Cybersecurity & Tech

Stanford researchers and other professors looking at this federal definition of cybersecurity:

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation

think that the definition is outdated and needs to reflect the use of disinformation.

The list of cybersecurity legislative changes that are being bandied about:

• including disinformation campaigns
•  prohibiting the use of digital bots to impersonate people
• more tansparency on how the algorithms used by social media sites work

Lawfare | Cybersecurity: Time for a New Definition

The New Jersey Senate passed a Block Chain Task Force bill S2297 (NJ |2018) that will determine whether:

• NJ should be using Blockchain technology to modernize government systems
• it would safeguard personal data is good for NJ
• if it would help with service delivery
• whether it would be good for local governments

Touted benefits of blockchain/distributed ledger storage? could also help safeguard government systems from cyber-security attacks

Insider NJ | Kean/Beach Blockchain Task Force Passes Senate  

What did the Michigan Chamber of Commerce tout as reasons to support a Data Security bill, HB 6405 (MI | 2018) that required businesses to do certain new tasks concerning data breaches:

• The Chamber likes a specific time frame to notify affected persons
  • The chamber did not like phrasing, within a reasonable time
• Is ok with “reasonable mandates” on businesses
• The Chamber supports “.. a consumers’ right to know that their personal identifying information was compromised”

Michigan Chamber of Commerce | Michigan Chamber Applauds Senate Action on Data Breach Notification Legislation

S3288 (115th Congress) creates an offense of Aggravated damage to a critical infrastructure computer & allows for forfeiture of assets related to bots.

Morning Cybersecurity | Sen. Sheldon Whitehouse, meanwhile, complained that the Trump administration hasn’t collaborated with him on bipartisan legislation (S. 3288) to take down botnets. 

• Libaility for the school, the school distric,t the principal, and the superintendent
• Legal requirements schools retain records like, HIPPA records, that has certian legal requirements
• Disruptions to Education When a school is subject to a hack, it can suspend learning
• Student Records. A cyber event may not only want to steal information, it may want to change information. Integrity of school records is crucial
• Reputation of the school, its educational system, and its leadership

EdScoop | Five reasons schools need to address cybersecurity now

The allegations of fake constitutent support:

• Comments to the FCC over net nuetrality rules
• Of 20 million comments, almost 50% were provided without consent

The investigations:

• FBI issuing subpoenas
•  New York Attorney General with support of Attorneys General of Massachusettes and the District of Columbia

Targets of the subpoenas:

• 14 organizations
• 11 of which are either politically conservative or related to the telecommunications industry and opposed net neutrality, and three of which supported

BuzzFeed | Millions Of Comments About The FCC’s Net Neutrality Rules Were Fake. Now The Feds Are Investigating

• More attention at the state level. States have been targets of hackers and that fuels their regulatory structures
• Agility. States can respond more quickly legislatively
• More to Lose. States are closer to local level data breaches and are as impacted by local breaches
• Business Accountability State resources also support businesses that have been impacted by hackers

Baltimore Post Examiner | Why is State Cybersecurity better than Federal Cybersecurity?

HR7283 (115th Congress) requires devices purchased by the federal government to be:

• Sets contractor minimum security requirements
• Agencies will set baseline secueity standards for procurements
• Standards must be “based on technology-neutral, out- come-based security principles”

Text of HR7283 (115th Congress)

NextGov | Upcoming Bill Would Lock Down Agencies’ Internet-Connected Devices 

Is this bipartisan? Yes, Sen. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H.

What’s the bill called? The Public-Private Cybersecurity Cooperation Act

What would it do?  Creates a vulnerability disclosure program, crafted by the Department of Homeland Securty,  to allow hackers to report problems to the proper authorities without being prosecuted 

S3707 (115th Congress)

NextGov | Senators Introduce Bill to Let Hackers Reports Bugs to DHS

• Fees charged by bitcoin processor.  Do the fees exceed fees in other payment options
• Fraud there is a well known Canadian bitcoin tax scam
• Unnecessary  who wants bitcoin payment? the information according to the state will not be available until after a few months into the program
• Safety. Is it safe?

Nextgov | Is this about grabbing some of the sizzle that comes with all things blockchain and crypto

New Jersey legislature is moving A3245 (2018 |NJ) which is in repsonse to the Marriott data breach and will:

• Expands the state data breach notification requirements to include disclosure of:
  • usernames
  • email addresses
  • any passwords
  • security questions and answers
• The authors say prompt notification is required for people to keep their online acocunts protected

Insider NJ | Assembly Panel Clears Caputo & Murphy Bill Requiring Disclosure of Online Security Breaches 

• Lots of potential Texas impact.  potentially 100s of 1000s of Texans “vulnerable to the nightmare of identity theft”
• massive hack.  “compromising the personal information of up to 500 million guests”
• enforcement actions include:
  • ​serving an investigative subpoena
  • encouraging affected texans to file a complaint at  https://www.texasattorneygeneral.gov/cpd/file-a-consumer-complaint

Texas Attorney General Office | AG Pax­ton Begins Inves­ti­ga­tion Into Mar­riott Data Breach Affect­ing 500 Mil­lion Cus­tomers Worldwide

HB 747 (2018 | OH) will estalish the Ohio Cyber Reserve to protect Ohioans from cyber terrorists.

Authors tout that the Reserve will also help cities with cyber inititatives.

How many aspects of cybersecurity will the reserve have its fingers in?

• election security
• local governments
• critical infrastructure
• businesses

Like the national guard, the reserve will act by Governor action.

