Cybersecurity & Tech

California’s SB 823 (2018)  requires:

• Free credit card freezes and credit freeze lifts
• Allowing all credit reporting agencies to freeze credit by initiaiting a request with 1 credit reporting agency
• Allowing for electronic freezes and lifts

4 States currently allow for free credit freezes and freeze lifts:

•  Indiana
• Maine
• North Carolina
• South Carolina

The states looking to add net nuetrality requirements: North Carolina, Illinois, California, New York, Massachusetts, Nebraska, Rhode Island and Washington

4 policy goals of net nuetrality:

•  A level playing field for all online services that prohibits internet providers to block or slow down sites or online services
•  Ensure consumers find the content of the choice
• Maintain broad access to online services and information
• Protect businesses, large and small, from having to pay fees to reach users

Is there state authority to act? There is no statutory preemption & a 2016 case against the FCC stood for no FCC preemption 

Bipartisan? Yes. Republicans argue for the need to level the playing field for small businesses

New York Times |  States Push Back After Net Neutrality Repeal

The new federal legislation, The Data Breach Prevention and Compensation Act, would:

• Create a new cybersecurity office within the Federal Trade Commission
• Incentivize data security by imposing mandatory fines on credit reporting agencies with flawed security
• Annual inspections by the FTC of credit reporting agencies
• Fines would be divided to:
  • 50% to the consumers affected
  • 50% to the FTC to fund inspections and cybersecurity research
• Credit reporting agencies would have to report to the FTC their technical and organizational security measures

Gizmodo | New ‘Cybersecurity Office’ Would Oversee Companies Like Equifax and Dole Out Fines for Slipshod Security

The state Attorney General and a State Representative are promoting an forthcoming North Carolina bill, the Act to Strengthen Identity Theft Protections.

Here’s what the bill will do:

• Include ransomware in definition of data breach
• Protect more information by creating a duty for businesses to have reasonable data security standards, and include insurance/medical information in the data breach notification law
• Quicker consumer notification.  15 day time limit to notify the consumer & the Attorney General
• Free credit freezes & credit freeze lifts
• 3 free credit reports from each of the 3 credit reporting agencies
• 5 years of free credit monitoring if a credit reporting agency experiences a breach
• Penalties will follow the Deceptive Trade Practices Act  that makes each act a violation to which penalties can attach
• Require consent for credit reports
• Consumer right to all their information at a credit reporting service

Alabama’s Governor successfully pushed for a cybersecurity & engineering magnet school.

The school’s official name: Alabama School of Cyber-Technology and Engineering

Number of students: 300

Grades in the School of Cuber Technology & Engineering: grades 7-12

AL.com | New cyber, engineering magnet school coming to Huntsville

The 4 Issues the group wants covered by federal data breach legislation:

• A flexible, scalable standard for data protection that factors in:
  • the size and complexity of an organization
  • the cost of available tools to secure data
  • the sensitivity of the personal information an organization holds, as well as guarantees that small organizations are not burdened by excessive requirements.
• Notification when a reasonable risk exists. A notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm.
• Consistent, exclusive federal enforcement of the new national standard by the Federal Trade Commission (FTC) and state Attorneys General, other than for entities subject to state insurance regulation or who comply with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996/HITECH Act. For entities under its jurisdiction, the FTC should have the authority to impose penalties for violations of the new law.
• Clear preemption of the existing patchwork of often conflicting and contradictory state laws. 

The group supporting federal data security legislation: 

ACT | The App Association

American Bankers Association

American Insurance Association

American Land Title Association

BSA | The Software Alliance

Consumer Bankers Association

Credit Union National Association CTIA

South Carolina Attorney General clarifies- financial info yes, but not security information

South Carolina Attorney General says that the South Carolina election commission can withhold from disclosure cybersecurity information. 

Can related information about election cybser security be released thbrough open records?

Yes, South Carolina election commission will release financial information about cybersecurity products & services purchased

Michigan considered a bill to protect election cybersecurity information

HB 4973 (2017)  excepts from disclosure information that addresses:

• CONFIDENTIALITY, INTEGRITY, OR AVAILABILITY OF INFORMATION SYSTEMS,

• AND CYBERSECURITY PLANS, ASSESSMENTS, OR VULNERABILITIES

   

  State Scoop | South Carolina election commission permitted to withhold cybersecurity documents

Mississippi is considering statewide standards for data that will:

• how to long to store personal data
• how to dispose of personal data
• what personal data can be disposed of
• how to store personal data
• apply to all state entities that have personal data in their possession
• what a state agency, Department of Archives and History, needs to store data in perpetuity

What prompted this legislative action by Mississippi?

• A 2013 breach of health care data at the Univeristy of Mississippi
• A resulting 2016 $2.75 Million penalty by the US DHHS as a result of the data breach
• An unfavorable report by the state legislative watchdog committee for Performance Expenditure and Evaluation Review

Clarion Ledger | Lawmakers to review ways to make public’s identifiable data in state hands more secure

​Maryland HB 974 (2017)

• Includes all HIPPA information in the defintion of personal information for state data breach law purposes
• The bill also protects Biometric data, such as fingerprints, voice prints, and genetic prints

Delaware HB 180 (2017)

• Includes medical history in the defintion of personal information
• Requires “any person who conducts business in Delaware and maintains personal information must safeguard that information.”
• Requires health insurance information to be protected
• Establishes standards to dispose of the electronic information

Health IT Security | 2017 Updated State Data Breach Laws Account for Medical Information 

A UK court found that an employer, that had taken appropriate measures to prevent a data breach,  can be held vicariously liable for a data breach when an employee:

• deliberately misused the data
• intended to cause damage to the employer by misuing the data

Bonjour U.S. State Legislators- daat security liability issues should be in your radar.

