Cybersecurity & Tech

Know those calls to your mobile that look suspiciously like a number you know? Arkansas SB 514 (2019 |AR) would change the penalty for those calls.

The bill would increase the penalty for spoofing from a Class B misdemeanor to a Class D felony. That’s up to 6 years in prison &  a fine up to $10,000.

Telecom companies would have to:

• implement preventative measures
• report yearly to the Arkansas Public Service Commission concerning steps taken to identify and block the robocall perpetrators

Arkansas Democrat Gazette | Bill to steepen robocall penalty in Arkansas clears Senate, moves to House 

Debate over Michigan HB 4186 (2019 | MI) and HB 4187 (2019 | MI) focuses on the time period for notification.

The bills cut notification time in MI from 90 days to 45 days. Chamber of Commerce is as thrilled as a cat in the rain.

45 days is a standard adopted by 13 states.

An amendment proposal is for 75 days when the information is processed by a credit card processor.

Small Business Association of Michigan | New Data Breach Bill Moves Amid Latest Ransomware Attack

Marriott CEO testified before the Senate Committee on Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations and said that the hotel chain would now use encryptiona nd toeknization (blockchain, distributed ledger) to safely store data.

Security Boulevard | Marriott Could Have Prevented Privacy Data Breach with Tokenization

New Jersey AB 3245 (2019 | NJ) will:

• Expands Notification to include new data that would allow access to an online account, which includes answers to security questions.

The Daily Swig | New Jersey to expand data breach notification law 

Digitizing currency is moving tangible assets to the cloud and opening conversations on using crypto currency as collateral.

Bonjour new fintech, bitcoin and blockchain legislation.

Legaltech News | Crypto-Collateral? Securing Loans with Digital Currency 

Facebook has admitted to storing 10s of MILLIONS of passwords in plain text. Security Expertts say 600 Million passwords were stored in plain text.

Tech Crunch | Facebook admits it stored ‘hundreds of millions’ of account passwords in plaintext

What data do scooter companies want to protect from local government?

• real time data

Why do local governments want this data?

• to see if scooter comapnies are complying with rules
• pair it with service data for transportation efficiency

What enforcement actions have been taken?

• By refusing to hand over data, Jump received a shorter operational permit in Los Angeles

What data concerns exist?

• privacy of senstive data
• Bird company policies prioritize privacy 

Mother Board | Scooter Companies Split on Giving Real-Time Location Data to Los Angeles

New data breach lingo: The Internet of Medical Things (IoMT)

Why does this matter? Health care data breaches are thepriciest at $08 per record

What’s the latest breach of medical devices? ultasound equipment that can be hacked and have images swppaed by hackers

Dark Reading | Ultrasound Machine Diagnosed with Major Security Gaps

Politico | Why 2020 contenders need to worry about hackers now 

• Timely. All 6 US Senators running for President in 2020 are cosponsors of cybsercurity legislation
• History of federal Action. Standardizing cybersecurity practices at the federal level is difficult
• Agency infighting  is creating disparate standards
• State Success. State leaders have pushed legislative success to protect its citizens like:
  • TX, IL, WA and MA protecting biometric data
  • OH liability protection law
  • CA version of GDPR

The Hill | Why states should push forward with cyber laws

Vermont is subsidizing “last mile” for broadband access in rural areas that will:

• create a revolving loan fund
• provide access to fiber lines
• allowing towns to use general obligation bonds to finance similar projects

US News and World Report | In Vermont, High-Speed Internet for All Gets More Likely

 HB 4371 (2019 | TX) requires that digital currency (crypto currency)have a verified identity.

Texas would be the first state to prohibit anonymous cryptocurrency.

Crypto Globe | Texas Lawmaker Proposes Banning Anonymous Cryptocurrency Transactions 

Where: Pennsylvania

The legislation: HB 225 (2019 | PA)

The Cybersecurity Innovation Commission must:

• conduct cybersecurity audits
• improving security and privacy standards
• information for PA businesses concerning newest cyber technology

New Castle News | Under the Radar: Bill would aim to beef up state’s cybersecurity

Bipartisan S592 (2018-2019| Congress) would require businesses to disclose:

• in SEC filings
• whether a board member is a cybersecuity expert

Ripon Advance News Service | Sen. Collins’ bipartisan bill requires publicly traded companies disclose cybersecurity efforts

California’s SB 561 (CA | 2019)  would allow individuals to bring suit against a company for a data breach that includes their personal information.

The caveat: companies would have to have failed to provide reasonable security precautions.

Insurance Journal | California Bills Would Add More Punch to Consumer Data Protection Law

Nevada is considering Senate Bill 69 (NV | 2019) which will:

• Establish October as Cyber Security Awareness Month
• Clarifies that eh Governor can call in the National Guard for Cyber Incidents

3News | Cybersecurity, human trafficking among issues before Legislature this week

Georgia’s House Bill 197 (GA | 2019)  would create:

• a statewide data analytics center — the Georgia Data Analytic Center — under the Governor’s Office of Planning and Budget
• is in repsonse to Experian data breach
• aggregate data from all constituent services would be available to lawmakers, state agencies, academic institutions and public and private researchers.

