
Last week, the First Judicial District of Pennsylvania shut down Philadelphia's court website, including its docket tracking and litigation filing features, and blocked court employees from accessing their work email. A city spokesperson said the shutdowns were a precautionary measure after a “virus intrusion” was found on court computers.

Meanwhile, Baltimore is facing its own cybersecurity woes as the city begins to go back online after city employees' work email, the property tax portal, and water bill and parking ticket payment systems were inaccessible for nearly a month due to ransomware.

The growing number of local governments targeted by cyberattacks highlights that data breaches are not just the problem of private entities but a threat to the public sector, too.

However, governments operate under different liability than other breached entities. Any civil litigation over a court system's data breach, after all, would most likely be tossed because of the immunity provided to state, federal and municipal governments.

“Cyberattacks on government agencies are increasingly a problem we are seeing, particularly with state and city government that may not have the same defenses to protect against such threats,” said Gibson, Dunn & Crutcher partner Alexander Southwell. Notwithstanding those challenges, Southwell noted federal and state governments have sovereign immunity and typically can't be sued for a data security incident.

“If a court is supposed to file something under seal and a court clerk messes up and puts a filing on the public record, there's no liability for the court system for that disclosure largely because of sovereign immunity,” and that immunity also extends to cyber-induced data breaches, he explained.

Likewise, municipalities have governmental immunity from tort suits, making the road toward legal action after a municipality's data breach just as daunting as prevailing against the state or federal government.

However, Gary Wickert, a Matthiesen, Wickert & Lehrer insurance trial lawyer and partner, noted that immunity is generally waived when a government agency is acting in a “discretionary” matter, such as when a government's action was deemed “less for the public good for everyone but more proprietary in nature.” Still, Wickert said it was unlikely a court would find that a state, federal or municipal government's data breach involved a discretionary act.

Although a suit against the government faces an uphill battle, such immunity doesn't extend to a government's outsourced cybersecurity vendors.

“Courts can say to Company X, 'You were responsible for protecting our systems and you failed; we will hold you liable,'” Southwell said.

While the cloak of immunity stretches across a wide assortment of government entities, the cyberthreats aimed at those agencies are only intensifying. Indeed, municipalities' trove of personal and sensitive information and their smaller cybersecurity budgets could lead to increased cyberattacks, said Fenwick & West of counsel Hanley Chew, who previously was vice president at Stroz Friedberg, a cybersecurity and risk management firm.

“I think there's a definite concern that computer systems and networks of local municipalities might be more at risk because they don't necessarily have the funds to properly update their system networks,” Chew noted. “That would be a concern because those municipalities probably have a lot of personal, private information.”