The U.S. Cybersecurity Solarium Commission is taking inspiration from the 1950s era commission that studying nuclear strategy.

The 14 member Cybersecurity Solarium Commission will be comprised of:

• 4 current lawmakers
• director or deputy director of National Intelligence
• drector or deputy director of Defense
• director or deputy director of the FBI
• director or deputy director of Homeland Security
• academics
• industry representatives

Strategies to develop:

•  persistent engagement
• deterrence (which will include increasing resiliency)
• development of diplomatic norms — global rules of the road for cyber operations

AXIOS | New cybersecurity task force draws inspiration from ’50s

• 20% of Fortune 500 CISOs will be women by 2020
• 13% were women in 2017
• Capitol Hill hearings hear testimony from women 20% of the time on information security

Tech Target | Women in cybersecurity work to grow voice in US lawmaking

What additional information is protected:

• user name
• email address
• any other account holder identifying information
• + in combination with any password or security question and answer that would permit access to an online account

Can notice be given to a consumer electronically? Yes, unless it was the account that was breached

The bill: A-3245 (2019 | NJ)

National Law Review | New Jersey’s Data Breach Notification Amendment Signed into Law 

Inside NJ | Caputo & Murphy Bill Requiring Disclosure of Online Security Breaches Signed into Law

The legislation: HB 904 (2019 | NC)

How does it impact businesses: Creates a duty on businesses to maintain reasonable security procedures and practices

Notification time frame: 15 days

Free credit freezes, thaws and monitoring? yes, yes and yes

Consent: Requires consent to access a consumers credit report

NC Attorney General Talking Points on HB 904 

Where: San Francisco

What else does the ban on facial recognition tech by municipal entities and local law enforcement do ? 

• requires disclosure of surveillance technology they currently use
• requires approval from the Board of Supervisors on any new technology that either collects or stores someone’s data

What are supporters saying?

• “This is really about saying we can have security without being a security state.”
• “We can have good policing without being a police state.”

2 More cities set to consider the ban:

• Oakland, CA
• Somerville, Mass

Governing | San Francisco the First U.S. City to Ban Facial Recognition Technology

KQED | San Francisco Bans Police, Municipal Use of Facial Recognition Technology

• Facebook
  • The future is private
  • We will make your information private
• Google
  • What you get in return is more valuale
  • We make it wasier for you to navigate the world, so its all ok
• Microsoft
  • We can make your elections safer
  • “privacy is a human right”

What do they say to legislators? Trust US

What do they say to consumers? We won’t misues your data, AKA trust us

What are they saying to investors? There won’t be any regulations, trust us, returns will be great still

Fast Company | 3 Big Tech CEOs, 3 ways of spinning privacy

Bonjour to Kentucky Secretary of State Candidate Stephen Knipper. It’s an elected office in Kentucky.

The Knipper wants to improve data security and clean voter rolls of persons not eligible to vote.

Courier Journal | Stephen Knipper: As secretary of state, I would clean up voter rolls

Where is this proposal progressing? California

What is the proposed fee/tax? Data Dividend to be paid by businesses that hold.sell,track, sell data

The messaging: “We trade it away for so much of our experience on the internet. Money from a data tax could begin to counter this trade imbalance.”

Governing | Should Big Tech Be Taxed for Using Our Data?

• Carving out exceptions to the  California Consumer Privacy Act
  • The message: “addressing workability issues from a business compliance standpoint, to strengthening the law from a consumer and privacy protection standpoint”
• Coalition of business entities including:
  • Internet Association
  • TechNet
  • Consumer Technology Association
  • Chamber of Commerce
  • Large Tech Companies
  • Wireless Association,
• Plausible Deniability
  • Tech Companies and associations are not attending technical negotiations

Wired | TECH LOBBYISTS PUSH TO DEFANG CALIFORNIA’S LANDMARK PRIVACY LAW

Texas HB 2689 (2019 | TX)  would set a standard that all public schools should have a liaison that can communicate data security/cyber security issues with their local communities.

State : New York

Legislation: AB 6787 (2019 | NY)

What does this bill do? 

• Prohibit schools from using biometric software for 1 year
• Study the use and safety of biometric identifying software
• Make recommendations for the use of biometric software to further school safety

Lockport Union Sun Journal | Bill calls for study of facial recognition systems in schools 

What type of healthcare data breach? electronic health information was exposed online 

How did it happen? a misconfigured web setting

What went wrong with notification that caught the Michigan Attorney General’s attention? Patients were receiving notifications addressed to other patients and contacted the Attorney General

Health IT Security | Michigan Attorney General Looking into Inmediata Breach, Mailing Error 

Where: Maine

The legislation: LD 946 (2019 | ME) 

What would this bill do? Require Internet Service Provers to get Customers to OPT IN to sell cusotmer data

Government Technology | Maine Bill Would Force ISPs to Ask to Sell Customer Data

State: Washington

The bills that succeeded: HB 1071 (2019 | WA)

What does the data breach bill do?