Lexology | Employer held vicariously liable for employee’s deliberate data breach

WM Morrison’s Supermarket PLC | England and Wales High Court (Queen’s Bench Division) Decisions

New York’s new rules on credit reporting agencies will do these 4 things:

• Require consumer credit-reporting agencies to identify “dedicated points of contact” for New York’s Division of Consumer Protection
  • WHY? Ensure consumers can promptly get answers 
• Mandate that credit-reporting agencies respond “within 10 days” to any requests for information made on behalf of consumers by the Division of Consumer Protection
• Credit reporting agencies must “plainly disclose” to consumers all fees associated with any identity theft protection product sold or purchased, “including when those products are originally offered for ‘free’
• Require the credit-reporting agencies disclose to New York’s Division of Consumer Protection all business relationships and contracts with companies involved in marketing credit monitoring services and related products.

The tagline from state leaders: consumers should not be penalized for having their data breached

Boston 25 News | Citing Equifax data breach, one state cracks down on credit-reporting agencies

What standards did Los Angeles use in crafting its Cyber Center? Federal Government and industry Standards

The key to the city Cyber Center?  integrated strategic operations center

What does the integrated strategic operations center do? 

•  “processes cyber threat information from the Homeland Security Department, the FBI and various private sector and non-profit sources and feeds it out to its member operations centers and to city departments”

How does this help unify cyber protections in Los Angeles?  Prior to the cyber center the city’s IT office, the Water and Power Department, the Port of Los Angeles and Los Angeles International Airport did not communicate regularly on cybersecurity. Now each is on the same page.

Are other cities taking note? Yes, Chicago, Las Vegas and New York have visited to learn more

NEXTGOV | LA Cyber Center Hopes to be a Model for Cities Nationwide

The FCC overturns net neutrality rules and Attorneys General of New York and Washington announce their lawsuit raising these 3 concerns:

• FCC’s net neutrality repeal harms consumers
• FCC’s net neutrality repeal harms small business
• FCC’s net neutrality repeal harms innovation

The Attorney General of Washington State notes that he is 5-0 in his lawsuits against the Trump administration. 

The Hill | Washington AG to sue over net neutrality repeal

• Policies to improve data security workforce
• Liability policy for businesses that utilize 3rd parties to manage and mitigate security incidents and challenges
• Policies to encourage more women in data security workforce
• Liability and notification requirements when comapnies utilize automated security security tools
• Policies that Support Awareness and Training of existing workforce
• Policies that ecourage businesses to maintain a base level of data security and notification requirements

Health Data Management | HIT Think 6 data security trends to expect in the New Year

Progressive Market’s analysis lists 3 drivers for an increased demand in cyber insurace/data security insurance including:

• legislation on data security
• growing number of cyber-attacks which have led to great losses for organizations worldwide
• rise in awareness of different cyber risks

  Digital Journal | Cyber Insurance Industry Will Be the Next Big Thing in 2018

   

Refreshing our recollection:

OHIO is considering SB 220 that ties the NIST standards to liability limitation. Yes, tort reform meets data security.

Input on Draft Standards:

Feedback and comments should be directed to cyberframework@nist.gov(link sends e-mail) by January 19th, 2018.

3 Goals of the draft standards is to align the needs of :

• policy requirements
• business needs
• technological methodologies

Flexible Standards

The standards should eveolve as technology evolves

New buzz words are emerging in dagta security policy like: Cyber attack lifecycle

NIST | Cybersecurity Framework Draft Version 1.1

A new report by the Center for Connected Medicine found that data security leads th eminds of health care businesses:

• 9 of 10 health care companies will spend more on data security in 2018
• 54% want to better identify threats
• 50% want to better detect threats
• 50% want to better protect against cyber threats
• Less than 20% are focused on recover and respond technologies

Would health care providers pay cybercriminals?

• 17% said yes
• 17% were undecided
• 22% didn’t know
• 44% said no

Healthcare Dive | Cybersecurity tops list of IT investments for 2018

In a repsonse to cybersecurity challenges to rail, H.R. 4474 was filed that requires:

• requires a report to Congress on cyber and physical threats presented by foreign-owned software to the transportation sector
• Directs DHS to inform the industry about technical assistance it offers on cybersecurity.

Politico | TRANSPORTATION BILL CONTAINS CYBER PROVISIONS

Missouri will be considering  SB582 (2018) about student data breach notification. 

SB582 requires notification of a student data breach to 3 parties:

• the student’s parent(s) or legal guardian(s)
• the department of elementary and secondary education
• the state auditor 

Lee’s Summit Tribune | Auditor Galloway announces legislation to require schools to notify parents in case of cyber security breach

U.S. Senator Bill Nelson’s S.2179 would trigger criminal charges if:

• its found that “intentionally and willfully conceals” a breach
• and, a person incurrs $1,000 in damages

The criminal charge comes with up to 5 years in prison and/or a fine.

Who is making a request that medical device makers disclose component parts? House Committee on Energy and Commerce

On what agency are these policymakers making a request? Department of Health and Human Services

What is Department of Health and Human Services​ being asked to do?

• Require medical device manfuacturers to dislcose:
  • bill of materials (BOM) for each piece of medical technology
  • describe the device’s components
  • describe software utilized
  • disclose any known risks associated with those parts
• To promote cybersecurity through transparency

SC Media | House committee asks HHS to boost cybersecurity by requiring component list for medical devices

Vermont Governor Phil Scott named these new members to his Cybersecurity Team:

• Chief Security Officer at the UVM Medical Center
• President of Norwich University’s Applied Research Institutes
• Computer & Digital Forensics professor at Champlain College

4 Goals of the Cybersecurity Team:

• Assess the state’s cybersecurity status.
• Develop a plan to protect public and private sector information systems
• Evaluate readiness
• Strengthen safeguards

WAMC | Vermont Governor Names New Members To Cybersecurity Team 

The transportation system: Sacramento Regional Transit

The hack: destroyed internal systems data, but no data was stolen. It was a ransomware hack with a 1 bitcoin ransom

The recovered data: 80% via backup data

Impact on transportation systems: Train and bus service was not affected

Governing | Hackers Attack Transit System in California’s Capital

State with a new home health care worker registry: Massachusetts

 Supporters say:  Consumer protection

Opponents say: A worker database contradicts the state’s data security stance& jeopardizes worker safety

Mass Live | Gov. Charlie Baker signs law creating home care worker registry

The State joining the post-Equifax hack legislative trend: Rhode Island

The proponent: The Rhode Island Attorney General

The legislation would:

• Free credit freezes &un-freezes. prohibits credit bureaus from charging all Rhode Island consumers fees to place, temporarily lift, or remove security freezes on their accounts

WPRI | RI Attorney General files legislation on security freezes following Equifax data breach

The Business:   Cascade Investment, which is owned by Microsoft’s Bill Gates

The smart city: Belmont, a planned community in Arizona

The smart features:  

• high-speed networks
• autonomous vehicles
• high-speed digital networks
• data centers
• new manufacturing technologies
• autonomous logistics hubs

CNN | Bill Gates invests $80 million to build Arizona smart city

State: Colorado

What is risk limiting audit for elections? 

• require all jurisdictions to have a sound ballot accounting process
• require use a batch size of one ballot
• require that a cast vote record exist and be available and retrievable for each individual ballot

How do risk limiting audits combat election hacking?

• The number of ballots to select initially is calculated by using the risk limit and the margin of the contests
• Ballots are next randomly selected
• Each ballot’s vote marking is compared by hand to the CVR for that ballot

What other states are adopting similar protocols? New Mexico & Rhode Island

Was legislation involved? Yes

Governing | Colorado implements Risk-Limiting Audit process to verify election results

Health Data breach suit, CareFirst, is heading to the US Supreme Court, and setting up the standards for what injuries are necessary for a data security  claim.

The Appellate Court found that “that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft…we have little difficulty concluding that their injury in fact is fairly traceable to CareFirst,”

Code words for legislative drafters: fairly traceable

Health IT Security | CareFirst Data Breach Case Moves to US Supreme Court

Previously on informed:intel we read about Maryland’s updated data security bill from 2017, but let’s shift our focus to the inclusion of HIPPA requirements.

Maryland’s state data breach law will include this personal information colelcted by HIPAA covered entities:

• “medical history, medical condition, or medical treatment or diagnosis. Health insurance policy, certificate number, or health insurance subscriber identification number – in combination with a unique identifier that permits access to the information – were also added to the personal information definition.”

The HIPAA info will also triggers= the data security breach notification standard of “as soon as is reasonably practicable” or not later than 45 days.

Maryland HB 974  | Maryland Personal Information Protection Act – Revisions

Health IT Security | HIPAA Info Included in Updated MD Data Breach Notification Law

• Utah CIO say its expensive, a big budget item
  • $230,000 a year for $10 million in cyber coverage and has a $1 million deductible
• 38% of state CIOs say their state has some sort of cyber insurance
• Georgia has the largest amount of cyber coverage of any state
  • $100 million in coverage. $1.8 million-a-year premium & a $250,000 deductible per incident

Governing | Fearing Hackers, States Start Buying Cyber-Insurance + Insurance Journal

Ohio’s SB 220 sets up a benefit for businesses to comply: safe harbor from suit.

What’s required for a business to get the safe harbor? The business must  adopt “a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information that complies with the NIST cybersecurity framework “

The Toledo Blade | Lawmakers offer legal carrot to defeat data breaches

OH SB 220 (2017)

Cities in Wyoming are purchasing cyber insurance to protect themselves from hackers.

Some say that the Legislature should act to protect cities from hackers.

Proposed legislation includes:

•  long prison term for those caught conducting cyber attack
• a world-wide agreement on how to abolish cyber attacks

Cody Enterprise | EDiTORIAL: Cyber insurance good idea for city

The Iowa Attorney General is reviewing the state’s cyber security protocols to do 3 things:

• identify shortfalls in current legal requirements for those who store personal information
• look to enhance consumer protections
• seek to lessen the burden on consumers who’ve been victimized by data breaches
  • Such as “scrutinizing the fees that credit reporting agencies are allowed to charge Iowans for freezing and unfreezing credit reports — particularly data breach victims,”

Des Moines Register | Amid growing threats, Iowa lawmakers push for better state and local cybersecurity

Mcirosoft is hosting legislators from across the country to address cyber security legislative solutions.

Des Moines Register | Amid growing threats, Iowa lawmakers push for better state and local cybersecurity

The pension that was hacked: IPERS, Iowa Public Employees’ Retirement System

Hackers used this information:

• dates of birth
• social security numbers
• created online IPERS accounts to reroute payments

Government Technology | How Cyber-Thieves Stole From Iowa Pension Accounts

WHO: ECRI Institute annual health technology hazards list 

WHAT: #1 concern is data security. #2 concern is endoscope reprocessing failures #3 Alert fatigue

WHY: A May WannaCry cyberattack on UK hospitals shut down all medical equipment except emergency services.

