Baltimore's Three-Week Ransomware Is a Warning for Other Local Governments to Prepare for Cyberattacks

Cybersecurity and Privacy   |   Property & Casualty Insurance   |   May 31, 2019

The Baltimore city government's email and other systems have been offline for more than three weeks as the result of a ransomware attack in early May. This is not the first local government to have been the victim of such malware, and it won't be the last.

These attacks can risk human life by hobbling first responders, including police, fire, and ambulance services. If nothing else, the financial cost of these attacks is staggering. An estimate released this week in the Baltimore Sun put the cost of the Baltimore incident at over $18 million. A similar attack on the city of Atlanta cost an estimated $17 million. These costs can stem from the investigation and response to the attack, as well as lost revenues where payment systems are offline.

Of course, these costs could be in addition to civil liability associated with the attack. That civil liability may be — but is not always — limited by sovereign immunity or statute. At a minimum, these attacks typically carry with them significant political fallout.

Local governments are favorite targets for cyberattackers, because those governments often do not have as robust cyber defenses as private organizations or are running outdated or unpatched operating systems and software. Further, local governments may not have adequate backup systems, which may compel them to pay the ransom.

Given all of this, city and other local governments, as well as administrative agencies, should take these steps to mitigate their risk and prepare for these attacks:

  • Ensure that they have sufficient backups in place, that those backups are made regularly, and that the backups are "air gapped," or separated, from systems that can be infected with malware.
  • Limit access to the organization's most sensitive networks to those employees who need that access to perform their job functions.
  • Deploy strong email and systems passwords, changed often, with multifactor authentication for employees with more expansive system privileges.
  • Draft and test an incident response plan that outlines roles and responsibilities in the event of a cyberattack.
  • Work with risk managers and insurance brokers to determine whether they have sufficient coverage for cyberattacks and computer-based fraud.

Please contact Carlton Fields for more information on steps that you can take as a local government to protect yourself from ransomware and other cyberattacks.

©2023 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.