Cybersecurity & Tech

Vermont’s H.764 (2017-2018 | VT)  creates the first data broker regulations that will:

• eliminates costs on credit freezes & thaws
• establishes a registry and security standards for 3rd party ‘data broker’ industry
• clarifies data security requirements for commercial entities
• criminalizes acquiring data for fraudulent purposes, including harassment & discrimination

Talking Points for H764 which will give Vermont residents:

• greater privacy
• saves them money
• gives them information and tools to keep their personal information secure
• “light touch regulation”

Stateholders:

• economic development interests
• data industry
• consumer protection interests

VT Digger | Vermont first to pass data broker regulation bill

General Services Administration issued a Request for information to provide a more comprehensive assortment of cybersecurity services and expedite their discovery and acquisition.

To participate in the request for information, the deadline is 6/9/2018.

What does this mean for procurement? GSA wants to increase:

• the number of agencies that procure cybersecurity services
• the number of contractors and specialties of cybersecurity contractors

Nextgov | GSA Wants to Modernize How the Government Buys Cybersecurity Services 

The report: US Senate Intel report

The recommendation on wi-fi and voting machines: Voting machines should not have wi-fi capabilities.

The Most Hackable Cities:

1.  Las Vegas
2. Memphis
3. Charlotte
4. Houston 
5. providence
6. Birmingham
7. Jacksonville
8. West Palm Beach
9. Orlando
10. Tampa

Coronet | Cybersecurity in the City

4 reasons Seminole County, Florida is accepting cryptocurrency:

• eliminates credit card processing fees
• improves payment accuracy
• improves payment transparency
• improves payment efficiency

Is there a procurement opportunity here? yes, Seminole County contracted with BitPay

The Seminole County Press Release May 2018

For the U.S. market of cyber secuity insurance policies in 2017:

• 32% growth in direct premiums written in year over year growth
• $1.8 billion,
• 2.6 million policies in force, a 24% increase
•  claims increased to 9,017 from 5,955
• 56.3% of the claims by packaged policies
• 43.7% of claims by standalone policies  

Insurance Journal | U.S. Cyber Market Grew 32% in 2017 But Most Small-Medium Firms Opted Out: A.M. Best

In lieu of hiring cyber security employees, local governments are using third party software and hardware to bolster cybersecurity. 

What short hand do I need to know for this technology?

•  It is “machine learning and AI”
• It  can detect cyber threats rapidly
• it allows for large-scale behavioral detection

State Tech | Cities and Counties Turn to Machine Learning to Bolster Cybersecurity

State: Colorado

Proposed Rules for bitcoin campaign contributions will:

• follow along with the FEC
• A Colorado Governor candidate was one of the 1st campaigns to accept bitcoin during the candidates congressional run
• includes accounting rules
• that liken cryptocurrency to inkind contributions
• any crypto currency contributions count toward contribution limits

Governing | Should Bitcoin Be Used for Campaign Donations?

Which Texas cybersecurity experts signed this letter to the Texas Secretary of State?

• Scott Aaronson, Professor, University of Texas at Austin
• Chris Bronk, Assistant Professor, University of Houston
• Alvaro Cardenas, Assistant Professor, University of Texas at Dallas
• Guofei Gu, Associate Professor, Texas A&M
• Murat Kantarcioglu, Professor, University of Texas at Dallas
• Jiang Ming, Assistant Professor, University of Texas at Arlington
• Dan S. Wallach, Professor, Rice University
• Brent Waters, Associate Professor, University of Texas at Austin
• Greg White, Professor, University of Texas at San Antonio

What 4 priorities did the cybersecurity experts identify?

• updated election security standards and accountability mechanisms
  • legislative action
  • key phrase: ensure consistent cyber-hygiene
  • require election officials to undergo cybersecurity training
  • no electronic overseas voting
  • Legislature should give the Secretary of State authority to oversee the safeguards of all elections in Texas
• auditable paper trails
  • all counties
• mandatory post-election audits
  • clear rules for the methodology and size of the audits
• secure voter registration systems
  • prepare for disasters by ensuring that voter database servers are capable of both local and offsite failover

What 3 things should the required Study of Texas Election Systems Include?

•  investigation of vulnerabilities and risks for a cyber attack against Texas’s voting and voting registration systems
• information on any attempted cyber attack on these systems
• recommendations for protecting a county’s voting system machines and list of registered voters from a cyber attack

Local May 2018 election that was hacked:  Knox County, Tennessee primary for mayor &  local races

What kind of hack was used?  A DDoS attack routed through 65 countries

Translation of the hack? A lot of computers from all over the world tried to access the web server for the election from 7pm to 10pm causing the election site to crash

Politico |  WHAT HAPPENED IN TENNESSEE: 

Who is offering the suggested solution to combat hackers? The head of Germany’s domestic intelligence service

What is the proposed solution to combat hackers of Germany’s critical infrastructure? to plant malware that gets triggered when the critical infrastructure is hacked.

What does that mean in non-tech term? Fight back by hacking back. 

dw.com | German intelligence head warns of cyber attacks on critical infrastructure

• No requirements for tech companies to build in backdoors
• The Secure Data Act

Politico | PRO-ENCRYPTION BILL LAUDED 

South Carolina’s  H4655 (2018 | SC) will:

• require insurers to establish “strong and aggressive” program to protect companies from a data breach
• require insurers to establish “strong and aggressive” program to protect consumers from a data breach
• what does it cover?  
  • rules for insurers, agents and other licensed entities covering data security
  • investigation and notification of breach
  • maintaining an information security program based on ongoing risk assessment
  • overseeing third-party service providers
  • investigating data breaches
  • notifying regulators of a cyber security event

How did this bill begin?