Rome News Tribune | Legislation creating Georgia Data Analytics Center clears Crossover Day hurdle

• Special Purpose Depository Institutions will service blockchain industry in WY HB 74 (WY | 2019)
• Business FIlings using a blockchain system HB 70 (WY | 2019)
• Allow for Certified Stock Tokens (Bitcoin) HB 185 (WY | 2019)
• Allow digital assets in commercial laws and allow banks to serve as custodians for digital assets SF 125 (WY | 2019)  

California’s AB 953 (CA | 2019) would permit legal cannabis businesses to pay state taxes using cryptocurrency

Bitcoin Magazine | Blockchain Advocacy Coalition Sponsors Bill to Allow Crypto for Legal Cannabis Tax

What legislative provisions are getting push back from state data officials? require government contractors to install monitoring software

Is there a national group pushing back on this lobbying effort? National Association of State Chief Information Officers issued a statement opposing the bills

What is the opposition? It puts citizen information at risk

How many states have seen this language? 23

State Scoop | Nationwide lobbying push for contractor monitoring software alarms state CIOs

California is revising its first in the nation data protection bill by:

• include passport and government ID numbers as data that trigger notification after a data breach
• include biometric data, fingerprints, and iris and facial recognition scans, as data that trigger notification after a data breach

Tech Crunch | California to close data breach notification loopholes under new law

AB 1130 (CA | 2019)

City: San Francisco

The proposed ordinance would:

• ban facial recognition software
• require annual reporting and auditing of all use of surveillance technology

State Tech | San Francisco Considers Banning Facial Recognition Tech 

Oregon’s Senate Bill 703 will:

• label health data as the patient’s property
• require health care companies to obtain signed authorization from individual consumers before de-identifying their data for sale to a third party

Health Tech | What Oregon’s Move to Redefine Data Privacy Means for PHI

A 2018 Brookings study categorizes state blockchain legislation and regulation.

States Recognizing Innovation Potential:

• Illinois
• Arizona

States Actively Engaged:

• Pennsylvanai
• New York
• Florida
• Virigina
• Utah
• Wisconsin

States that are orgnaized:

• Wyoming
• Washington

States that are appreciative:

• California
• Colorado
• Oklahoma
• Kansas

States that are reactionary:

• Texas
• Missouri
• Illinois
• Ohio

States that are unaware:

• Arkansas
• Mississippi
• Minnesota
• oregon
• idaho

Consensys | Meet the American Legislators Bullish on Blockchain

Hawaii’s Public Land Trust Information System allows for searchable information such as:

• tenants on state lands and in state buildings

• rent paid for state land and buildings

• fees for encroaching on public property

• revenue from camping and wedding or event rentals

pltis.hawaii.gov

Government Technology | Hawaii Launches State Land Use Database

Hawaii joins the ranks of states implmenting a statewide Data Officer position to oversee data security.

SB 1001 (HI | 2019)

HB 532 (HI | 2019)

SF 0125 (WY | 2019) will allow crypto currency to have property rights outside third party storage.

What does this mean?

•  Wyoming is the 1st US state to allow private ownership of cryptocurrency
• Wyoming hopes blockchain and cyrptocurrency then partake in WY courts, business registrations
• Wyoming becomes the Delaware or Nevada of cryptocurrency, as Deleware and Nevada are for traditional corporate filings

Bitcoinist | WYOMING BECOMES FIRST STATE TO GIVE BITCOIN OWNERS FULL PROPERTY RIGHTS

Smartereum | Wyoming Just Passed a Bill That Gives Full Property Rights to Digital Currency Holders

Georgia uses exclusively paperless ballots. The November 2018 election produced high numbers of people not voting for Lt. Governor.

A lawsuit seeks to invalidate that race due to the low voting numbers in that specific race and calling for forensic examination of the electronic voting machines.

Politico | Another Georgia voting kerfuffle

Cisco is asking governmetns around the world to make data privacy a fundamental right.

The talking points:

• Security: Assign responsibility to protect the confidentiality, integrity, availability, and resiliency of data;
• Transparency: Explain how data is collected, used, transferred, and disclosed;
• Accountability: Ensure governance for data under the entity’s stewardship, including a data protection team, applying a risk-based approach;
• Innovation: Recognise multi-stakeholder-driven initiatives that enhance transparency and provide paths for implementation.

New Zealand Reseller News | Cisco calls on governments to make privacy a ‘fundamental human right’

WHAT: Cyber Security Exchange Act,”

Bipartisan? Yes, Senators Thune (R) & Klobuchar (D)

How does the Cyber security Exchange work?

• create an exchange program between the federal government and private firms
• to bring more cybersecurity expertise to the federal workforce
• The program would allow for a 2 year tours of duty with the federal government

The Hill | Bipartisan bill would create public-private cyber workforce exchange

After passing firs tin the nationa data privacy protection, to a GDPR level, here’s a roadmap of  the supporters and opponents :

• Against/Changing the state level GDPR-like standards:
  • California Chamber of Commerce
    • $2.2 million coalition that tried to scuttle the ballot initiative
    •  $1.6 million in lobbying
  •  tech-backed Internet Association
    • $200,000 on lobbying
• For the state level GDPR-standards:
  •  Common Sense Media
  • Electronic Frontier Foundation
  • Consumer advocates

Why does this matter? Other states are following suit- New Mexico, Massachusetts

MERCURY NEWS | Inside the lobbying war over California’s landmark privacy law

Jail time is being added to the list of potential penalties in data breaches. Under the proposal the FTC could impose fines on companies and could also impose criminal penalties on executives.

