Lege Trend. Anatomy of a Statewide Net Neutrality Bill in the Mayflower State that also limits ISP data collection

  • April 3, 2018

Massachusetts Legislature is moving a net neutrality bill, S2376,  that will:

  • create a central registry of internet service providers
  • require net neutrality in government contracts
  • prohibit ISPs from collecting, using or sharing a consumer’s personal data without their consent
  • State rules would be developed by the state Department of Telecommunications and Cable
  • Requires ISPs to make the same disclosures to state regulators that ISPs make to the FCC
  • An assessment on ISPs would be levied to cover additional agency oversight costs

Gloucester Times | UPDATE: Senate bill would assess providers to ensure internet neutrality

Lege Trend. What triggers a notification? How does that standard impact a business liability?

  • April 2, 2018

Draft Federal legislation will require notification of breach if and only if a business determines:

  • “a reasonable risk that the breach of data security has resulted in identity theft, fraud or economic loss”

Why does this specific statutory draft language matter? Courts are split on whether a business is liable when a data breach hasn’t resulted in actual fraud or economic loss, which means the language sets up a liability threshold.

Fox 13 | Report: Draft bill would allow credit reporting agencies, banks to conceal data breaches

5 best practices. Business & Government Cooperation for Data Security from US Businesses

  • April 2, 2018

The US Chamber of Commerce has a new White Paper supporting business-government partnerships for data security.

The 5 best practices recommended: 

  • Cultivate trusted and bi-directional relationships with law enforcement and prosecutors
  • Join a cyber information sharing organization
  • Implement and Update cyber incident response plans
  • Loop in legal counsel to keep counsel up to date on business’ cyber plans and resources
  • Actively contact law enforcement during incident response for suspected criminal activity

 

 

Local Government TREND. How 1 City Arms its Citizens in CyberSecurity.

  • March 30, 2018

City: New York City

Cybersecurity protection offered by NYC: A free app called NYC Secure that alerts a person to malicious attempts to hack their device

5 Components to NYC Secure:

  • It’s a free app
  • It will not collect or transmit any personal identifying information
  • It will not collect or transmit private data
  • It works in coordination with increased security rollouts at NYC’s public Wi-Fi networks
  • New York’s NYC Cyber Command (NYC3), a city-level cyber defense organization, will oversee the program

Tech Crunch | New York City is launching public cybersecurity tools to keep residents from getting hacked

3 Reasons 30+ State Attorneys General Opposition to Federal Data Breach Preemption.

  • March 23, 2018

32 Attorneys General oppose federal preemption of state data security laws because:

  • Reduces state enforcement by allowing entities to decide if a breach needs to be reported
  • Prevents proactive action by consumers in state law, which states currently have
  • Leaves a vacant enforcement loophole for breaches that impact fewer than 5000 

Pocono News | PA attorney general seeks stronger enforcement of data breach notification laws

Bipartisan Attorneys General Letter Opposing Federal Data Security Preemption March 19, 2018

 

CyberSecurity in the Bluebonnet Flower State Budget.

  • March 22, 2018

What does the Texas state budget spend on cyber security?

  • $8.0 million for 180 employees whose responsibilities include cybersecurity
  • $21.5 million appropriation to DIR for 2018-2019
  • $24.0 million for new cybersecurity projects and initiatives at other agencies
  • Cybersecurity accounts for 2% of state IT expenses
  • In 2016, DSHS reported security incident costs of $1.9 million

LBB | Overview of State Agency Cybersecurity Costs 

Funding Voting Machine Data Security in the Orange Blossom State

  • March 22, 2018

Florida legislature authorized the spending of  $1.9 million in federal Help America Vote Act (HAVA) money for:

  • Counties to buy devices & pay for a monthly monitoring service that looks for hacker attacks
  • Each sensor costs $8,000
  • Monthly monitoring is $1,300/month
  • Funding will last only for 12 months
  • Funding was not provided to protect the statewide database of voter information
  • Funding does not include the Governor’s request for 5 cyber security experts

Tampa Bay Times | Despite attempted Russian election hack, Legislature did not create cyber security unit

Lege Trend. Excluding Cybersecurity Info from Open Records. 4 Key Definitions in the Bill from the Apple Blossom State

  • March 21, 2018

Michigan enacted HB 4973 (2018) which will exclude cybersecurity information from open records requests. 

It creates these 4 cybersecurity definitions to protect the state’s cybersecurity:

  • “Cybersecurity vulnerability”
  • “Cybersecurity plan”
  • “Cybersecurity incident”
  • “Cybersecurity assessment”

The Peninsula | New law exempts data linked to cybersecurity from FOIA requests

 

3 Ways State & Local Regulators Can Take Action on Cybersecurity

  • March 19, 2018

 

  • State agencies can  coordinate data sharing, processing and storage
  • State and Local agencies can actively work on data minimization
  • Include cybertraining as basic employee training

 

State Tech | What’s the State and Local Agency Role in the Battle for Data Privacy?

Lege Trend. 1st in nation Criminal Case Database Run by a State + Local Governments Beating this TREND.

  • March 16, 2018

State: Florida

The bill: HB 7071 (2018)

What would this database do?

  • store searchable, anonymized data about individual defendants
  • includes ethnicities
  • includes details of plea agreements
  • county-level data about the daily number of people being held in a given jail pre-trial
  • annual misdemeanor caseload at each court

How is this trend progressing?

  • local governments like counties in California have created their own criminal case databases

WIRED | FLORIDA COULD START A CRIMINAL-JUSTICE DATA REVOLUTION

Lege Trend. Gov Signs Post Equifax Bill in the Goldenrod State. 3 Key Elements of the Bill.

  • March 15, 2018

State: Nebraska

Nebraska’s 2018 post-Equifax reform bill: Legislative Bill 757 (2018)

What does Nebraska’s LB 757 do?