• South Carolina Insurance Director Raymond G. Farmer chaired the  National Association of Insurance Commissioners’ Cybersecurity (EX) Working Group that drafted the bill

Business Insurance | S.C. governor signs insurer cyber security into law

Cyber Crimes in the U.S. cost:

• reported losses exceeding $1.4 Billion (2017)
• total of 301,580 complaints (2017)
• In 2013, the losses were $781Million with 262,813 complaints
• Average of 800 complaints per day
• Victim losses are highest in TX. ($115.7Million) & CA ($214.2M)

FBI | 2017 Internet Crime Report

Georgia Governor Deal vetoed  SB315 (2018 | GA)  because:

• the bill could undermined national security
•  harmed private businesses’ efforts to stop hackers
• Georgia needs more discussion on this bill

A future data security bill should:

• develop a comprehensive policy
• promoting national security
• protecting online information
• continuing to advance Georgia’s position as a leader in the technology industry

Veto Statement on SB 315 May 8, 2018 Georgia Governor Deal

Politically Georgia | Computer snooping bill vetoed by Georgia Gov. Nathan Deal

Refreshing our recollection:

3 Reasons Tech Companies Want a Data Security Bill Vetoed in the Cherokee Rose State

West Virigina is securing its voting maschines from hackers by:

• West Virginia Air National Guard, with top secret clearance, actively tracks hackers
• West Virigina Secretary of State is prioritizing data security
• Intelligence Fusion Center, a nexus of state and federal law-enforcement and intelligence officials who handle threats ranging from floods to cyberattacks.
• State law requires that hand-countable paper ballots be used in every election

New York Times | How West Virginia Is Trying to Build Hacker-Proof Voting. 

Colorado Legislature passes SB18-086 to require 3 governmental entities:

• governor’s office of information technology (OIT)
• department of state
• department of regulatory agencies

to consider using encryption techniques and blockchain tech in order to protect:

confidential state records.

The bill also requires Colorado to accept business filings in distirbuted ledger (blockchain).

Colorado SB18-086

Cointelegraph | Colorado Passes Bill Advocating Blockchain For Gov’t Data Protection And Cyber Security

State: Wisconsin

What did Wisconsin’s Ethics Commission do about bitcoin campaign contributions? The Ethics Commission Administrator asked the Legislature to make a determination on how to handle bitcoin contributions

What 2 policy reasons did the Ethics Commission give to the Legislature? 

• “provide clarity to candidates and committees as to whether they may accept contributions of cryptocurrency.”
• concern over the anonimity of bitcoin contributions

What prompted bitcoin as campaign contributions in Wisconsin? A request from the Libertarian party to allow for bitcoin contributions

3 Governmental entities allow bitcoin contributions:

•  federal government
• Montana
• Washington, D.C.

Tampa Bay Times via AP | Ethics Commission asks Legislature to decide bitcoins

A group of tech companies, including:

• Google
• Microsoft
• + 50 academics, researchers, cybersecurity experts and technologists

are asking Georgia Governor Deal to veto a bill that makes unauthorized cyber access a crime punishable with up to 1 year in jail because the bill will:

• chill security research
• harm the state’s cybersecurity industry
• Why is that a big deal? Because the bill for the first time would “create new liabilities for security researchers who identify and disclose weaknesses to improve cybersecurity”

It’ll punish the white hat hackers- who hack to make systems better. 

AP | Tech giants urge governor to veto Georgia cybercrime bill

Wyoming this year sought to stake out territory as a leader in luring blockchain technology to the state.

These are the benefits that are touted:

• economic (new businesses moving to WY)
• elections- blockchain can streamline voting & make it more secure
• no cost to the state

The concern:

• Wyoming needs a tax structure that encourages technology companies to move there

Casper Star Tribune | Editorial board: Blockchain could be a boon for Wyoming 

State: Hawaii

The Equifax Response bill: HB 2342 (HI | 2018) 

What does the bill do?

• No fees for credit freezes
• No fees for credit thaws

Maui Now | Bill to Make Credit Freezes Free Passes Legislature

State: Texas

The pieces of information that State Representative Giovanni Capriglione wants to prohibit from being sold by the State of Texas:

• A person’s precise geographic location
• A person’s internet browsing history
• A person’s application usage history
• Teh functional equivalent of this information

What information is the State of Texas selling?

• Voting records
• Driver’s records

Houston Chronicle | Facebook may not sell the data it collects, but the state of Texas sure does

State: West Virginia

The lawsuit by the West Virginia Attorney General:  Violation of the the state’s Consumer Credit and Protection Act  

The potential penalty: $150,000 for each security breach and $5,000 for each violation of each of the 730,000 West Virginians affected by the Equifax breach

The statement from the WV Attorney General:

“Equifax’s failure to secure consumers’ personal information constitutes a shocking betrayal of public trust and an egregious violation of West Virginia consumer protection and data privacy laws,” Morrisey said in a statement.

