![[Photo by Markus Spiske on Unsplash]](https://www.hernandosun.com/wp-content/uploads/2024/05/markus-spiske-iar-afB0QQw-unsplash-scaled.jpg "markus-spiske-iar-afB0QQw-unsplash")
The Hernando Sun reached out to the county to find out if they paid the ransom on the recent ransomware attack or if someone on their behalf paid the ransom. The response from Dominique Holmes, Hernando County Government Public Information Officer, was to reference several statutes and deny the request. Her response is below.
“The public records request below is confidential and exempt from public disclosure pursuant to the following statutes:
Section 119.0713(5), Florida Statutes
Section 119.0725, Florida Statutes
I am sure you are also aware of the statue 282.3186.”
The first statute cited, 119.0713 (5), allows the withholding of information that “if disclosed, would facilitate the alteration, disclosure, or destruction of such data.” The second statute cited, 119.0725, relates to an incident and allows the government to not disclose “Coverage limits and deductible or self-insurance amounts of insurance or other risk mitigation coverages acquired for the protection of information technology systems, operational technology systems, or data of an agency.” The final statue states, “a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.”
Reading these laws, it still might have been possible for the county’s insurance to pay the ransom.
The lack of a response is not indicative of an affirmative since they have denied most of our public records requests. The county initially refused to say whether the IT outage was due to a breach or other type of failure. They cited that there was an active investigation and, therefore, they were not required to provide information on the incident.
The rules are different for private entities. The FCC requires that “covered entities must file individual, per-breach notifications for any breaches affecting 500 or more customers (or an indeterminable number of customers). Notice must be provided within seven business days after reasonable determination of a breach.” The SEC requires notification in four business days after a public company determines that they are the victims of a breach.
Whether or not there was a breach is important information for the county’s residents since a breach with information for sale on the dark web means that residents should be taking extra time to review their financial information. Credit cards could be fraudulently used, credit applications could be fraudulently applied for (especially for people who provided W-9 information to the county).
The Hernando Sun managed to find an auction on the dark web and confirmed that data was exfiltrated from the ransomware attack. Up to that point, the county had refused to confirm that it was a ransomware attack and if data was taken.