Fox 8 | Ohio House passes bill to establish cybersecurity team

Government Technology | Ohio House Passes Cybersecurity Team Bill

The Pennsylvania Supreme Court has ruled that employers have a duty to protect employees from cyberattacks by setting:

• Employer Duty: “a legal duty to exercise reasonable care to safeguard”
• Remedy: a recovery for negligent behavior under the economic loss doctrine

Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018)

White & Williams | Pennsylvania Supreme Court Holds Employers Have Duty to Protect Employee Data from Cyberattacks 

Norway is changing the way it taxes bitcoin miners.

The current tax structure for cryptocurrency miners: 

• the lower rate for power intensive industries (capacity of more than 0.5 megawatts)
• the rate: $0.00056 per kilowatt hour
  • 2.8% of the standard tax rate

The new rate tax structure for bitcoin in Norway:

•  $0.019 per kilowatt hour

CryptoCurrency 365 | Norway Decided to Impose Normal Electricity Tax on Miners

The Nevada Legislature will consider SB69 (2019 | NV) which is:

• backed by the Division of Public Safety’s Division of Emergency Management
• defines significant cyber events like invasions, disasters and riots
• require schools, cities, counties and resorts to have emergency response plans
• designates October as “Cybersecurity Awareness Month”
• allows the governor to call on the national guard during a significant cyber event

Nevada Independent | New pre-filed bills take aim at education, cybersecurity ahead of upcoming legislative session

• Ohio is the 1st state to accept bitcoin for tax payments
• On OhioCrypto.com 23 Ohio taxes can be paid via bitcoin
• Bitcoin tax payments will be limited to Businesses
  • After a successful pilot with businesses, then the bitcoin tax payments will open for individual OH taxpayers

Crypto Currency News | Ohio Accepts Bitcoin for Tax Payments: A Much-Needed Silver Lining. 

States have taken different approaches to how to regulate hacking by research, or white hat hackers, who identify and report data security vulnerabilities.

An example of this is a researcher who discovered in 2017 that USPS had left open all user information of the usps.gov website. There was no response from USPS, and the breach was disclosed this week. 

Tech Crunch | U.S. Postal Service Data Breach Exposes Data of 60M Customers 

• Texas is a leader. Texas should lead in regulating false information spread by bots
• Texas has been impacted by misinformation. Both these Texas events were followed by false information:
  • Austin bombings in March
  • Santa Fe High School shooting in May
• Model Legislation should include:
  • ​the 1st amendment should be respected for individuals and corporations
  • Bots should be labeled and identified
  • Outreach to encourager fact checking
  • Media Literacy in Schools

Jared Schroeder | Assistant professor of journalism, Southern Methodist University | Trib Talk | Texas needs legislation to combat bots — yesterday

Intel has drafted model data privacy bill that includes these 6 points:

•  comprehensive, technology neutral and support the free flow of data
•  risk-based accountability approaches
• Automated decision-making should be fostered while augmenting it with safeguards
• promote access to data, supporting the creation of reliable datasets available to all, fostering incentives for data sharing, and promoting cultural diversity
• Funding research in security
• Algorithms can help detect unintended discrimination and bias, identity theft and cyber threats.

The Intel Model Legislation

Press Release from Intel

New Hampshire voters approved a state constititional amendment to protect from government intrusion personal and private information.

The constitutional language: An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent.

The passage rate: 80% of votgers supported it

Reason | N.H. Constitution Now Protects “Right to Live Free from Governmental Intrusion in Private or Personal Information”

How do consumers hold manufacturers of internet of things products, like a connected refrigerator, liable for a data theft or property damage from a hack?

That is part of what California’s SB 327 (2018 | CA) seeks to clarify to protect consumers.

CNN Wire | WE NEED STRONGER CYBERSECURITY LAWS FOR THE INTERNET OF THINGS

South Carolina Department of Revenue had a data breach impacting tax payers in 2012.

Then-Governor Nikki Haley promised those impacted life time credit mornitoring. 

The Legislature de-funded the program effective OCtober 31, 2018.

Government Technology | South Carolina Lawmakers Vote to End Post-Hack Credit Protections

• 2018 Vermont became the 1st state in the nation to regulate data brokers.
• Unintended consequences on small businesses is unknown, especially as it relates to small businesses that:
  • rely on technology platforms to reach rural customers
  • rely on cloud based storage

Vermont Digger | Christopher Minott: Protect small businesses from overly aggressive tech policy

Where: New Jersey

Who: New Jersey Attorney General Gurbir Grewal

What: In a settlement of a data breach  of medical records, New Jersey Office of Attorney General banned those responsoible for the breech from owning or operating a business in New Jersey. 

Gov Info Security | Breach Settlement Has Unusual Penalty 

Activists are promoting an Internet bIll of Rights, the kind of bill state legislatures love. What would it do?

• Keeping your “browsing history” private
  • ​Except: fraud or potential crimes  
• Full disclosure when being monitored, and the right to opt out
• Preserving the privacy of your social media accounts.
• Ownership of your personal, digital content
• Notification of injurious data breaches
• Fair play on social media platforms and/or internet providers
• Protecting children on social media
• Protection from “unfunded government mandates” on data-mining:
•  Keeping your health and fitness data private
•  Safeguarding email and text communications

Connecticut Post | We Need an Internet Bill of Rights

•  California Consumer Privacy Act (AB375 | 2018 | CA)
  • 2 year grace period
  • follows the EU’s GDPR
• Vermont ( H764 | 2018 | VT)
  • toughest data collection disclosure bill in the US
  • Data Broker Bill
• Colorado (HB11-1128 | 2018 | CO)
  • Strengthened its protections of “personal identifying information”
• New Jersey  (S1913 | 2016 |NJ)
  • Shopper Privacy Bill
  • limits retailer retention of consumer data
• Washington (HB1493 | 2017 | WA)
  • Protects more health data

The Hill | States are leading the way on data privacy

• Caution: Conflicts of Interest.  Virtual asset trading platforms often engage in several lines of business that would be restricted or carefully monitored in a traditional trading environment.
• Account for Abusive Trading Behavior
• Consumer Protetctions needed

NY Attorney General | Virtual Markets Integrity Investigation 

Activists are promoting an Internet bIll of Rights, the kind of bill state legislatures love. What would it do?