• 30 days to notify the state Attorney General and consumers (down from the current 45 days)
• What information triggers a breach notification?
  • Social Security numbers
  • driver’s license numbers
  • state ID numbers
  • financial account information
  • full birth dates
  • health insurance ID numbers
  • medical histories
  • student ID numbers
  • military ID numbers
  • passport ID numbers
  • username-password combinations
  • biometric data

SC Magazine | Washington state legislature passes data breach law, but punts on privacy law

Washington State Legislature did not enact SB 5376, a GDPR like data privacy bill, here are some reasons why:

• Supporters, privacy advocates, started calling for a stronger bill
• Critics harped on the bill still permitting facial recognition software
• Negotiations did not include more than 1 Republican and no consumer advocates

SC Magazine | Washington state legislature passes data breach law, but punts on privacy law

• Ohio’s law doesn’t require action by businesses
• Ohio’s law incentives actions by businesses, by providing for liability protection

Tech Target | State data privacy laws, regulations changing CISO priorities

Who: Defending Digital Campaigns, the nonprofit spinoff of a Harvard cybersecurity project

What: FEC is considering allow campigns to get free cybersecurity help

Why? Elizabeth Warren, Kamala Harris are disclosing funds spent on cybersecurity and the retention of cybersecurity experts

The catch: the nonprofit is founded by Hillary Clinton’s campaign manager

Slate | This Nonprofit Wants to Offer Political Campaigns Free Help With Cybersecurity

State: Massachusetts

Legislation: H 4806 (2018 |MA)

What did Massachusetts enact?

• consumer consent before any third party can obtain the consumer’s credit report
• free credit freezes and thaws
• entieis that have suffered a data breach have enhanced reporting requirements
• free credit monitoring to affected consumers

Leominster Champion | Governor Signs Bill to Enhance Credit Data Security

What? SB 2373 (2019 | TX) 

What legal challenges would be allowed? Deceptive Trade Practices Act challenges

What does this mean? Know those press releases from the Attorney General Office about how much its collected in fines (hint: it is A LOT). Yes, it means business fines.

Texas Tribune | Texas bill would allow state to sue social media companies like Facebook and Twitter over free speech

Where: Georgia

The legislation: HB 392 (2019 | GA) 

What would this bill require:

• the state Secretary of State
• required to create security protocols for voter registration information
• follow and be consistent with standards set by national cybersecurity and election organizations

Atlanta Journal Constitution | New safeguards for Georgia election security await Kemp’s signature

The city: San Francisco

The proposal: 

• new regulations on the city’s process for acquiring surveillance equipment
•  total ban on municipal use of facial recognition software

How many other cities have done this? none

Opponents: law enforcement

The policy goal: ““The propensity for facial recognition technology to endanger civil rights and civil liberties substantially outweighs its purported benefits,”

Government Technology | Will San Francisco Ban Facial Recognition Technology?

State: Nevada

The legislation: SB 195 (2019 | NV)

Why did SB 195 die a legislative death?

• opponents say the bill was not beneficial to the crypto markets
• the bill would have implemented the ULC’s Uniform Regulation for Virtual Currency Business Act
• opponents say it doesn’t protect investors and traders enough

Read an opposition letter from the cryptocurrency industry.

CoinGeek | Nevada lawmakers scrap controversial Bitcoin bill

State: Oregon

The legislation: House Bill 2395 (2019 |OR)

What would HB 2395 require?

• require manufacturers to take implement a process for each device a unique password

Why? So that a hacker could access only 1 device in 1 hack.

Oregonian | Oregon House passes bill requiring security for online devices

What do I need to know about data minimization? It means that companies shouldn’t collect personal data “beyond what is adequate, relevant and necessary” for the product or service.

What’s an example? Your takeaway driver doesn’t need access to your photo library to scan your credit card

NextGov | Inside One Lawmaker’s Proposal for a Privacy Bill of Rights

North Carolina: the 1st State to pass the model legislation imposed the 72-hour notice requirement in the model.

Michigan:  opted for a 10 day notice requirement

Ohio:  allows licensees that have certain cybersecurity programs to use an affirmative defense against tort claims

Bloomberg | States Imposing New Cybersecurity Requirements on Insurers

Where: Missoula County, Montana

The County adopted rules for crypto miners that:

• health & safety. County is “protecting the health, safety, morality and general welfare of the people in the district” by ensuring electricity for local residents
• use limitation. crypto mining activities only in areas of light and heavy industry
• waste limitations. provide evidence that all e-waste generated will be processed by a licensed waste management company

The Cryptoo Currency Post | Montana County issued a decree obliging crypto miners to use renewable energy

Michigans HB 4103 (2019 | MI) would:

• add bitcoina nd blockchain into existing legal & financial statutes
• prohibit rackteering related to blockchain and bitcoin
• apply existing financial crimes to crimes utilizing blockchain, distributed ledger techniology and bitcoin

The definition of cryptocurrency used in Michigan: “digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, and that operates independently of a central bank.”

