After it invested millions of dollars into upgrading its technology to offer a virtual-only platform for the start of the 2020-21 school year in the wake of COVID-19, Miami-Dade County Public Schools (“MDCPS”), the fourth largest school district in the United States, earned an F from students and parents for the first three days. Teachers and students were either unable to log in or, after logging in, were kicked off the system after a few frustratingly slow minutes.
The Superintendent first blamed MDCPS’s technology partner, with which it had built the platform. But when the technology company launched a forensic investigation into the system failures, it discovered that MDCPS’s Internet provider was the victim of several simultaneous cyber attacks known as “distributed denial of service,” or “DDoS.” The MDCPS attacks were textbook DDoS: a malicious attempt to disrupt a server or network’s normal traffic by overwhelming the server or network, or its infrastructure, with a flood of internet traffic. On Wednesday, September 2, 2020, law enforcement arrested a sixteen-year-old Miami high school student in connection with some of the cyber attacks. MDCPS’s bandwidth was designed to accommodate all students logging in at the same time, but not the massive influx of extra data associated with DDoS attacks.
Aside from the immediate failure to deliver its product to students during the first week of this extraordinary new school year, MDCPS has had to involve law enforcement such as the FBI and the Secret Service, spend money on investigating and stopping the attacks, and walk back public comments about its technology partner. In other words, MDCPS has encountered all of the real-world consequences that every cyber attack victim does.
The DDoS attack on MDCPS could just as easily have been a different type of attack that exposed students’ private information. This is a reminder that implementing expensive technology does not guarantee security. At a minimum, all companies that receive and transmit significant amounts of data should hire counsel to advise them on best practices, both for preventing and responding to data security incidents. Companies that rely on outside vendors must also familiarize themselves with their vendors’ data security practices, and negotiate terms in their vendor contracts to require data security best practices and indemnification or other loss prevention measures for vendor security failures.
Finally, upon discovering that it is a victim of a cyber attack in any form, a company should first call its counsel. Counsel can retain trusted professionals to conduct forensic investigations, notify and liaise with cyber liability insurance carriers, control the narrative for the public about the breach and its consequences, and navigate the notification of affected individuals or governing authorities.
In 2012, when Robert Mueller was still the Director of the FBI, he said, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” Proactive measures, and the guidance of counsel, will determine into which category your company will fall.