• Keeping your “browsing history” private
  • ​Except: fraud or potential crimes  
• Full disclosure when being monitored, and the right to opt out
• Preserving the privacy of your social media accounts.
• Ownership of your personal, digital content
• Notification of injurious data breaches
• Fair play on social media platforms and/or internet providers
• Protecting children on social media
• Protection from “unfunded government mandates” on data-mining:
•  Keeping your health and fitness data private
•  Safeguarding email and text communications

Connecticut Post | We Need an Internet Bill of Rights

Ohio’s  SB 220 (2018 | OH), signed by the Governor, will establish these blockchain standards:

• blockchain transactions are legitimized as enforceable electronic transactions
• applies to electronic records using blockchain
• applies to electornic signatures using blockchain
• amends the definition of “electronic record” to include blockchain
• amends the definition of “electronic signature” to include blockchain

SB 220 would apply to state contracting and state procurement.

Ohio’s  SB 220 (2018 | OH)

If a business’ cybersecurity procedures reasonably conform to any of these:

State law: California which passed the strongest net nuetrality law has agreed to put its regulations on hold while the legal fights and federal regulations are revisited

The DOJ & internet service provider trade associations lawsuit against California: Also put on hold

What are they waiting to play out? 

• February 2019 lawsuit filed by  20 states’ attorneys general along with public interest groups and private businesses filed a lawsuit against the Federal Communications Commission when it rolled back net nuetrality

What are the feds saying? our case is so strong

What is California saying? Californians can still enjoy unlimited data plans

San Francisco Chronicle | California agrees to pause net neutrality rules amid messy legal battle

The report is by: maritime law firm Jones Walker LLP

What did the report find?

• Hacks are happening at ports. 80% of large maritime industry companies (400+ employees) report cyber attack in the last year
• Unprepared. 64% say their own companies are unprepared to handle the far-reaching business, financial, regulatory and public relations consequences of a data breach
  • 6% of small companies are prepared for a cyberattack (1-49 employees)
  • 19% of midsize companies are prepared (49-400 employees)
• Not Insured.
  • ​92% small firms no cyberattack insurance
  • 69% midsize  no cyber insurance
• Legacy Software many companies operate lagacy software that cannot be modified with cyber protections​

WaterWays Journal | Report Sounds Cybersecurity Alarm 

WHO has to pay $5.79 Million? Uber

WHAT is the $5.79 million settlement for?

• a breach exposed personal information, including drivers licenses for 13,000 uber drivers
• the company waited roughly 372 days to provide notice
• failed to notify the state attorney general within the then required 45 days
• $170 will be awarded to each driver

WHERE: Washington State

Washington State Attorney General Office | AG DATA BREACH REPORT FINDS 3.4 MILLION WASHINGTONIANS’ PRIVACY COMPROMISED BY DATA BREACHES

The State Attorney General, who recommended that Washington State require breech notification when more than 500 Washingtonians are impacted, recommends the following changes to the law after data breeches increase by 26% in the last year:

• Reduce the deadline to notify affected individuals of a breach to 30 days after the breach is discovered;
• Require preliminary notification to the Attorney General’s Office of a breach within 10 days after the breach’s discovery; and
• Expand the definition of personally identifiable information to include:
  • full dates of birth
  • usernames in combination with passwords
  • digital signatures
  • DNA profiles
  • other forms of biometric data
  • identification numbers from passports and other sources.

Wasington State Attorney General Office | AG DATA BREACH REPORT FINDS 3.4 MILLION WASHINGTONIANS’ PRIVACY COMPROMISED BY DATA BREACHES

Washington State State Attorney General annual Data Breach Report found that:

• July 2017 to July 2018 3.4 million Washingtonians affected by data breeches
• 26% increase
• leading cause: mailicious cyberattack

What information is the satte Attorney General using in his statutorily required annual report?

• breach notifications WA requires notice to the Attorney General when a breach impacts 500+ 

Wasington State Office of Attorney General | AG DATA BREACH REPORT FINDS 3.4 MILLION WASHINGTONIANS’ PRIVACY COMPROMISED BY DATA BREACHES

• In 2018 it passed mandatory post election audits  HB 2406 (WA | 2018)
• Utilizing national guard during election day that also hold day jobs in the state’s largest cyber security companies
• Requires voting vendors to disclose breaches of their equipmen.

