Agenda

Return

C. 81

To:	Board of Supervisors
From:	Karen Caoile, Director of Risk Management
Date:	October 4, 2022

Contra

Costa

County

Subject:

Contract with Tracepoint, LLC

APPROVE	OTHER
RECOMMENDATION OF CNTY ADMINISTRATOR	RECOMMENDATION OF BOARD COMMITTEE

Action of Board On: 10/04/2022

APPROVED AS RECOMMENDED

OTHER

Clerks Notes:

VOTE OF SUPERVISORS

AYE:

John Gioia, District I Supervisor
Candace Andersen, District II Supervisor
Diane Burgis, District III Supervisor
Karen Mitchoff, District IV Supervisor
Federal D. Glover, District V Supervisor

Contact:

Karen Caoile 335-1400

I hereby certify that this is a true and correct copy of an action taken and entered on the minutes of the Board of Supervisors on the date shown.
ATTESTED: October 4, 2022
Monica Nino, County Administrator

BY:	, Deputy

RECOMMENDATION(S):

APPROVE and AUTHORIZE the Director of Risk Management, or designee, to execute a contract with Tracepoint, LLC, in a amount not to exceed $14,500, to perform digital forensics and cyber incident response services, effective September 26, 2022.

FISCAL IMPACT:

Costs are paid through the County's ISF Public Liability Program.

BACKGROUND:

Between September 19, 2022 and September 20, 2022, an email account of an employee with In Home Support Services - Public Authority was accessed by an unauthorized source. That unauthorized source then used the affected email account to send phishing emails to approximately 120 additional email addresses (both County internal and external email addresses). It is unknown whether any emails or attachments in the accounts were accessed or downloaded by the unauthorized source.

BACKGROUND: (CONT'D)

The County's Cyber Insurance carrier was contacted and both the carrier and counsel for the carrier recommended entering into an agreement with Tracepoint, LLC ("Tracepoint"). Under the terms of the agreement Tracepoint will provide a forensic analysis of the unauthorized access to determine the actual number of email addresses affected, what information was accessed/downloaded, and provide a report of its findings to the County and its carrier. The agreement requires the County to indemnify Tracepoint in the event of any alleged infringement of copyrights, patent rights and/or unauthorized use of Tracepoint's software, and includes a limitation of liability from Tracepoint to the County.

CONSEQUENCE OF NEGATIVE ACTION:

Failure to approve the agreement could result in the County being unaware of whether potentially sensitive information was exposed to/accessed by unauthorized users, thus preventing the County from providing notifications to those potentially affected.