Detroit News | Bitcoin, blockchain crime bills clear Michigan House

Where: Australia

What group is recommending a Biometric Security Oversight Commission? The Parliamentary Joint Committee on Law Enforcement

In its report  the joint committee found that:

• need to protect biometric data collected and shared among law enforcement agencies
• increase IoT security awareness
• review of biometric and persoinal information security legislation to keep it up to date,
• consider hybrid storage facilities
• consider advanced techniques like  artificial intelligence for handling and analyzing large volumes of data

Biometric Update | Committee recommends Australia set up biometric data security oversight body

IOT legislation is the hot topic for 2019. Also known as how to keep your thermostat from being the way hackers hack your personal information.

So, what is the next hacker target? Indoor Garden sellers that offer a light source and temperature control gardening.

Tech Crunch | AeroGarden maker says hackers stole months of credit card data

Who: Facebook

What does Facebook want? It wants to know the rules of the game for political speech and the Constitution

Why? The government rather than a private comapny, like facebook shuld detemrine constitutional limitations

Variety | Facebook’s Mark Zuckerberg Says ‘We Need New Rules’ Regulating Political Speech

West Virigina HB 2452 (2019 |WV)  created the a new Cybersecurity Office within the Office of Technology.

Goals of the a new Cybersecurity Office:

• risk assessment across state agencies
• establish unifying security standards among state agencies
• will leverage a risk management approach
• provide for “apples-to-apples comparison of cyber-risk assessments across all agencies within the Executive Branch.”  

Stems from WV’s 2018 particiaption in the National Governors Association (NGA) cybersecurity policy academy.

Government Technology | W.Va. to Open Cybersecurity Office, Launch Unification Plan

The latest medical equipment suseptible to hackers are CT scans that would allow hackers access to alter images raising regulatory concerns about data security of medical equipment.

Washington Post | Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists

IN March 2019 hackers got into a small Colorado water utility.

Are there regualtory parallels that can be made to secure the water and waste water systems? Yes, Water utilities & power distributors share similar industrial control systems

Which states have taken water security measures forward? NJ, NY 

E& E News | Hackers force water utilities to sink or swim

Maryland HB 397 (2019 | MD) would increase telecom fees to harden the state 911 system.

Why the legislation? the Maryland 911 system has overloaded and resulted in death of injured residents

Why is data security an issue with 911?

• to conenct to cell phones and via text message, it exposes 911 systems to the internet
• 337 successful attacks (on public safety networks) across 49 states and DC in the past 24 months
  • 186 %increase over the previous 24 months

Baltimore Sun | Modern 9-1-1 system will increase state and local fees

Facebook CEO is the latest tech CEO calling for adoption of GDPR standards.

CNBC | Mark Zuckerberg says he wants stricter European-style privacy laws — but some experts are questioning his motives

The Coalition: Organizations representing accountants, techNet, AGC, engineers and technology professionals, + ALEC. Separate opposition stems from National Association of Chief Information Officers

The coalition opposes: state legislative efforts to require contracts install monitoring software

What sparked this? 30 states have a legislative push by TransparentBusiness that claims to ahve software that stops contractors from over-billing their clients

State Scoop | Industry groups urge state legislators to oppose tracking software bills 

Nevada’s Uniform Regulation of Virtual-Currency Businesses Act SB 195 (2019 | NV) would require:

• crypto currency to register with the state  Department of Business and Industry
• blockchain groups oppose the legislation since the industry is nascent and the legislation could inhibit growth

Are other states considering uniform bitcoin legislation? Yes, CA, HI and OK

Bitcoin Exchange Guide | Nevada Bill Regarding Multiple Uniform Standards Sees Pushback from Blockchain and Crypto Proponents 

D.C. Attorney General new proposal  would add the following to the list of information that would trigger notification in a data breach:

• passport numbers
• military IDs
• biometric data
• health information
• taxpayer identification numbers
• health insurance info
• genetic information
• DNA profiles

Security Week | D.C. Attorney General Introduces New Data Security Bill 

Know those calls to your mobile that look suspiciously like a number you know? Arkansas SB 514 (2019 |AR) would change the penalty for those calls.

The bill would increase the penalty for spoofing from a Class B misdemeanor to a Class D felony. That’s up to 6 years in prison &  a fine up to $10,000.

Telecom companies would have to:

• implement preventative measures
• report yearly to the Arkansas Public Service Commission concerning steps taken to identify and block the robocall perpetrators

Arkansas Democrat Gazette | Bill to steepen robocall penalty in Arkansas clears Senate, moves to House 

Debate over Michigan HB 4186 (2019 | MI) and HB 4187 (2019 | MI) focuses on the time period for notification.

The bills cut notification time in MI from 90 days to 45 days. Chamber of Commerce is as thrilled as a cat in the rain.