  • requires reasonable security and disposal procedures and practices for all entities possessing data
  • non-affiliated 3rd parties also have to maintain reasonable security and disposal procedures for data
  • free credit freezes and free credit thaws

3 Points. Final EQUIFAX Response Bills in the American Pasque Flower State. LEGE TREND.

  • March 14, 2018

State: South Dakota

The South Dakota post-Equifax data breach bills: House Bill 1078 House Bill 1127 

What did House Bill 1078  do? Freezes remain in place until the consumer requests otherwise & must be lifted within 3 days of a request

What did House Bill 1127  do? Cost free credit report freezing & un-freezing (thawing)

4 Takeaways of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act

  • March 13, 2018

State: New York

Stop Hacks and Improve Electronic Data Security Act: NY Senate Bill S6933A (2018)

What do I need to know to sound like I know about the SHIELD Act?

  • it covers both disclosure of hacks & securing information
  • for businesses it uses the increasingly common standard of “reasonable safe-guards to protect the security, confidentiality and integrity” of private information
  • The carrot: no new causes of action are created
  • The stick: violations fall under the Deceptive Trade Practices Act and fines accrue per violation

National Law Review | A Primer on the SHIELD Act: New York’s Move to Adopt More Stringent Data Security Requirements, Part II

FBI Clears Data Researcher that Found 6.7 Million Voter Files. Cherokee Rose State Bill Criminalizes Data Researcher's Research.

  • March 12, 2018

Background: A data security researcher at a public university in Georgia discovered the personal information of 6.7 million Georgia voters unprotected online. 

The legislative Response: Georgia’s SB 315 (2018)

What is the legislative goal? Prevent computer snooping by requiring permission at the outset before seeking unprotected data maintained by a government or business

What does the tech community say? Fix this bill by only criminalizing computer snooping with malicious intent

Atlanta Journal Constitution | Georgia bill might limit efforts to find internet security problems

3 TakeAways. Education Vendors + Data Security = The Bill that Set Public Education Contract Policy in the Mountain Laurel State

  • March 12, 2018

State: Connecticut

The Data Security for Education Contracts Bill: 2016’s  H.B. No. 5469

3 Takeaways for Education Vendors:

  • All vendors need written data privacy agreements
    • All means all from yearbook publishers to niche apps to Google
  • 2 Policy Goals the state wanted to meet:
    • Protect students from targeted advertising
    • Require notification of data breaches 
  • The unintended consequence: Each data privacy contract is required by each school district which led to a lot of legal fees for school districts

 

EdSurge | States Issue Privacy Ultimatums to Education Technology Vendors

Lege Trend. Indian Paintbrush State calls for No Regulation for Bitcoin. 3 Points from the Bill + 3 reasons good for Tech.

  • March 7, 2018

Wyoming HB 0070 (2018) will create this regulatory system for bitcoin in Wyoming:

  • Creates an open blockchain token
  • Cannot be marketed as an investment or part of a repurchase agreement
  • Exchange of open blockchain does not trigger broker dealer regulations

3 Tech commentaries:

  • Wyoming is forward-thinking to allow freer reign for cryptocurrency companies
  • Makes Cheyenne intriguing to a few dozen crypto startups
  • Wyoming revealed its willingness to be a “test bed for future regulation”

The impact to Texas: Wyoming has the regulatory framework for sandboxing, which is in the 2018 interim charges for the Texas House.

Tech Crunch  | Wyoming works to make some crypto tokens exempt from regulation

Lege TREND. Net Neutrality Bill Signed. State vs. Feds. 3 Points You need to Know to be Informed for your Tech & Internet Service Provider Clients.

  • March 6, 2018

  • 5 Governors have net neutrality executive orders
  • Washington State Governor signed a Net Neutrality Law
    • The WA bill says providers offering service in the state cannot block or throttle legal content, & cannot offer fast-lane access to companies willing to pay extra.
  • Oregon’s Governor is expected to sign its Net Neutrality Law
    • The OR bill prohibits state and local entities from buying internet service that blocks or throttles content
  • 25 States are considering net neutrality bills
  • The bills are bipartisan

WIRED | WASHINGTON STATE ENACTS NET NEUTRALITY LAW, IN CLASH WITH FCC

Legal Trend. Ride Share + Data Breach = State Attorneys General File Suit . +1 State.

  • March 6, 2018

Pennsylvania Attorney General has filed suit against Uber for violating the state’s data breach notification laws.

What are the alleged violations? (Also Known As red flags for drafting data breach notification laws)

  • 13,500 Pennsylvanians were not notified in a reasonable time
  • each violation has a $1000 fine, for a total of $13.5 Million

What other circumstances did the Attorney General mention?

  • The company waited a year
  • intentionally hid the breach
  • contracted with hackers concerning the breach

WIRED | UBER ‘SURPRISED’ BY TOTALLY UNSURPRISING PENNSYLVANIA DATA BREACH LAWSUIT

 

Local TREND. Local Government Triggers Data Consortium. +1 City- Texas' Bayou City.

  • March 5, 2018

What role did local government play? Houston Mayor and City Council tasked a group to develop strategies to support and attract technology companies

The result of the local government task:  A land-neutral proposal for a data consortium 

Local additional elements: The University of Houston’s Institute for Data Science that will focus on:

  • cyber and physical security
  • drug development and discovery
  • sustainable communities and infrastructure
  • accessible and personalized health care

 

Houston Business Journal | Texas Medical Center, Houston energy cos. considering data science consortium

Houston Chronicle | Texas Medical Center, Houston’s energy industry in talks on data science collaboration

 

Lege & Contracting TREND. +1 Western State Sends Net Neutrality Bill to its Governor. 3 Points from the Bill.

  • March 2, 2018

State: Oregon

The legislation: OR HB 4155 (2018)

What does Oregon’s HB4155 do?

  • It does not mandate net neutrality
  • it prohibits agencies, cities and counties from using internet service that blocks or prioritizes specific content or apps
  • it does not apply in areas where there is only 1 service provider

Oregon Live | Oregon Senate sends net neutrality bill to Gov. Kate Brown

Seattle Times | Net neutrality bill passes Oregon Legislature 

 

Anatomy of the Saguaro Cactus State & Local Cybersecurity Team. Membership + 3 Goals. Build Your Own State Team via Executive Order.

  • March 1, 2018

Arizona Governor Ducey by Executive Order created the Arizona Cybersecurity Team (ACT).