Insurance Journal | West Virginia Sues Equifax Over Data Breach

Pennsylvania Secretary of State imposed a 12/31/2019 deadline for:

• each county in Pennsylvania
• to order new voting machines
• that keep a paper trail of each ballot

The total estimated cost for all counties: Between $95 million and $153 million

Penn Live | Pa. says counties must have new voting machines – with paper trails – for next presidential election

Who is behind the California Mayors Cyber Cup? California Mayors and California Cyberhub

The competition: brings high school and junior high school students from across the state to represent their specific cities in a cybersecurity competition

The policy goals: 

• educated workforce
• leader in addressing the global cybersecurity skills gap
• helps cities meet economic development goals to strengthen the workforce

CISION | California Uses Cyber Competition to Bring Cybersecurity Awareness to Communities Across the State 

the candidate: California State Senate incumbent Sen. Richard Pan, D-Sacramento

the alleged hack: Sent the campaign treasurer, from the candidates account, an invoice for a vaccine-related nonprofit organization, billing  the campaign for $46,000,  which was paid

What track was left? A series of emails between the Campaign Treasurer and the hackers, pretending to the candidate, with the treasurer asking whether the candidate really wanted to pay the Texas based vaccine related non-profit

Sacramento Bee | Hackers stole his campaign cash, Sacramento lawmaker says 

Members of  “Reform Government Surveillance”: Apple, Google, Yahoo, Microsoft, Twitter

6 Plank Agenda:

• limiting government authority to collect user information
• enhancing government oversight
• promoting transparency about government demands for data
• preventing hurdles for sharing information
• ensuring cooperation between nations’ governments
• encryption. opposing any government required engineered vulnerailities in technology

Politico | SURVEILLANCE COALITION INCLUDES NEW AGENDA ITEM

The legislation: Small Business Advanced Cybersecurity Enhancements Act of 2018 H.R. 4668

3 Points from HR 4668:

•  create cybersecurity assistance units at Small Business Development Centers (SBDCs) throughout the country
• point-of-contact for small businesses that suffer a cyber-attack
• Coordinate expertise from several federal agencies to provide small businesses with the best resources to prevent and recover from cyber-attacks.

The Support Letter from the US Chamber:   HR 4668 Letter 

3 Points from the US Chamber letter:

HR 3668 will help small business better protect themselves against malicious actors

WLUC | Peters, Risch introduce bill to increase federal cybersecurity resources for small businesses

Conference of Western Attorneys General will be discussing the following data security issues this year:

• data privacy, cybersecurity, and digital piracy
• breach notification
• the European Union’s data protection regulations
• national security & cybersecurity intersection
• FinTech

Enacted Laws to be highlighted:

• Arizona’s Regulatory Sandbox Program, signed into law by Governor Doug Ducey on March 22, 2018
• Arizona House Bill 2154 into law on April 11, 2018 that prioritize data privacy in partnership with the AG’s office

Why will these bills be highlighted: Arizona Attorney General Chairs the Conference of Western Attorneys General

The Delarware Attorney General launched a new webpage that has 4 data secuity resources:

• Online Reporting of Data Security Breaches
• Data Security Breach Notice Database
• Model Form for Providing Notice to Consumers and Other Affected Persons
• Links to Online Cybersecurity Resources

Delaware.gov | Attorney General Denn Announces New Online Data Security Breach Reporting Resource

State: Colorado

The Net Neutrality Bill in Colorado: HB18-1312 

What does Colorado’s HB 18-1312  do?

• Any entity receiving state funds to provide internet service, like rural broadband programs, must commit to net neutrality
• Requires net-neutral service preference when state taxpayer dollars are being spent on internet services

What reasons do Colorado Legislatorsy offer to support Colorado’s HB18-1312?  

• The Colorado Bill has nothing to do with the FCC reclassification, unlike what the Americans for Tax Reform Argument from Digital Liberty
• 83% of Americans support allowing non-net-neutral services

The Hill | Colorado must fight to protect net neutrality

California Legislature is moving a state net nuetrality biull that will move oversight to the State Attorney General to enforce net nuetrality among ISP providers.

California SB 822 (2018) 

Los Anglese Times | Net neutrality rules move past first hurdle in California 

Healthcare Supply Chain Association recommends these contract provisions for health care contracts:

State: Colorado

The Net Nuetrality Bill in Colorado: HB18-1312 

What group is opposing the bill? Americans for Tax Reform sister organization, Digital Liberty

What reasons do Americans for Prosperity offer to oppose Colorado’s HB18-1312?

• The bill does not help net nuetrality, because the FCC did not destroy the internet
• The bill harms Coloradoans

The Hill | Colorado’s legislature should think twice about passing a net neutrality law

The Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. S2639 (2018) will:

• require edge providers (Facebook and Google)
• obtain opt-in consent from users before using, sharing  or selling their information
• require reasonable data security practices from edge providers
• require notifcation to users about all collection, use, and sharing of users’ personal information, and to inform users of a data breach
• clarifies that enforcement authority trests with the Federal Trade Commission

PYMTS | Consumer Watchdog Wants More Than Regulation For Facebook

Congress is considering STB Information and Security Act (H.R. 4921) and The FRA Safety Data Improvement Act (H.R. 4925) that will:

• implement a plan to improve railway nformation security system
• improve the management and collection of railroad safety data
• identifying and mitigating rail safety risks

Railway Age | Rail data security bills head to Senate

State: Michigan

The 2 ransomware bills signed by Michigan’s Governor:

• PA 95 HB 5257 (2018) 
  • prohibits knowingly possess ransomware with the intent to use or employ that ransomware
• PA 96 HB 5258 (2018)
  • sentencing guidelines for ransomware possession

What problems was the Legislature trying address: 

• Michigan had no recourse to charge cybercriminals that had ransomware on their computers that they hadn’t used  
• In 2017 there were 1,300 reported cases of ransomware attacks in Michigan 

State Scoop | Possession of ransomware is now a crime in Michigan

Wyoming looks to be a world leader on blockchain technology.

To achieve its goal, Wyoming Legislature passed these bills:

• House Bill 19  trade and commerce standards that include virtual commerce
• House Bill 70  framework for developing, selling or facilitating the exchange of an open blockchain token
• House Bill 101 business use of blockchain records
• House Bill 126 LLC use of blockchain records
• Senate File 111 Property taxes and digital currency

What is Wyoming’s state strategy? Wyoming’s economic diversification strategy is known as ENDOW – which stands for Economically Needed Diversity Options for Wyoming 

Government Technology | New Laws Reverse Wyoming’s Strict Stance on Blockchain, Cryptocurrencies

Date of cyber attack: April 2, 2018

What part of a pipeline system was attcked? an Electronic Data Interchange for the pipeline system

What impact did the hack have on the piepline?