45 days is a standard adopted by 13 states.

An amendment proposal is for 75 days when the information is processed by a credit card processor.

Small Business Association of Michigan | New Data Breach Bill Moves Amid Latest Ransomware Attack

Marriott CEO testified before the Senate Committee on Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations and said that the hotel chain would now use encryptiona nd toeknization (blockchain, distributed ledger) to safely store data.

Security Boulevard | Marriott Could Have Prevented Privacy Data Breach with Tokenization

New Jersey AB 3245 (2019 | NJ) will:

• Expands Notification to include new data that would allow access to an online account, which includes answers to security questions.

The Daily Swig | New Jersey to expand data breach notification law 

Digitizing currency is moving tangible assets to the cloud and opening conversations on using crypto currency as collateral.

Bonjour new fintech, bitcoin and blockchain legislation.

Legaltech News | Crypto-Collateral? Securing Loans with Digital Currency 

Facebook has admitted to storing 10s of MILLIONS of passwords in plain text. Security Expertts say 600 Million passwords were stored in plain text.

Tech Crunch | Facebook admits it stored ‘hundreds of millions’ of account passwords in plaintext

What data do scooter companies want to protect from local government?

• real time data

Why do local governments want this data?

• to see if scooter comapnies are complying with rules
• pair it with service data for transportation efficiency

What enforcement actions have been taken?

• By refusing to hand over data, Jump received a shorter operational permit in Los Angeles

What data concerns exist?

• privacy of senstive data
• Bird company policies prioritize privacy 

Mother Board | Scooter Companies Split on Giving Real-Time Location Data to Los Angeles

New data breach lingo: The Internet of Medical Things (IoMT)

Why does this matter? Health care data breaches are thepriciest at $08 per record

What’s the latest breach of medical devices? ultasound equipment that can be hacked and have images swppaed by hackers

Dark Reading | Ultrasound Machine Diagnosed with Major Security Gaps

Politico | Why 2020 contenders need to worry about hackers now 

• Timely. All 6 US Senators running for President in 2020 are cosponsors of cybsercurity legislation
• History of federal Action. Standardizing cybersecurity practices at the federal level is difficult
• Agency infighting  is creating disparate standards
• State Success. State leaders have pushed legislative success to protect its citizens like:
  • TX, IL, WA and MA protecting biometric data
  • OH liability protection law
  • CA version of GDPR

The Hill | Why states should push forward with cyber laws

Vermont is subsidizing “last mile” for broadband access in rural areas that will:

• create a revolving loan fund
• provide access to fiber lines
• allowing towns to use general obligation bonds to finance similar projects

US News and World Report | In Vermont, High-Speed Internet for All Gets More Likely

 HB 4371 (2019 | TX) requires that digital currency (crypto currency)have a verified identity.

Texas would be the first state to prohibit anonymous cryptocurrency.

Crypto Globe | Texas Lawmaker Proposes Banning Anonymous Cryptocurrency Transactions 

Where: Pennsylvania

The legislation: HB 225 (2019 | PA)

The Cybersecurity Innovation Commission must:

• conduct cybersecurity audits
• improving security and privacy standards
• information for PA businesses concerning newest cyber technology

New Castle News | Under the Radar: Bill would aim to beef up state’s cybersecurity

Bipartisan S592 (2018-2019| Congress) would require businesses to disclose:

• in SEC filings
• whether a board member is a cybersecuity expert

Ripon Advance News Service | Sen. Collins’ bipartisan bill requires publicly traded companies disclose cybersecurity efforts

California’s SB 561 (CA | 2019)  would allow individuals to bring suit against a company for a data breach that includes their personal information.

The caveat: companies would have to have failed to provide reasonable security precautions.

Insurance Journal | California Bills Would Add More Punch to Consumer Data Protection Law

Nevada is considering Senate Bill 69 (NV | 2019) which will:

• Establish October as Cyber Security Awareness Month
• Clarifies that eh Governor can call in the National Guard for Cyber Incidents

3News | Cybersecurity, human trafficking among issues before Legislature this week

Georgia’s House Bill 197 (GA | 2019)  would create:

• a statewide data analytics center — the Georgia Data Analytic Center — under the Governor’s Office of Planning and Budget
• is in repsonse to Experian data breach
• aggregate data from all constituent services would be available to lawmakers, state agencies, academic institutions and public and private researchers.