ACT team membership: experts from state, local, and federal government, the private sector, and higher education

ACT Goals:

  • enhancing cybersecurity workforce development and education
  • increasing public awareness on cybersecurity best practices
  •  advise and provide recommendations to the governor

The ACT primer cites 4 data breaches to support its mission:

  • Texas Comptroller Data Breach
  • Utah Health Care Data Breach
  • Target Data Breach
  • Home Depot Data Breach

Prescott News | Governor Ducey Forms Arizona Cybersecurity Team

 

Lege TREND. Criminalize Online Snooping. Read 3 Bill Highlights. Read 3 Opposition Highlights.

  • March 1, 2018

The Online Snooping Bill:

  • Georgia SB 315 (2018) 
  • Republican State Senator
  • unauthorized computer access that didn’t involve taking data would result in a misdemeanor of a high and aggravated nature

Opposition:

  • criminalizes lying on a dating profile
  • criminalizes violations of user agreements
  • criminalizes any use of a work computer for personal use like checking the Falcons score

Washington Post | Sweeping Georgia cybercrime bill would target ‘snoopers’

3 Points. U S Supreme Court. Health Care. Data Breach. What you Need to Know to be Informed.

  • February 26, 2018

The U.S. Supreme Court refused to grant review of CAREFIRST, INC., ET AL. V. ATTIAS, CHANTAL, ET AL which concerns:

  • whether to bring a data security lawsuit, is actual harm or the possibility of harm required?
  • the U.S. Supreme Court refusal left in place a standard set by the U.S. Court of Appeals in the District of Columbia that the possibility of harm is enough
  • the burning question- is it up to the courts to hold entities responsible for safe keeping data?

Fierce Healthcare | Supreme Court denies CareFirst’s petition to review data breach case 

Regulatory TREND. New Enforcement Agency for CyberSecurity. Copy it in your state elections & electricity.

  • February 23, 2018

The new cybersecurity office:  Justice Department’s Cyber-Digital Task Force

Cyber Digital Task Force Goals:

  • canvass the many ways that the Department is combatting the global cyber threat
  • identify how federal law enforcement can more effectively accomplish its mission

Task Force members:

  • CHAIR: senior Department official appointed by the Deputy Attorney General
  • Department’s Criminal Division
  • National Security Division
  • United States Attorney’s Office community
  • Office of Legal Policy
  • Office of Privacy and Civil Liberties
  • Office of the Chief Information Officer
  • ATF
  • FBI
  • DEA
  • U.S. Marshals Service

Report to be issued by June 2018 with a focus on these cyber issues:

  • Election Hackers. election interference
  • Grid Hackers. interfere with our critical infrastructure
  • Fake News. use of the Internet to spread violent ideologies and to recruit followers
  • Identity hackers. mass theft of corporate, governmental, and private information
  • High level encryption. technology to avoid or frustrate law enforcement
  • Viruses, ransomware et al. mass exploitation of computers and other digital devices to attack American citizens and businesses

Department of Justice | Attorney General Sessions Announces New Cybersecurity Task Force

Lege Trend. Cyber Security Standards for Tax Preparers in the Flowering Dogwood State

  • February 23, 2018

State: Virginia

The legislation: HB 183 (2018) SB 271 (2018) 

What’s required by Virginia’s HB 183 and SB 271?

  • Any income tax preparer in Virginia has to notify the VA Department of Taxation of a cyber security breach 
  • Notification is triggered by when the tax preparer discovers the breach and must be done without unreasonable delay

Is there a cost savings according to the bill’s author? Yes, the state will save $300,000 a year because the state Department of Taxation won’t be issuing refunds to fake tax returns filed by hackers

WRIC | Va. bill takes on tax return data breaches

REGULATORY TREND. More Transparency for Businesses on Data Security + Coming to a State Near You.

  • February 23, 2018

SEC adopted new rules this week to require greater disclosure of cybersecurity threats by businesses. 

What you need to know:

  • prohibits trading on insider cyber security knowledge
  • companies are urged to develop policies that allow them to quickly assess cybersecurity risks and decide when to tell the public
  • prohibits companies from using internal or law enforcement investigations as an excuse for not informing the public.

Tech Crunch | The SEC says companies must disclose more information about cybersecurity risks

Regulatory TREND. Cybersecurity and Energy New federal Office. 4 Key Points.

  • February 23, 2018

The new oversight:  Office of Cybersecurity, Energy Security, and Emergency Response at the Energy Department

Head of the new office:   will be led by an Assistant Secretary

Policy Goals of the new office:

  • energy infrastructure security
  •  support the expanded national security responsibilities
  • coordination and focus on protecting energy infrastructure, like the electric grid, from cyber and foreign attacks & natural threats

Funding: $96 million

Department of Energy | Secretary of Energy Rick Perry Forms New Office of Cybersecurity, Energy Security, and Emergency Response

The Hill | Energy Department creates new office for cyber, energy security

5 Points. Unanimous Data Security Bill Post- Equifax.

  • February 22, 2018

Oregon’s SB 1551 (2018)  will require:

  • notification to consumers of a data breach within 45 days unless it could hinder law enforcement
  • if more than 250 Oregonians are affected, then notice must also go to the state Attorney General
  • a violation triggers Deceptive Trade Practices Act 
    • this means class action lawsuits
    • this also means big fines
  • no fees for credit freezes or thaws
  • prohibits “upselling” by breached companies or third-party contractors when they offer people free credit monitoring or other damage-mitigating services

Register Guard | Oregon Senate approves new consumer protections after Equifax data breach

Business TREND. TRUST CHARTER to partner Business & Government in Data Security. 8 partners. 2 fundamentals.