• The interchange was handled by a 3rd party
• allegations that the system was shutdown, with no known impact on the natural gas flow
• later in the evening, it was  safe to transfer files through the EDI platform
• no data or operations were affected by the attack

CISO Magazine | Energy Transfer Partners reports cyber breach

• 7 states have enacted blockchain bills
  • Arizona, Delaware, Illinois, Nevada, Tennessee, Vermont, and Wyoming
• 8 States have amended wire transfer satutes to account for lockchain
• $2.4 Billion in venture capital invested in blockchain since 2012
• $120,000 to $150,000 average salary for a blockchain company employee
• 19 states considering lockcahin bills in 2018
  • Including: Hawaii, New York, Colorado, Nebraska, Vermont, Virginia, Florida, Maryland, and North Dakota

The Verge | Blockchain laws tend to be hasty, unnecessary, and extremely thirsty

•  Trump administration has elevated U.S. Cyber Command to a unified combatant command
• The internet is a critically weak link for the U.S.’s military 
  • “Adm. Michael Rogers, the head of Cyber Command, recently told Congress he needs $647 million to build the cyber mission force and conduct cyber operations”

Richmond Times Dispatch | Editorial: Cyber security is far more critical than border security

Atlanta’s city services recently experienced a ransomware attack, the responses include:

• Calls for more transparency for utilities about their cybersecurity to “keep consumers aware of the threats and their frequency”
• Because electricity is a security issue, the market cannot resolve the issue & the government must act
• FERC is beefing up mandatory reporting requirements

Eagle Tribune Opinion | Utilities should be more transparent about cybersecurity

Massachusetts Legislature is moving a net neutrality bill, S2376,  that will:

• create a central registry of internet service providers
• require net nuetrality in government contracts
• prohibit ISPs from collecting, using or sharing a consumer’s personal data without their consent
• State rules would be developed by the state Department of Telecommunications and Cable
• Requires ISPs to make the same disclosures to state regulatators that ISPs make to the FCC
• An assessment on ISPs would be levied to cover additional agency oversity costs

Gloucester Times | UPDATE: Senate bill would assess providers to ensure internet neutrality

Draft Federal legislation will require notification of breach if and only if a business determines:

• “a reasonable risk that the breach of data security has resulted in identity theft, fraud or economic loss”

Why does this specific statuory draft langauge matter? Courts are split on whether a business is liable when a data breach hasn’t resulted in actual fraud or economic loss, which means the language sets up a liability threshold.

Fox 13 | Report: Draft bill would allow credit reporting agencies, banks to conceal data breaches

The US Chamber of Commerce has a new White Paper supporting business-government partnerships for data security.

The 5 best practices recommended: 

• Cultivate trusted and bi-directional relationships with law enforcement and prosecutors
• Join a cyber information sharing organization
• Implement and Update cyber incident response plans
• Loop in legal counsel to keep counsel up to date on business’ cyber plans and resources
• Actively contact law enforcement during incident response for suspected criminal activity

City: New York City

Cybersecurity protection offered by NYC: A free app called NYC Secure that alerts a person to mailcious attempts to hack their device

5 Components to NYC Secure:

• Its a free app
• It will not collect or transmit any personal identifying information
• It will not collect or transmit private data
• It works in coordination with increased security rollouts at NYCs public Wi-Fi networks
• New York’s NYC Cyber Command (NYC3), a city-level cyber defense organization, will oversee the program

Tech Crunch | New York City is launching public cybersecurity tools to keep residents from getting hacked

32 Attorneys General oppose federal preemption of state data security laws because:

• Reduces state enforcement by allowing entities to decide if a breach needs to be reported
• Prevents proactive action by consumers in state law, which states currently have
• Leaves a vacant enforcement loophole for breaches that impact fewer than 5000 

Pocono News | PA attorney general seeks stronger enforcement of data breach notification laws

Bi partisan Attorneys General Letter Opposing Federal Data Security Preemption March 19, 2018

LBB | Overview of State Agency Cybersecurity Costs 

Florida legislature authorized the spending of  $1.9 million in federal Help America Vote Act (HAVA) money for:

• Counties to buy devices & pay for a monthly monitoring service that looks for hacker attacks
• Each sensor costs $8,000
• Monthly monitoring is $1,300/month
• Funding will last only for 12 months
• Funding was not provided to protect the statewide database of voter information
• Funding doe snot include the Governor’s request for 5 cyber security experts 

Tampa Bay Times | Despite attempted Russian election hack, Legislature did not create cyber security unit

Michigan enacted HB 4973 (2018) which will exclude cybersecurity information from open records requests. 

It creates these 4 cybersecurity definitions to protect the state’s cybersecurity:

• “Cybersecurity vulnerability”
• “Cybersecurity plan”
• “Cybersecurity incident”
• “Cybersecurity assessment”

The Peninsula | New law exempts data linked to cybersecurity from FOIA requests

• State agencies can  coordinate data sharing, processing and storage
• State and Local agencies can actively work on data minimization
• Include cybertraining as basic employee training

State Tech | What’s the State and Local Agency Role in the Battle for Data Privacy?

State: Florida

The bill: HB 7071 (2018)

What would this database do?

• store searchable, anonymized data about individual defendants
• includes ethnicities
• includes details of plea agreements
• county-level data about the daily number of people being held in a given jail pre-trial
• annual misdemeanor caseload at each court

How is this trend progressing?

