On December 13, 2021, Governor Ralph Northam announced Virginia’s Division of Legislative Automated Systems, the state’s “information technology agency,” had been the victim of a ransomware attack. This attack led “to the shutdown of most of the websites for Virginia’s legislative agencies and commissions, including the Division of Legislative Services and the Division of Capitol Police.”

While the ransomware attack is not believed to have targeted consumer data, the incident highlights that, much like private companies, governments at every level are at risk of falling victim to ransomware.

The incident also highlights that state and municipal governments must ensure adequate protection of citizens’ data.

Concern about how governments store data is nothing new. Pew Research found that 64% of Americans were concerned about how much data governments were collecting on them, and 70% felt their data was less secure than five years ago.

Incidents like the recent attack against Virginia’s Division of Legislative Automated Systems will do little to alleviate these concerns.

A ransomware attack occurs when cybercriminals successfully install malware into a computer system that encrypts files rendering “any files and the systems that rely on them unusable.” Once the data has been encrypted and rendered unusable, cybercriminals will demand a fee to release the targeted data. For example, when the Colonial Pipeline was attacked in the summer of 2021, the company is reported to have paid $5 million to Russian hackers to recover its IT network the day after the attack.

Ransomware attacks are becoming increasingly common in today’s computer-dominated world and now account for approximately 10% of all data breaches. For example, between January and July 31, 2021, the Federal Bureau of Investigation (FBI) reported 2,084 ransomware attacks in just 211 days. That amounts to almost ten ransomware each day.

The ransomware attack on Virginia’s IT network is not an isolated incident, with municipal and state governments routinely being targeted. In 2020, 79 municipal governments were believed to be victims of cyberattacks, costing them “$18.88 billion in recovery costs and downtime.” Consumers ultimately pay for these costs in the form of increased taxes or lost public services.

Municipalities are the preferred target for cybercriminals because “they lag far behind their corporate counterparts in the digital revolution…their IT skills may be lacking or challenged” and “budgets are often tight, and there is frequently a gap in funding for new tech.”

While attacks on state governments are a rarer occurrence, Louisiana was also targeted in 2019 by a ransomware attack, highlighting the fact that states are also not immune from the threat posed by ransomware attacks.

Ransomware attacks on state and municipal governments are especially concerning because, much like private companies, they hold considerable amounts of sensitive information on citizens. Aside from addresses of citizens and employees, state and municipal governments likely also hold credit card information, bank account numbers, social security numbers, and driver’s license numbers. If these pieces of information fall into the wrong hands, identities could be stolen by cybercriminals and lives destroyed.

Despite the dangers, there are plenty municipal and state governments could do to mitigate the damage. States should pass laws banning ransom payments to disincentivize ransomware attacks. At least three states, New York, North Carolina and Pennsylvania,  have considered such measures. Additionally, states and the federal government could pass notification requirements, mandating those targeted by ransomware attacks notify those affected and the appropriate authorities so mitigation strategies can quickly be implemented.

Additionally, Congress and state legislatures should continue to provide finances through the budget process to enable state agencies and municipal governments to develop and invest in more robust cybersecurity measures.

Ransomware attacks against state and municipal governments, like the one that recently occurred in Virginia, will only become increasingly common in a world dominated by digital data. While these attacks may become more frequent and garner less press attention than attacks against private companies, they are no less damaging to citizens and consumers. Clearly, more needs to be done to protect citizens’ data entrusted to municipal and state governments. Failing to do so only leaves consumers in peril and less trust in government.