The question is not if a municipality will have a cyber-attack, the question is when it will occur.

Victims of a cybersecurity attack are no longer just those which have been traditionally seen as the likely targets, such as large-scale financial institutions or other high-profile gatekeepers of valuable information. Today, all municipalities, regardless of scale, should be prepared for a cybersecurity incident.

Municipalities are subject to The Freedom of Information and Protection of Privacy Act (Manitoba) ("FIPPA"), which includes specific obligations with respect to safeguarding the personal information a municipality collects and notification of individuals in the event of a security breach. As of January 1, 2022, failure to comply with FIPPA's breach notification requirements may result in a fine of up to $50,000.00.

Is your municipality ready to respond in an organized and timely manner to a discovery that its information system has been breached, confidential data and personal information has been accessed and its systems are no longer functioning properly? Does it have a formal plan to restore system functionality, identify the information that has been accessed, engage with the applicable regulators, and contact and respond to those whose personal information may have been accessed?

The hours after discovering a security breach are crucial. A timely cybersecurity incident assessment and response is crucial. Beyond being an important factor in restoring functionality to your systems expeditiously, having proper policies and plans in place will help your municipality ensure its compliance with the legal requirements relating to data protection and cybersecurity breaches in a timely manner and mitigate against potential legal liability. Having a regularly tested incident response plan in place means that, in the event of a security breach, required steps are taken and no time is wasted.

All municipalities should have policies and procedures in place to deal with cybersecurity incidents. This is an area that is constantly evolving, so these policies and procedures should be regularly reviewed and tested to ensure they remain effective and compliant with legal obligations. If your municipality does not have these policies and procedures, or if they have not been recently reviewed, the questions below will highlight some key considerations to help your municipality ensure that its legal obligations are being met:

  • Can your municipality identify its data protection and cyber security compliance obligations?
  • Is your municipality aware of the relevant privacy laws that govern it (e.g. FIPPA)?
  • Does your municipality apply security safeguards, both technological (such as firewalls, anti-malware and intrusion detection system) and physical (such as locked doors, access cards and security cameras), appropriate to the sensitivity of the data it holds?
  • Does your municipality know all the types of data it holds, where it holds the data, how the data is protected, and who has access to the data?
  • Does your municipality have the appropriate policies, procedures, and processes in place to address its privacy, data protection and cyber security risks and compliance obligations?
  • Do your employees have the appropriate degree of awareness, knowledge, skill and training to effectively deal with the sensitivity of the data being held and address the applicable privacy, data protection and cyber security risks?
  • Does your municipality evaluate and manage privacy, data protection and cyber security risks arising from its use of third-party contractors or service providers?
  • Do your contracts require your service providers to assist you in complying with your regulatory obligations if they suffer a security breach that impacts the personal information for which your municipality is responsible?
  • Does your municipality have a formal incident response plan to deal with a breach of security safeguards that it regularly tests and updates?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.