• local governments like counties in California have created their own criminal case databases

WIRED | FLORIDA COULD START A CRIMINAL-JUSTICE DATA REVOLUTION

State: Nebraska

Nebraska’s 2018 post-Equifax reform bill: Legislative Bill 757 (2018)

What does Nebraska’s LB 757 do?

• requires reasonable security and disposal procedures and practices for all entities possessing data
• non-affiliated 3rd parties also have to maintain reasonable security and disposal procedures for data
• free credit freezes and free credit thaws

State: South Dakota

The South Dakota post-Equifax data breach bills: House Bill 1078 & House Bill 1127 

What did House Bill 1078  do? Freezes remain in place until the consumer requests otherwise & must be lifted within 3 days of a request

What did House Bill 1127  do? Cost free credit report freezing & un-freezing (thawing)

State: New York

Stop Hacks and Improve Electronic Data Security Act: NY Senate Bill S6933A (2018)

What do I need to know to sound like I know about the SHIELD Act?

• it covers both disclosure of hacks & securing information
• for businesses it uses the increasingly common standard of :”“reasonable safe-guards to protect the security, confidentiality and integrity” of private information.”
• The carrot: no new causes of action are created
• The stick: violations fall under the Deceptive Trade Practices Act and fines accrue per violation

National Law Review | A Primer on the SHIELD Act: New York’s Move to Adopt More Stringent Data Security Requirements, Part II

Background: A data security researcher at a public university in Georgia discovered the personal information of 6.7 million Georgia voters unprotected online. 

The legislative Response: Gerogia’s SB 315 (2018) 

What is the legislative goal? Prevent computer snooping by requiring permission at the outset before seeking unprotecting data maintained by a government or business

What does the tech community say? Fix this bill by only criminalizing computer snooping with maiclious intent

Atlanta Journal Constitution | Georgia bill might limit efforts to find internet security problems

State: Connecticut

The Data Security for Education Contracts Bill: 2016’s  H.B. No. 5469

3 Takeaways for Education Vendors:

• All vendors need written data privacy agreements
  • All means all from yearbook publishers to niche apps to Google
• 2 Policy Goals the state wanted to meet:
  • Protect students from targeted advertising
  • Require notification of data breaches 
• The unintended consequence: Each data privacy contract is required by each school district which led to a lot of legal fees for school districts

EdSurge | States Issue Privacy Ultimatums to Education Technology Vendors

Wyoming HB 0070 (2018) will create this regulatory system for bitcoin in Wyoming:

• Creates an open blockchain token
• Cannot be marketed as an investment or part of a repurchase agreement
• Exchange of open blockchain does not trigger broker dealer regulations

3 Tech commentaries:

• Wyoming is forward-thinking to allow freer reign for cryptocurrency companies
• Makes Cheyenne intruiging to a  few dozen crypto startups
• Wyoming revealed its willingness to be a “test bed for future regulation”

The impact to Texas: Wyoming has the regulatory framework for sandboxing, which is in the 2018 interim charges for the Texas House.

Tech Crunch  | Wyoming works to make some crypto tokens exempt from regulation

• 5 Governors have net nuetrality executive orders
• Washington State Governor signed a Net Nuetrality Law
  •  The WA bill says providers offering service in the state cannot block or throttle legal content, & cannot offer fast-lane access to companies willing to pay extra.
• Oregon’s Governor is expected to sign its Net Nuetrality Law
  • The OR bill prohibits state and local entities from buying internet service that blocks or throttles content
• 25 States are considering net nuetrality bills
• The bills are bipartisan

WIRED | WASHINGTON STATE ENACTS NET NEUTRALITY LAW, IN CLASH WITH FCC. 

Pennsylvania Attorney General has filed suit against Uber for violating the state’s data breach notification laws.

What are the alleged violations? (Also Known As red flags for drafting data breach notification laws)

• 13,500 Pennsylvanians were not notified in a reasonable time
• each violation has a $1000 fine, for a total of $13.5 Million

What ogther circumstances did the Attorney General mention?

• The company waited a year
• intentionally hid the breach
• contracted with hackers concerning the breach

WIRED | UBER ‘SURPRISED’ BY TOTALLY UNSURPRISING PENNSYLVANIA DATA BREACH LAWSUIT

What role did local government play? Houston Mayor and City Council tasked a group to develop strategies to support and attract technology companies

The result of the local government task:  A land-neutral proposal for a data consortium 

Local additional elements: The Univeristy of Houston’s Institute for Data Science that will focus on:

• cyber and physical security
• drug development and discovery
• sustainable communities and infrastructure
• accessible and personalized health care

Houston Business Journal | Texas Medical Center, Houston energy cos. considering data science consortium

Houston Chronicle | Texas Medical Center, Houston’s energy industry in talks on data science collaboration

State: Oregon

The legislation: OR HB 4155 (2018)

What does Oregon’s HB4155 do?

• It does not mandate net nuetrality
• it prohibits agencies, cities and counties from using internet service that blocks or prioritizes specific content or apps
• it does not apply in areas where there is only 1 service provider

oregon Live | Oregon Senate sends net neutrality bill to Gov. Kate Brown

Seattle Times | Net neutrality bill passes Oregon Legislature 

Arizona Governor Ducey by Executive Order created the Arizona Cybersecurity Team (ACT).