Health Care IT | ECRI: Cybersecurity tops 2018 health technology hazards

State : Michigan

When did Michigan create its Cyber Security Volunteer Corps?  2013 under the Michigan Department of Technology, Management, and Budget

What did the 2017 amendment do? Michigan’s HB 4508  codifies the Corps and permits volunteers to bring cyber-defense services to nonprofit organizations, private businesses, educational groups, and other non-governmental associations.

What is required of volunteers?  Volunteers must undergo criminal background and FBI checks

Is there charitable immunity for the corps? Yes

Homeland Preparedness News | New Michigan law assigns cybersecurity volunteers to network security assistance during cyber attacks

Stateline | Pew Charitable Trusts | Michigan Governor Signs Volunteer Cyber Corps Bill

The U.S. Treasury Department’s October 276.2017 report entitled, A Financial System
That Creates Economic Opportunities Asset Management and Insurance, goes all in for uniform state legislation for data security model legislation for insurers.

What is the model legislation? The NAIC Data Security Model Law 

What’s the 10,000 foot view of the Model law?

• Applies to insurers, agents, and other licensees.
• Cover 3 hot data security issues:
  • implementation of information security programs
  • investigation of cybersecurity events, includ­ing risk assessment and risk management, as well as oversight of third-party service providers
  • notification to state insurance regulators about cybersecurity events 
• The Model law does not take the place of stte data privacy and data breach notification laws

Florida looks to be THE state for cybersecurity. Here’s what it is doing to get there:

• Higher Education. 
  • Florida currently has 13 schools that the National Security Agency has designated as centers of academic excellence in cybersecurity education or research.
  • Florida universities and colleges offer  40 cybersecurity-related programs for graduate and undergraduate studies 
• Workforce Pipeline.
  • ​The Florida Center for Cybersecurity helps universities & students
  • Shapes curriculum to meet industry wants
• Public Education
  • ​Including cybersecurity as early as kindergarten 
• Business
  • ​ Creating a cybersecurity hub
  • Hosting “boot camp-style” training programs, meet-ups and events
• Stronger Information Privacy Laws
  • ​the goal: to shape how companies approach issues such as securing personal information and disclosing to consumers when their data has been leaked.
• Engage the Attorney General
  • ​Mimicking California and encouraging the State Attorney General to take a “strong stance toward digital privacy.”

Government Technology | Florida Sets Sights on Becoming Cybersecurity Front-Runner

Michigan Legislature is moving HB 4973 to prevent cybersecurity efforts from being dusclosued under public information act. 

Support in the Michigan House: 101 to 5

The key bill text that exempts cybersecurity info from public information:  prevents disclosure of information concerning the  “confidentiality, integrity or availability of information systems.”

Potential policy benefit: the information protection could enecourage businesses to engagte in more information sharing on cyber security 

Michigan HB 4973 (2017) 

Congress’ Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act will:

• Require a maritime representative on the nation’s information sharing hub for critical infrastructure cyber threats run by Department of Homeland Security
• Require Department of Homeland Security to improve cyber information sharing and coordination at U.S. ports

U.S. H.R. 3101 | Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act

The Hill | House passes bill to boost cybersecurity at US ports

The Democratic National Committee is claling on state party offices to srengthen cyber security.

Buzz Feed | DNC Warns State Parties On Cybersecurity: Be Better

Connecticut is creating the Connecticut Cyber Task Force.

The Connecticut Cyber Task Force will consist of:

• a mix of Local, state and federal law enforcement agencies:
  • FBI
  • Drug Enforcement Administration
  • U.S. Secret Service
  • U.S. Postal Inspection Service
  • Homeland Security Investigations
  • Internal Revenue Service – Criminal Investigation
  • Defense Criminal Investigative Service
  • Connecticut State Police
  • 11 police departments from across the state, including the Bridgeport, Bristol, Fairfield, Greenwich, Hartford, New Canaan, New London, Norwalk, Stamford, Torrington and Westport Police Departments
• coordinated efforts for  emerging cyber threats
• provide training, resources and investigative strategies to address the significant ransomware and business email compromise attacks

2 Priorities of the tax force:

• identify and disrupt criminal organizations that use computer intrusions to defraud companies of their money and information
• target criminal activity on the dark web

United States Attorney’s Office District of Connecticut | U.S. Attorney and Law Enforcement Partners Announce Formation of Connecticut Cyber Task Force

A bipartisan bill in Congress seeks to require social media companies to disclose the same campaign related information that is required of radio and tv.

Which social media companies would be affected? websites, apps, search engines, social media and ad networks with over 50 million unique visitors

What would be trigger amount for dislcosures?  if a person or entity spends at least $500 on political ads a year

What disclosures would be required?

•  copies of ads
• information about groups purchasing ads
• data on the targets of the ads 

S 1989 (2017) by Kolbuchar, McCain and Warner

The Hill | Bill to halt election meddling on social media introduced

Alexandria Virginia News | Warner, Klobuchar, McCain Introduce Bipartisan Legislation To Prevent Foreign Interference In Future Elections, Improve Transparency Of Online Political Ads

Federal:

• Free Credit freezes:  HR 3766, S 1810 and SB1816,

States:

• New York SB 6879
  • ​require credit reporting agencies to automatically place a freeze on consumer credit files
• ​New York SB 6880
  • require businesses to disclose breaches within 15 days of discovery
•  Illinois (HB 4095 and SB 2230)  & Michigan (HB 5055)
  •  as well as measures providing for free credit freezes

Congressman Tom Graves H.R. 4036:

• “A voluntary review process that individuals and companies can utilize before using active-defense techniques;
  • This provision allows defenders to benefit from review of their proposed active-defense measures by the FBI Joint Taskforce, which will assist defenders in conforming to federal law and improving the technical operation of the measure;
  • The authority to conduct these reviews would exist under a two-year pilot program, and could be amended or renewed at a later date.
• Requires notification to the government for the use of active-cyber defense measures that go beyond beaconing;
• Clarification that the bill does not interfere with a person’s right to seek damages;
• Requires an annual report on the federal government’s progress in deterring cybercrime.”

Tom Graves | Rep. Tom Graves Formally Introduces Active Cyber Defense Bill

• West Virginia’s elections team added a cybersecurity expert from the state National Guard with a top-secret federal security clearance
• Colorado “will now verify election results via an advanced statistical procedure called a risk-limiting audit.”
• Rhode Island “will now verify election results via an advanced statistical procedure called a risk-limiting audit.”
• Delaware is moving its voter-registration list off the state’s aging mainframe computer

There are also new federal guidelines for election machines.

New York Times |  Wary of Hackers, States Move to Upgrade Voting Systems

The State: Kentucky

The proposed legislation would require companies responsible for a data breach to provide impacted Kentuckians:

• access to a free credit freeze
• 3 free credit reports each year from each of the major credit reporting agencies
• 5 years of credit monitoring
• Require all credit reports be encrypted.

How was the bill proposal announced? The State Attorney General Andy Beshear and the bill’s author, State Senator McGarvey, at AARP Kentucky’s Louisville headquarters

Insider Lousiville  | AG, senator announce legislation to protect Kentuckians following Equifax data breach 

California regulations on ride share require annual data reports. The data required to be sent to the state includes:

• types of service they provide
• what neighborhoods they serve
• how many miles their drivers log

What data do the cities want? 

• Data to help solve local transporation issues
• Ride Share’s affect on roads
• Ride Share’s affect on the environment

The data’s big bad issue: Privacy concerns about rider personal information

The Recorder | Uber and Lyft Resist Regulators’ Appeal for Data Sharing

October is National Cyber Security Awareness Month. Here’s exampkes of what governments and businesses have done to engage:

• D.C. has a Cyberscoop’s  DC CyberWeek  that brings together experts, executives, innovators, influencers and decision makers from government and business sectors to learn, network, hack and improve cybersecurity outcomes.
• ESETand Wrapify are sending a squad of #CyberAware vehicles on San Diego roads offering cyber security trivia and prizes
• Secure San Diego is a day event sponsored by partners The Cyber Center of Excellence & the City of San Diego  to showcase region-wide efforts to nurture a more secure cyber environment

We Live Security | Five cool things happening for National Cyber Security Awareness Month

Thus far in 2017, the number of education data breaches:

• doubled over 2016
• the first half of 2017 saw an increase of 103%
• North American bears the brunt of educaiton hacks, with 88% occuring here
• 74% were caused by malicious outsiders
• 13% were caused by stolen, lost or otherwise compromised records

Campus Technology | Education Data Breaches Double in First Half of 2017

Resiliance is the name of the game. R Street is calling for “resiliance” and not “remediation” in legislative solutions to data breaches.

If bills shouldn’t require that  consumers receive free credit report monitoring and cyber security standards and breach notification requirements for entities that maintain consumer data, what should bills do?

• Require the National Institute of Standards and Technology to maintain a list of brest practices
• The guidelines would ” empower[s] consumers to improve their resilience to cyberattacks”

R Street | Remediation won’t cut it – we need cyber resilience

Recode | Equifax rival TransUnion has hired cybersecurity lobbyists in Washington, D.C.

The Hill | Reddit hires first lobbyists

Texas State Representatives Minajarez, Pickett, Dale, Oliverson & Goldman requested the following interim charge:​

• Study what precautions toll road operators in Texas have in place to prevent cyber security threats, both internal and external.

The Minajarez, Pickett, Dale, Oliverson & Goldman letter to Speaker Straus dated 10.2.2017

During the Congressional hearings on the Equifax breach, Republicans bandied about the idea of requiring credit reporting businesses, that have exposed consumer information, to pay affected consumers “a couple thousand bucks each [consumer]”

The rational: An incentive to keep business data security up to snuff

The Republican: Congressman Joe Barton (R-TX), a founder of the bipartisan Congressional Privacy Caucus

The Hill | GOP rep pitches fines for hacked credit-monitoring firms

Data Security makes Governing’s Top 5 Government Trends to Watch. 

Why is data security such a big deal?

• costly
• includes identity theft which hits your constituents
• securing data and fighting off ransomware is expensive
• as it comes to health care and infrastructure- data security willultimately cost lives

Governing | 5 Government Trends to Watch

• 40% of local government CIOs report experiencing more attacks during the last 12 months
• 26% of CIOs reporting an attack, incident or breach attempt occurring hourly
• 18% report a cyberattempt at least daily
• 78% of municipalities don’t have an adequate password management policy
• 97% of the municipalities he surveyed don’t have a well-documented disaster recovery plan
• 46% store their backup files and records onsite rather than offsite or in the cloud
• 90% of local governments don’t bother to encrypt sensitive emails

Government Technology | Small Towns Confont Big Cyber-Risks

A House Companion to the Senate’s, Securing Energy Infrastructure Act of 2017 by Senator Angus King (I-ME) and Senator James E. Risch (R-ID), has been filed by Congressman C.A. Dutch Ruppersberger (MD-02) and Congressman John R. Carter (TX-31). The legislation will:

• “establishes a two-year pilot program to study covered entities and identify new classes of security vulnerabilities and research and test technology – like analog devices – that could be used to isolate the most critical systems of covered entities from cyber-attacks
• develops a working group to evaluate the technology solutions proposed and develop a national cyber-informed strategy to isolate the energy grid from attacks
• requires the Secretary of Energy to submit a report to Congress describing the results of the program, assessing the feasibility of the techniques considered, and outlining the results of the working group’s evaluations.”

H,R. 3958 (2017)

Congressman Rup[ersberger | RUPPERSBERGER INTRODUCES HOUSE COMPANION TO SENATE ENERGY GRID SECURITY MEASURE

According to the association representing tech giants, cryber crime will have a $6 trillion impact on the U.S. 

Politico | Morning Cyber Security | Cybercrime will cost up to $6 trillion by 2021

The State:  New York

The regulator:  New York’s Department of Financial Services

The Subpoena: Seeks more information about Equifax’s data breach, including:

• details on when Equifax learned of the breach
• details on what actions Equifax took after the breach was discovered

More regulatory enforcement in the works? Yes, New York also wants to impose the financial data security rules it finalized this year to apply to credit reporting agencies like Equifax.

What does this mean for other states? Colorado followed in New York’s footsteps to become the 2nd state to impose specific data security requirement son the financial industry. Look for a specific application to credit reporting agencies forthwith

Reuters | New York regulator subpoenas Equifax over massive data breach: Report

New York Law Journal | NY Issues Subpoena to Equifax Over Breach, Vullo Confirms

Kentucky Attorney General proposes revisions to the state’s data breach notification statute to require:

• Kentuckians impacted by a data breach would gain access to a free credit freeze
• Require access to 3 free credit reports each year from each of the major credit reporting agencies
• Require 5 years of credit monitoring
• Require all credit reports be encrypted

WCPO | Kentucky’s attorney general proposes new data breach protections after Equifax incident

New York General Assembly measure A08679 would allow New Yorkers to check their credit reports as often as they wanted for free.

Federal law requires an annuak free credit report check be available.

New York State Assembly measure SO 6886  would require a breached entity to provide 5 years of free credit freezes.

In the Cybersecurity Act of 2015,   Congress created the Health Care Industry Cybersecurity Task Force.

6 “critical” recommendations were offered:

1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

2. Increase the security and resilience of medical devices and health IT.

3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

4. Increase health care industry readiness through improved cybersecurity awareness and education.

5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

6. Improve information sharing of industry threats, weaknesses, and mitigations.

JAMA | Cybersecurity—A Serious Patient Care Concern

The local government: Montgomery Co. Maryland

The hackers demanded: 9 bitcoins, valued at between $40,000 and $50,000

Other local governmetns have been able to retrieve data from back up and not pay the ransom, was that tried? Yes, but for reasons unrelated to the hack the backup was not a viable option

What was the value of the data to the county? $5 million

Montgomery Advertiser  | Montgomery County pays ransom, gets data back

Wisconsin’s election officials have created a state elections security team, and here’s what you need to know:

• Inter-agency Communication.  It will work with federal, state and local elections officials
• Cyber security Infrastructure. Builds on cyber-security steps already taken
• Best Practices. Establishes best practices to address ever-changing threats
• Statewide Policies?  The team will consider whether to mandate that local clerks meet minimum security requirements for hardware and software they use
•  3 Ways the Security Team will Help Local Election Administrators.
  • ​Training of local election officials
  • Maintaining a list of key federal, state and local contacts
  • Developing contingency and action plans to deal with security issues

Wisconsin Law Journal | State creating elections security team, plan

• Partner with the private sector and local nonprofits.
• Be creative and develop a program that is customized to the particular area. 
• Develop connections between military and government units that have use for the local talent and the companies that surround them.
• Facilitate the local placement of national government cybersecurity capacities. 

Politico | How to erect an economic powerhouse using cybersecurity

Cybersecurity as an Engine for Growth Authors: Natasha Cohen, Rachel Hulvey, Jittip Mongkolnchaiarunya, Anne Novak, Robert Morgus and Adam Segal

A new report, Cybersecurity as an Engine for Growth, looked at Beersheba, Israel; Malvern, United Kingdom; and San Antonio, United States to find 3 ways cyber security can lead to economic growth:

• Proximity to government cybersecurity functions ups the talent pool & opens up contracting opportunities.
• Being able to attract or develop a workforce is critical.
• Requires Research centers and incubators nearby.
• Industry leadership help raise public awareness & bring crucial capital to the market

Politico Morning Cyber Security | How to erect an economic powerhouse using cybersecurity

• The new hot commodity in data security: blockchain
• How does it work? Llike a spy network where no one entity or server has all the information.
• How quickly can information and payments move? Instaneously with no holding fees.

How does the spy network analogy play out for data?

Say your a city controller making payments to a contractor. The payment can be processed instaneously without being hacked because the information is broken down into packets, encrypted and each packet is sent a different path & then reassembled so that the city knows the funds have been withdrawn and the contract recipient has funds deposited.

Governing | The Next Big Technology to Transform Government 

New York State Assembly is pursuing SB06880 to require a consumer to be notified of a breach within 15 days of discovering the breach.New York SB 06880 (2017)

Supporting changes to New York’s Data Security and Notification Act, the state Attorney General states:

• Expect more from companies entrusted with your data
• All companies need reasonable security measures for their scale of company and type of business (what’s good for Equifax isn’t good for the Zavala Patisserie)
• Private information should include your phone fingerprint or face scan and a slew of other private information

New York Daily News |Op-Ed by New York A.G. Eric Schneiderman | Raising our guard vs. mega-breaches 

Long Island Business News  | AG calls for tighter regs after Equifax breach

Convenience and Fuel retailers and a coalition of that includes the American Hotel & Lodging Association, International Franchise Association, National Association of Realtors, National Association of Truck Stop Operators, National Council of Chain Restaurants, National Grocers Association, National Retail Federation,  Society of Independent Gasoline Marketers of America, and the U.S. Travel Association support 4 principles of data security legislation:

• National Standards. Not piecemeal state regulation.
• Reasonable data security standards. A standard of reasonableness is logical as politics is very reasonable.
• FTC enforcement standards. A path to reign in the other federal agencies exercising data security enforcment- bonjour– FTC, HHS, and SEC.
• Any and all breached entities should be required to notify. No special industry exceptions.

NACS | RETAILERS OUTLINE FOUR PRINCIPLES OF DATA SECURITY 

Illinois is proposing to eliminate fees that credit-reporting companies are allowed to charge for imposing or lifting a credit security freeze.

Illinois Senate Bill 2230 (2017). 

2 Attorneys General (MA and NY) are suing, or my soon sue, Equifax for violating state consumer laws.

This sparked legislation to require credit reporting agencies to have the same scrutiny as banks, hospitals and others that handle confidential consumer data.

CBS This Morning | Mass. attorney general to sue Equifax for violating state consumer protection laws

WGBH | Mass. AG Maura Healey Will Sue Equifax Over Data Breach

Nebraska State Sen. Adam Morfeld is proposing a bill to require a credit reporting agency that has a breach to offer lifetime credit monitoring for free.

Morfeld’s reasoning? Equifax response to its hack was not enough

Virginia de-certified touch screen voting machines that do not leave a paper trail after voting machines were hacked within seconds at a tech conference earlier this year.

A vote by the State Election Department triggered the removal of the voting machines.

Tech Crunch | Virginia just decertified its most hackable voting machines

What is a data trespass law? While it sounds like data security, these laws create a crime against physically entering land to acquire data like pollution or animal cruetly.

Are data trespass laws constititional? Maybe not. A Federal Appeals court has found a Wyoming law likely violates the 1st Amendment.

Who is for these laws? Land owners, members of the Farm Bureau

Who is against these laws? People for the Ethical Treatment of Animals, Center for Food Safety, National Press Photographers Association

Casper Star Tribune | Denver court rules against Wyoming data trespass law

Recent cyber security philanthropic gifts:

• creating a cybersecurity research center aimed at African American students in underserved communities
•  $30 million in gifts to fund the construction of the Madison Cyber Labs as well as scholarships for students and support for additional faculty and staff at Dakota State University
• Harvard, which received a $15 million gift from Robert and Renee Belfer to establish the Cyber Security Project
• Amherst, which netted a $15 commitment from MassMutual Foundation that includes $3 million for its Cybersecurity Institute;
• MIT, Stanford, and UC Berkeley, which received funding thanks to the Hewlett Foundation’s $45 million effort to establish new academic centers for cybersecurity.

Inside Philanthropy | Are Gifts for Cybersecurity the Next Gold Rush for Campus Fundraisers?

Hurricane Harvey exposed the need for energy security legislation by:

• highlighting that we must ensure our energy resources are safe, secure and plentiful
• allowing states to leverage federal resources, knowledge, and expertise to build stronger partnerships with public and private stakeholders to guarantee a better energy future

The Hill | Opinion by Rep. Fred Upton (R-MI) | In Harvey’s wake, energy security legislation needed now more than ever

Oracle repoprtedly broke with other tech companies, to openly back a federal human trafficking bill.

The legislation:Stop Enabling Sex Traffickers Act, sponsored by Senator Richard Blumenthal (D-CT) and Senator Robert Portman (R-OH)

What this bill would do:  Amend protections for social networking sites & online platforms such as Google and Facebook from being held legally liable for content shared by those on the site.

What do tech opponents say? These amendments will create endless lawsuits and stifle digital innovation.

Tech Crunch | Oracle breaks with tech industry in backing human trafficking bill

A review of grid security by Symatec reveals that since 2015 hackers have been trying to gain access to the energy sector. Here’s what you need to know:

• It’s not only US based energy sector that is being targeting. The energy sectors in the U.S., Switzerland and Trukey.
• New technology targets. the hackers are looking for expanded access to operational systems & are taking screenshots of all systems in use to outline their function
• Hackers gained access through malware and phishing employees of  power generation, transmission and distribution companies.

The Hill | Sophisticated hacking campaign has targeted energy sector since 2015

 National Association of Insurance Commissioner’s approved Insurance Data Security Model Law to improve cyber risk management in the U.S. insurance market.

What does the model law do?

• establish industry standards for data security
• applies to insurers, brokers, and agents
• requires companies to have written information security program protecting sensitive data
• requires annual cetification to state insurance commissioners
• requires notification of data breaches within 72 hours
• encourages insurers to incorporate cybersecurity into their overall enterprise risk management & corporate governance practices
• minimum practices of board and senior management reporting
• oversight of information security practices
• monitoring of third party service provider
  arrangements

Reinsurance News |  NAIC’s new security model to improve U.S. insurance sector’s cyber risk management: Fitch

• Direct State Funding
• Federal Funding via National Institute of Standards and Technology, which Congressional budget bills defund
• State Funding Via an agency that oversees election cybersecurity

8 States have a plan to replace their voting machines: MN, MI, NV, NM, CO, AR, MD, RI

Politico | Cash-strapped states brace for Russian hacking fight

Governing | State Election Officials Need Money to Boost Cybersecurity, But Where Will They Get It?

Experts say self driving cars are better protected from hackers; making human driven cars more likely to face a hacker.

Why are non-selfing driving cars easier to hack? Because the cars send signals via sensors to themselves about distances and the like over low-level system that hackers have been penetrating for years. 