  • February 20, 2018

The 8 partners in the TRUST CHARTER:

  • Siemens
  • Munich Security Conference
  • Airbus
  • Allianz
  • Daimler Group
  • IBM
  • NXP
  • SGS
  • Deutsche Telekom

Action Areas for Business and Government:

  • A call to responsibility at the highest levels of government and business with a dedicated government section and chief information officer at organizations
  • Companies must develop mandatory, third-party certification for infrastructure and solutions

“Governments must take a leadership role when it comes to the transaction rules in cyberspace,” said Wolfgang Ischinger, chairman of the Munich Security Conference

Clinical Innovation + Technology | Siemens, 8 partners sign charter to improve cybersecurity

Lege TREND. Blockchain Bills in the Goldenrod flower state. 3 Key Elements to the Bills with Local Government Preemption

  • February 19, 2018

State: Nebraska

The legislation: 

  • LB 987 Bitcoin as acceptable currency
  • LB 691 Virtual Currency Money Laundering Act
  • LB 694 State preemption on blockchain technology & prohibits local taxing of blockchain
  • LB 695 Blockchain state contracting

LB 694 & 695 will require that:

  • blockchain signatures are legally valid in Nebraska
  • smart contracts are valid in all commerce in Nebraska
  • local governments cannot tax, license or regulate blockchain technology

Omaha World Herald | Nebraska Legislature considers bills on blockchain, cryptocurrency for first time

New Coalition. Against Card Skimming.

  • February 16, 2018

State: Alabama

What entity organized the coalition against card skimming? Alabama’s Attorney General

The new coalition against card skimming: Alabama Focus Group on Skimming

What entities comprise the coalition?

  • U.S. Secret Service
  • Alabama Department of Agriculture and Industries
  • Alabama Department of Transportation
  • Alabama Fusion Center
  • Alabama Law Enforcement Agency
  • Alabama Petroleum Equipment Contractors Association
  • Petroleum & Convenience Marketers of Alabama
  • Alabama Attorney General’s Office

AL.com | State launches lab to fight growing problem of cyber crime

Procurement Opportunity. State Cyber Crime Labs. Anatomy of a State Cyber Crime Lab.

  • February 16, 2018

State: Alabama

Agency Housing the Cyber Crime Lab: Attorney General Office

What tools does the operator of a cyber crime lab need?

  • talent to unlock cell phone evidence
  • talent to track down credit/debit card skimmers
  • talent to unmask criminals behind identity theft
  • talent to help businesses &  local governments recover revenue  lost in cyber theft 

AL.com | State launches lab to fight growing problem of cyber crime

New Cyber Security Alliance Brings Retailers and Gaming Together.

  • February 15, 2018

New alliance:  The Retail Cyber Intelligence Sharing Center (R-CISC)

Alliance members:

  •  retailers
  • gaming properties
  • consumer product manufacturers
  • grocers
  •  hotels
  • restaurants
  • cybersecurity industry partners

Specific corporate members:

  • Lowes
  • Walgreens
  • Starbucks
  • MGM Resorts
  • Gap
  • Autonation
  • Estee Lauder

 

Regulatory Trend. Keystone State Plan to Prevent Voter Hacking + Local Government Mandate

  • February 14, 2018

Governor of Pennsylvania ordered counties to buy voting machines that also leave a paper trail to protect against hacking.

Pennsylvania is providing counties with this much funding to update voting machines: $0

Governing | To Prevent Hacking, Pennsylvania Will Create Voting Paper Trail

AP | Pennsylvania to require voting machines with paper backup

Lege Trend. States Accepting Crypto Currency as Payment.

  • February 13, 2018

New York’s A09782 allows state agencies to enter into agreements to accept crypto currency like BitCoin.

 

Lege Trend +1 Northern State. Blockchain for Data Security + State Contracting. 3 Steps to be Informed:

  • February 12, 2018

State: New York

The Bills:  

  • A08780 allows contracts secured through blockchain technology + allows smart contracts to exist in commerce
  • A08792 blockchain to secure elections
  • A08793 blockchain for the security of state records

The policy support for blockchain:

  •  safer bet for state and local government records and contracts
  • benefits to state and local governments
  • tool for increasing accountability and transparency

State Tech | New York Targets Blockchain for Voter Security, Smart Contracts and More

 

Lege Trend. Passing Net Neutrality. Bipartisan in the West. 2 Key Points from the bill.

  • February 12, 2018

Washington State House passed a net neutrality bill, HB 2282, that will:

  • establish net neutrality in Washington State
  • protect consumers in Washington State

The bill will protect consumers by prohibiting companies from:

  • Blocking of lawful content by internet service providers

  • “Throttling,” or slowing down, of lawful content by internet service providers

  • Favoring of certain content over others by internet service providers due to special deals (“paid prioritization”)

The vote in the House: 93-5

K5 | Washington House passes bill to protect net-neutrality rules

Seattle Times | Net-neutrality bill in the Washington Legislature easily passes the House

3 Reasons County Commissioners Concern over State Cyber Security Council

  • February 8, 2018

A bill in the Kansas legislature is proposing a Kansas cyber-security authority: H2331 (2018)

County Commissioners in Sedgwick County raise these concerns:

  • Any local government connecting to the state system would have to have its cybersecurity programs reviewed
  • Unfunded mandate
  • For a small county like Sedgwick, the cost per person is estimated at $700/person

WHAT WOULD THE KANSAS CYBER SECURITY AUTHORITY DO?

  • Create a Kansas information security office
  • review  cyber-security programs
  • create training programs

KWCH 12 | County leaders express concern over cost of ‘Kansas Cybersecurity Act’

Lege trend. Increasing Consumer Protections in a Post-Equifax World.

  • February 8, 2018

A Rhode Island legislator wants companies that have had a data breach to:

  • notify the state and consumers with “reasonable promptness”, quicker than the current 45 days
  • Increase the penalty from $100 to $150,000 per breach

WPRI | Lawmaker proposes law to protect victims of data breaches

Rhode Island HB 7387 (2018) 

No-Fly List for Computers? 3 policy considerations

  • February 7, 2018

Harvard Business Review poses the question about creating a no-fly list for computer systems to:

  •  effectively identify threats and malicious traffic
  • automate collection, optimization, and integration of threat intelligence
  • share threat intelligence which has been shown to strengthen security 

Harvard Business Review | Why Every Company Should Consider Creating a “Cyber No-Fly List”

The Ways Cities are Requiring Net Neutrality Standards.

  • February 6, 2018

Cities and local governments are implementing net neutrality standards by:

  • city-owned broadband options
  • yes, municipally owned internet

What policy goals have some cities, like San Francisco, set for municipal broadband?