Tech republic | State of Washington has new laws and the Air National Guard to help secure 2018 midterm election

• #1 Google at  $16.4 million year to date in 2018
  • online advertising
  • data privacy
  • data security
  • self driving cars
• Facebook $9.8 million
  •  high-tech visas
  • government surveillance overhauls
  • tax
  • trade
  • privacy legislation
  • regulation of online election ads

Roll Call | Google Still K Street’s Top Tech Spender

What agency is involved? Employee Retirement System of Texas

What was the data breach? Personal health information data for other individuals was accessible when a person was logged into the agency portal

When did ERS receive notification? August 17 2018

How many people were impacted? nearly 1.25 million individuals

When did ERS report the incident?  reported to the U.S. Department of Health and Human Services as a “unauthorized access/disclosure” health data breach on October 15th

Gov Info Security | Texas Retirement Agency Portal Breach Affects 1.25 Million

Health IT Security | ERS Online Coding Error Exposes 1.25M Users to Health Data Breach

• tech companies should de-identify customer data or not collect customer data
• comprehensive federal law is necessary
  • why? tech companies that collect a lot of data are basically spies
• people should have a right in their data, and a right to have that data minimized
• consumers must be told what data is being collected & why
• the data belongs to the users and users (consumers) should always have access to it

The gold standard law: GDPR in the EU

Ars Technica | Tim Cook Calls for Strong US Privacy law, rips “data industrial complex”

Marketing Land | Report: Apple expected to say GDPR a model for US privacy regulation

What would a bill to protect ethical hackers do? Prevent liability for “white hat hackers” who find unsecured data

What group is behind this? Electronic Frontier Foundation

Do they have a campaign? Yes, the Coders’ Rights project

The Daily Swig | Campaign launched to protect ethical hackers in the Americas

State Treasurers from RI, PA and IL and New York City are backing Trillium Asset Management in calling for Zuckerberg to step down from facebook over security breaches and misuse of the platform by foreign agents.

Governing | States and New York City Urge Mark Zuckerberg to Give Up Facebook Chairman Role

What is being proposed? an international organization modeled after the International Committee of the Red Cross that would help in cyber emergencies

How would this work? provide assistance and relief to vulnerable citizens and enterprises affected by serious cyberattacks

Why? Its based on work by tech companies including:

• November 2017 a UN speech on cyber security y Brad Smith, Microsoft´s President and Chief Legal Officer
• Spring 2018 Microsoft initiated the Cybersecurity Tech Accord
• Fall 2018 60 tech companies have signed on to support core principles

Lawfare | Proposal for a Cyber-International Committee of the Red Cross

What data was exposed? Tea Party Patriots campaign materials, call lists, guidelines for national student led pro-2nd amendment protests, including toolkits for protests

How was it exposed? Left unpassword protected on an Amazon S3 storage bucket

Who found it?UpGuard, a California-based “cyber resiliency” firm renowned for locating confidential records inadvertently exposed online

Gizmodo | Tea Party Group Leaks Call Lists, Guides for Staging Pro-Gun ‘Student-Led’ High School Protests

Which utility was hit with ransomware? Jacksonville, North Carolina-based Onslow Water and Sewer Authority

when was the ransomware triggered? middle of the night Saturday,  “specifically targeted” the utility in the wake of Hurricane Florence

what was the impact of the ransomware?

• operating with limited computer capabilities
• overwheliming IT support
• accounts are being managed manually
• not interrupt water and wastewater service

CyberScoop | Ransomware hits computer networks of North Carolina water utility

Where: CipherTrace’s 2018 Q3 Cryptocurrency Anti-Money Laundering Report says 4.7% of funds moved through unregulated bitcoin exchanges is being cleaned

How can it be stopped? 

• strong money laundering laws
• bitcoin exchange regulation

Business Technology Media | Strong anti-money laundering laws hamper crypto-currency crime

A newly report titled “Email and Internet Voting: The Overlooked Threat to Election Security.” It’s a collaboration between the National Election Defense Coalition, the Association for Computing Machinery, R Street and Common Cause lists this as the best way to protect elections:

paper ballots

Politico | HIGH-TECH, LOW SECURITY

• Clear communication about compliance (35% of businesses say)
• Grace periods without penalties when regulations are implemented (31% of businesses)
• More time for compliance (17% of businesses)

78% say more cyber security regulations drive more cyber investment in businesses

Beta News | Infosecurity North America | 77 percent of CISOs get conflicting advice on changing regulation 

Both candidates set forth cybersecurity plans that will:

• train more cybersecurity professionals
  •  including 5,000 new female and minority cybersecurity professionals by 2021
• secure consumer’s private data
• protect Colorado as a place to do business

Colorado Sun | Colorado’s candidates for governor offer a first glimpse into the importance they will place on cybersecurity. 

SEC Commissioner Kara M. Stein raises these policy issues for regulators:

• Should a company value its data?
• Should it disclose the value of its data?
• Who is responsible for the appropriate collection and use of data?
• Who is responsible for protecting the privacy of personally identifiable information that is collected and used?
• Who is responsible for determining how data can be shared?
• Who is responsible for establishing and implementing minimum standards for data collection and use?
• Who is responsible for addressing inherent conflicts of interest?

SEC | From the Data Rush to the Data Wars: A Data Revolution in Financial Markets

California’s Internet of Things legislation, SB 327 (2018 | CA), requires consumer goods to:

• come with a unique password per consumer good
• passwords cannot be set to admin or password
• in the alternative, consumer goods can require a statup procedure that requires the consumer to set a password

BBC News | Weak passwords banned in California from 2020

How a state can legislatively protect its residents from data miners:

• apply laws not only to 3rd party data miners but also 1st party data miners that do have a direct relationship with consumers such as:
  • retailers
  • social media companies

Also, what is a data miner? an entity or person that collects and sells personal information from consumers with whom the broker has no direct relationship

Electronic Fronteir Foundation | Vermont’s New Data Privacy Law

Which tech giants are we talking about? Facebook, Apple, Alphabet and Amazon

What is the opposition to the Australian encrypted data law?

• giving law enforcement access,  creates tools that weaken encryption & is a huge risk to our digital security
• oppose back-door access to their user’s data
• 5 nations in the  Five Eyes nations are expected to follow suit: Australia, New Zealand, Great Britain, US and Canada

CNBC | Apple and Facebook among tech firms lobbying against Australia’s encrypted data law

By applying the Deceptive Trade Practices Act to ALL data privacy violations under state law, consumers can bring private causes of action.

Electronic Fronteir Foundation | Vermont’s New Data Privacy Law

States can enacted legislation to address Data Broikers by:

• impose a fiduciary duty towards the consumers whose data they harvest and monetize
• establish a government office to assist the victims of data breaches
• compensation for their financial & non-financial injuries 
• require disclosures by data brokers like:
  •  consumer’s “right to know” what personal information a data broker has gathered
  •  how the broker obtained it
  • to whom they sold it
•  require consumer consent for data collection or sale

Electronic Fronteir Foundation | Vermont’s New Data Privacy Law

The TRUMP administration sued California when Governor Jerry Brown signed SB 327 (2018 | CA). 

What is the federal government telling the state?

• data privacy is federal jurisdiction because it impacts interstate commerce
• the FCC chair says the  “law prohibits many free-data plans”

Governing | Trump Administration Sues California After Governor Signs Net Neutrality Protections

REFRESHING OUR RECOLLECTION  |  informed:intel September 20, 2018:

California’s internet of things law, SB 327 (2018 | CA), is:

• first in the nation to address cyber security for internet of things
• internet of things- connected thermostats, coffee makers etc… that have been used to take down major websites
• it sets the floor for data security standards for connected devices

Concerns:

• Whether placing standards on ingternet of things harms innovation

Washington Post | The Cybersecurity 202: California’s Internet of Things cybersecurity bill could lay groundwork for federal action

The Congressional CyberSecurity Caucus:

Co-Chairs:   Michael McCaul & Jim Langevin

Members: 

Aguilar, Pete, California, 31st
Allen, Rick A., Georgia, 12th
Barton, Joe, Texas, 6th
Bishop, Mike, Michigan, 8th
Blum, Rod, Iowa, 1st
Brooks, Mo, Alabama, 5th
Bustos, Cheri, Illinois, 17th
Capuano, Michael, Massachusetts, 7th
Carbajal, Salud, California, 20th
Cárdenas, Tony, California, 29th
Castro, Joaquin, Texas, 20th
Chabot, Steve, Ohio, 1st
Cicilline, David, Rhode Island, 1st 
Clarke, Yvette D., New York, 11th 
Coffman, Mike, Colorado, 6th
Comstock, Barbara, Virginia, 10th
Conaway, Mike, Texas, 11th
Connolly, Gerry, Virginia, 11th 
Cooper, Jim, Tennessee, 5th
Correa, J. Luis, California, 46th
Crist, Charlie, Florida, 13th
Davis, Susan, California, 53rd
Demings, Val, Florida, 10th
Dingell, Debbie, Michigan, 12th
DeSantis, Ron, Florida, 6th
Donovan, Dan, New York, 11th
Emmer, Tom, Minnesota, 6th
Evans, Dwight, Pennsylvania, 2nd
Fitzpatrick, Brian, Pennsylvania, 8th
Fortenberry, Jeff, Nebraska, 1st
Gallagher, Mike, Wisconsin, 8th
Garamendi, John, California, 3rd
Graves, Tom, Georgia, 14th
Hastings, Alcee, Florida, 20th
Heck, Denny, Washington, 10th
Himes, Jim, Connecticut, 4th
Hultgren, Randy, Illinois, 14th
Jackson Lee, Sheila, Texas, 18th
Johnson, Bill, Ohio, 6th
Jordan, Jim, Ohio, 4th
Kaptur, Marcy, Ohio, 9th
Keating, Bill, Massachusetts, 10th
Kilmer, Derek, Washington, 6th

Lamborn, Doug, Colorado, 5th
Lance, Leonard, New Jersey, 7th
Latta, Bob, Ohio, 5th
Lesko, Debbie, Arizona, 8th
Lieu, Ted, California, 33rd
Lofgren, Zoe, California, 16th
Lowenthal, Alan, California, 47th
Lowey, Nita, New York, 17th
Lujan, Ben Ray, New Mexico, 3rd
Lynch, Stephen, Massachusetts, 8th
Marshall, Roger, Kansas, 1st
McNerney, Jerry, California, 11th
Messer, Luke, Indiana, 6th
Panetta, Jimmy, California, 20th
Peters, Scott, California, 52nd
Perry, Scott, Pennsylvania, 4th
Poliquin, Bruce, Maine, 2nd
Polis, Jared, Colorado, 2nd
Ratcliffe, John, Texas, 4th
Rice, Kathleen, New York, 4th
Richmond, Cedric, Louisiana, 2nd
Rosen, Jacky, Nevada, 3rd
Rothfus, Keith, Pennsylvania, 12th
Ruppersberger, Dutch, Maryland, 2nd
Schiff, Adam, California, 29th
Schweikert, David, Arizona, 6th
Scott, David, Georgia, 13th
Shea-Porter, Carol, New Hampshire, 1st
Sinema, Kyrsten, Arizona, 9th
Smith, Adam, Washington, 9th
Speier, Jackie, California, 14th
Stewart, Chris, Utah, 2nd
Stivers, Steve, Ohio, 15th
Swalwell, Eric, California, 15th
Taylor, Scott, Virginia, 2nd
Thornberry, Mac, Texas, 13th
Tsongas, Niki, Massachusetts, 3rd
Turner, Michael, Ohio, 3rd
Weber, Randy, Texas, 14th
Wilson, Joe, South Carolina, 2nd
Wittman, Rob, Virginia, 1st
Yoho, Ted, Florida, 3rd