The impetus for this bill? Facebook

Government Technology | Oregon’s Wyden Pitches Jail Time for Breaches

Utah’s  HB 57 (UT | 2019) would require a warrant before police can access data shared with an app or third party, like cloud storage.

Supporters say:

• Applies the rules to paper to the digital world. If it was on paper, would a warrant be required should be the standard.
• Based on language in a constitutional amendment to protect digital privacy passed in Missouri in 2014.

Salt Lake Tribune | A Utah lawmaker is pushing a digital privacy bill that would bar warrantless searches of data uploaded to apps or cloud platforms

Washington State is considering SB 5376 and HB 1854 (WA | 2019) will:

• Consumer Access to data collected on them
• Consumers can delete data collected on them
• Consumers can correct their data
• Consumers can restrict access to their data
• Consumers can get a copy of their data
• Consumers can object to their data for marketing
• No profiling based on data
• Comapnies collecting data have 30 days to respond to consumer requests, with an extention of an additional 60 days for voluminous requests

The bills build on parts of the California data privacy law, builds on lessons learned from California, and uses from GDPR standards.

New York Department of Education is proposing new rules  that will:

• Parent’s Bill of Rights applicable to 3rd party vendors and setting standards on disclosing student data
• The National Institute for Standards and Technology Cybersecurity Framework (“NIST CSF”)
• Annual training for school district employees
• A Data Protection Officer in every school
• Notice of a school data breach must be given to the Department of Education within 10 days
• Civil Penalties that accrue per individual affected for 3rd party vendors.

National Law Review | NYS Education Department Proposes to Significantly Strengthen Data Security and Privacy Protocol 

• Privacy. Who owns the data. Who gave consent to collect the data.
• Security. What data should be protected from transfer.
• Public Safety. How can the data be used to protect the public and transportation systems in smart cities.

How can governments use data from self driving cars?

• managing traffic
• urban planning
• allocating public funds 

phys.org | self-driving cars and geospatial data: Who holds the keys?

What entity is ranking states on student data protection?  Parent Coalition for Student Privacy

Best State for student Data Protection? Colorado with a B

Worst states for student data protection? 11 way tie with Fs for Alabama, Alaska, Massachusetts, Minnesota, Montana, Mississippi, New Jersey, New Mexico, South Carolina, Vermont, Wisconsin

The populous states?

• California C
• New York B-
• Illinois C+
• Texas D+
• Florida D+
• Pennsylvania D-

Lingering Education Data Security Issue for all states: Teacher Data Protections

EdScoop | Controversial report shows many states fail on student data privacy

• Use risk limiting audits for elections and voting practices
• replace direct recording electronic systems with systems using voter-marked paper ballots 
• No unfounded mandates for local election officials
• train local and state election officials on cyber security
• establish statewide cybersecurity practices

Blue Ribbon Commission on Pennsylvania Election Security (January 2019)

Let’s take a peak at what the National Assocaition fo Realtors spent on cyber security lobbying in 20198?

• $19million in spending on the last quarter on 2018 on cyber security lobbying
• Including a bill For Small Business Development Centers to offer cyber security training
• And a bill that would  strengthen data breach notification

Politico | Morning Cyber Security

Pennsylvania Supreme Court rules that all employers must exercise reasonable care to protect worker data.

How did they get there? A health care provider employee data breach led to a lawsuit. Lower courts sided with the employer that there was no data security requirements for employee records. The PA Supreme Court disagreed. 

Pittsburg Post Gazette | PA Supreme Court rules UPMC — and all employers — must protect workers’ data. Doing so is harder

Why is procurement key?

• Procurement contracts can set the tone for state data security standards

• Telecom infratructure is key to data security

• States should offensively say what the data standards are, rather than what cannot be done

• Private-public cooperation is the key for leading global solutions

• Strengthen cyber security workforces

• Contracted cloud solutions can fill in when funding does not exist for state data security experts

The Kosciuszko Institute| CYBERSEC 2018 RECOMMENDATIONS AND KEY TAKEAWAYS

State: Minnesota

Bill: SF 17 (MN | 2019)

What does it do?

• reworks state voter registration to secure it better
• federal funds
• all specifics of how the new voter registration will protect voter data is determined by the state secretary of state

Tim Cook (Apple) is recommending a Data Broker Registry.

What’s a data broker? they buy and sell data from third parties

So how would it work?

• every consumer can opt into their data being collected or not
• consumers would be able to remove their data from the registry
• the FTC would house the registry and consumers could see what info is being collected and by whom

Why does this sound familiar? Because in 2018 informed:intel told you about the first in the nation data broker state law in VT, and we gave you the bill text to create one in your state

Wired | How Tim Cook’s Data Broker Registry Might Actually Work

1. Election Security
2. Data privacy and Security think Marriott and Equifax Breach fixes to protect consumer data
3. Infrastructure Protection
4. Cyber Security Workforce 

The Hill | Four cybersecurity priorities for Congress to confront active threats

• 30 days to provide notification to consumers
• Greater disclosures to consumers about data collected and where it is stored
• Free credit freezes and unfreezes for a year
• 4 years of credit monitoring- free
• Applies Deceptive Trade Practices Act penalties to Businesses (these accrue daily and per incident)

Who is backing this bill: North Carolina  State Attorney General 

What impact does this have to businesses?

