...Explanation
1. BACKGROUND
This ordinance authorizes the Director of the Department of Technology, through the City Attorney, to enter into a second contract modification and first amendment to the general terms of engagement with Dinsmore & Shohl LLP (“Dinsmore”), Vorys, Sater, Seymour and Pease LLP (“Vorys”), and the cybersecurity expert, Haystack, to enter to allow for the incorporation of a Federal Bureau of Investigation (“FBI”) Criminal Justice Information Services (“CJIS”) Security Addendum as required for the continued investigation into the cybersecurity incident of July 2024 (“Incident”).
On July 18, 2024, the city's Department of Technology discovered evidence of an abnormality in its system, one that was unrelated to a co-occurring global IT outage. The city took swift action to significantly limit potential exposure, including severing internet connectivity, to reduce the threat to the city's systems.
On July 30, 2024, Mayor Ginther executed a Mayor’s Emergency Letter and declared the incident a clear and present danger to public health, safety, welfare or property. The City Attorney entered into a legal professional services contract with Dinsmore to provide breach counsel services in response to the Incident. The Department, through the City Attorney, chose Dinsmore due to its being a law firm with a national reputation for data breach response excellence that also has a strong presence in Ohio. Dinsmore's attorneys have decades of experience in cybersecurity incident response.
In October 2024, the contract with Dinsmore was modified in order to add funding to cover additional costs that were required to be incurred due to the Incident. Ordinance 2579-2024 was passed by Council on October 7, 2024.
In September 2024, the City Attorney entered into a legal professional services agreement with Vorys to provide legal services to the City in connection with litigation arising from the Incident including cases pending in the Franklin County Court of Common Pleas, captioned as Doe, et al. v. City of Columbus, Case No. 24cv006195 and Doe, et al. v. City of Columbus, Case No. 24cv006428. In November 2024, the contract with Vorys was modified in order to add funding to cover additional costs of the ongoing litigation. Ordinance 2804-2024 was passed by Council on November 4, 2024.
2. CONTRACT COMPLIANCE
The contract compliance number for Dinsmore is CC004121 and expires 9/11/2026. Vorys, Sater, Seymour and Pease LLP, Vendor Number is 006042.
3. FISCAL IMPACT:
There is no fiscal impact as a result of this legislation.
4. EMERGENCY DESIGNATION
Emergency action is requested so that the investigation into the Incident response can continue unabated.
...Title
To authorize the City Attorney, on behalf of the Director of Technology, to enter into a second contract modification and first amendment to the general terms of engagement with Dinsmore, Vorys, and Haystack to allow for the incorporation of an FBI CJIS Security Addendum; and to declare an emergency. ($0.00)
...Body
WHEREAS, in order to safeguard the public health, safety, welfare, and property, and Mayor Ginther executed a Mayor’s Emergency Letter dated July 30, 2024 regarding the Incident; and
WHEREAS, it was necessary for the Department of Technology, through the City Attorney, to enter into contracts with Dinsmore and cybersecurity experts including Haystack for legal and incident response services in regard to the recent cybersecurity incident; and
WHEREAS, Ordinance 2579-2024 was passed by Council to address the additional expenses incurred necessitating additional funds to respond to the Incident; and
WHEREAS, it was necessary for the Department of Technology, through the City Attorney, to enter into contract with Vorys to provide legal services to the City in connection with litigation arising from the Incident; and
WHEREAS, Ordinance 2804-2024 was passed by Council to address the additional expenses incurred in the legal representation necessitating additional funds to respond to the litigation pertaining to the Incident; and
WHEREAS, during the course of the continuing investigation into the Incident, the City has been made aware that certain information contained within backup databases which are believed to have been compromised during the attack may contain CJIS such as to require any city contractors who access the data to be bound by the terms of an FBI CJIS Security Addendum; and
WHEREAS, an emergency exists in the usual daily operations of the Department of Technology in that it is immediately necessary to authorize the City Attorney to modify the contracts with Dinsmore, Vorys, and Haystack to incorporate the FBI CJIS Security Addendum to allow the Incident response to continue unabated thereby preserving the public health, peace, property, safety, and welfare; NOW, THEREFORE,
BE IT ORDAINED BY THE COUNCIL OF THE CITY OF COLUMBUS:
SECTION 1. That the City Attorney, on behalf of the Director of the Department of Technology, is hereby authorized to enter into contract modifications with Dinsmore & Shohl LLP, Vorys, Sater, Seymour and Pease LLP, and Haystack to incorporate the terms of the FBI CJIS Security Addendum.
SECTION 2. That for the reasons stated in the preamble hereto, which is hereby made a part hereof, this ordinance is hereby declared to be an emergency measure and shall take effect and be in force from and after its passage and approval by the Mayor or ten days after passage if the Mayor neither approves nor vetoes the same.