The Government Is Immune From Suits Arising From Breaches
This is a very interesting article regarding the sovereign immunity protection given to a broad range of municipal, state and federal government agencies. The article discusses the First Judicial District of Pennsylvania, in Philadelphia, which “shut down their court website, including its docket tracking and litigation filing features, and blocked court employees from accessing their work email” due to a yet-to-be-identified “virus intrusion.” The question was: could a citizen sue the government if there was a breach of their data?
Let’s think this through for a minute. From a privacy perspective, a public agency that provides services to citizens (e.g. water, gas, trash collection) is collecting customer information and deciding how to process that information, so they act as a data controller and/or data processor. Depending on which state you live in, and I have lived in several, some of these services are non-negotiable. Here in Mansfield, TX, it’s the City of Mansfield I pay each month for water, trash and recycling, and they have pretty much all of my information, so from a privacy perspective, I am a data subject. It’s fair to note that when I had a problem with a broken elbow joint in my irrigation system and had to file a report regarding water usage, I actually went to the municipal court building where the City of Mansfield offices were located, so they are in fact a municipal agency.
The point I am making here is: if I have no choice but to provide the City of Mansfield with my personally identifiable information in order to receive service and, as a municipality, they are immune from suit when they have a breach, where is the accountability? What motivation does an organization have to address their cyber security and privacy issues when operating under sovereign immunity? This is what happens when I take the bait and follow Alice down the privacy rabbit hole…
However, a pretty funny statement and important point is “immunity doesn’t extend to a government’s outsourced cybersecurity vendors.” If you are the vendor supporting the municipality and providing these data processing and/or data hosting services, your breach, your problem, no immunity! Let the finger-pointing begin.