  • internet access must favor the general public and San Francisco values
  • Ft. Collins is hailing municipal broadband as a means to reclaim privacy

Government Technology | States, Cities Turn to Tech in Bid to Preserve Net Neutrality Principles 

 

 

TRENDing. EV Station Data Security Vulnerability. Building Data Security into EV Charging Station Bills and Regulations.

  • February 5, 2018

Two vulnerabilities with EV charging stations have been spotted by tech experts:

  • EV charging stations are not required to transmit charging authorization information in an encrypted format
  • EV charging stations are not required to prohibit duplicates of the same numbered card

Tech Crunch | Electric car charge-station payment systems may lack basic security measures

Equifax Fix TREND. The different route a Plains State Takes. 3 Key Points from the Bill.

  • January 31, 2018

Nebraska Legislature is considering LB 757  that will:

  • Applies data security requirements to people and businesses that own, license or maintain data of Nebraska residents
  • Requires a data security standard of “reasonable security procedures and practices”
  • Ties the state legislation to  Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996 

How does this differ from other state approaches?

  • Other states have focused on free credit freezes and free credit report un-freezing.

NTV | Proposed bill would offer free credit monitoring after data breach 

Red State Bill. Protecting Health Care Data in its Data Security Laws. Read the bill Text. Be informed.

  • January 30, 2018

Iowa’s Attorney General is supporting House Study Bill 526 (2018)  which adds the following health care information to the state’s data breach statute:

  • medical records, physical and mental health
    • including treatment & diagnosis
  • health insurance information

Any other requirements in House Study Bill 526 (2018) ?

  • 45 day notification requirement
  • 128-bit data encryption requirement
  • Notification to the state if written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator (an Equifax fix)

Health IT Security | Proposed Iowa Data Breach Bill Accounts for Health Data

 

3 Reasons this Georgia Data Security Bill Poses a Threat to Security Researchers

  • January 30, 2018

Georgia Legislature is considering Senate Bill 315 (2018).

Data Security research supporters say the bill raises these 3 concerns:

  • The terms  “access” and “authority” are not clearly defined
  • because the terms are not clearly defined research will be quelled for the fear of committing an unknown crime
  • The Federal Computer Fraud and Abuse Act also had broad terms and led to the “overzealous” prosecution of researchers

What’s the goal of the bill? To add the crime of unauthorized computer access to the Georgia Computer Systems Protection Act

KSU Sentinel | Georgia bill poses potential threat to cybersecurity researchers

More data security bills are being filed. Be informed with numbers.

  • January 29, 2018

In 2017 states outpaced the federal government in data security legislation, here’s what happened:

  • 42 states
  • Considered 240 bills and resolutions related to cybersecurity
  • That’s 2 times as many bills and resolutions as 2016

Edgile | Businesswire | US State Cybersecurity Regulation More Than Doubled in 2017, While Federal Regulation Waned

+ 1 Executive Order on Net Neutrality. Where. How. Who. Why. What.

  • January 26, 2018

Where: New York

Who: New York Governor Cuomo

How: By Executive Order

What does the executive order do? NY Executive Order Number 75

  • Prohibits state contracts with entities that  treat all web traffic equally
  • Establishes internet access as an essential service

Why: In response to the FCC net neutrality repeal, NY became the 2nd state to create its own net neutrality provisions.

The Hill | Cuomo signs executive order protecting net neutrality in New York

 

10 Data Security Ordinance Trends for Local Government.

  • January 25, 2018

  • City-wide digital platforms: gathering, aggregating, and analyzing data
  • Development of connected intersections: Smart City initiatives
  • Computing at the edge: faster and accurate data analytics
  • Merging of GIS, big data, and analytics: data modeling of community behavior
  • Public safety vehicles as digital hubs: faster and more accurate emergency response
  • More connected vehicle capabilities: see NHTSA suggestions for Vehicle to Vehicle (V2V) communications. The Feds- yay!
  • Greater real-time citizen wireless interaction: new government-citizen collaborative tools, including real-time video and data sharing and base-level artificial intelligence
  • Link autonomous vehicles with government sensors: Smart Cities!
  • City apps: transparency of government-gathered data
  • Smart city amendments to municipal codes

Cisco | Top 10 Smart City Trends for 2018

Bill Requires an Agency to Audit Other Agency Data Security Standards. Procurement Opportunity. Read the Bill.

  • January 25, 2018

H.R. 1224 (115th Congress) requires a 6 point audit of federal agency data security:

  • a description of staffing plans
  • workforce capabilities
  • methods of conducting such audits
  • coordination with agencies to support such audits
  • expected timeframe for the completion of the audits
  • other relevant information

 

+1 Southern State. Free Credit Report Freezes & Thaws. Read the Bills & the loyal opposition.

  • January 25, 2018

The Florida legislature is considering SB 1302 and HB 953 that will end fees for freezing or unfreezing a credit report.

The bills make no other changes to credit reporting entities.

The opposition, the “Consumer Data Industry Association,” opposes bills that remove all fees from credit freezes.

Palm Beach Post | Florida considers ending fee to freeze credit as Equifax leads gripes

 

By the Numbers Tech Spending in Lobbying, Legislative & Regulatory Affairs.

  • January 23, 2018

2017 Congressional spending by tech companies:

  • Google spent $18 million (up from $15.4 million)
  • Facebook spent $11.6 million (up from $8.7 million)
  • Twitter spent $561,000 (down from $680,000)
  • Amazon spent $12.8 million (up from $11 million)
  • Apple spent $7.1 million (up from $4.6 million)
  • Netflix spent $800,000 (same amount from 2016)
  • NCTA – The Internet & Television Association: $12.8 million  (down from $13.3 million)

The Hill | As Tech Industry Boosts Lobbying Spending, Showbiz Outlay Stays Largely the Same 

3 Steps Montana Took. 1st State to Add Net Neutrality. Executive Order included

  • January 22, 2018

How did Montana add net neutrality on the state level? Executive Order

What does Governor Steve Bullock’s (D) executive order require? Internet service providers with state contracts must abide by net neutrality principles:

  • “in order to receive a contract with the state government, internet service providers must not engage in blocking or throttling web content or create internet fast lanes.”