Rome News Tribune | Legislation creating Georgia Data Analytics Center clears Crossover Day hurdle

• Special Purpose Depository Institutions will service blockchain industry in WY HB 74 (WY | 2019)
• Business FIlings using a blockchain system HB 70 (WY | 2019)
• Allow for Certified Stock Tokens (Bitcoin) HB 185 (WY | 2019)
• Allow digital assets in commercial laws and allow banks to serve as custodians for digital assets SF 125 (WY | 2019)  

California’s AB 953 (CA | 2019) would permit legal cannabis businesses to pay state taxes using cryptocurrency

Bitcoin Magazine | Blockchain Advocacy Coalition Sponsors Bill to Allow Crypto for Legal Cannabis Tax

What legislative provisions are getting push back from state data officials? require government contractors to install monitoring software

Is there a national group pushing back on this lobbying effort? National Association of State Chief Information Officers issued a statement opposing the bills

What is the opposition? It puts citizen information at risk

How many states have seen this language? 23

State Scoop | Nationwide lobbying push for contractor monitoring software alarms state CIOs

California is revising its first in the nation data protection bill by:

• include passport and government ID numbers as data that trigger notification after a data breach
• include biometric data, fingerprints, and iris and facial recognition scans, as data that trigger notification after a data breach

Tech Crunch | California to close data breach notification loopholes under new law

AB 1130 (CA | 2019)

City: San Francisco

The proposed ordinance would:

• ban facial recognition software
• require annual reporting and auditing of all use of surveillance technology

State Tech | San Francisco Considers Banning Facial Recognition Tech 

Oregon’s Senate Bill 703 will:

• label health data as the patient’s property
• require health care companies to obtain signed authorization from individual consumers before de-identifying their data for sale to a third party

Health Tech | What Oregon’s Move to Redefine Data Privacy Means for PHI

A 2018 Brookings study categorizes state blockchain legislation and regulation.

States Recognizing Innovation Potential:

• Illinois
• Arizona

States Actively Engaged:

• Pennsylvanai
• New York
• Florida
• Virigina
• Utah
• Wisconsin

States that are orgnaized:

• Wyoming
• Washington

States that are appreciative:

• California
• Colorado
• Oklahoma
• Kansas

States that are reactionary:

• Texas
• Missouri
• Illinois
• Ohio

States that are unaware:

• Arkansas
• Mississippi
• Minnesota
• oregon
• idaho

Consensys | Meet the American Legislators Bullish on Blockchain

Hawaii’s Public Land Trust Information System allows for searchable information such as:

• tenants on state lands and in state buildings

• rent paid for state land and buildings

• fees for encroaching on public property

• revenue from camping and wedding or event rentals

pltis.hawaii.gov

Government Technology | Hawaii Launches State Land Use Database

Hawaii joins the ranks of states implmenting a statewide Data Officer position to oversee data security.

SB 1001 (HI | 2019)

HB 532 (HI | 2019)

SF 0125 (WY | 2019) will allow crypto currency to have property rights outside third party storage.

What does this mean?

•  Wyoming is the 1st US state to allow private ownership of cryptocurrency
• Wyoming hopes blockchain and cyrptocurrency then partake in WY courts, business registrations
• Wyoming becomes the Delaware or Nevada of cryptocurrency, as Deleware and Nevada are for traditional corporate filings

Bitcoinist | WYOMING BECOMES FIRST STATE TO GIVE BITCOIN OWNERS FULL PROPERTY RIGHTS

Smartereum | Wyoming Just Passed a Bill That Gives Full Property Rights to Digital Currency Holders

Georgia uses exclusively paperless ballots. The November 2018 election produced high numbers of people not voting for Lt. Governor.

A lawsuit seeks to invalidate that race due to the low voting numbers in that specific race and calling for forensic examination of the electronic voting machines.

Politico | Another Georgia voting kerfuffle

Cisco is asking governmetns around the world to make data privacy a fundamental right.

The talking points:

• Security: Assign responsibility to protect the confidentiality, integrity, availability, and resiliency of data;
• Transparency: Explain how data is collected, used, transferred, and disclosed;
• Accountability: Ensure governance for data under the entity’s stewardship, including a data protection team, applying a risk-based approach;
• Innovation: Recognise multi-stakeholder-driven initiatives that enhance transparency and provide paths for implementation.

New Zealand Reseller News | Cisco calls on governments to make privacy a ‘fundamental human right’

WHAT: Cyber Security Exchange Act,”

Bipartisan? Yes, Senators Thune (R) & Klobuchar (D)

How does the Cyber security Exchange work?

• create an exchange program between the federal government and private firms
• to bring more cybersecurity expertise to the federal workforce
• The program would allow for a 2 year tours of duty with the federal government

The Hill | Bipartisan bill would create public-private cyber workforce exchange

After passing firs tin the nationa data privacy protection, to a GDPR level, here’s a roadmap of  the supporters and opponents :

• Against/Changing the state level GDPR-like standards:
  • California Chamber of Commerce
    • $2.2 million coalition that tried to scuttle the ballot initiative
    •  $1.6 million in lobbying
  •  tech-backed Internet Association
    • $200,000 on lobbying
• For the state level GDPR-standards:
  •  Common Sense Media
  • Electronic Frontier Foundation
  • Consumer advocates

Why does this matter? Other states are following suit- New Mexico, Massachusetts

MERCURY NEWS | Inside the lobbying war over California’s landmark privacy law

Jail time is being added to the list of potential penalties in data breaches. Under the proposal the FTC could impose fines on companies and could also impose criminal penalties on executives.