• healthcare comapnies would see their notifcation timeline cut from 60 days to 30 days

Have other states shortened notification timelines? Yes, in 2018 Colorado also went to 30 days. Iowa went to 45 days.

Health IT Security | North Carolina Reintroduces Strict Data Breach Notification Law

What are states doing to train their employees to protect data?

• Michigan, Oklahoma and Wyoming encourage but don’t require training
• Idaho Governor Excutive order requires training for all executive staff
• Illinois in 2017 made cybersecurity training mandatory for state employees
• Indiana’s CIO has authority to make training mandatory for state employees
• Utah sends out phony phishing emaisl to state employees to test them
• CT offers voluntary training every 2 months
• Alabama offers daily cybersecurity trivia games with prizes to employees, 1000 employees play a day

GCN  | As states lag on cyber training, agencies are fertile phishing grounds

SB273 (OH |2018) does the following:

• Adopts the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law
• OH becomes the 2nd state after South Caroline to adopt the model law
• Requires licesees develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system within 1 year of the effective date of the Act;
• Perform a risk assessments 
• Develop a formal incident cyber response plan 
• Require their third-party service providers to implement security measures within 2 years
• Report data breaches to the head of its Department of Insurance  within 3 business days after determination tof a cyber event;
• Certify compliance to the  the head of its Department of Insurance
• 5 year retention of all records supporting the certificate of compliance 

Cybersecurity experts favor:  hand-marked paper records processed by optical scanners

What did Georgia’s voting security commission recommend? paper records but not hand marked and processed by optical scanners

politico | GEORGIA GOES ANOTHER DIRECTION

Paper products rejoice! South Carolina legislature will consider requiring paper ballots. S374 (2019 |SC)

Politico | Two states are placing election security on their agenda this week. 

Anatomy of a white hacker on construction equipment:

• Accessed 14 construction locations
• hacked into devices that not only controlled:
  • cranes
  • excavators
  • scrapers
  • other large machinery

The solution: Move equipment away from “esoteric custom protocols” and to “modern, standardized tech” that can be easily upgraded for security

Forbes | Exclusive: Hackers Take Control Of Giant Construction Cranes

What is special about Rhode Island’s newly implemented risk limiting audits?

• the gold standard of ballot audits
• Rhode Island is the 2nd state to adopt risk limiting audits in elections

Rhode Island Assembly | General Assembly passes Sheehan, Ajello bill that would establish a post-election audit program | (2017-S 0413A, 2017-H 5704A)

• data helps create more efficient permitting processes
  • CT allows local governments to get occupational licensing data directly form the state
• overdose data helps first responders and hospitals prepare for epidemics
• Prevent fraud 
  • IN adopted its Indiana’s Management and Performance Hub to “integrate” data from several agencies to build custom analytics solutions.” Its addressing issues from car crashes and infant mortality to Medicaid optimization.
  • TX shared data across agencies during Hurricane Harvey. Data was shared in real time to support first responders, law enforcement and others. 

StateTech | How States Benefit from Appointing a Chief Data Officer

Why is statutorily protecting business email correspondence increasingly important to law makers?

Data.

What does the FBI data say about business email hacking?

• 136% increase in identified global losses between December 2016 and May 2018
• losses from business email total  $12.5 billio

Are there other terms I need to watch for in legislation/from clients?

• cyber-enabled financial fraud

National Law Review | Privacy and Cybersecurity Issues to Watch in 2019

IN 2018, Vermont became the first state to regulate data brokers.

What is a data broker? 

• A business that
• knowingly collects and sells or licenses to third parties
• brokered personal information of a consumer
• with whom the business does not have a direct relationship

What business guidance did the Vermont Attorney General offer?

• If Vermont courts do not have jurisdiction, then this law does not apply to a business
• Does it establish an opt out requirement for consumers? no
• Will businesses have to change their practices to opt out? no
• A business that collects data for its own use only is not a data broker

Los Angeles City Attorney filed suit against the Weather Channel App for not properly disclosing that the app retains user location data.

Where would I see this in legislation? in fraud, deceptive trade practices, competititve practices, cybersecurity bills that protect geolocation

Engadget | LA sues Weather Channel app owner over ‘fraudulent’ data use

 Senate Bill 2110 (2019 | ND) would give a North Dakota state agency, Information Technology Department, the power to:

•  “advise, oversee and regulate cybersecurity strategy” for:
  • state agencies
  • higher education
  • cities
  • counties
  • school districts

What’s the state argument for a unified cybersecurity approach? the local govenrments and entities are connected at some point to a state network

Local government support? Yes, the North Dakota League of Cities supports the initiative because of (1) ransomware threats and (2) small cities with part time auditors

Grand Forks Herald | Bill looks to standardize North Dakota cybersecurity for public entities

Ohio was the first state to create a safe harbor for business in its 2018 cybersecurity legislation. SB220 (OH | 2018)

How did Ohio craft its liability protection for businesses? A business has to do 1 of these:

(1) Create, maintain, and comply with a written
cybersecurity program that contains administrative, technical,
and physical safeguards for the protection of personal
information and that reasonably conforms to an industry
recognized cybersecurity framework, as described in section
1354.03 of the Revised Code; or

      (2) Create, maintain, and comply with a written
cybersecurity program that contains administrative, technical,
and physical safeguards for the protection of both personal
information and restricted information and that reasonably
conforms to an industry recognized cybersecurity framework, as
described in section 1354.03 of the Revised Code.

      (B) A covered entity's cybersecurity program shall be
designed to do all of the following with respect to the
information described in division (A)(1) or (2) of this section,
as applicable:

      (1) Protect the security and confidentiality of the
information;

      (2) Protect against any anticipated threats or hazards to
the security or integrity of the information;

      (3) Protect against unauthorized access to and acquisition
of the information that is likely to result in a material risk
of identity theft or other fraud to the individual to whom the
information relates.

      (C) The scale and scope of a covered entity's
cybersecurity program under division (A)(1) or (2) of this
section, as applicable, is appropriate if it is based on all of
the following factors:

      (1) The size and complexity of the covered entity;

 (2) The nature and scope of the activities of the covered
entity;

      (3) The sensitivity of the information to be protected;

      (4) The cost and availability of tools to improve
information security and reduce vulnerabilities;

      (5) The resources available to the covered entity.

1st state to adopt model insurance data security law: South Carolina

2nd state: Ohio legislation with 8 modifications SB 273 (OH | 2018)

The model law: NAIC

National Law Review | Ohio Moves on Insurance Cybersecurity

In 2018, Vermont passed a data breach notification bill to address the Equifax data breach.

Vermont’s Attorney General is Recommending the following additional legislative fixes:

• Create a new statewide office, Chief Privacy Officer,  charged with ensuring the state establishes best practices for handling Vermonters’ personal information
  • the position would advocate for additional privacy protections for citizens & hear concerns
• Stronger protections for student data by educational technology
  • The model: a 2016 California law that prohibits education technology companies from selling student information or disclosing it for purposes unrelated to education

VT Digger | AG says Vermont should take more steps to protect data privacy

New Jersey is looking to save costs by moving to exclusively digital records, making the state government paperless. 

The caveat: data security risks

What was the legislative plan to get to a paperless NJ state government?

• The Govenror made it a goal for his administration
• Legislation creates a task force to make recommendations and suggestionts to address concerns, like data security
• Task Force 15 person membership includes:
  • secretary of state
  • state treasurer
  • director of the New Jersey Division of Taxation
  • head of cybersecurity in the Office of Homeland Security and Preparedness
  • other members with expertise in such areas as government information technology, revenue collection and voting

Government Technology | New Jersey Bill Would Push State Government to Go Paperless

• California Privacy Act.  Will other states replicate it? Is it the US solution for GDPR?
• Federal Preemption. Will Congress pass federal data breach notification standards?
• Data Privacy Requirements for Internet of Things.  Privacy standards for your home thermostat, etc… See California’s SB 327 (2018)
• Will small businesses get a carve out bill? See S770 (115th Congress)
• Federal Preemption of Data Encryption Standards for Business

Sc Media | Top cybersecurity legislation of 2019

According to lawyers wirting in the Harvard Business Review, a data security regulatory system should:

• focusing more on systemic ways to address cyber threat
• not treat businesses punitively 
• require the federal government to take a more active role in cyber defense
• require the federal government to share cybersecuity knowledge with the private sector
• require agencies to “issue pragmatic, cost-effective operational guidance to companies on how to defend against evolving risks”
• incentivizing security improvements
•  provides greater confidentiality concerning security measures
• provide liability protections
• create a public-private collective cyber defense

Harvard Business Review | Stopping Data Breaches Will Require Help from Governments

• Thinking on these laws is backwards. Laws should switch from punishing coporations to realizing in data breaches, companies are most likely also victims of criminal activity
  • it is not a fair framework to punish companies
  • and it is not effective enforcement
• Limited cyber experts. It is impossible for “every company in America to have sufficient internal cyber expertise to manage the risk.”
• The robbery analogy. When a bank is robbed, do we blame the bank? No.

Harvard Business Review | Stopping Data Breaches Will Require Help from Governments

Stanford researchers and other professors looking at this federal definition of cybersecurity:

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation

think that the definition is outdated and needs to reflect the use of disinformation.

The list of cybersecurity legislative changes that are being bandied about:

• including disinformation campaigns
•  prohibiting the use of digital bots to impersonate people
• more tansparency on how the algorithms used by social media sites work

Lawfare | Cybersecurity: Time for a New Definition

The New Jersey Senate passed a Block Chain Task Force bill S2297 (NJ |2018) that will determine whether:

• NJ should be using Blockchain technology to modernize government systems
• it would safeguard personal data is good for NJ
• if it would help with service delivery
• whether it would be good for local governments

Touted benefits of blockchain/distributed ledger storage? could also help safeguard government systems from cyber-security attacks

Insider NJ | Kean/Beach Blockchain Task Force Passes Senate  

What did the Michigan Chamber of Commerce tout as reasons to support a Data Security bill, HB 6405 (MI | 2018) that required businesses to do certain new tasks concerning data breaches:

• The Chamber likes a specific time frame to notify affected persons
  • The chamber did not like phrasing, within a reasonable time
• Is ok with “reasonable mandates” on businesses
• The Chamber supports “.. a consumers’ right to know that their personal identifying information was compromised”

Michigan Chamber of Commerce | Michigan Chamber Applauds Senate Action on Data Breach Notification Legislation

S3288 (115th Congress) creates an offense of Aggravated damage to a critical infrastructure computer & allows for forfeiture of assets related to bots.

Morning Cybersecurity | Sen. Sheldon Whitehouse, meanwhile, complained that the Trump administration hasn’t collaborated with him on bipartisan legislation (S. 3288) to take down botnets. 

• Libaility for the school, the school distric,t the principal, and the superintendent
• Legal requirements schools retain records like, HIPPA records, that has certian legal requirements
• Disruptions to Education When a school is subject to a hack, it can suspend learning
• Student Records. A cyber event may not only want to steal information, it may want to change information. Integrity of school records is crucial
• Reputation of the school, its educational system, and its leadership

EdScoop | Five reasons schools need to address cybersecurity now

The allegations of fake constitutent support:

• Comments to the FCC over net nuetrality rules
• Of 20 million comments, almost 50% were provided without consent

The investigations:

• FBI issuing subpoenas
•  New York Attorney General with support of Attorneys General of Massachusettes and the District of Columbia

Targets of the subpoenas:

• 14 organizations
• 11 of which are either politically conservative or related to the telecommunications industry and opposed net neutrality, and three of which supported

BuzzFeed | Millions Of Comments About The FCC’s Net Neutrality Rules Were Fake. Now The Feds Are Investigating

• More attention at the state level. States have been targets of hackers and that fuels their regulatory structures
• Agility. States can respond more quickly legislatively
• More to Lose. States are closer to local level data breaches and are as impacted by local breaches
• Business Accountability State resources also support businesses that have been impacted by hackers

Baltimore Post Examiner | Why is State Cybersecurity better than Federal Cybersecurity?

HR7283 (115th Congress) requires devices purchased by the federal government to be:

• Sets contractor minimum security requirements
• Agencies will set baseline secueity standards for procurements
• Standards must be “based on technology-neutral, out- come-based security principles”

Text of HR7283 (115th Congress)

NextGov | Upcoming Bill Would Lock Down Agencies’ Internet-Connected Devices 

Is this bipartisan? Yes, Sen. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H.

What’s the bill called? The Public-Private Cybersecurity Cooperation Act

What would it do?  Creates a vulnerability disclosure program, crafted by the Department of Homeland Securty,  to allow hackers to report problems to the proper authorities without being prosecuted 

S3707 (115th Congress)

NextGov | Senators Introduce Bill to Let Hackers Reports Bugs to DHS

• Fees charged by bitcoin processor.  Do the fees exceed fees in other payment options
• Fraud there is a well known Canadian bitcoin tax scam
• Unnecessary  who wants bitcoin payment? the information according to the state will not be available until after a few months into the program
• Safety. Is it safe?

Nextgov | Is this about grabbing some of the sizzle that comes with all things blockchain and crypto

New Jersey legislature is moving A3245 (2018 |NJ) which is in repsonse to the Marriott data breach and will:

• Expands the state data breach notification requirements to include disclosure of:
  • usernames
  • email addresses
  • any passwords
  • security questions and answers
• The authors say prompt notification is required for people to keep their online acocunts protected

Insider NJ | Assembly Panel Clears Caputo & Murphy Bill Requiring Disclosure of Online Security Breaches 

• Lots of potential Texas impact.  potentially 100s of 1000s of Texans “vulnerable to the nightmare of identity theft”
• massive hack.  “compromising the personal information of up to 500 million guests”
• enforcement actions include:
  • ​serving an investigative subpoena
  • encouraging affected texans to file a complaint at  https://www.texasattorneygeneral.gov/cpd/file-a-consumer-complaint

Texas Attorney General Office | AG Pax­ton Begins Inves­ti­ga­tion Into Mar­riott Data Breach Affect­ing 500 Mil­lion Cus­tomers Worldwide

HB 747 (2018 | OH) will estalish the Ohio Cyber Reserve to protect Ohioans from cyber terrorists.

Authors tout that the Reserve will also help cities with cyber inititatives.

How many aspects of cybersecurity will the reserve have its fingers in?

• election security
• local governments
• critical infrastructure
• businesses

Like the national guard, the reserve will act by Governor action.

Fox 8 | Ohio House passes bill to establish cybersecurity team

Government Technology | Ohio House Passes Cybersecurity Team Bill

The Pennsylvania Supreme Court has ruled that employers have a duty to protect employees from cyberattacks by setting:

• Employer Duty: “a legal duty to exercise reasonable care to safeguard”
• Remedy: a recovery for negligent behavior under the economic loss doctrine

Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018)

White & Williams | Pennsylvania Supreme Court Holds Employers Have Duty to Protect Employee Data from Cyberattacks 

Norway is changing the way it taxes bitcoin miners.