Effective Date: Immediately with a 6 month grace period

The Hill | Montana becomes first state to implement net neutrality after FCC repeal

MT Gov. Executive Order No. 3-2018

Lege Trend. Procurement Opportunity. Gulf State Looks to Secure Business Contracts via Blockchain Legislation. Read the Bill.

  • January 18, 2018

The Florida legislature is considering House Bill 1357 that will:

  • look to transition state data centers to blockchain technology
  • provide for electronic contracts and signatures secured by blockchain technology

 

As a side note, Arizona passed a similar bill in 2017. AZ HB 2417 (2017)

CoinDesk | Florida Bill Would Legally Recognize Blockchain Signatures, Smart Contracts

Lege TREND. Blockchain meets state Legislature #2 deep in the South. Securing Business Transactions.

  • January 18, 2018

The Tennessee legislature is considering House Bill 1507 and Senate Bill 1662 which will:

  • define blockchain signatures as legal signatures
  • statutorily recognize contracts secured through blockchain

Business contracting meets 2018.

FTC Study identifies 4 cybersecurity issues with EV, Self Driving Cars, Connected Cars

  • January 18, 2018

This month the Federal Trade Commission released a paper on cybersecurity issues with connected cars.

4 Points from the FTC paper:

  • lots of information is gathered and shared, the information must be protected
  • can a vehicle’s safety controlled functions be segregated from other functions for public safety?
  • how to best update cars when a new vulnerability is discovered?
  • how to set a base line security standard for connected cars

Lege Trend. BLOCKCHAIN meets Legislature. The Future of Data Security Legislation? Read the Bill.

  • January 17, 2018

Colorado Legislature is considering SB18-086 that brings together blockchain & data security legislation.

What you need to know:

  • Calls for CO to adopt a distributed ledger
    • this means pieces of the ledger live in different cyber spaces, so a hack of 1 space does not expose all the data
  • How does the bill get to a distributed ledger in Colorado state government?
    • Directs Colorado’s chief information security officer to evaluate the costs and benefits of using distributed ledgers in various government systems
    • CO will examine blockchain’s capability in handling cyberattacks compared to traditional computer systems

Anatomy of an Election Cyber Security Agency. 3 Goals of the Agency.

  • January 16, 2018

The Prime Minister of Sweden announced the immediate formation of an agency charged with protecting the integrity of Sweden’s elections.

The new agency will be charged with:

  • “psychological defence by identifying, analysing, and responding to external influence campaigns”
  • will not hesitate to expose those who meddle in Swedish elections
  • in coordination with the agency, there will be increased funding for Swedish intelligence and cyber-defence services to monitor external threats
  • the agency will work with each party’s officials to secure the election

Why does this matter? A US report noted that Nordic states (Sweden) were “a favourite target of the Kremlin’s propaganda machine”

EU Observer | Sweden raises alarm on election meddling

 

Lege Trend. Cybersecure Election in the Buckeye State. 3 Key Elements of the bills.

  • January 15, 2018

Ohio Legislature is set to consider bills to strengthen cybersecurity for their election system by:

  • Establishing a Cybersecurity director within the Secretary of State administration
    • the Director would be responsible for recommendations to keep elections secure
  • Establishing a cyber-security advisory council appointed by the Secretary of State and made up of:
    • business community
    • technology community
    • law enforcement
    • voting advocates
    •  elections officials from both political parties
  • Requiring counties to have election audits

Cleveland.com | Democrat Rep. Kathleen Clyde to introduce legislation to beef up elections cybersecurity

OH HB 466 (2018) 

OH HB 467 (2018)

Lege TREND. +1 State. Bipartisan Data Security Bill Post-Equifax. 4 Requirements.

  • January 11, 2018

California’s SB 823 (2018)  requires:

  • Free credit card freezes and credit freeze lifts
  • Allowing all credit reporting agencies to freeze credit by initiating a request with 1 credit reporting agency
  • Allowing for electronic freezes and lifts

4 States currently allow for free credit freezes and freeze lifts:

  •  Indiana
  • Maine
  • North Carolina
  • South Carolina

Lege Trend. 8 States. Net neutrality bills.

  • January 11, 2018

The states looking to add net neutrality requirements: North Carolina, Illinois, California, New York, Massachusetts, Nebraska, Rhode Island and Washington

4 policy goals of net neutrality:

  • A level playing field for all online services that prohibits internet providers from blocking or slowing down sites or online services
  • Ensure consumers find the content of their choice
  • Maintain broad access to online services and information
  • Protect businesses, large and small, from having to pay fees to reach users

Is there state authority to act? There is no statutory preemption & a 2016 case against the FCC stood for no FCC preemption 

Bipartisan? Yes. Republicans argue for the need to level the playing field for small businesses

New York Times |  States Push Back After Net Neutrality Repeal

Lege Trend. New Regulatory Division for Data Security. 5 Key Details to Draft one for your State.

  • January 10, 2018

The new federal legislation, The Data Breach Prevention and Compensation Act, would:

  • Create a new cybersecurity office within the Federal Trade Commission
  • Incentivize data security by imposing mandatory fines on credit reporting agencies with flawed security
  • Annual inspections by the FTC of credit reporting agencies
  • Fines would be divided to:
    • 50% to the consumers affected
    • 50% to the FTC to fund inspections and cybersecurity research
  • Credit reporting agencies would have to report to the FTC their technical and organizational security measures

Gizmodo | New ‘Cybersecurity Office’ Would Oversee Companies Like Equifax and Dole Out Fines for Slipshod Security

9 Parts. North Carolina Data Security Bill. Post-Equifax.

  • January 10, 2018

The state Attorney General and a State Representative are promoting a forthcoming North Carolina bill, the Act to Strengthen Identity Theft Protections.