The impetus for this bill? Facebook

Government Technology | Oregon’s Wyden Pitches Jail Time for Breaches

Utah’s  HB 57 (UT | 2019) would require a warrant before police can access data shared with an app or third party, like cloud storage.

Supporters say:

• Applies the rules to paper to the digital world. If it was on paper, would a warrant be required should be the standard.
• Based on language in a constitutional amendment to protect digital privacy passed in Missouri in 2014.

Salt Lake Tribune | A Utah lawmaker is pushing a digital privacy bill that would bar warrantless searches of data uploaded to apps or cloud platforms

Washington State is considering SB 5376 and HB 1854 (WA | 2019) will:

• Consumer Access to data collected on them
• Consumers can delete data collected on them
• Consumers can correct their data
• Consumers can restrict access to their data
• Consumers can get a copy of their data
• Consumers can object to their data for marketing
• No profiling based on data
• Comapnies collecting data have 30 days to respond to consumer requests, with an extention of an additional 60 days for voluminous requests

The bills build on parts of the California data privacy law, builds on lessons learned from California, and uses from GDPR standards.

New York Department of Education is proposing new rules  that will:

• Parent’s Bill of Rights applicable to 3rd party vendors and setting standards on disclosing student data
• The National Institute for Standards and Technology Cybersecurity Framework (“NIST CSF”)
• Annual training for school district employees
• A Data Protection Officer in every school
• Notice of a school data breach must be given to the Department of Education within 10 days
• Civil Penalties that accrue per individual affected for 3rd party vendors.

National Law Review | NYS Education Department Proposes to Significantly Strengthen Data Security and Privacy Protocol 

• Privacy. Who owns the data. Who gave consent to collect the data.
• Security. What data should be protected from transfer.
• Public Safety. How can the data be used to protect the public and transportation systems in smart cities.

How can governments use data from self driving cars?

• managing traffic
• urban planning
• allocating public funds 

phys.org | self-driving cars and geospatial data: Who holds the keys?

What entity is ranking states on student data protection?  Parent Coalition for Student Privacy

Best State for student Data Protection? Colorado with a B

Worst states for student data protection? 11 way tie with Fs for Alabama, Alaska, Massachusetts, Minnesota, Montana, Mississippi, New Jersey, New Mexico, South Carolina, Vermont, Wisconsin

The populous states?

• California C
• New York B-
• Illinois C+
• Texas D+
• Florida D+
• Pennsylvania D-

Lingering Education Data Security Issue for all states: Teacher Data Protections

EdScoop | Controversial report shows many states fail on student data privacy

• Use risk limiting audits for elections and voting practices
• replace direct recording electronic systems with systems using voter-marked paper ballots 
• No unfounded mandates for local election officials
• train local and state election officials on cyber security
• establish statewide cybersecurity practices

Blue Ribbon Commission on Pennsylvania Election Security (January 2019)

Let’s take a peak at what the National Assocaition fo Realtors spent on cyber security lobbying in 20198?

• $19million in spending on the last quarter on 2018 on cyber security lobbying
• Including a bill For Small Business Development Centers to offer cyber security training
• And a bill that would  strengthen data breach notification

Politico | Morning Cyber Security

Pennsylvania Supreme Court rules that all employers must exercise reasonable care to protect worker data.

How did they get there? A health care provider employee data breach led to a lawsuit. Lower courts sided with the employer that there was no data security requirements for employee records. The PA Supreme Court disagreed. 

Pittsburg Post Gazette | PA Supreme Court rules UPMC — and all employers — must protect workers’ data. Doing so is harder

Why is procurement key?

• Procurement contracts can set the tone for state data security standards

• Telecom infratructure is key to data security

• States should offensively say what the data standards are, rather than what cannot be done

• Private-public cooperation is the key for leading global solutions

• Strengthen cyber security workforces

• Contracted cloud solutions can fill in when funding does not exist for state data security experts

The Kosciuszko Institute| CYBERSEC 2018 RECOMMENDATIONS AND KEY TAKEAWAYS

State: Minnesota

Bill: SF 17 (MN | 2019)

What does it do?

• reworks state voter registration to secure it better
• federal funds
• all specifics of how the new voter registration will protect voter data is determined by the state secretary of state

Tim Cook (Apple) is recommending a Data Broker Registry.

What’s a data broker? they buy and sell data from third parties

So how would it work?

