DC
District Of Columbia Council Bill PR25-0355

District Of Columbia 2023-2024 Regular Session

District Of Columbia Council Bill PR25-0355 Compare Versions

OldNewDifferences
1- ENROLLED ORIGINAL
2-
3-
4-
5-
6- 1
7-A RESOLUTION
8-
9-25-199
10-
1+MURIEL BOWSER
2+MAYOR
3+July 5, 2023
4+Honorable Phil Mendelson
5+Chairman
6+Council
7+of the District of Columbia
8+John
9+A. Wilson Building
10+1350 Pennsylvania Avenue, NW, Suite 504
11+Washington, DC 20004
12+Dear Chairman Mendelson:
13+Enclosed for consideration and enactment by the Council
14+of the District of Columbia is an
15+emergency bill, the "Contract No. DCHBX-E-2023-0002 with Norton Rose Fulbright, LLC
16+Approval and Payment Authorization Emergency Act of2023," and the accompanying emergency
17+declaration resolution.
18+The legislation
19+will approve Contract No. DCHBX-E-2023-0001 between Norton Rose Fulbright,
20+LLC, and the District
21+of Columbia Health Benefit Exchange Authority, to provide legal
22+representation by outside counsel specializing in cybersecurity and privacy compliance, with a
23+focus on complex cybersecurity attacks and data breach investigations. In addition, the legislation
24+will approve payment for services received and to be received under the contract.
25+My administration is available to discuss any questions you may have regarding this legislation.
26+In order to facilitate a response to any questions you may have, please have your staff contact
27+Kenneth Wallington, Contracting Officer, DC Health Benefit Exchange Authority, at (202) 679-
28+5952.
29+I urge the Council to take prompt and favorable action on the enclosed legislation. 1
30+2
31+3
32+4
33+5
34+6
35+7
36+8
37+9
38+10
39+11
40+12
41+13
42+14
43+15
44+16
45+17
46+18
47+19
48+20
49+21
50+22
51+23
52+24
53+25
54+26
55+27
56+28
57+29
58+30
59+31
60+32
61+~~
62+Chairman Phil Mendelson
63+at the request of the Mayor
64+A PROPOSED RESOLUTION
1165 IN THE COUNCIL OF THE DISTRICT OF COLUMBIA
12-
13-July 11, 2023
14-
15-
16-To declare the existence of an emergency with respect to the need to approve Contract No.
17-DCHBX-E-2023-0002 with Norton Rose Fulbright, LLC, in the not-to-exceed amount of
18-$2.6 million, and to authorize payment for goods and services received and to be received
19-under the contract.
20-
21- RESOLVED, BY THE COUNCIL OF THE DISTRICT OF COLUMBIA, That this
22-resolution may be cited as “Contract No. DCHBX-E-2023-0002 with Norton Rose Fulbright,
23-LLC Approval and Payment Authorization Emergency Declaration Resolution of 2023”.
24-
25- Sec. 2 (a) There exists an immediate need to approve Contract No. DCHBX-E-2023-0002
26-for representation and litigation services between the District of Columbia Health Benefit
27-Exchange Authority (“DCHBX”) and Norton Rose Fulbright, LLC (“Norton Rose”), in the not-
28-to-exceed amount of $2.6 million and to authorize payment for goods and services received and
29-to be received under the contract.
30- (b) On March 6, 2023, DCHBX received notice that data for some DC Health Link
31-customers had been published on a data breach forum. DCHBX immediately launched a
32-comprehensive investigation, began working with law enforcement, and engaged a third-party
33-expert forensics firm to investigate.
34-(c) Norton Rose has a practice that focuses on complex cybersecurity attacks and data
35-breach investigations, involving sophisticated threat actor groups and advanced persistent threats
36-focused on critical infrastructure entities. To date, DCHBX is aware of 5 putative class action
37-complaints that have been filed arising out of the data breach.
38-(d) Because there was a need to mitigate the risk of harm to consumers as quickly as
39-possible, including providing notice to affected individuals immediately, conducting a
40-comprehensive review of the DCHBX information technology systems and processes, and
41-litigation ensued within 10 days of the incident, it was necessary to acquire expert legal services
42-without delay and there was insufficient time to submit the contract to the Council in advance.
43-(e) Council approval of the contract is required pursuant to section 451 of the District of
44-Columbia Home Rule Act, approved December 24, 1973 (87 Stat. 803; D.C. Official Code § 1-
45-204.51). Council approval is necessary to continue receiving these critical services.
46- ENROLLED ORIGINAL
47-
48-
49-
50-
66+To declare the existence of an emergency with respect to the need to approve Contract
67+No. DCHBX-E-2023-0002 with Norton Rose Fulbright, LLC, in the not-to­
68+exceed amount of $2.6 million, and to authorize payment for goods and services
69+received
70+and to be received under the contract.
71+RESOLVED, BY THE COUNCIL OF THE DISTRICT OF COLUMBIA, That
72+this resolution may be cited as "Contract No. DCHBX-E-2023-0002 with Norton Rose
73+Fulbright, LLC Approval and Payment Authorization Emergency Declaration Resolution
74+of 2023".
75+Sec. 2 (a) There exists an immediate need to approve Contract No. DCHBX-E-
76+2023-0002 for representation and litigation services between the District of Columbia
77+Health Benefit Exchange Authority ("DCHBX") and Norton Rose Fulbright, LLC
78+("Norton Rose"), in the not-to-exceed amount of $2.6 million, and to authorize payment
79+for goods and services received and to be received under the contract.
80+(b)
81+On March 6, 2023, DCHBX received notice that data for some DC Health
82+Link customers had been published on a data breach forum. DCHBX immediately
83+launched a comprehensive investigation, began working with law enforcement, and
84+engaged a third-party expert forensics firm to investigate.
85+1 33 (c) Norton Rose has a practice that focuses on complex cybersecurity attacks and
86+34 data breach investigations, involving sophisticated threat actor groups and advanced
87+35 persistent threats focused
88+on critical infrastructure entities. To date, DCHBX is aware of
89+36 5 putative class action complaints that have been filed arising out of the data breach.
90+3 7 ( d) Because there was a need to mitigate the risk
91+of harm to consumers as quickly
92+38
93+as possible, including providing notice to affected individuals immediately, conducting a
94+39 comprehensive review
95+of the HBX information technology systems and processes, and
96+40 litigation ensued within
97+10 days of the incident, it was necessary to acquire expert legal
98+41 services without delay and there was insufficient time to submit the contract to the
99+42 Council in advance.
100+43 ( e) Council approval
101+of the contract is required pursuant to section 451 of the
102+44 District of Columbia Home Rule Act, approved December 24, 1973 (87 Stat. 803; D.C.
103+45 Official Code § 1-204.51 ), and section 202
104+of the Procurement Practices Reform Act of
105+46 2010, effective April 8, 2011 (D.C. Law 18-371; D.C. Official Code§ 2-352.02), and
106+4 7 Council approval is necessary to continue receiving these critical services.
107+48 Sec.
108+3. The Council determines that the circumstances enumerated in section 2
109+49 constitute emergency circumstances making it necessary that the Contract No.
110+DCHBX-
111+50 E-2023-0002 with Norton Rose Fulbright, LLC Approval and Payment Authorization
112+51 Emergency Act of 2023 be adopted after a single reading.
113+52 Sec. 4. This resolution shall take effect immediately.
51114 2
52-Sec. 3. The Council determines that the circumstances enumerated in section 2 constitute
53-emergency circumstances making it necessary that the Contract No. DCHBX-E-2023-0002 with
54-Norton Rose Fulbright, LLC Approval and Payment Authorization Emergency Act of 2023 be
55-adopted after a single reading.
56-
57-Sec. 4. This resolution shall take effect immediately.