Has your government experienced a cybersecurity issue? Here is when and how to report

Oct 7, 2020

Some security breaches are required to be reported to the Washington State Attorney General's Office (AGO), and sometimes you need to report various cybersecurity issues to the State Auditor's Office, too! Of course, we hope you have none, but if you find yourself in this spot – here is some important information that can help you comply with law.

Reporting to the Attorney General

If any single security breach affects more than 500 Washington residents, consider speaking with your legal counsel and then report it to AGO.To learn more about the reporting requirements and how to report, you can find guidance at the AGO website: www.atg.wa.gov/data-breach-notifications.

Reporting to our Office

You might recall that state law requires state and local governments to immediately notify our Office of known or suspected losses of public resources or other illegal activity. That means a government must report instances such as missing deposits or employee thefts. But this can also mean reporting cyber-related events involving financial records or finances. Unlike AGO reporting requirements, the number of citizens affected has no bearing on whether you need to report to us.

Here are some examples of when you should report cyber-related events to our Office:

  • Your government experiences a ransomware attack and makes a payment to the criminal actors to regain access to your data. This extortion payment is a financial loss as a result of illegal activity.
  • Your staff relies on a fraudulent email to change banking information and gets tricked into sending an ACH payment to a criminal, instead of to a vendor or employee.
  • Your computer system is hacked and the bad actors have accessed your financial records, even if those records were not harmed or impacted in any way.
  • You have a security incident that might have impacted your financial records or systems, but you are not certain.

You'll notice all of these examples involve the finances or financial records in some way, and they might have resulted in the government being defrauded resulting in a financial loss. Also, just like a typical fraud – you shouldn't delay reporting to our Office when you suspect there might be a problem, or potential loss.

An example of something you would not report is a cybersecurity issue completely unrelated to financial activity. For example, if you had ransomware on a non-financial system, and you didn't pay the ransom, you wouldn't report it. However, you need to have confidence that no financial systems or records were impacted.

How do you report to the State Auditor's Office?

State and local government employees should use the online Report a Suspected Fraud or Loss form at this web page: sao.wa.gov/report-a-concern/how-to-report-a-concern/fraud-program/

Additional resources

We know cybersecurity is complex, and that additional resources can help governments improve their cybersecurity posture. Check out some of our recent offerings: