Cybersecurity & Tech

1. Election Security
2. Data privacy and Security think Marriott and Equifax Breach fixes to protect consumer data
3. Infrastructure Protection
4. Cyber Security Workforce 

The Hill | Four cybersecurity priorities for Congress to confront active threats

• 30 days to provide notification to consumers
• Greater disclosures to consumers about data collected and where it is stored
• Free credit freezes and unfreezes for a year
• 4 years of credit monitoring- free
• Applies Deceptive Trade Practices Act penalties to Businesses (these accrue daily and per incident)

Who is backing this bill: North Carolina  State Attorney General 

What impact does this have to businesses?

• healthcare comapnies would see their notifcation timeline cut from 60 days to 30 days

Have other states shortened notification timelines? Yes, in 2018 Colorado also went to 30 days. Iowa went to 45 days.

Health IT Security | North Carolina Reintroduces Strict Data Breach Notification Law

What are states doing to train their employees to protect data?

• Michigan, Oklahoma and Wyoming encourage but don’t require training
• Idaho Governor Excutive order requires training for all executive staff
• Illinois in 2017 made cybersecurity training mandatory for state employees
• Indiana’s CIO has authority to make training mandatory for state employees
• Utah sends out phony phishing emaisl to state employees to test them
• CT offers voluntary training every 2 months
• Alabama offers daily cybersecurity trivia games with prizes to employees, 1000 employees play a day

GCN  | As states lag on cyber training, agencies are fertile phishing grounds

SB273 (OH |2018) does the following:

• Adopts the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law
• OH becomes the 2nd state after South Caroline to adopt the model law
• Requires licesees develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system within 1 year of the effective date of the Act;
• Perform a risk assessments 
• Develop a formal incident cyber response plan 
• Require their third-party service providers to implement security measures within 2 years
• Report data breaches to the head of its Department of Insurance  within 3 business days after determination tof a cyber event;
• Certify compliance to the  the head of its Department of Insurance
• 5 year retention of all records supporting the certificate of compliance 

Cybersecurity experts favor:  hand-marked paper records processed by optical scanners

What did Georgia’s voting security commission recommend? paper records but not hand marked and processed by optical scanners

politico | GEORGIA GOES ANOTHER DIRECTION

Paper products rejoice! South Carolina legislature will consider requiring paper ballots. S374 (2019 |SC)

Politico | Two states are placing election security on their agenda this week. 

Anatomy of a white hacker on construction equipment:

• Accessed 14 construction locations
• hacked into devices that not only controlled:
  • cranes
  • excavators
  • scrapers
  • other large machinery

The solution: Move equipment away from “esoteric custom protocols” and to “modern, standardized tech” that can be easily upgraded for security

Forbes | Exclusive: Hackers Take Control Of Giant Construction Cranes

What is special about Rhode Island’s newly implemented risk limiting audits?

• the gold standard of ballot audits
• Rhode Island is the 2nd state to adopt risk limiting audits in elections

Rhode Island Assembly | General Assembly passes Sheehan, Ajello bill that would establish a post-election audit program | (2017-S 0413A, 2017-H 5704A)

• data helps create more efficient permitting processes
  • CT allows local governments to get occupational licensing data directly form the state
• overdose data helps first responders and hospitals prepare for epidemics
• Prevent fraud 
  • IN adopted its Indiana’s Management and Performance Hub to “integrate” data from several agencies to build custom analytics solutions.” Its addressing issues from car crashes and infant mortality to Medicaid optimization.
  • TX shared data across agencies during Hurricane Harvey. Data was shared in real time to support first responders, law enforcement and others. 

StateTech | How States Benefit from Appointing a Chief Data Officer

Why is statutorily protecting business email correspondence increasingly important to law makers?

Data.

What does the FBI data say about business email hacking?

• 136% increase in identified global losses between December 2016 and May 2018
• losses from business email total  $12.5 billio

Are there other terms I need to watch for in legislation/from clients?

• cyber-enabled financial fraud

National Law Review | Privacy and Cybersecurity Issues to Watch in 2019

IN 2018, Vermont became the first state to regulate data brokers.

What is a data broker? 

• A business that
• knowingly collects and sells or licenses to third parties
• brokered personal information of a consumer
• with whom the business does not have a direct relationship

What business guidance did the Vermont Attorney General offer?

• If Vermont courts do not have jurisdiction, then this law does not apply to a business
• Does it establish an opt out requirement for consumers? no
• Will businesses have to change their practices to opt out? no
• A business that collects data for its own use only is not a data broker

Los Angeles City Attorney filed suit against the Weather Channel App for not properly disclosing that the app retains user location data.

Where would I see this in legislation? in fraud, deceptive trade practices, competititve practices, cybersecurity bills that protect geolocation

Engadget | LA sues Weather Channel app owner over ‘fraudulent’ data use

 Senate Bill 2110 (2019 | ND) would give a North Dakota state agency, Information Technology Department, the power to:

•  “advise, oversee and regulate cybersecurity strategy” for:
  • state agencies
  • higher education
  • cities
  • counties
  • school districts

What’s the state argument for a unified cybersecurity approach? the local govenrments and entities are connected at some point to a state network

Local government support? Yes, the North Dakota League of Cities supports the initiative because of (1) ransomware threats and (2) small cities with part time auditors

Grand Forks Herald | Bill looks to standardize North Dakota cybersecurity for public entities

Ohio was the first state to create a safe harbor for business in its 2018 cybersecurity legislation. SB220 (OH | 2018)

How did Ohio craft its liability protection for businesses? A business has to do 1 of these:

(1) Create, maintain, and comply with a written
cybersecurity program that contains administrative, technical,
and physical safeguards for the protection of personal
information and that reasonably conforms to an industry
recognized cybersecurity framework, as described in section
1354.03 of the Revised Code; or

      (2) Create, maintain, and comply with a written
cybersecurity program that contains administrative, technical,
and physical safeguards for the protection of both personal
information and restricted information and that reasonably
conforms to an industry recognized cybersecurity framework, as
described in section 1354.03 of the Revised Code.

      (B) A covered entity's cybersecurity program shall be
designed to do all of the following with respect to the
information described in division (A)(1) or (2) of this section,
as applicable:

      (1) Protect the security and confidentiality of the
information;

      (2) Protect against any anticipated threats or hazards to
the security or integrity of the information;

      (3) Protect against unauthorized access to and acquisition
of the information that is likely to result in a material risk
of identity theft or other fraud to the individual to whom the
information relates.

      (C) The scale and scope of a covered entity's
cybersecurity program under division (A)(1) or (2) of this
section, as applicable, is appropriate if it is based on all of
the following factors:

      (1) The size and complexity of the covered entity;

 (2) The nature and scope of the activities of the covered
entity;

      (3) The sensitivity of the information to be protected;

      (4) The cost and availability of tools to improve
information security and reduce vulnerabilities;

      (5) The resources available to the covered entity.

1st state to adopt model insurance data security law: South Carolina

2nd state: Ohio legislation with 8 modifications SB 273 (OH | 2018)

The model law: NAIC

National Law Review | Ohio Moves on Insurance Cybersecurity

In 2018, Vermont passed a data breach notification bill to address the Equifax data breach.

Vermont’s Attorney General is Recommending the following additional legislative fixes:

• Create a new statewide office, Chief Privacy Officer,  charged with ensuring the state establishes best practices for handling Vermonters’ personal information
  • the position would advocate for additional privacy protections for citizens & hear concerns
• Stronger protections for student data by educational technology
  • The model: a 2016 California law that prohibits education technology companies from selling student information or disclosing it for purposes unrelated to education

VT Digger | AG says Vermont should take more steps to protect data privacy

New Jersey is looking to save costs by moving to exclusively digital records, making the state government paperless. 

The caveat: data security risks

What was the legislative plan to get to a paperless NJ state government?

• The Govenror made it a goal for his administration
• Legislation creates a task force to make recommendations and suggestionts to address concerns, like data security
• Task Force 15 person membership includes:
  • secretary of state
  • state treasurer
  • director of the New Jersey Division of Taxation
  • head of cybersecurity in the Office of Homeland Security and Preparedness
  • other members with expertise in such areas as government information technology, revenue collection and voting

Government Technology | New Jersey Bill Would Push State Government to Go Paperless

• California Privacy Act.  Will other states replicate it? Is it the US solution for GDPR?
• Federal Preemption. Will Congress pass federal data breach notification standards?
• Data Privacy Requirements for Internet of Things.  Privacy standards for your home thermostat, etc… See California’s SB 327 (2018)
• Will small businesses get a carve out bill? See S770 (115th Congress)
• Federal Preemption of Data Encryption Standards for Business

Sc Media | Top cybersecurity legislation of 2019

According to lawyers wirting in the Harvard Business Review, a data security regulatory system should:

• focusing more on systemic ways to address cyber threat
• not treat businesses punitively 
• require the federal government to take a more active role in cyber defense
• require the federal government to share cybersecuity knowledge with the private sector
• require agencies to “issue pragmatic, cost-effective operational guidance to companies on how to defend against evolving risks”
• incentivizing security improvements
•  provides greater confidentiality concerning security measures
• provide liability protections
• create a public-private collective cyber defense

Harvard Business Review | Stopping Data Breaches Will Require Help from Governments

• Thinking on these laws is backwards. Laws should switch from punishing coporations to realizing in data breaches, companies are most likely also victims of criminal activity
  • it is not a fair framework to punish companies
  • and it is not effective enforcement
• Limited cyber experts. It is impossible for “every company in America to have sufficient internal cyber expertise to manage the risk.”
• The robbery analogy. When a bank is robbed, do we blame the bank? No.

Harvard Business Review | Stopping Data Breaches Will Require Help from Governments

Stanford researchers and other professors looking at this federal definition of cybersecurity:

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation

think that the definition is outdated and needs to reflect the use of disinformation.

The list of cybersecurity legislative changes that are being bandied about:

• including disinformation campaigns
•  prohibiting the use of digital bots to impersonate people
• more tansparency on how the algorithms used by social media sites work

Lawfare | Cybersecurity: Time for a New Definition

The New Jersey Senate passed a Block Chain Task Force bill S2297 (NJ |2018) that will determine whether:

• NJ should be using Blockchain technology to modernize government systems
• it would safeguard personal data is good for NJ
• if it would help with service delivery
• whether it would be good for local governments

Touted benefits of blockchain/distributed ledger storage? could also help safeguard government systems from cyber-security attacks

Insider NJ | Kean/Beach Blockchain Task Force Passes Senate  

What did the Michigan Chamber of Commerce tout as reasons to support a Data Security bill, HB 6405 (MI | 2018) that required businesses to do certain new tasks concerning data breaches:

• The Chamber likes a specific time frame to notify affected persons
  • The chamber did not like phrasing, within a reasonable time
• Is ok with “reasonable mandates” on businesses
• The Chamber supports “.. a consumers’ right to know that their personal identifying information was compromised”

Michigan Chamber of Commerce | Michigan Chamber Applauds Senate Action on Data Breach Notification Legislation

S3288 (115th Congress) creates an offense of Aggravated damage to a critical infrastructure computer & allows for forfeiture of assets related to bots.

Morning Cybersecurity | Sen. Sheldon Whitehouse, meanwhile, complained that the Trump administration hasn’t collaborated with him on bipartisan legislation (S. 3288) to take down botnets. 

• Libaility for the school, the school distric,t the principal, and the superintendent
• Legal requirements schools retain records like, HIPPA records, that has certian legal requirements
• Disruptions to Education When a school is subject to a hack, it can suspend learning
• Student Records. A cyber event may not only want to steal information, it may want to change information. Integrity of school records is crucial
• Reputation of the school, its educational system, and its leadership

EdScoop | Five reasons schools need to address cybersecurity now

The allegations of fake constitutent support:

• Comments to the FCC over net nuetrality rules
• Of 20 million comments, almost 50% were provided without consent

The investigations:

• FBI issuing subpoenas
•  New York Attorney General with support of Attorneys General of Massachusettes and the District of Columbia

Targets of the subpoenas:

• 14 organizations
• 11 of which are either politically conservative or related to the telecommunications industry and opposed net neutrality, and three of which supported

BuzzFeed | Millions Of Comments About The FCC’s Net Neutrality Rules Were Fake. Now The Feds Are Investigating

• More attention at the state level. States have been targets of hackers and that fuels their regulatory structures
• Agility. States can respond more quickly legislatively
• More to Lose. States are closer to local level data breaches and are as impacted by local breaches
• Business Accountability State resources also support businesses that have been impacted by hackers

Baltimore Post Examiner | Why is State Cybersecurity better than Federal Cybersecurity?

HR7283 (115th Congress) requires devices purchased by the federal government to be:

• Sets contractor minimum security requirements
• Agencies will set baseline secueity standards for procurements
• Standards must be “based on technology-neutral, out- come-based security principles”

Text of HR7283 (115th Congress)

NextGov | Upcoming Bill Would Lock Down Agencies’ Internet-Connected Devices 

Is this bipartisan? Yes, Sen. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H.

What’s the bill called? The Public-Private Cybersecurity Cooperation Act

What would it do?  Creates a vulnerability disclosure program, crafted by the Department of Homeland Securty,  to allow hackers to report problems to the proper authorities without being prosecuted 

S3707 (115th Congress)

NextGov | Senators Introduce Bill to Let Hackers Reports Bugs to DHS

• Fees charged by bitcoin processor.  Do the fees exceed fees in other payment options
• Fraud there is a well known Canadian bitcoin tax scam
• Unnecessary  who wants bitcoin payment? the information according to the state will not be available until after a few months into the program
• Safety. Is it safe?

Nextgov | Is this about grabbing some of the sizzle that comes with all things blockchain and crypto

New Jersey legislature is moving A3245 (2018 |NJ) which is in repsonse to the Marriott data breach and will:

• Expands the state data breach notification requirements to include disclosure of:
  • usernames
  • email addresses
  • any passwords
  • security questions and answers
• The authors say prompt notification is required for people to keep their online acocunts protected

Insider NJ | Assembly Panel Clears Caputo & Murphy Bill Requiring Disclosure of Online Security Breaches 

• Lots of potential Texas impact.  potentially 100s of 1000s of Texans “vulnerable to the nightmare of identity theft”
• massive hack.  “compromising the personal information of up to 500 million guests”
• enforcement actions include:
  • ​serving an investigative subpoena
  • encouraging affected texans to file a complaint at  https://www.texasattorneygeneral.gov/cpd/file-a-consumer-complaint

Texas Attorney General Office | AG Pax­ton Begins Inves­ti­ga­tion Into Mar­riott Data Breach Affect­ing 500 Mil­lion Cus­tomers Worldwide

HB 747 (2018 | OH) will estalish the Ohio Cyber Reserve to protect Ohioans from cyber terrorists.

Authors tout that the Reserve will also help cities with cyber inititatives.

How many aspects of cybersecurity will the reserve have its fingers in?

• election security
• local governments
• critical infrastructure
• businesses

Like the national guard, the reserve will act by Governor action.

Fox 8 | Ohio House passes bill to establish cybersecurity team

Government Technology | Ohio House Passes Cybersecurity Team Bill

The Pennsylvania Supreme Court has ruled that employers have a duty to protect employees from cyberattacks by setting:

• Employer Duty: “a legal duty to exercise reasonable care to safeguard”
• Remedy: a recovery for negligent behavior under the economic loss doctrine

Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018)

White & Williams | Pennsylvania Supreme Court Holds Employers Have Duty to Protect Employee Data from Cyberattacks 

Norway is changing the way it taxes bitcoin miners.

The current tax structure for cryptocurrency miners: 

• the lower rate for power intensive industries (capacity of more than 0.5 megawatts)
• the rate: $0.00056 per kilowatt hour
  • 2.8% of the standard tax rate

The new rate tax structure for bitcoin in Norway:

•  $0.019 per kilowatt hour

CryptoCurrency 365 | Norway Decided to Impose Normal Electricity Tax on Miners

The Nevada Legislature will consider SB69 (2019 | NV) which is:

• backed by the Division of Public Safety’s Division of Emergency Management
• defines significant cyber events like invasions, disasters and riots
• require schools, cities, counties and resorts to have emergency response plans
• designates October as “Cybersecurity Awareness Month”
• allows the governor to call on the national guard during a significant cyber event

Nevada Independent | New pre-filed bills take aim at education, cybersecurity ahead of upcoming legislative session

• Ohio is the 1st state to accept bitcoin for tax payments
• On OhioCrypto.com 23 Ohio taxes can be paid via bitcoin
• Bitcoin tax payments will be limited to Businesses
  • After a successful pilot with businesses, then the bitcoin tax payments will open for individual OH taxpayers

Crypto Currency News | Ohio Accepts Bitcoin for Tax Payments: A Much-Needed Silver Lining. 

States have taken different approaches to how to regulate hacking by research, or white hat hackers, who identify and report data security vulnerabilities.

An example of this is a researcher who discovered in 2017 that USPS had left open all user information of the usps.gov website. There was no response from USPS, and the breach was disclosed this week. 

Tech Crunch | U.S. Postal Service Data Breach Exposes Data of 60M Customers 

• Texas is a leader. Texas should lead in regulating false information spread by bots
• Texas has been impacted by misinformation. Both these Texas events were followed by false information:
  • Austin bombings in March
  • Santa Fe High School shooting in May
• Model Legislation should include:
  • ​the 1st amendment should be respected for individuals and corporations
  • Bots should be labeled and identified
  • Outreach to encourager fact checking
  • Media Literacy in Schools

Jared Schroeder | Assistant professor of journalism, Southern Methodist University | Trib Talk | Texas needs legislation to combat bots — yesterday

Intel has drafted model data privacy bill that includes these 6 points:

•  comprehensive, technology neutral and support the free flow of data
•  risk-based accountability approaches
• Automated decision-making should be fostered while augmenting it with safeguards
• promote access to data, supporting the creation of reliable datasets available to all, fostering incentives for data sharing, and promoting cultural diversity
• Funding research in security
• Algorithms can help detect unintended discrimination and bias, identity theft and cyber threats.

The Intel Model Legislation

Press Release from Intel

New Hampshire voters approved a state constititional amendment to protect from government intrusion personal and private information.

The constitutional language: An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent.

The passage rate: 80% of votgers supported it

Reason | N.H. Constitution Now Protects “Right to Live Free from Governmental Intrusion in Private or Personal Information”

How do consumers hold manufacturers of internet of things products, like a connected refrigerator, liable for a data theft or property damage from a hack?

That is part of what California’s SB 327 (2018 | CA) seeks to clarify to protect consumers.

CNN Wire | WE NEED STRONGER CYBERSECURITY LAWS FOR THE INTERNET OF THINGS

South Carolina Department of Revenue had a data breach impacting tax payers in 2012.

Then-Governor Nikki Haley promised those impacted life time credit mornitoring. 

The Legislature de-funded the program effective OCtober 31, 2018.

Government Technology | South Carolina Lawmakers Vote to End Post-Hack Credit Protections

• 2018 Vermont became the 1st state in the nation to regulate data brokers.
• Unintended consequences on small businesses is unknown, especially as it relates to small businesses that:
  • rely on technology platforms to reach rural customers
  • rely on cloud based storage

Vermont Digger | Christopher Minott: Protect small businesses from overly aggressive tech policy

Where: New Jersey

Who: New Jersey Attorney General Gurbir Grewal

What: In a settlement of a data breach  of medical records, New Jersey Office of Attorney General banned those responsoible for the breech from owning or operating a business in New Jersey. 

Gov Info Security | Breach Settlement Has Unusual Penalty 

Activists are promoting an Internet bIll of Rights, the kind of bill state legislatures love. What would it do?

• Keeping your “browsing history” private
  • ​Except: fraud or potential crimes  
• Full disclosure when being monitored, and the right to opt out
• Preserving the privacy of your social media accounts.
• Ownership of your personal, digital content
• Notification of injurious data breaches
• Fair play on social media platforms and/or internet providers
• Protecting children on social media
• Protection from “unfunded government mandates” on data-mining:
•  Keeping your health and fitness data private
•  Safeguarding email and text communications

Connecticut Post | We Need an Internet Bill of Rights

•  California Consumer Privacy Act (AB375 | 2018 | CA)
  • 2 year grace period
  • follows the EU’s GDPR
• Vermont ( H764 | 2018 | VT)
  • toughest data collection disclosure bill in the US
  • Data Broker Bill
• Colorado (HB11-1128 | 2018 | CO)
  • Strengthened its protections of “personal identifying information”
• New Jersey  (S1913 | 2016 |NJ)
  • Shopper Privacy Bill
  • limits retailer retention of consumer data
• Washington (HB1493 | 2017 | WA)
  • Protects more health data

The Hill | States are leading the way on data privacy

• Caution: Conflicts of Interest.  Virtual asset trading platforms often engage in several lines of business that would be restricted or carefully monitored in a traditional trading environment.
• Account for Abusive Trading Behavior
• Consumer Protetctions needed

NY Attorney General | Virtual Markets Integrity Investigation 

Activists are promoting an Internet bIll of Rights, the kind of bill state legislatures love. What would it do?

• Keeping your “browsing history” private
  • ​Except: fraud or potential crimes  
• Full disclosure when being monitored, and the right to opt out
• Preserving the privacy of your social media accounts.
• Ownership of your personal, digital content
• Notification of injurious data breaches
• Fair play on social media platforms and/or internet providers
• Protecting children on social media
• Protection from “unfunded government mandates” on data-mining:
•  Keeping your health and fitness data private
•  Safeguarding email and text communications

Connecticut Post | We Need an Internet Bill of Rights

Ohio’s  SB 220 (2018 | OH), signed by the Governor, will establish these blockchain standards:

• blockchain transactions are legitimized as enforceable electronic transactions
• applies to electronic records using blockchain
• applies to electornic signatures using blockchain
• amends the definition of “electronic record” to include blockchain
• amends the definition of “electronic signature” to include blockchain

SB 220 would apply to state contracting and state procurement.

Ohio’s  SB 220 (2018 | OH)

If a business’ cybersecurity procedures reasonably conform to any of these:

State law: California which passed the strongest net nuetrality law has agreed to put its regulations on hold while the legal fights and federal regulations are revisited

The DOJ & internet service provider trade associations lawsuit against California: Also put on hold

What are they waiting to play out? 

• February 2019 lawsuit filed by  20 states’ attorneys general along with public interest groups and private businesses filed a lawsuit against the Federal Communications Commission when it rolled back net nuetrality

What are the feds saying? our case is so strong

What is California saying? Californians can still enjoy unlimited data plans

San Francisco Chronicle | California agrees to pause net neutrality rules amid messy legal battle

The report is by: maritime law firm Jones Walker LLP

What did the report find?

• Hacks are happening at ports. 80% of large maritime industry companies (400+ employees) report cyber attack in the last year
• Unprepared. 64% say their own companies are unprepared to handle the far-reaching business, financial, regulatory and public relations consequences of a data breach
  • 6% of small companies are prepared for a cyberattack (1-49 employees)
  • 19% of midsize companies are prepared (49-400 employees)
• Not Insured.
  • ​92% small firms no cyberattack insurance
  • 69% midsize  no cyber insurance
• Legacy Software many companies operate lagacy software that cannot be modified with cyber protections​

WaterWays Journal | Report Sounds Cybersecurity Alarm 

WHO has to pay $5.79 Million? Uber

WHAT is the $5.79 million settlement for?

• a breach exposed personal information, including drivers licenses for 13,000 uber drivers
• the company waited roughly 372 days to provide notice
• failed to notify the state attorney general within the then required 45 days
• $170 will be awarded to each driver

WHERE: Washington State

Washington State Attorney General Office | AG DATA BREACH REPORT FINDS 3.4 MILLION WASHINGTONIANS’ PRIVACY COMPROMISED BY DATA BREACHES

The State Attorney General, who recommended that Washington State require breech notification when more than 500 Washingtonians are impacted, recommends the following changes to the law after data breeches increase by 26% in the last year:

• Reduce the deadline to notify affected individuals of a breach to 30 days after the breach is discovered;
• Require preliminary notification to the Attorney General’s Office of a breach within 10 days after the breach’s discovery; and
• Expand the definition of personally identifiable information to include:
  • full dates of birth
  • usernames in combination with passwords
  • digital signatures
  • DNA profiles
  • other forms of biometric data
  • identification numbers from passports and other sources.

Wasington State Attorney General Office | AG DATA BREACH REPORT FINDS 3.4 MILLION WASHINGTONIANS’ PRIVACY COMPROMISED BY DATA BREACHES

Washington State State Attorney General annual Data Breach Report found that:

• July 2017 to July 2018 3.4 million Washingtonians affected by data breeches
• 26% increase
• leading cause: mailicious cyberattack

What information is the satte Attorney General using in his statutorily required annual report?

• breach notifications WA requires notice to the Attorney General when a breach impacts 500+ 

Wasington State Office of Attorney General | AG DATA BREACH REPORT FINDS 3.4 MILLION WASHINGTONIANS’ PRIVACY COMPROMISED BY DATA BREACHES

• In 2018 it passed mandatory post election audits  HB 2406 (WA | 2018)
• Utilizing national guard during election day that also hold day jobs in the state’s largest cyber security companies
• Requires voting vendors to disclose breaches of their equipmen.

Tech republic | State of Washington has new laws and the Air National Guard to help secure 2018 midterm election

• #1 Google at  $16.4 million year to date in 2018
  • online advertising
  • data privacy
  • data security
  • self driving cars
• Facebook $9.8 million
  •  high-tech visas
  • government surveillance overhauls
  • tax
  • trade
  • privacy legislation
  • regulation of online election ads

Roll Call | Google Still K Street’s Top Tech Spender

What agency is involved? Employee Retirement System of Texas

What was the data breach? Personal health information data for other individuals was accessible when a person was logged into the agency portal

When did ERS receive notification? August 17 2018

How many people were impacted? nearly 1.25 million individuals

When did ERS report the incident?  reported to the U.S. Department of Health and Human Services as a “unauthorized access/disclosure” health data breach on October 15th

Gov Info Security | Texas Retirement Agency Portal Breach Affects 1.25 Million

Health IT Security | ERS Online Coding Error Exposes 1.25M Users to Health Data Breach

• tech companies should de-identify customer data or not collect customer data
• comprehensive federal law is necessary
  • why? tech companies that collect a lot of data are basically spies
• people should have a right in their data, and a right to have that data minimized
• consumers must be told what data is being collected & why
• the data belongs to the users and users (consumers) should always have access to it

The gold standard law: GDPR in the EU

Ars Technica | Tim Cook Calls for Strong US Privacy law, rips “data industrial complex”

Marketing Land | Report: Apple expected to say GDPR a model for US privacy regulation

What would a bill to protect ethical hackers do? Prevent liability for “white hat hackers” who find unsecured data

What group is behind this? Electronic Frontier Foundation

Do they have a campaign? Yes, the Coders’ Rights project

The Daily Swig | Campaign launched to protect ethical hackers in the Americas

State Treasurers from RI, PA and IL and New York City are backing Trillium Asset Management in calling for Zuckerberg to step down from facebook over security breaches and misuse of the platform by foreign agents.

Governing | States and New York City Urge Mark Zuckerberg to Give Up Facebook Chairman Role

What is being proposed? an international organization modeled after the International Committee of the Red Cross that would help in cyber emergencies

How would this work? provide assistance and relief to vulnerable citizens and enterprises affected by serious cyberattacks

Why? Its based on work by tech companies including:

• November 2017 a UN speech on cyber security y Brad Smith, Microsoft´s President and Chief Legal Officer
• Spring 2018 Microsoft initiated the Cybersecurity Tech Accord
• Fall 2018 60 tech companies have signed on to support core principles

Lawfare | Proposal for a Cyber-International Committee of the Red Cross

What data was exposed? Tea Party Patriots campaign materials, call lists, guidelines for national student led pro-2nd amendment protests, including toolkits for protests

How was it exposed? Left unpassword protected on an Amazon S3 storage bucket

Who found it?UpGuard, a California-based “cyber resiliency” firm renowned for locating confidential records inadvertently exposed online

Gizmodo | Tea Party Group Leaks Call Lists, Guides for Staging Pro-Gun ‘Student-Led’ High School Protests

Which utility was hit with ransomware? Jacksonville, North Carolina-based Onslow Water and Sewer Authority

when was the ransomware triggered? middle of the night Saturday,  “specifically targeted” the utility in the wake of Hurricane Florence

what was the impact of the ransomware?

• operating with limited computer capabilities
• overwheliming IT support
• accounts are being managed manually
• not interrupt water and wastewater service

CyberScoop | Ransomware hits computer networks of North Carolina water utility

Where: CipherTrace’s 2018 Q3 Cryptocurrency Anti-Money Laundering Report says 4.7% of funds moved through unregulated bitcoin exchanges is being cleaned

How can it be stopped? 

• strong money laundering laws
• bitcoin exchange regulation

Business Technology Media | Strong anti-money laundering laws hamper crypto-currency crime

A newly report titled “Email and Internet Voting: The Overlooked Threat to Election Security.” It’s a collaboration between the National Election Defense Coalition, the Association for Computing Machinery, R Street and Common Cause lists this as the best way to protect elections:

paper ballots

Politico | HIGH-TECH, LOW SECURITY

• Clear communication about compliance (35% of businesses say)
• Grace periods without penalties when regulations are implemented (31% of businesses)
• More time for compliance (17% of businesses)

78% say more cyber security regulations drive more cyber investment in businesses

Beta News | Infosecurity North America | 77 percent of CISOs get conflicting advice on changing regulation 

Both candidates set forth cybersecurity plans that will:

• train more cybersecurity professionals
  •  including 5,000 new female and minority cybersecurity professionals by 2021
• secure consumer’s private data
• protect Colorado as a place to do business

Colorado Sun | Colorado’s candidates for governor offer a first glimpse into the importance they will place on cybersecurity. 

SEC Commissioner Kara M. Stein raises these policy issues for regulators:

• Should a company value its data?
• Should it disclose the value of its data?
• Who is responsible for the appropriate collection and use of data?
• Who is responsible for protecting the privacy of personally identifiable information that is collected and used?
• Who is responsible for determining how data can be shared?
• Who is responsible for establishing and implementing minimum standards for data collection and use?
• Who is responsible for addressing inherent conflicts of interest?

SEC | From the Data Rush to the Data Wars: A Data Revolution in Financial Markets

California’s Internet of Things legislation, SB 327 (2018 | CA), requires consumer goods to:

• come with a unique password per consumer good
• passwords cannot be set to admin or password
• in the alternative, consumer goods can require a statup procedure that requires the consumer to set a password

BBC News | Weak passwords banned in California from 2020

How a state can legislatively protect its residents from data miners:

• apply laws not only to 3rd party data miners but also 1st party data miners that do have a direct relationship with consumers such as:
  • retailers
  • social media companies

Also, what is a data miner? an entity or person that collects and sells personal information from consumers with whom the broker has no direct relationship

Electronic Fronteir Foundation | Vermont’s New Data Privacy Law

Which tech giants are we talking about? Facebook, Apple, Alphabet and Amazon

What is the opposition to the Australian encrypted data law?

• giving law enforcement access,  creates tools that weaken encryption & is a huge risk to our digital security
• oppose back-door access to their user’s data
• 5 nations in the  Five Eyes nations are expected to follow suit: Australia, New Zealand, Great Britain, US and Canada

CNBC | Apple and Facebook among tech firms lobbying against Australia’s encrypted data law

By applying the Deceptive Trade Practices Act to ALL data privacy violations under state law, consumers can bring private causes of action.

Electronic Fronteir Foundation | Vermont’s New Data Privacy Law

States can enacted legislation to address Data Broikers by:

• impose a fiduciary duty towards the consumers whose data they harvest and monetize
• establish a government office to assist the victims of data breaches
• compensation for their financial & non-financial injuries 
• require disclosures by data brokers like:
  •  consumer’s “right to know” what personal information a data broker has gathered
  •  how the broker obtained it
  • to whom they sold it
•  require consumer consent for data collection or sale

Electronic Fronteir Foundation | Vermont’s New Data Privacy Law

The TRUMP administration sued California when Governor Jerry Brown signed SB 327 (2018 | CA). 

What is the federal government telling the state?

• data privacy is federal jurisdiction because it impacts interstate commerce
• the FCC chair says the  “law prohibits many free-data plans”

Governing | Trump Administration Sues California After Governor Signs Net Neutrality Protections

REFRESHING OUR RECOLLECTION  |  informed:intel September 20, 2018:

California’s internet of things law, SB 327 (2018 | CA), is:

• first in the nation to address cyber security for internet of things
• internet of things- connected thermostats, coffee makers etc… that have been used to take down major websites
• it sets the floor for data security standards for connected devices

Concerns:

• Whether placing standards on ingternet of things harms innovation

Washington Post | The Cybersecurity 202: California’s Internet of Things cybersecurity bill could lay groundwork for federal action

The Congressional CyberSecurity Caucus:

Co-Chairs:   Michael McCaul & Jim Langevin

Members: 

Aguilar, Pete, California, 31st
Allen, Rick A., Georgia, 12th
Barton, Joe, Texas, 6th
Bishop, Mike, Michigan, 8th
Blum, Rod, Iowa, 1st
Brooks, Mo, Alabama, 5th
Bustos, Cheri, Illinois, 17th
Capuano, Michael, Massachusetts, 7th
Carbajal, Salud, California, 20th
Cárdenas, Tony, California, 29th
Castro, Joaquin, Texas, 20th
Chabot, Steve, Ohio, 1st
Cicilline, David, Rhode Island, 1st 
Clarke, Yvette D., New York, 11th 
Coffman, Mike, Colorado, 6th
Comstock, Barbara, Virginia, 10th
Conaway, Mike, Texas, 11th
Connolly, Gerry, Virginia, 11th 
Cooper, Jim, Tennessee, 5th
Correa, J. Luis, California, 46th
Crist, Charlie, Florida, 13th
Davis, Susan, California, 53rd
Demings, Val, Florida, 10th
Dingell, Debbie, Michigan, 12th
DeSantis, Ron, Florida, 6th
Donovan, Dan, New York, 11th
Emmer, Tom, Minnesota, 6th
Evans, Dwight, Pennsylvania, 2nd
Fitzpatrick, Brian, Pennsylvania, 8th
Fortenberry, Jeff, Nebraska, 1st
Gallagher, Mike, Wisconsin, 8th
Garamendi, John, California, 3rd
Graves, Tom, Georgia, 14th
Hastings, Alcee, Florida, 20th
Heck, Denny, Washington, 10th
Himes, Jim, Connecticut, 4th
Hultgren, Randy, Illinois, 14th
Jackson Lee, Sheila, Texas, 18th
Johnson, Bill, Ohio, 6th
Jordan, Jim, Ohio, 4th
Kaptur, Marcy, Ohio, 9th
Keating, Bill, Massachusetts, 10th
Kilmer, Derek, Washington, 6th

Lamborn, Doug, Colorado, 5th
Lance, Leonard, New Jersey, 7th
Latta, Bob, Ohio, 5th
Lesko, Debbie, Arizona, 8th
Lieu, Ted, California, 33rd
Lofgren, Zoe, California, 16th
Lowenthal, Alan, California, 47th
Lowey, Nita, New York, 17th
Lujan, Ben Ray, New Mexico, 3rd
Lynch, Stephen, Massachusetts, 8th
Marshall, Roger, Kansas, 1st
McNerney, Jerry, California, 11th
Messer, Luke, Indiana, 6th
Panetta, Jimmy, California, 20th
Peters, Scott, California, 52nd
Perry, Scott, Pennsylvania, 4th
Poliquin, Bruce, Maine, 2nd
Polis, Jared, Colorado, 2nd
Ratcliffe, John, Texas, 4th
Rice, Kathleen, New York, 4th
Richmond, Cedric, Louisiana, 2nd
Rosen, Jacky, Nevada, 3rd
Rothfus, Keith, Pennsylvania, 12th
Ruppersberger, Dutch, Maryland, 2nd
Schiff, Adam, California, 29th
Schweikert, David, Arizona, 6th
Scott, David, Georgia, 13th
Shea-Porter, Carol, New Hampshire, 1st
Sinema, Kyrsten, Arizona, 9th
Smith, Adam, Washington, 9th
Speier, Jackie, California, 14th
Stewart, Chris, Utah, 2nd
Stivers, Steve, Ohio, 15th
Swalwell, Eric, California, 15th
Taylor, Scott, Virginia, 2nd
Thornberry, Mac, Texas, 13th
Tsongas, Niki, Massachusetts, 3rd
Turner, Michael, Ohio, 3rd
Weber, Randy, Texas, 14th
Wilson, Joe, South Carolina, 2nd
Wittman, Rob, Virginia, 1st
Yoho, Ted, Florida, 3rd

• 6 candidates for U.S. House &  Senate spent more than $1,000 on cybersecurity
• why? campaigning takes too much time to address cybersecurity issues ro raise funds for cyber security technology protections
• what do recent hacks look like?
  • ​Senator McCaskill says her campaign was hacked
  • Hacking in 2 California House races are being investigated by the FBI
  • Silverlining: 2 major parties spend heavily on cyber security protections

Government Technology | Despite Mounting Threats, Cybersecurity Spending Is Low Among Candidates

A Def Con report to Congress on Thursday will say:

• 50% of voting machines are hackable
• The defect is traceable back to a 2007 report by the OH Secretary of State
• The hacking can occur remotely or when the hacker has physical contact with the machine

WallStreet Journal | Voting Machine Used in Half of U.S. Is Vulnerable to Attack, Report Finds

State: Pennsylvania

The legislation: HB32 (PA | 2018)

How is the centralization of data security decisions structured?

• create a Cybersecurity Innovation and Excellence Commission
• The Commission will be comprised of:
  • lawmakers
  • government officials such as:
    • Department of Community and Economic Development
    • Department of Labor and Industry
    •  Pennsylvania Emergency Management Agency
  • outside experts 
• The goal is to stay ahead of cybersecurity developments by:
  • coordinate statewide activities
  • but would have no responsible for enforcement activities

Pennsylvania WatchDog | House bill would create commission to centralize cybersecurity decisions in Pennsylvania

• Caution: Conflicts of Interest.  Virtual asset trading platforms often engage in several lines of business that would be restricted or carefully monitored in a traditional trading environment.
• Account for Abusive Trading Behavior
• Consumer Protetctions needed

NY Attorney General | Virtual Markets Integrity Investigation 

California’s internet of things law, SB 327 (2018 | CA), is:

• first in the nation to address cyber security for internet of things
• internet of things- connected thermostats, coffee makers etc… that have been used to take down major websites
• it sets the floor for data security standards for connected devices

Concerns:

• Whether placing standards on ingternet of things harms innovation

Washington Post | The Cybersecurity 202: California’s Internet of Things cybersecurity bill could lay groundwork for federal action

Campaign entity: The DNC

The data device policy:  Eliminate Android, espcially ZTE devices. Retain iphones.

Is there a campaign officer for security? Yes, chief information security officer, the former chief information security officer at Yahoo

Forbes | Democrat Cyber Defenders Are Purging Androids In Favor Of iPhones

HR 6743 (2018) will preempt state data breach rules.

Opposition includes:

• States with stronger data reech laws
• States with stronger protection of insurance consumers
• Hampers state ability to investigate and mitigate damages in the state

Lake County News | Jones urges House to oppose bill that undermines California security data protections

Survey of states about voter registration database security reveals:

• STATES ARE IMPROVING AND IMPLEMENTING BEST PRACTICES
• multi factor identification for access is crucial
• system iuntegrity is crucial- staff and security
• consistent auditing of security systems
• train employees about phishing

CENTER FOR ELECTION INNOVATION AND RESEARCH

 H.R. 5534 (2018) in House Financial Services Committee grants rule making authority to allow the Consumer Financial Protection Bureau to determine cybersecurity standards for its licensees. 

Credit Union Times | House Committee Approves CFPB Guidance, Data Breach Legislation

WHAT: touchscreen kiosks to direct residents & tourists to:

• points of interest
• offer directions
• offer WIFI
• public transit maps
• emergency alert functions.

WHERE St Louis MO via  St. Louis Development Corp., the city’s economic development arm

HOW: Issued a request for proposals that requires:

• kiosks not be considered a commercial venture
• kiosks are not a type of electronic billboard
• capable of capturing video surveillance footage at 1080p resolution
• 4G or 5G

State Tech | St. Louis Aims to Deploy Wi-Fi-Enabled Smart Kiosks by January 2019 

Which groups don’t like the focus on the financial sector? Retailers, because it slows passage of across the board data breach notification statutes

What’s the purpsoe of focusing on the financial sector?

• Find a solution for the Equifax breach

What are state officials saying? “He has consistently opposed federal legislation that would pre-empt state attorneys general, as this proposal appears to do.” — CT Attorney General

Inside Cybersecurity | A debate unfolds over narrow breach-notice bill’s impact on broader efforts

WHO: Faith-Based Information Sharing and Analysis Organization (FB-ISAO)

WHAT information does this group want to protect from disclosure?

• donor data
• religious websites

Cyber Scoop | Religious groups find their calling in threat sharing

WHAT: The US Chamber of Commerce opposes California’s Consumer Privacy Act and wants the federal government to preempt state law

WHAT legislative specifics do they want?

• Preemption of state data protection laws
• Require concrete harm before a lawsuit
• Preclude all class action lawsuits
•  

WHY? 

• avoid a disparate patchwork of data privacy rules
• without preemption, companies have to choose the strictist law to comply with and that is California’s consumer privacy act

MARTECH | US Chamber of Commerce calls on feds to preempt CA privacy law

​German reinsurance giant Munich Re estiamtes cybcer insurance market will:

• double by 2020 to over 8 billion dollars
• corporate spending will be $3.4-$4 billion (3-3.4 billion euros) in 2017
• corporate spending will be up to $8-$9 billion by 2020
•  economic costs of large-scale cyber attacks already exceeds losses caused by natural disasters

PHYS.ORG | Cyber insurance market to double by 2020, says Munich Re

Congress, and thus soon the states, will openly consider regulatory and legislative measures for cybersecurity in aerospace including:

• aerospace equipment
• airport cybersecurity
• connected devices

Why should I care about this for my clients?  Atlanta’s airport 2017 ransomware attack costs  may be upward of $40 million in direct costs and loss of productivity

House Committee on Homeland Security | UNDERSTANDING CYBERSECURITY THREATS TO AMERICA’S AVIATION SECTOR

Cities with mentioned cybersecurity insurance coverage:

• Houston, 3  policies covering $10 Million with a $471,400 premium
• Dallas
• San Antonio via existing property policy
• Ft. Worth,  $5 million cyberpolicy with a $99,570 premium
• Atlanta 
• Charlotte, N.C
•  San Francisco has $50 million cyberpolicy for its public-health department

Cities actively looking at acquiring policies:

• Boston
• Nashville
• Washington, D.C.
• San Jose, CA

Self insured cities:

• Seattle 

Wall Street Journal | More U.S. Cities Brace for ‘Inevitable’ Hackers

California’s AB 3075 (2018 | CA) which will require the Office of Elections Cybersecurity within the California Secretary of State’s office to:

• Create policy by litigating
  • ex: suits to support online privacy could be the new tobacco lawsuit
• Blocking Federal Policies
  • Repulican Attorneys General sued Obama Administration 46 times in 8 years
  • Democratic Attornesy General have sued the Trump Administration 35 times in year 1
• Crafting policy by managing State-level settlements delivering big headlines and fast payouts
  • ex: Equifax settlements

Forbes | How state attorneys general are driving tech policy

California Legislature overhwelmingly passed SB 822 (2018 |CA) that will:

• bans internet service providers from blocking access to legal online content
• bans internet service providers from forcing websites to pay more money for faster speeds
• restores internet protections that federal regulators rescinded

Why did the Legislature enact this bill?

California elected officials passed the bill because the California fire agency complained that Verizon restricted its internet access during an emergency.

What do providers need to know?

• throttling state agency internet acess in an emergency has repercussions.
• when a state agency contacts an internet provider during an emergency selling another data plan has repercussions
• taking family photos from social media to create memes opposing their actions has repercussions.

Sacramento Bee | Californians’ internet speed protected in bill sent to Jerry Brown

Authors of Report: Information Technology and Innovation Foundation

The report: Benchmarking State Government Websites

What do I need to know?

• States can improve their security by having their web servers properly enable HTTPS and DNSSEC
• State website accessibility is improving with 67% passing mobile friendly standards

Texas came in 41st overall. Virginia #1. 

Governing | Only 4 Percent of State Websites Pass Security Tests 

The federal govenrment has tied Title IV Funding to data security, here’s the key standards that could be replicated by states:

• Universities will be required to have “reasonable safeguards” to data breaches
• Universities will beed an estblished response plan
• Universities will need to oversee 3rd party service providers

Without these requirements, univeristies lose funding.

Department of Education | Breach Response Check List

EdTech | How to Tighten Higher Education Cybersecurity as Government Threatens Funding

What steps did Chattanooga TN take to expand health care accessibility?

• Chattanooga’s utilities provider,invested heavily in fiber-optic network infrastructure, delivering 1-gigabit-per-second connections
• The city actively explored  delivering telehealth services to residents who subscribe to EPB broadband services
• Docity, as Hypepotamus reports, is “a HIPAA-compliant telehealth platform that works by partnering with communities and internet service providers to add telehealth access to their normal packages.” If users get broadband service from an ISP, they can add telehealth services for as little as $30 per month, the report adds.

State Tech | Chattanooga’s Broadband Investment Opens the Door to Telehealth 

•  a single file containing an estimated 14.8 million records was left unsecured, without a password, online
• File ownership is not clear but is likely “Data Trust, a Republican-focused data analytics firm created by the GOP”
• data includes fields that might score an individual’s believed views on immigration, hunting, abortion rights, government spending and views on the Second Amendment
• data also includes additional personal information, such as a person’s phone numbers and their ethnicity and race

Tech Crunch | Millions of Texas Voters Records Exposed Online