• 6 candidates for U.S. House &  Senate spent more than $1,000 on cybersecurity
• why? campaigning takes too much time to address cybersecurity issues ro raise funds for cyber security technology protections
• what do recent hacks look like?
  • ​Senator McCaskill says her campaign was hacked
  • Hacking in 2 California House races are being investigated by the FBI
  • Silverlining: 2 major parties spend heavily on cyber security protections

Government Technology | Despite Mounting Threats, Cybersecurity Spending Is Low Among Candidates

A Def Con report to Congress on Thursday will say:

• 50% of voting machines are hackable
• The defect is traceable back to a 2007 report by the OH Secretary of State
• The hacking can occur remotely or when the hacker has physical contact with the machine

WallStreet Journal | Voting Machine Used in Half of U.S. Is Vulnerable to Attack, Report Finds

State: Pennsylvania

The legislation: HB32 (PA | 2018)

How is the centralization of data security decisions structured?

• create a Cybersecurity Innovation and Excellence Commission
• The Commission will be comprised of:
  • lawmakers
  • government officials such as:
    • Department of Community and Economic Development
    • Department of Labor and Industry
    •  Pennsylvania Emergency Management Agency
  • outside experts 
• The goal is to stay ahead of cybersecurity developments by:
  • coordinate statewide activities
  • but would have no responsible for enforcement activities

Pennsylvania WatchDog | House bill would create commission to centralize cybersecurity decisions in Pennsylvania

• Caution: Conflicts of Interest.  Virtual asset trading platforms often engage in several lines of business that would be restricted or carefully monitored in a traditional trading environment.
• Account for Abusive Trading Behavior
• Consumer Protetctions needed

NY Attorney General | Virtual Markets Integrity Investigation 

California’s internet of things law, SB 327 (2018 | CA), is:

• first in the nation to address cyber security for internet of things
• internet of things- connected thermostats, coffee makers etc… that have been used to take down major websites
• it sets the floor for data security standards for connected devices

Concerns:

• Whether placing standards on ingternet of things harms innovation

Washington Post | The Cybersecurity 202: California’s Internet of Things cybersecurity bill could lay groundwork for federal action

Campaign entity: The DNC

The data device policy:  Eliminate Android, espcially ZTE devices. Retain iphones.

Is there a campaign officer for security? Yes, chief information security officer, the former chief information security officer at Yahoo

Forbes | Democrat Cyber Defenders Are Purging Androids In Favor Of iPhones

HR 6743 (2018) will preempt state data breach rules.

Opposition includes:

• States with stronger data reech laws
• States with stronger protection of insurance consumers
• Hampers state ability to investigate and mitigate damages in the state

Lake County News | Jones urges House to oppose bill that undermines California security data protections

Survey of states about voter registration database security reveals:

• STATES ARE IMPROVING AND IMPLEMENTING BEST PRACTICES
• multi factor identification for access is crucial
• system iuntegrity is crucial- staff and security
• consistent auditing of security systems
• train employees about phishing

CENTER FOR ELECTION INNOVATION AND RESEARCH

 H.R. 5534 (2018) in House Financial Services Committee grants rule making authority to allow the Consumer Financial Protection Bureau to determine cybersecurity standards for its licensees. 

Credit Union Times | House Committee Approves CFPB Guidance, Data Breach Legislation

WHAT: touchscreen kiosks to direct residents & tourists to:

• points of interest
• offer directions
• offer WIFI
• public transit maps
• emergency alert functions.

WHERE St Louis MO via  St. Louis Development Corp., the city’s economic development arm

HOW: Issued a request for proposals that requires:

• kiosks not be considered a commercial venture
• kiosks are not a type of electronic billboard
• capable of capturing video surveillance footage at 1080p resolution
• 4G or 5G

State Tech | St. Louis Aims to Deploy Wi-Fi-Enabled Smart Kiosks by January 2019 

Which groups don’t like the focus on the financial sector? Retailers, because it slows passage of across the board data breach notification statutes

What’s the purpsoe of focusing on the financial sector?

• Find a solution for the Equifax breach

What are state officials saying? “He has consistently opposed federal legislation that would pre-empt state attorneys general, as this proposal appears to do.” — CT Attorney General

Inside Cybersecurity | A debate unfolds over narrow breach-notice bill’s impact on broader efforts

WHO: Faith-Based Information Sharing and Analysis Organization (FB-ISAO)

WHAT information does this group want to protect from disclosure?

• donor data
• religious websites

Cyber Scoop | Religious groups find their calling in threat sharing

WHAT: The US Chamber of Commerce opposes California’s Consumer Privacy Act and wants the federal government to preempt state law

WHAT legislative specifics do they want?

• Preemption of state data protection laws
• Require concrete harm before a lawsuit
• Preclude all class action lawsuits
•  

WHY? 