• every consumer can opt into their data being collected or not
• consumers would be able to remove their data from the registry
• the FTC would house the registry and consumers could see what info is being collected and by whom

Why does this sound familiar? Because in 2018 informed:intel told you about the first in the nation data broker state law in VT, and we gave you the bill text to create one in your state

Wired | How Tim Cook’s Data Broker Registry Might Actually Work

1. Election Security
2. Data privacy and Security think Marriott and Equifax Breach fixes to protect consumer data
3. Infrastructure Protection
4. Cyber Security Workforce 

The Hill | Four cybersecurity priorities for Congress to confront active threats

• 30 days to provide notification to consumers
• Greater disclosures to consumers about data collected and where it is stored
• Free credit freezes and unfreezes for a year
• 4 years of credit monitoring- free
• Applies Deceptive Trade Practices Act penalties to Businesses (these accrue daily and per incident)

Who is backing this bill: North Carolina  State Attorney General 

What impact does this have to businesses?

• healthcare comapnies would see their notifcation timeline cut from 60 days to 30 days

Have other states shortened notification timelines? Yes, in 2018 Colorado also went to 30 days. Iowa went to 45 days.

Health IT Security | North Carolina Reintroduces Strict Data Breach Notification Law

What are states doing to train their employees to protect data?

• Michigan, Oklahoma and Wyoming encourage but don’t require training
• Idaho Governor Excutive order requires training for all executive staff
• Illinois in 2017 made cybersecurity training mandatory for state employees
• Indiana’s CIO has authority to make training mandatory for state employees
• Utah sends out phony phishing emaisl to state employees to test them
• CT offers voluntary training every 2 months
• Alabama offers daily cybersecurity trivia games with prizes to employees, 1000 employees play a day

GCN  | As states lag on cyber training, agencies are fertile phishing grounds

SB273 (OH |2018) does the following:

• Adopts the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law
• OH becomes the 2nd state after South Caroline to adopt the model law
• Requires licesees develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system within 1 year of the effective date of the Act;
• Perform a risk assessments 
• Develop a formal incident cyber response plan 
• Require their third-party service providers to implement security measures within 2 years
• Report data breaches to the head of its Department of Insurance  within 3 business days after determination tof a cyber event;
• Certify compliance to the  the head of its Department of Insurance
• 5 year retention of all records supporting the certificate of compliance 

Cybersecurity experts favor:  hand-marked paper records processed by optical scanners

What did Georgia’s voting security commission recommend? paper records but not hand marked and processed by optical scanners

politico | GEORGIA GOES ANOTHER DIRECTION

Paper products rejoice! South Carolina legislature will consider requiring paper ballots. S374 (2019 |SC)

Politico | Two states are placing election security on their agenda this week. 

Anatomy of a white hacker on construction equipment:

• Accessed 14 construction locations
• hacked into devices that not only controlled:
  • cranes
  • excavators
  • scrapers
  • other large machinery

The solution: Move equipment away from “esoteric custom protocols” and to “modern, standardized tech” that can be easily upgraded for security

Forbes | Exclusive: Hackers Take Control Of Giant Construction Cranes

What is special about Rhode Island’s newly implemented risk limiting audits?

• the gold standard of ballot audits
• Rhode Island is the 2nd state to adopt risk limiting audits in elections

Rhode Island Assembly | General Assembly passes Sheehan, Ajello bill that would establish a post-election audit program | (2017-S 0413A, 2017-H 5704A)

• data helps create more efficient permitting processes
  • CT allows local governments to get occupational licensing data directly form the state
• overdose data helps first responders and hospitals prepare for epidemics
• Prevent fraud 
  • IN adopted its Indiana’s Management and Performance Hub to “integrate” data from several agencies to build custom analytics solutions.” Its addressing issues from car crashes and infant mortality to Medicaid optimization.
  • TX shared data across agencies during Hurricane Harvey. Data was shared in real time to support first responders, law enforcement and others. 

StateTech | How States Benefit from Appointing a Chief Data Officer

Why is statutorily protecting business email correspondence increasingly important to law makers?

Data.

What does the FBI data say about business email hacking?

• 136% increase in identified global losses between December 2016 and May 2018
• losses from business email total  $12.5 billio

Are there other terms I need to watch for in legislation/from clients?

• cyber-enabled financial fraud

National Law Review | Privacy and Cybersecurity Issues to Watch in 2019

IN 2018, Vermont became the first state to regulate data brokers.

What is a data broker? 

• A business that
• knowingly collects and sells or licenses to third parties
• brokered personal information of a consumer
• with whom the business does not have a direct relationship

What business guidance did the Vermont Attorney General offer?

• If Vermont courts do not have jurisdiction, then this law does not apply to a business
• Does it establish an opt out requirement for consumers? no
• Will businesses have to change their practices to opt out? no
• A business that collects data for its own use only is not a data broker

Los Angeles City Attorney filed suit against the Weather Channel App for not properly disclosing that the app retains user location data.