ACT team membership: experts from state, local, and federal government, the private sector, and higher education

ACT Goals:

• enhancing cybersecurity workforce development and education
• increasing public awareness on cybersecurity best practices
•  advise and provide recommendations to the governor

The ACT primer cites 4 data breaches to support its mission:

• Texas Comptroller Data Breach
• Utah Health Care Data Breach
• Target Data Breach
• Home Depot Data Breach

Prescott News | Governor Ducey Forms Arizona Cybersecurity Team

The Online Snooping Bill:

• Georgia SB 315 (2018) 
• Republican State Senator
• unauthorized computer acess that didn’t involve taking data would result in a misdeamnor of a high and aggrevated nature

Opposition:

• criminalizes lying on a dating profile
• criminalizes violations of user agreements
• criminalizes any use of a work computer for personal use like checking the Falcons score

Washington Post | Sweeping Georgia cybercrime bill would target ‘snoopers’

The U.S. Supreme Court refused to grant review of CAREFIRST, INC., ET AL. V. ATTIAS, CHANTAL, ET AL which concerns:

• whether to bring a data security lawsuit, is actual harm or the possibility of harm required?
• the U.S. Supreme Court refusal left in place a standard  set by the U.S. Court of Appeals in the District of Columbiath that the possibility of harm is enough
• the burning question- is it up to the courts to hold entities responsible for safe keeping data?

Fierce Healthcare | Supreme Court denies CareFirst’s petition to review data breach case 

The new cybersecurity office:  Justice Department’s Cyber-Digital Task Force

Cyber Digital Task Force Goals:

• canvass the many ways that the Department is combatting the global cyber threat
• identify how federal law enforcement can more effectively accomplish its mission

Task Force members:

• CHAIR: senior Department official appointed by the Deputy Attorney General
• Department’s Criminal Division
• National Security Division
• United States Attorney’s Office community
• Office of Legal Policy
• Office of Privacy and Civil Liberties
• Office of the Chief Information Officer
• ATF
• FBI
• DEA
• U.S. Marshals Service

Report to be issued by June 2018 with a focus on these cyber issues:

• Election Hackers. election interference
• Grid Hackers. interfere with our critical infrastructure
• Fake News. use of the Internet to spread violent ideologies and to recruit followers
• Identity hackers. mass theft of corporate, governmental, and private information
• High level encryption. technology to avoid or frustrate law enforcement
• Viruses, ransomware  et. al. mass exploitation of computers and other digital devices to attack American citizens and businesses

Department of Justice | Attorney General Sessions Announces New Cybersecurity Task Force

State: Virginia

The legislation: HB 183 (2018) SB 271 (2018) 

What’s required by Virginia’s HB 183 and SB 271?

• Any income tax preparer in Virginia has to notify the VA Department of Taxation of a cyber security breach 
• Notification is triggered by when the tax preparer discovers the breach and must be done without unreasonable delay

Is there a cost savings according to the bill’s author? Yes, the state will save $300,000 a year because the state Department of Taxation won’t be issuing refunds to fake tax returns filed by hackers

WRIC | Va. bill takes on tax return data breaches

SEC adopted new rules this week to require greater disclosure of cybersecurity threats by businesses. 

What you need to know:

• prohibits trading on insider cyber security knowledge
• companies are urged to develop policies that allow them to quickly assess cybersecurity risks and decide when to tell the public
• prohibits companies from using internal or law enforcement investigations as an excuse for not informing the public.

Tech Crunch | The SEC says companies must disclose more information about cybersecurity risks

The new oversight:  Office of Cybersecurity, Energy Security, and Emergency Response at the Energy Department

Head of the new office:   will be led by an Assistant Secretary

Policy Goals of the new office:

• energy infrastructure security
•  support the expanded national security responsibilities
• coordination and focus on protecting energy infrastructure, like the electric grid, from cyber and foreign attacks & natural threats

Funding: $96 million

Department of Energy | Secretary of Energy Rick Perry Forms New Office of Cybersecurity, Energy Security, and Emergency Response

The Hill | Energy Department creates new office for cyber, energy security

Oregon’s SB 1551 (2018)  will require:

• notification to consumers of a data breach within 45 days unless it could hinder law enforcement
• if more than 250 Oregonians are affected, then notice must also go to the state Attorney General
• a violation triggers Deceptive Trade Practices Act 
  • this means class action lawsuits
  • this also means big fines
• no fees for credit freezes or thaws
• prohibits ‘ “upselling” by breached companies or third-party contractors when they offer people free credit monitoring or other damage-­mitigating services”

Register Guard | Oregon Senate approves new consumer protections after Equifax data breach

The 8 partners in the TRUST CHARTER:

• Siemens
• Munich Security Conference
• Airbus
• Allianz
• Daimler Group
• IBM
• NXP
• SGS
• Deutsche Telekom

Action Areas for Business and Government:

• A call to responsibility at the highest levels of government and business with a dedicated government section and chief information officer at organizations
• Companies must develop mandatory, third-party certification for infrastructure and solutions

“Governments must take a leadership role when it comes to the transaction rules in cyberspace,” said Wolfgang Ischinger, chairman of the Munich Security Conference

Clinical Innovation + Technology | Siemens, 8 partners sign charter to improve cybersecurity

State: Nebraska

The legislation: 

• LB 987 Bitcoin as acceptable currency
• LB 691 Virtual Currency Money Laundering Act
• LB 694  State preemtion on blockchain technology & prohibits local taxing of blockchain
• LB 695 Blockchain state contracting

LB 694 & 695 will require that:

• blockchain signatures are legally valid in Nebraska
• smart contracts are valid in all commerce in Nebraska
• local governments cannot tax, license or regulate blockchain technology

Omaha World Herald | Nebraska Legislature considers bills on blockchain, cryptocurrency for first time

State: Alabama

What entity organized the coalition against card skimming? Alabama’s Attorney General

The new coalition against card skimming: Alabama Focus Group on Skimming

What entities comprise the coalition?