• avoid a disparate patchwork of data privacy rules
• without preemption, companies have to choose the strictist law to comply with and that is California’s consumer privacy act

MARTECH | US Chamber of Commerce calls on feds to preempt CA privacy law

​German reinsurance giant Munich Re estiamtes cybcer insurance market will:

• double by 2020 to over 8 billion dollars
• corporate spending will be $3.4-$4 billion (3-3.4 billion euros) in 2017
• corporate spending will be up to $8-$9 billion by 2020
•  economic costs of large-scale cyber attacks already exceeds losses caused by natural disasters

PHYS.ORG | Cyber insurance market to double by 2020, says Munich Re

Congress, and thus soon the states, will openly consider regulatory and legislative measures for cybersecurity in aerospace including:

• aerospace equipment
• airport cybersecurity
• connected devices

Why should I care about this for my clients?  Atlanta’s airport 2017 ransomware attack costs  may be upward of $40 million in direct costs and loss of productivity

House Committee on Homeland Security | UNDERSTANDING CYBERSECURITY THREATS TO AMERICA’S AVIATION SECTOR

Cities with mentioned cybersecurity insurance coverage:

• Houston, 3  policies covering $10 Million with a $471,400 premium
• Dallas
• San Antonio via existing property policy
• Ft. Worth,  $5 million cyberpolicy with a $99,570 premium
• Atlanta 
• Charlotte, N.C
•  San Francisco has $50 million cyberpolicy for its public-health department

Cities actively looking at acquiring policies:

• Boston
• Nashville
• Washington, D.C.
• San Jose, CA

Self insured cities:

• Seattle 

Wall Street Journal | More U.S. Cities Brace for ‘Inevitable’ Hackers

California’s AB 3075 (2018 | CA) which will require the Office of Elections Cybersecurity within the California Secretary of State’s office to:

• Create policy by litigating
  • ex: suits to support online privacy could be the new tobacco lawsuit
• Blocking Federal Policies
  • Repulican Attorneys General sued Obama Administration 46 times in 8 years
  • Democratic Attornesy General have sued the Trump Administration 35 times in year 1
• Crafting policy by managing State-level settlements delivering big headlines and fast payouts
  • ex: Equifax settlements

Forbes | How state attorneys general are driving tech policy

California Legislature overhwelmingly passed SB 822 (2018 |CA) that will:

• bans internet service providers from blocking access to legal online content
• bans internet service providers from forcing websites to pay more money for faster speeds
• restores internet protections that federal regulators rescinded

Why did the Legislature enact this bill?

California elected officials passed the bill because the California fire agency complained that Verizon restricted its internet access during an emergency.

What do providers need to know?

• throttling state agency internet acess in an emergency has repercussions.
• when a state agency contacts an internet provider during an emergency selling another data plan has repercussions
• taking family photos from social media to create memes opposing their actions has repercussions.

Sacramento Bee | Californians’ internet speed protected in bill sent to Jerry Brown

Authors of Report: Information Technology and Innovation Foundation

The report: Benchmarking State Government Websites

What do I need to know?

• States can improve their security by having their web servers properly enable HTTPS and DNSSEC
• State website accessibility is improving with 67% passing mobile friendly standards

Texas came in 41st overall. Virginia #1. 

Governing | Only 4 Percent of State Websites Pass Security Tests 

The federal govenrment has tied Title IV Funding to data security, here’s the key standards that could be replicated by states:

• Universities will be required to have “reasonable safeguards” to data breaches
• Universities will beed an estblished response plan
• Universities will need to oversee 3rd party service providers

Without these requirements, univeristies lose funding.

Department of Education | Breach Response Check List

EdTech | How to Tighten Higher Education Cybersecurity as Government Threatens Funding

What steps did Chattanooga TN take to expand health care accessibility?

• Chattanooga’s utilities provider,invested heavily in fiber-optic network infrastructure, delivering 1-gigabit-per-second connections
• The city actively explored  delivering telehealth services to residents who subscribe to EPB broadband services
• Docity, as Hypepotamus reports, is “a HIPAA-compliant telehealth platform that works by partnering with communities and internet service providers to add telehealth access to their normal packages.” If users get broadband service from an ISP, they can add telehealth services for as little as $30 per month, the report adds.

State Tech | Chattanooga’s Broadband Investment Opens the Door to Telehealth 

•  a single file containing an estimated 14.8 million records was left unsecured, without a password, online
• File ownership is not clear but is likely “Data Trust, a Republican-focused data analytics firm created by the GOP”
• data includes fields that might score an individual’s believed views on immigration, hunting, abortion rights, government spending and views on the Second Amendment
• data also includes additional personal information, such as a person’s phone numbers and their ethnicity and race

Tech Crunch | Millions of Texas Voters Records Exposed Online

1. Hiring IT professionals (36%)
2. Procuring Voting Machines (28%)

EAC analysis

Politico | Moment of Truth for Secure Elections Act 

Michigan Secretary of State Democratic candidate is proposing this election security plan:

•  Post-election audits requirement
• Standardizing poll worker training
• Convening a commission of top election security experts to advise Michigan
• Stronger penalties for tampering with voting machines
• Switching Michigan to a different system to crosscheck voter files against other states

WKAR | Democratic Secretary Of State Nominee Targets Election Security 

States are enacting more quickly and fully than the federal government on data security regulation. Here’s a look at the 5 states leading the way:

•  California Consumer Privacy Act (AB375 | 2018 | CA)
  • 2 year grace period
  • follows the EU’s GDPR
• Vermont ( H764 | 2018 | VT)
  • toughest data collection disclosure bill in the US
  • Data Broker Bill
• Colorado (HB11-1128 | 2018 | CO)
  • Strengthened its protections of “personal identifying information”
• New Jersey  (S1913 | 2016 |NJ)
  • Shopper Privacy Bill
  • limits retailer retention of consumer data
• Washington (HB1493 | 2017 | WA)
  • Protects more health data

The Hill | States are leading the way on data privacy

Indiana Secretary of State outreach plan touting a secure election contains:

•  television, radio, and print ads stressing voter registration deadline
  • safe, secure, and reliable voter registration, go to Indianavoters.com.”
• refers to the IN election system as “he healthiest 200-year-old”
• touting security measures:
  • stresses none of Indiana’s voting machines are connected to the internet
  • Ball State tests the state’s voting systems

WFYI | Indiana Secretary Of State Seeks To Reassure Hoosiers Over Election Security 

Removing a requirement for a paper count of ballots as a post-election audit method.

