, including mission critical services such as the court system and police. The Atlanta’s Attorney Office lost 71 of its 77 computers and a decade worth of documents in the attack.
The City of Naples, Florida was the victim of a spear-phishing attack in July 2019 that netted $700,000 for the cybercriminal(s); this occurred after Collier County suffered a similar attack in December 2018 that netted $184,000.
- Business Email Compromise
A public school in Portland, Oregon almost lost $3 million to a successful BEC attack, and a county in North Carolina was tricked into paying $2.5 million into the wrong bank account for a contractor working on a local project (some of which it was able to recover through quick action by the bank).
- Data Breaches
Mega-breaches include the US Office of Personnel Management in mid-2015 with 21.5 million sensitive data records breached, and the US Justice Department in 2016 with a data breach exposing contact details for more than 20,000 FBI and Homeland Security employees. A White House audit in 2015 discovered a cumulative 77,000 cyber incidents across government, with theft of data a common occurrence. In late October 2019, hackers breached the City of Johannesburg and claimed they had exfiltrated sensitive financial and personal data. The hackers said they would publish the data if a ransom payment was not made.
We have recently published a white paper focused on cyber security in government that discusses the problems in depth. It discusses a number of important best practices that government decision makers should seriously consider. You can download it here.
We have been asked many times how long businesses should retain their records, whether in email, files or other venues. The simple answer to the question is that there isn’t “an” answer. Instead, there are a number of issues to consider in determining how long you should retain your records:
- What does your legal counsel advise?
- What have court decisions in your industry revealed?
- What is your organization’s tolerance for risk?
- What are the consequences of disposing of records too quickly versus keeping them for too long?
- What do government and industry regulations require as minimum retention periods?
To address the last question, we are assembling a database of regulations focused on data retention. We published the first edition in December with 421 regulations, but will be publishing the next edition in March with approximately 1,000.
Here’s a sample of the types of data retention regulations that exist today:
- Manufacturers and importers of chemicals must retain documents related to notification of risk, contact information about entities to whom chemicals are distributed, production volumes and other information for three to five years (40 CFR 82.13).
- Entities that operate as swap data depositories must retain records related to swaps or related cash or forward transactions for a period of five years, the first two years in an easily accessible place, but records of oral communications may be kept for only one year (17 CFR 1.31).
- Underground mine operators must retain certifications for safety equipment for one year (30 CFR 57.4201).
- Anyone who imports nonroad and stationary engines must retain documents supporting the information required in EPA Declaration Form 3520-21 for five years (19 CFR 12.74).
- Entities that operate air curtain incinerators that burn yard waste must retain records about all opacity tests for five years (40 CFR 60.1455).
- Manufacturers of heavy-duty vehicles and engines must retain records estimating how their fleets will comply with GHG emissions standards; estimated vehicle configuration, test group and fleet production volumes; expected emissions and fuel consumption test group results and fleet average performance; and other information (49 CFR 535.8).
- The Canada Revenue Agency (CRA) requires entities subject to various sections of the Income Tax Act, the Employment Insurance Act and the Canada Pension Plan to retain for two to 10 years any books and records that will permit the CRA to determine taxation, the qualification of registered charities, permit the verification of various types of donations, etc. (CRA Information Circular IC78-10R5).
There are two key takeaways from this:
- There is no such thing as an “unregulated” industry or company in the context of data retention: every business in every industry must retain records for some length of time.
- Data retention is not easy, particularly in the context of being able to find archived records, disposing of them properly, and migrating them to new archives and other information platforms. The technology used to archive, search for and migrate records is critical.
For more information on our Data Retention Requirements Guide, click here.