Here’s what the bill will do:

  • Include ransomware in definition of data breach
  • Protect more information by creating a duty for businesses to have reasonable data security standards, and include insurance/medical information in the data breach notification law
  • Quicker consumer notification.  15 day time limit to notify the consumer & the Attorney General
  • Free credit freezes & credit freeze lifts
  • 3 free credit reports from each of the 3 credit reporting agencies
  • 5 years of free credit monitoring if a credit reporting agency experiences a breach
  • Penalties will follow the Deceptive Trade Practices Act  that makes each act a violation to which penalties can attach
  • Require consent for credit reports
  • Consumer right to all their information at a credit reporting service

 

Governor Trend. Establishing CyberSecurity Magnet Public Schools.

  • January 10, 2018

Alabama’s Governor successfully pushed for a cybersecurity & engineering magnet school.

The school’s official name: Alabama School of Cyber-Technology and Engineering

Number of students: 300

Grades in the School of Cyber Technology & Engineering: grades 7-12

AL.com | New cyber, engineering magnet school coming to Huntsville

Lege Trend. 22 Groups of Banks & Retailers Join Forces. Wonder Twin Powers Urge 4 Point Data Security Bill.

  • January 8, 2018

The 4 Issues the group wants covered by federal data breach legislation:

  • A flexible, scalable standard for data protection that factors in:
    • the size and complexity of an organization
    • the cost of available tools to secure data
    • the sensitivity of the personal information an organization holds, as well as guarantees that small organizations are not burdened by excessive requirements.
  • Notification when a reasonable risk exists. A notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm.
  • Consistent, exclusive federal enforcement of the new national standard by the Federal Trade Commission (FTC) and state Attorneys General, other than for entities subject to state insurance regulation or who comply with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996/HITECH Act. For entities under its jurisdiction, the FTC should have the authority to impose penalties for violations of the new law.
  • Clear preemption of the existing patchwork of often conflicting and contradictory state laws. 

 

The group supporting federal data security legislation

ACT | The App Association

American Bankers Association

American Insurance Association

American Land Title Association

BSA | The Software Alliance

Consumer Bankers Association

Credit Union National Association

CTIA

Electronic Transactions Association

Financial Services Roundtable

Independent Community Bankers of America

Independent Insurance Agents and Brokers of America

Internet Commerce Coalition

National Association of Federally-Insured Credit Unions

National Association of Mutual Insurance Companies

National Business Coalition on E-Commerce & Privacy

Property Casualty Insurers Association of America

Reinsurance Association of America

Retail Industry Leaders Association

TechNet

Twenty-First Century Privacy Coalition

USTelecom 

Open Records TREND. Are election cybersecurity documents open records? See 2 different states work.

  • January 2, 2018

South Carolina Attorney General clarifies- financial info yes, but not security information

South Carolina Attorney General says that the South Carolina election commission can withhold from disclosure cybersecurity information. 

Can related information about election cybersecurity be released through open records?

Yes, South Carolina election commission will release financial information about cybersecurity products & services purchased

Michigan considered a bill to protect election cybersecurity information

HB 4973 (2017)  excepts from disclosure information that addresses:

Lege TREND. 6 Standard Data Protocol For all State Data. Is the South leading the way in protecting personal information?

  • January 1, 2018

Mississippi is considering statewide standards for data that will:

  • how long to store personal data
  • how to dispose of personal data
  • what personal data can be disposed of
  • how to store personal data
  • apply to all state entities that have personal data in their possession
  • what a state agency, Department of Archives and History, needs to store data in perpetuity

What prompted this legislative action by Mississippi?

  • A 2013 breach of health care data at the University of Mississippi
  • A resulting 2016 $2.75 Million penalty by the US DHHS as a result of the data breach
  • An unfavorable report by the state legislative watchdog committee for Performance Expenditure and Evaluation Review

Clarion Ledger | Lawmakers to review ways to make public’s identifiable data in state hands more secure

Lege TREND. Bills Protecting Health Care Data in 2 States.

  • December 28, 2017

Maryland HB 974 (2017)

  • Includes all HIPAA information in the definition of personal information for state data breach law purposes
  • The bill also protects biometric data, such as fingerprints, voice prints, and genetic prints

Delaware HB 180 (2017)

  • Includes medical history in the definition of personal information
  • Requires “any person who conducts business in Delaware and maintains personal information must safeguard that information.”
  • Requires health insurance information to be protected
  • Establishes standards to dispose of the electronic information

Health IT Security | 2017 Updated State Data Breach Laws Account for Medical Information 

Legal Trend. Data Breach Liability for Employers

  • December 28, 2017

A UK court found that an employer that had taken appropriate measures to prevent a data breach can be held vicariously liable for a data breach when an employee:

  • deliberately misused the data
  • intended to cause damage to the employer by misusing the data

Bonjour U.S. State Legislators- data security liability issues should be on your radar.

Lexology | Employer held vicariously liable for employee’s deliberate data breach

WM Morrison’s Supermarket PLC | England and Wales High Court (Queen’s Bench Division) Decisions

Regulatory TREND. Imposing Data Security on Credit Reporting Agencies. Read the new Rules from NY

  • December 26, 2017

New York’s new rules on credit reporting agencies will do these 4 things:

  • Require consumer credit-reporting agencies to identify “dedicated points of contact” for New York’s Division of Consumer Protection
    • WHY? Ensure consumers can promptly get answers 
  • Mandate that credit-reporting agencies respond “within 10 days” to any requests for information made on behalf of consumers by the Division of Consumer Protection
  • Credit reporting agencies must “plainly disclose” to consumers all fees associated with any identity theft protection product sold or purchased, “including when those products are originally offered for ‘free’”
  • Require the credit-reporting agencies disclose to New York’s Division of Consumer Protection all business relationships and contracts with companies involved in marketing credit monitoring services and related products.

The tagline from state leaders: consumers should not be penalized for having their data breached

Boston 25 News | Citing Equifax data breach, one state cracks down on credit-reporting agencies

3 Ways The Los Angeles Cyber Center is a Model for Cities

  • December 14, 2017

What standards did Los Angeles use in crafting its Cyber Center? Federal Government and industry Standards

The key to the city Cyber Center?  integrated strategic operations center

What does the integrated strategic operations center do? 