The statement from Verified Voting.

Florida offers local governments election security grants that:

• Can purchase electronic poll registers to prevent double voting
• Can purchase and install off-site server
• Provide for hiring an IT professional to implement the new off-site server
• Offers local governments an opportunity for backups in place to resume the continuity of operations instantaneously

Suwannee Democrat | Election security grants approved for local counties

Washington and Alaska ended their online voting in response to hacking threats.

McClatchy DC Bureau | Can hackers tamper with your vote? Researchers show it’s possible in nearly 30 states

An 11 year old hacked a replica of Florida’s election results website in 10 minutes and change names and tallies.

10 minutes to fake election results.

Reuters | Boy, 11, hacks into replica U.S. vote website in minutes at convention

Campaign: For Massachusetts election official, the Secretary of State

The 2 competing election hacking plans:

• Plan 1:
  • add 7-10 full-time cybersecurity specialists
  • create the Cybersecurity Operations Center
    •  operate on a 24/7 basis and monitor the office’s voting data
  •  risk-limiting audits to be conducted after all state and federal elections
• Plan 2 from the 7 term incumbent
  • continue to only use paper ballots
  • store  voters’ personal information off the internet
  • exisiting IT staff and standards that have been working

WWLP | Secretary candidates describe approaches to election security

WHERE: California

WHAT: The information sharing at the California Cybersecurity Integration Center alerted agencies along I-5 to a wildfire before the wildfire was phoned in

HOW: the Cybersecurity Inegration Center uses electronic scrapes of twitter, and a tweet started the wildfire information sharing through the agency

Cybersecurity Integration Center was created by Executive Order in 2015. 

Route 50 | How California Is Improving Cyber Threat Information Sharing

These make funny road sign hacks, like the zombie apoocalypse is now,  look like childs play:

• Flood Sensors can be manipulated by hackers
• Radiation Alarms can be hacked
• General Chaos by hacking traffic lights, emergency signals

Security Intelliegence | How to Outsmart the Smart City 

• 8 States collaborating with the Governors Association
  • Arkansas, Colorado, Delaware, Indiana, Iowa, Minnesota, Vermont and Washington
• Establish best practices for health care data
• Really long name:  “Harnessing the Power of Data to Achieve State Policy Goals: The Foundation for State Success in Improving Quality and Reducing Costs,”
• 16 months 
• Goals:
  • enable a fuller and better use of the countless health-care data streams they collect and maintain
  • legislative fixes
  • regulatory fixes
  • lasting impact that could even extend beyond health care

Government Technology | Governors Association Works with Eight States to Improve Health Data Sharing 

Activists are promoting an Internet bIll of Rights, the kind of bill state legislatures love. What would it do?

• Keeping your “browsing history” private
  • ​Except: fraud or potential crimes  
• Full disclosure when being monitored, and the right to opt out
• Preserving the privacy of your social media accounts.
• Ownership of your personal, digital content
• Notification of injurious data breaches
• Fair play on social media platforms and/or internet providers
• Protecting children on social media
• Protection from “unfunded government mandates” on data-mining:
•  Keeping your health and fitness data private
•  Safeguarding email and text communications

Connecticut Post | We Need an Internet Bill of Rights 

Ohio’s  SB 220 (2018 | OH), signed by the Governor, will establish these blockchain standards:

• blockchain transactions are legitimized as enforceable electronic transactions
• applies to electronic records using blockchain
• applies to electornic signatures using blockchain
• amends the definition of “electronic record” to include blockchain
• amends the definition of “electronic signature” to include blockchain

SB 220 would apply to state contracting and state procurement.

Ohio’s  SB 220 (2018 | OH)

If a business’ cybersecurity procedures reasonably conform to any of these:

DOE Secretary Perry looks to DOUBLE the number of utilties sharing cyberthreat information.

Why?

• Close collaboration between DOE and utiltiies helped thwart utilty cyber attacks last year
• DOE is increasing its cyber security efforts
• “We’re leading by example, by strengthening protection and response capabilities for our own power marketing administrations that fall under the DOE’s supervision,” Perry said.

FCW | DOE looks to double number of electric utilities sharing cyber threat data

A Navigant research report on cyber security of utilities and the grid broadened cyber security to smart meters.

The suggested recommendations for smart meter cyber security:

• robust security strategy
• clear breach response plan
• providing strong and constant security training to all employees

State Tech | Where Smart Utilities Meet Cybersecurity

Philadelphia terminated its data sharing agreement with ICE.

What do supports say?

• Federal Courts agree with the constitutional concerns of not providing basic, humane treatment of immigrants
• concerned that ICE was using the database “in inappropriate ways” 
• Distrust in immigrant communities harsm law enforcement’s ability to keep the city safe

Governing | A Major City Ends Data-Sharing Contract With ICE 

Courts have ruled that business cyberinsurance does cover phishing attacks and other courts have ruled that cyberinsurance does not cover phishing scams.

Coming to a regualtor or legislator near you soon….

LegalTech News | Cyber Insurance Growing Pains: Sixth Circuit Overturns Email Phishing Ruling

Montana’s Top Election official said hackers entered their systems during the 2016 election.

AP | Official: Russian hackers targeted 2016 Montana election