The current tax structure for cryptocurrency miners: 

• the lower rate for power intensive industries (capacity of more than 0.5 megawatts)
• the rate: $0.00056 per kilowatt hour
  • 2.8% of the standard tax rate

The new rate tax structure for bitcoin in Norway:

•  $0.019 per kilowatt hour

CryptoCurrency 365 | Norway Decided to Impose Normal Electricity Tax on Miners

The Nevada Legislature will consider SB69 (2019 | NV) which is:

• backed by the Division of Public Safety’s Division of Emergency Management
• defines significant cyber events like invasions, disasters and riots
• require schools, cities, counties and resorts to have emergency response plans
• designates October as “Cybersecurity Awareness Month”
• allows the governor to call on the national guard during a significant cyber event

Nevada Independent | New pre-filed bills take aim at education, cybersecurity ahead of upcoming legislative session

• Ohio is the 1st state to accept bitcoin for tax payments
• On OhioCrypto.com 23 Ohio taxes can be paid via bitcoin
• Bitcoin tax payments will be limited to Businesses
  • After a successful pilot with businesses, then the bitcoin tax payments will open for individual OH taxpayers

Crypto Currency News | Ohio Accepts Bitcoin for Tax Payments: A Much-Needed Silver Lining. 

States have taken different approaches to how to regulate hacking by research, or white hat hackers, who identify and report data security vulnerabilities.

An example of this is a researcher who discovered in 2017 that USPS had left open all user information of the usps.gov website. There was no response from USPS, and the breach was disclosed this week. 

Tech Crunch | U.S. Postal Service Data Breach Exposes Data of 60M Customers 

• Texas is a leader. Texas should lead in regulating false information spread by bots
• Texas has been impacted by misinformation. Both these Texas events were followed by false information:
  • Austin bombings in March
  • Santa Fe High School shooting in May
• Model Legislation should include:
  • ​the 1st amendment should be respected for individuals and corporations
  • Bots should be labeled and identified
  • Outreach to encourager fact checking
  • Media Literacy in Schools

Jared Schroeder | Assistant professor of journalism, Southern Methodist University | Trib Talk | Texas needs legislation to combat bots — yesterday

Intel has drafted model data privacy bill that includes these 6 points:

•  comprehensive, technology neutral and support the free flow of data
•  risk-based accountability approaches
• Automated decision-making should be fostered while augmenting it with safeguards
• promote access to data, supporting the creation of reliable datasets available to all, fostering incentives for data sharing, and promoting cultural diversity
• Funding research in security
• Algorithms can help detect unintended discrimination and bias, identity theft and cyber threats.

The Intel Model Legislation

Press Release from Intel

New Hampshire voters approved a state constititional amendment to protect from government intrusion personal and private information.

The constitutional language: An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent.

The passage rate: 80% of votgers supported it

Reason | N.H. Constitution Now Protects “Right to Live Free from Governmental Intrusion in Private or Personal Information”

How do consumers hold manufacturers of internet of things products, like a connected refrigerator, liable for a data theft or property damage from a hack?

That is part of what California’s SB 327 (2018 | CA) seeks to clarify to protect consumers.

CNN Wire | WE NEED STRONGER CYBERSECURITY LAWS FOR THE INTERNET OF THINGS

South Carolina Department of Revenue had a data breach impacting tax payers in 2012.

Then-Governor Nikki Haley promised those impacted life time credit mornitoring. 

The Legislature de-funded the program effective OCtober 31, 2018.

Government Technology | South Carolina Lawmakers Vote to End Post-Hack Credit Protections

• 2018 Vermont became the 1st state in the nation to regulate data brokers.
• Unintended consequences on small businesses is unknown, especially as it relates to small businesses that:
  • rely on technology platforms to reach rural customers
  • rely on cloud based storage

Vermont Digger | Christopher Minott: Protect small businesses from overly aggressive tech policy

Where: New Jersey

Who: New Jersey Attorney General Gurbir Grewal

What: In a settlement of a data breach  of medical records, New Jersey Office of Attorney General banned those responsoible for the breech from owning or operating a business in New Jersey. 

Gov Info Security | Breach Settlement Has Unusual Penalty 

Activists are promoting an Internet bIll of Rights, the kind of bill state legislatures love. What would it do?

• Keeping your “browsing history” private
  • ​Except: fraud or potential crimes  
• Full disclosure when being monitored, and the right to opt out
• Preserving the privacy of your social media accounts.
• Ownership of your personal, digital content
• Notification of injurious data breaches
• Fair play on social media platforms and/or internet providers
• Protecting children on social media
• Protection from “unfunded government mandates” on data-mining:
•  Keeping your health and fitness data private
•  Safeguarding email and text communications

Connecticut Post | We Need an Internet Bill of Rights

•  California Consumer Privacy Act (AB375 | 2018 | CA)
  • 2 year grace period
  • follows the EU’s GDPR
• Vermont ( H764 | 2018 | VT)
  • toughest data collection disclosure bill in the US
  • Data Broker Bill
• Colorado (HB11-1128 | 2018 | CO)
  • Strengthened its protections of “personal identifying information”
• New Jersey  (S1913 | 2016 |NJ)
  • Shopper Privacy Bill
  • limits retailer retention of consumer data
• Washington (HB1493 | 2017 | WA)
  • Protects more health data

The Hill | States are leading the way on data privacy

• Caution: Conflicts of Interest.  Virtual asset trading platforms often engage in several lines of business that would be restricted or carefully monitored in a traditional trading environment.
• Account for Abusive Trading Behavior
• Consumer Protetctions needed

NY Attorney General | Virtual Markets Integrity Investigation 

Activists are promoting an Internet bIll of Rights, the kind of bill state legislatures love. What would it do?