• U.S. Secret Service
• Alabama Department of Agriculture and Industries
• Alabama Department of Transportation
• Alabama Fusion Center
• Alabama Law Enforcement Agency
• Alabama Petroleum Equipment Contractors Association
• Petroleum & Convenience Marketers of Alabama
• Alabama Attorney General’s Office

AL.com | State launches lab to fight growing problem of cyber crime

State: Alabama

Agency Housing the Cyber Crime Lab: Attorney General Office

What tools does the operator of a cyber crime lab need?

• talent to unlock cell phone evidence
• talent to track down credit/debit card skimmers
• talent to unmask criminals behind identity theft
• talent to help businesses &  local governments recover revenue  lost in cyber theft 

AL.com | State launches lab to fight growing problem of cyber crime

New alliance:  The Retail Cyber Intelligence Sharing Center (R-CISC)

Alliance members:

•  retailers
• gaming properties
• consumer product manufacturers
• grocers
•  hotels
• restaurants
• cybersecurity industry partners

Specific corporate members:

• Lowes
• Walgreens
• Starbucks
• MGM Resorts
• Gap
• Autonation
• Estee Lauder

Governor of Pennsylvania ordered counties to buy voting machines that also leave a paper trail to protect against hacking.

Pennsylvania is providing counties with this much funding to update voting machines: $0

Governing | To Prevent Hacking, Pennsylvania Will Create Voting Paper Trail

AP | Pennsylvania to require voting machines with paper backup

New York’s A09782  allows state agencies to enter into agreements to accept cyrpto currency like BitCoin.

State: New York

The Bills:  

• A08780 allows contracts secured through blockchain technology + allows smart contracts to exist in commerce
• A08792 blockchain to secure elections
• A08793 blockchain for the security of state records

The policy support for blockchain:

•  safer bet for state and local government records and contracts
• benefits to state and local governments
• tool for increasing accountability and transparency

State Tech | New York Targets Blockchain for Voter Security, Smart Contracts and More

Washington State House passed a net nuetrality bill, HB 2282, that will:

• establish net nuetrality in Washington State
• protect consumers in Washington State

The  bill will protect consumer by prohibiting companies from:

• Blocking of lawful content by internet service providers

• “Throttling,” or slowing down, of lawful content by internet service providers

• Favoring of certain content over others by internet service providers due to special deals (“paid prioritization”)

The vote in the House: 93-5

K5 | Washington House passes bill to protect net-neutrality rules

Seattle Times | Net-neutrality bill in the Washington Legislature easily passes the House

Bills in the Kansas legislature is proposing a Kansas cyber-security authority. H2331 (2018)

County Commissioners in Segwick County raise these concerns:

• Any local government connectiung to state system would have to have their cybersecurity programs reviewed
• Unfunded mandate
• For a small county like Segwick, the cost per person is estiamted at $700/person

WHAT WOULD THE KANSAS CYBER SECURITY AUTHORITY DO?

• Create a Kansas information security office
• review  cyber-security programs
• create training programs

KWCH 12 | County leaders express concern over cost of ‘Kansas Cybersecurity Act’

A Rhode Island legislator wants companies that have had a data breach to:

• notify the state and consumers in a “reasonable promptness”, quicker than the current 45 days
• Increase the penalty from $100 to $150,000 per breach

WPRI | Lawmaker proposes law to protect victims of data breaches

Rhode Island HB 7387 (2018) 

Harvard Business Review poses the question about creating no-fly list for computer systems to:

•  effectively identify threats and malicious traffic
• automate collection, optimization, and integration of threat intelligence
• share threat intelligence which has been shown to strengthen security 

Harvard Business Review | Why Every Company Should Consider Creating a “Cyber No-Fly List”

Cities and local governments are implementing net neutrality standards by:

• city-owned broadband options
• yes, municipally owned internet

What policies goals have some cities, like San Francisco, set for municipal broadband?

• internet acess must favor the general public and San Francisco values
• Ft. Collins is hailing municipal borad band as a means to reclaim privacy

Government Technology | States, Cities Turn to Tech in Bid to Preserve Net Neutrality Principles 

Two vulnerailities with EV charging stations have been spotted by tech experts:

• EV charnging stations are not required to transmit charging authorization information in an encrypted format
• EV charging stations are not required to prohibit duplicates of the same numbered card

Tech Crunch | Electric car charge-station payment systems may lack basic security measures

Nebraska Legislature is considering LB 757  that will:

• Applies data security requires people and businesses that owns, licenses or maintains data of Nebraska residents
• Requires a data security standard of “reasonable security procedures and practices:
• Ties the state legislation to  Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996 

How does this differ from other state approaches?

• Other states have focused on free credit freezes and free credit report un-freezing.

NTV | Proposed bill would offer free credit monitoring after data breach 

Iowa’s Attorney General is supporting House Study Bill 526 (2018)  which adds the following health care information to the state’s data breach statute:

• medical records, physical and mental health
  • including treatment & diagnosis
• health insurance information

Any other requirements in House Study Bill 526 (2018) ?

• 45 day notification requirement
• 128-bit data encryption requirement
• Notification to the state if written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator (an Equifax fix)

Health IT Security | Proposed Iowa Data Breach Bill Accounts for Health Data

Gerogia Legislature is considering Senate Bill 315 (2018) .