Where would I see this in legislation? in fraud, deceptive trade practices, competititve practices, cybersecurity bills that protect geolocation

Engadget | LA sues Weather Channel app owner over ‘fraudulent’ data use

 Senate Bill 2110 (2019 | ND) would give a North Dakota state agency, Information Technology Department, the power to:

•  “advise, oversee and regulate cybersecurity strategy” for:
  • state agencies
  • higher education
  • cities
  • counties
  • school districts

What’s the state argument for a unified cybersecurity approach? the local govenrments and entities are connected at some point to a state network

Local government support? Yes, the North Dakota League of Cities supports the initiative because of (1) ransomware threats and (2) small cities with part time auditors

Grand Forks Herald | Bill looks to standardize North Dakota cybersecurity for public entities

Ohio was the first state to create a safe harbor for business in its 2018 cybersecurity legislation. SB220 (OH | 2018)

How did Ohio craft its liability protection for businesses? A business has to do 1 of these:

(1) Create, maintain, and comply with a written
cybersecurity program that contains administrative, technical,
and physical safeguards for the protection of personal
information and that reasonably conforms to an industry
recognized cybersecurity framework, as described in section
1354.03 of the Revised Code; or

      (2) Create, maintain, and comply with a written
cybersecurity program that contains administrative, technical,
and physical safeguards for the protection of both personal
information and restricted information and that reasonably
conforms to an industry recognized cybersecurity framework, as
described in section 1354.03 of the Revised Code.

      (B) A covered entity's cybersecurity program shall be
designed to do all of the following with respect to the
information described in division (A)(1) or (2) of this section,
as applicable:

      (1) Protect the security and confidentiality of the
information;

      (2) Protect against any anticipated threats or hazards to
the security or integrity of the information;

      (3) Protect against unauthorized access to and acquisition
of the information that is likely to result in a material risk
of identity theft or other fraud to the individual to whom the
information relates.

      (C) The scale and scope of a covered entity's
cybersecurity program under division (A)(1) or (2) of this
section, as applicable, is appropriate if it is based on all of
the following factors:

      (1) The size and complexity of the covered entity;

 (2) The nature and scope of the activities of the covered
entity;

      (3) The sensitivity of the information to be protected;

      (4) The cost and availability of tools to improve
information security and reduce vulnerabilities;

      (5) The resources available to the covered entity.

1st state to adopt model insurance data security law: South Carolina

2nd state: Ohio legislation with 8 modifications SB 273 (OH | 2018)

The model law: NAIC

National Law Review | Ohio Moves on Insurance Cybersecurity

In 2018, Vermont passed a data breach notification bill to address the Equifax data breach.

Vermont’s Attorney General is Recommending the following additional legislative fixes:

• Create a new statewide office, Chief Privacy Officer,  charged with ensuring the state establishes best practices for handling Vermonters’ personal information
  • the position would advocate for additional privacy protections for citizens & hear concerns
• Stronger protections for student data by educational technology
  • The model: a 2016 California law that prohibits education technology companies from selling student information or disclosing it for purposes unrelated to education

VT Digger | AG says Vermont should take more steps to protect data privacy

New Jersey is looking to save costs by moving to exclusively digital records, making the state government paperless. 

The caveat: data security risks

What was the legislative plan to get to a paperless NJ state government?

• The Govenror made it a goal for his administration
• Legislation creates a task force to make recommendations and suggestionts to address concerns, like data security
• Task Force 15 person membership includes:
  • secretary of state
  • state treasurer
  • director of the New Jersey Division of Taxation
  • head of cybersecurity in the Office of Homeland Security and Preparedness
  • other members with expertise in such areas as government information technology, revenue collection and voting

Government Technology | New Jersey Bill Would Push State Government to Go Paperless

• California Privacy Act.  Will other states replicate it? Is it the US solution for GDPR?
• Federal Preemption. Will Congress pass federal data breach notification standards?
• Data Privacy Requirements for Internet of Things.  Privacy standards for your home thermostat, etc… See California’s SB 327 (2018)
• Will small businesses get a carve out bill? See S770 (115th Congress)
• Federal Preemption of Data Encryption Standards for Business

Sc Media | Top cybersecurity legislation of 2019

According to lawyers wirting in the Harvard Business Review, a data security regulatory system should:

• focusing more on systemic ways to address cyber threat
• not treat businesses punitively 
• require the federal government to take a more active role in cyber defense
• require the federal government to share cybersecuity knowledge with the private sector
• require agencies to “issue pragmatic, cost-effective operational guidance to companies on how to defend against evolving risks”
• incentivizing security improvements
•  provides greater confidentiality concerning security measures
• provide liability protections
• create a public-private collective cyber defense

Harvard Business Review | Stopping Data Breaches Will Require Help from Governments

• Thinking on these laws is backwards. Laws should switch from punishing coporations to realizing in data breaches, companies are most likely also victims of criminal activity
  • it is not a fair framework to punish companies
  • and it is not effective enforcement
• Limited cyber experts. It is impossible for “every company in America to have sufficient internal cyber expertise to manage the risk.”
• The robbery analogy. When a bank is robbed, do we blame the bank? No.

Harvard Business Review | Stopping Data Breaches Will Require Help from Governments