• Keeping your “browsing history” private
  • ​Except: fraud or potential crimes  
• Full disclosure when being monitored, and the right to opt out
• Preserving the privacy of your social media accounts.
• Ownership of your personal, digital content
• Notification of injurious data breaches
• Fair play on social media platforms and/or internet providers
• Protecting children on social media
• Protection from “unfunded government mandates” on data-mining:
•  Keeping your health and fitness data private
•  Safeguarding email and text communications

Connecticut Post | We Need an Internet Bill of Rights

Ohio’s  SB 220 (2018 | OH), signed by the Governor, will establish these blockchain standards:

• blockchain transactions are legitimized as enforceable electronic transactions
• applies to electronic records using blockchain
• applies to electornic signatures using blockchain
• amends the definition of “electronic record” to include blockchain
• amends the definition of “electronic signature” to include blockchain

SB 220 would apply to state contracting and state procurement.

Ohio’s  SB 220 (2018 | OH)

If a business’ cybersecurity procedures reasonably conform to any of these:

State law: California which passed the strongest net nuetrality law has agreed to put its regulations on hold while the legal fights and federal regulations are revisited

The DOJ & internet service provider trade associations lawsuit against California: Also put on hold

What are they waiting to play out? 

• February 2019 lawsuit filed by  20 states’ attorneys general along with public interest groups and private businesses filed a lawsuit against the Federal Communications Commission when it rolled back net nuetrality

What are the feds saying? our case is so strong

What is California saying? Californians can still enjoy unlimited data plans

San Francisco Chronicle | California agrees to pause net neutrality rules amid messy legal battle

The report is by: maritime law firm Jones Walker LLP

What did the report find?

• Hacks are happening at ports. 80% of large maritime industry companies (400+ employees) report cyber attack in the last year
• Unprepared. 64% say their own companies are unprepared to handle the far-reaching business, financial, regulatory and public relations consequences of a data breach
  • 6% of small companies are prepared for a cyberattack (1-49 employees)
  • 19% of midsize companies are prepared (49-400 employees)
• Not Insured.
  • ​92% small firms no cyberattack insurance
  • 69% midsize  no cyber insurance
• Legacy Software many companies operate lagacy software that cannot be modified with cyber protections​

WaterWays Journal | Report Sounds Cybersecurity Alarm 

WHO has to pay $5.79 Million? Uber

WHAT is the $5.79 million settlement for?

• a breach exposed personal information, including drivers licenses for 13,000 uber drivers
• the company waited roughly 372 days to provide notice
• failed to notify the state attorney general within the then required 45 days
• $170 will be awarded to each driver

WHERE: Washington State

Washington State Attorney General Office | AG DATA BREACH REPORT FINDS 3.4 MILLION WASHINGTONIANS’ PRIVACY COMPROMISED BY DATA BREACHES

The State Attorney General, who recommended that Washington State require breech notification when more than 500 Washingtonians are impacted, recommends the following changes to the law after data breeches increase by 26% in the last year:

• Reduce the deadline to notify affected individuals of a breach to 30 days after the breach is discovered;
• Require preliminary notification to the Attorney General’s Office of a breach within 10 days after the breach’s discovery; and
• Expand the definition of personally identifiable information to include:
  • full dates of birth
  • usernames in combination with passwords
  • digital signatures
  • DNA profiles
  • other forms of biometric data
  • identification numbers from passports and other sources.

Wasington State Attorney General Office | AG DATA BREACH REPORT FINDS 3.4 MILLION WASHINGTONIANS’ PRIVACY COMPROMISED BY DATA BREACHES

Washington State State Attorney General annual Data Breach Report found that:

• July 2017 to July 2018 3.4 million Washingtonians affected by data breeches
• 26% increase
• leading cause: mailicious cyberattack

What information is the satte Attorney General using in his statutorily required annual report?

• breach notifications WA requires notice to the Attorney General when a breach impacts 500+ 

Wasington State Office of Attorney General | AG DATA BREACH REPORT FINDS 3.4 MILLION WASHINGTONIANS’ PRIVACY COMPROMISED BY DATA BREACHES

• In 2018 it passed mandatory post election audits  HB 2406 (WA | 2018)
• Utilizing national guard during election day that also hold day jobs in the state’s largest cyber security companies
• Requires voting vendors to disclose breaches of their equipmen.

Tech republic | State of Washington has new laws and the Air National Guard to help secure 2018 midterm election

• #1 Google at  $16.4 million year to date in 2018
  • online advertising
  • data privacy
  • data security
  • self driving cars
• Facebook $9.8 million
  •  high-tech visas
  • government surveillance overhauls
  • tax
  • trade
  • privacy legislation
  • regulation of online election ads

Roll Call | Google Still K Street’s Top Tech Spender