The fusion of these sensors in self-driving cars creates a ecueity protection as each sensor doesn’t trust the others data and the system as a hwole can override a command.

Guardian News | Assume self-driving cars are a hacker’s dream? Think again

Hurricane Harvey marks the 1st wide scale commerical use of drones after a disaster.

In addition to news crews utilizing drone footage, drones have been deployed by :

• Insurance Companies to document and determine damages
• Telecommunications companies to assess damages to infrastucture

San Antonio Express News | Government Technology | How Fleets of Drones Are Helping Assess Damage from Hurricane Harvey

465,000 pacemakers are under voluntary recall for security issues that could allow a cybersecurity breach that would allow a 3rd party to :

• modify pacing commands
• cause premature battery depletion

No known cybersecurity issues with the pacemakers are known.

Regulatory Affairs Professionals Society | Abbott Recalls 465,000 Pacemakers for Cybersecurity Patch

In 2013 North Carolina created the 1st Innovation Center (iCenter) in the U.S.

Since 2013, the iCenter has become focused on changing the culture of state government by:

• working with higher ed
• reaching out to local governments to help with IT 
• using technology to think differently and approach issues differently 

What does this mean? State innovation centers are a way to introduce new technology to all levels of government within a state.

Government Technology | North Carolina’s iCenter Reaches Beyond State Agencies for New Ideas, Best Practices

Data Centers are chosing to set up shop in Iowa. Corn fields and data servers go together like Bluebell Ice cream and Texas.

The latest data center by Apple Inc. includes an economic incentive package that includes:

• $208 million in state and local tax benefits
• Apple will provide 50 jobs, buy 1000 acres and build cpaital investments of $1.4 Billion

What does the Hawkeye State have to offer?

• generous tax breaks
• wind-generated power
• relative security from natural disasters

AP | Apple gets $208 million in tax breaks to build Iowa data center

Nevada is streamlining its state email servers, for all its state employees, to a single provider contract.

Government Technology | Nevada CIO: State’s Major IT Initiatives Are Moving Forward

Cinncinati is using predictive modeling to determine which properties might fall into disrepair to thwart blight before it occurs. 

Government Technology | Battling Blight: Four Ways Cities Are Using Data to Address Vacant Properties

The Business: Integrated Roadways

What are integrated roadways? Roads with sensors, phone, and internet connectivity, telecommunications, fiber-optic cable, and high-speed Internet, as well as other hardware, inside road surfaces.

Would these integrated roads collect data for the benefit of the city? Yes.
 

What type of dats would roadways collect?  data on vehicle counts, speeds, and weights to give cities access to information

Equipment World | Smart pavement pilot projects stuffing roads with sensors and internet connectivity

Virginia has a new state level program to train veterans to fill cybersecurity jobs.

Virginia’s vetrans training program :VetSuccess Immersion Academies via SANS CyberTalent Solutions

The veterans can take up to 3 courses and receive certification when they qualify.

Government Technology | Virginia Expands Cybersecurity Training for Veterans in Bid to Fill Vacant Positions Statewide

The State: Virginia

The goal of the public-private partnership:  “optimizing opportunities for innovative collaboration and investment in Virginia’s transportation system”

The data shared with the private sector: 22 different data sets, with initial data sets including traffic volumes, speed limits, travel advisories, lane closures, crashes, truck restrictions, traffic sensors, incidents, sign messages and locations, paving schedules, short- and long-term weather events, the Six-Year Improvement Plan, major road construction and Signal Phase and Timing data.

Equipment World | Virginia DOT launches SmarterRoads data portal for transportation app development

Gartner Inc. estimates that cybersecurity spending will increase in 2017:

• By 7%
• Accounting for a world-wide spending of $86.4 billion in 2017 and $90 Billion in 2018

Spending will be focused on:

• cyber security services
• IT outsourcing
• consulting
• implementation services

By 2020, bundled cybersecurity contracts will account for 40% of all managed security service contracts and will include:

• cybersecurity
• IT deisgn build outsourcing

Politico | Morning Cyber Security | Still a Growing Boy

Gartner Inc. | Gartner Says Worldwide Information Security Spending Will Grow 7 Percent to Reach $86.4 Billion in 2017

Maryland is offering its Medicaid patients a Telehealth App with these policy goals:

•  By offering emergency room telehealth visits, Maryalnd estiamtes it will cut down on Medicaid ER costs
• It can help connect patients to medical professionals, such as where to find services
• Allows for prescriptions to be called in after a telehealth visit

State Government Tech | Maryland Offers Medicaid Users Free Telemedicine App

These 30 Governors, Republican and Democrat, signed onto ther National Governor’s Association Confront the Cyber Threat Initiative: AL, AK, AZ, AR, CA, CO, CT, DE, Guam, HI, ID, IN, IA, KY, LA, MA, MD,MI, MN, MO, MT, NV, NH, NJ, NC, ND, OK, OR, PA, Puerto Rico, RI, UT, VT, Virgin Islands, WA, WV, WI, WY.

The Compact calls for 3 major strides:

The Federal Trade Commission settled a data privacy investigation by Uber agreeing to 20 years of privacy audits.

The FTC says the company “failed consumers”

CNBC | Uber agrees to 20 years of privacy audits after FTC says it ‘failed consumers’

First comes banning investments in the country du jour, now comes stopping outsourcing funds or policy initiatives related to cybersecurity to Russia.

Amendments bandied about D.C. by Senators Durbin, Warren and Whitehouse prohibit the use of federal funds to establish or support a “joint cybersecurity initiative” with Russia.

This trend is heading toward statehouses near you.

Politico | Morning Cybersecurity | Amendments to the policy roadmap