Data Security research supporters say the bill raises these 3 concerns:

• The terms  “access” and “authority” are not clearly defined
• because the terms are not clearly defined research will be quelled for the fear of committing an unknown crime
• The Federal Computer Fraud and Abuse Act also had broad terms and led to the “overzealous” prosecution of researchers

What’s the goal of the bill? To add the crime of unauthorized computer access to the Georgia Computer Systems Protection Act

KSU Sentinel | Georgia bill poses potential threat to cybersecurity researchers

In 2017 states outpaced the federal government in data security legislation, here’s what happened:

• 42 states
• Considered 240 bills and resolutions related to cybersecurity
• That’s 2 times as many bills and resultions as 2016

Edgile | Businesswire | US State Cybersecurity Regulation More Than Doubled in 2017, While Federal Regulation Waned

Where: New York

Who: New York Governor Cuomo

How: By Executive Order

What does the executive order do? NY Executive Order Number 75

• Prohibits state contracts with entities that  treat all web traffic equally
• Establishes internet access as an essential service

Why: In response to the FCC net nuetrality repeal, NY became the 2nd state to creae its own net nuetrality provisions.

The Hill | Cuomo signs executive order protecting net neutrality in New York

• City-wide digital platforms Data gathering, aggregating, and analyzing data 
• Development of Connected Intersections Smart City initiatives 
• Computing at the edge  faster and accurate for data analytics.
• Merging of GIS, big data, and analytics data modeling community behavior
• Public safety vehicles as digital hubs  faster and more accurately emergency response 
• More Connected vehicle capabilities, See NHTSA suggestions for Vehicle to Vehicle (V2V) communications. The Feds- yay!
• Greater real-time citizen wireless interaction  new government-citizen collaborative tools, including real-time video and data sharing and base-level artificial intelligence
• Link autonomous vehicles with government sensors Smart Cities!
• City Apps  transparency of government-gathered data
• Smart city amendments to municipal codes

Cisco | Top 10 Smart City Trends for 2018

H.R. 1224 (115th Congress) requires a 6 point audit of federal agency data security:

• a description of staffing plans
• workforce capabilities
• methods of conducting such audits
• coordination with agencies to support such audits
• expected timeframe for the completion of the audits
• other relevant information

Florida legislature is considering SB 1302 and HB 953  that will end fees for freezing or unfreezing a credit report.

The bills make no other changes to credit reporting entities.

The opposition, the “Consumer Data Industry Association,” opposes bills that removes all fees from credit freezes.

Palm Beach Post | Florida considers ending fee to freeze credit as Equifax leads gripes

2017 Congressional spending by tech companies:

• Google spent $18 million (up from $15.4 million)
• Facebook spent $11.6 million (up from $8.7 million)
• Twitter  spent $561,000  (down from $680,000) 
• Amazon spent $12.8 million  ( up from  $11 million)
• Apple spent $7.1 million (up from $4.6 million)
•  Netflix spent  $800,000 (same amount from 2016)
• NCTA – The Internet & Television Association: $12.8 million  (down from $13.3 million)

The Hill | As Tech Industry Boosts Lobbying Spending, Showbiz Outlay Stays Largely the Same 

How did Montana add net nuetrality on the state level? Executive Order

What does Governor Steve Bullock (D) executive order require? internet service providers with state contracts to abide by net neutrality principle:

• “in order to receive a contract with the state government, internet service providers must not engage in blocking or throttling web content or create internet fast lanes.”

Effective Date: Immediately with a 6 month grace period

The Hill | Montana becomes first state to implement net neutrality after FCC repeal

MT Gov. Executive Order No. 3-2018

Florida legislature is considering House Bill 1357 that will :

• look to transition state data centers to blockchain technology
• provides for electronic contracts and signatures secured by blockchain technology

As a side note, Arizona passed a similar bill in 2017. AZ HB 2417 (2017)

CoinDesk | Florida Bill Would Legally Recognize Blockchain Signatures, Smart Contracts

The Tennessee legislature is considering House Bill 1507 and Senate Bill 1662 which will:

• define blockchain signatures as legal signatures
• statutorily recognize contracts secured through blockchain

Business contracting meets 2018.

This month the Federal Trade Commission released a paper on cybersecurity issues with conencted cars.

4 Points from the FTC paper:

• lots of information is gathered and shared, the information must be protected
• can a vehicle’s safety controlled fuctions be segregated from other functions for public safety?
• how to best update cars when a new vulnerability is discovered?
• how to set a base line security standard for connected cars

Colorado Legislature is considering SB18-086 that brings together blockchain & data security legislation.

What you need to know:

• Calls for CO to adopt a distributed ledger
  • this means pieces of the ledger live in different cyber spaces, so a hack of 1 space does not expose all the data
• How does the bill get to a distributed ledger in Colorado state government?
  • Directs Colorado’s chief information security officer to evaluate the costs and benefits of using distributed ledgers in various government systems
  • CO will examine blockchain’s capability in handling cyberattacks compared to traditional computer systems

The Prime Miniter of Sweden announced the immediate formation of an agency charged with protecting the integrity of Seden’s elections. 

The new agency will be cahrged with:

• “psychological defence by identifying, analysing, and responding to external influence campaigns”
• will not hesitate to expose those who meddle in Swedish elections
• in coordination with the agency, there will be increased funding for Swedish intelligence and cyber-defence services to monitor external threats
• the agency will work with each parties’ officials to secure the election

Why does this matter? “A US report noted that Nordic states (Sweden) were “a favourite target of the Kremlin’s propaganda machine”

EU Observer | Sweden raises alarm on election meddling

Ohio Legislature is set to consider bills to strengthen cybersecurity for their election system by:

• Establishing a Cybersecurity director within the Secretary of State administration
  • the Director would be responsible for recommendations to keep elections secure
• Establishing a cyber-security advisory council appointed by the Secretary of State and made up of:
  • business community
  • technology community
  • law enforcement
  • voting advocates
  •  elections officials from both political parties
• Requiring counties to have election audits

Cleveland.com | Democrat Rep. Kathleen Clyde to introduce legislation to beef up elections cybersecurity

OH HB 466 (2018) 

OH HB 467 (2018)