  •  “processes cyber threat information from the Homeland Security Department, the FBI and various private sector and non-profit sources and feeds it out to its member operations centers and to city departments”

How does this help unify cyber protections in Los Angeles?  Prior to the cyber center the city’s IT office, the Water and Power Department, the Port of Los Angeles and Los Angeles International Airport did not communicate regularly on cybersecurity. Now each is on the same page.

Are other cities taking note? Yes, Chicago, Las Vegas and New York have visited to learn more

NEXTGOV | LA Cyber Center Hopes to be a Model for Cities Nationwide

State Attorneys General Raise 3 Issues in Suing Over Net Neutrality Rule

  • December 14, 2017

The FCC overturns net neutrality rules and Attorneys General of New York and Washington announce their lawsuit raising these 3 concerns:

  • FCC’s net neutrality repeal harms consumers
  • FCC’s net neutrality repeal harms small business
  • FCC’s net neutrality repeal harms innovation

The Attorney General of Washington State notes that he is 5-0 in his lawsuits against the Trump administration. 

The Hill | Washington AG to sue over net neutrality repeal

 

6 Data Security Policy Trends in 2018

  • December 11, 2017

  • Policies to improve data security workforce
  • Liability policy for businesses that utilize 3rd parties to manage and mitigate security incidents and challenges
  • Policies to encourage more women in data security workforce
  • Liability and notification requirements when companies utilize automated security tools
  • Policies that Support Awareness and Training of existing workforce
  • Policies that encourage businesses to maintain a base level of data security and notification requirements

Health Data Management | HIT Think 6 data security trends to expect in the New Year

Data Security Legislation is a Driver to Increase Data Security Insurance.

  • December 11, 2017

Progressive Market’s analysis lists 3 drivers for an increased demand in cyber insurance/data security insurance including:

Draft Data Standards from NIST + State Legislation = The Future of Data Security Legislation

  • December 8, 2017

Refreshing our recollection:

OHIO is considering SB 220 that ties the NIST standards to liability limitation. Yes, tort reform meets data security.

 

Draft Data Security Standards are here. National Institute for Standards and Technology Delivers. 3 Key Points.

  • December 8, 2017

Input on Draft Standards:

Feedback and comments should be directed to cyberframework@nist.gov by January 19th, 2018.

The 3 goals of the draft standards are to align the needs of:

  • policy requirements
  • business needs
  • technological methodologies

Flexible Standards

The standards should evolve as technology evolves

New buzz words are emerging in data security policy like: Cyber attack lifecycle

NIST | Cybersecurity Framework Draft Version 1.1

 

Business TREND. Health Care & Cybersecurity. By the Numbers.

  • December 7, 2017

A new report by the Center for Connected Medicine found that data security leads the minds of health care businesses:

  • 9 of 10 health care companies will spend more on data security in 2018
  • 54% want to better identify threats
  • 50% want to better detect threats
  • 50% want to better protect against cyber threats
  • Less than 20% are focused on recover and respond technologies

Would health care providers pay cybercriminals?

  • 17% said yes
  • 17% were undecided
  • 22% didn’t know
  • 44% said no

Healthcare Dive | Cybersecurity tops list of IT investments for 2018

2 Cybersecurity Points from TRANSPORTATION legislation

  • December 6, 2017

In response to cybersecurity challenges to rail, H.R. 4474 was filed. The bill:

  • Requires a report to Congress on cyber and physical threats presented by foreign-owned software to the transportation sector
  • Directs DHS to inform the industry about technical assistance it offers on cybersecurity.

Politico | TRANSPORTATION BILL CONTAINS CYBER PROVISIONS

Lege Trend. 3 Points from a Student Data Security Notification Bill in the Midwest.

  • December 4, 2017

Missouri will be considering  SB582 (2018) about student data breach notification. 

SB582 requires notification of a student data breach to 3 parties:

  • the student’s parent(s) or legal guardian(s)
  • the department of elementary and secondary education
  • the state auditor 

Lee’s Summit Tribune | Auditor Galloway announces legislation to require schools to notify parents in case of cyber security breach

Lege Trend. Criminal Charges for Businesses that Hide Data Breaches.

  • December 4, 2017

U.S. Senator Bill Nelson’s S.2179 would trigger criminal charges if:

  • it’s found that “intentionally and willfully conceals” a breach
  • and, a person incurs $1,000 in damages

The criminal charge comes with up to 5 years in prison and/or a fine.

 

Regulatory Trend. Data Security in Medical Devices. Policymakers Requiring Disclosures. Coming to a health agency near you.

  • December 1, 2017

Who is making a request that medical device makers disclose component parts? House Committee on Energy and Commerce

On what agency are these policymakers making a request? Department of Health and Human Services

What is the Department of Health and Human Services being asked to do?

  • Require medical device manufacturers to disclose:
    • bill of materials (BOM) for each piece of medical technology
    • describe the device’s components
    • describe software utilized
    • disclose any known risks associated with those parts
  • To promote cybersecurity through transparency

SC Media | House committee asks HHS to boost cybersecurity by requiring component list for medical devices

Anatomy of an East Coast Governor's Cybersecurity Team

  • November 30, 2017

Vermont Governor Phil Scott named these new members to his Cybersecurity Team:

  • Chief Security Officer at the UVM Medical Center
  • President of Norwich University’s Applied Research Institutes
  • Computer & Digital Forensics professor at Champlain College

4 Goals of the Cybersecurity Team:

  • Assess the state’s cybersecurity status.
  • Develop a plan to protect public and private sector information systems
  • Evaluate readiness
  • Strengthen safeguards

WAMC | Vermont Governor Names New Members To Cybersecurity Team 

1st ever US hacker attack on Local Transit System. 3 Lessons for other cities.

  • November 28, 2017

The transportation system: Sacramento Regional Transit

The hack: destroyed internal systems data, but no data was stolen. It was a ransomware hack with a 1 bitcoin ransom

The recovered data: 80% via backup data

Impact on transportation systems: Train and bus service was not affected

Governing | Hackers Attack Transit System in California’s Capital

 

Lege Trend. Health Care Worker Registry in the Colonies. Pros. Cons.

  • November 27, 2017

State with a new home health care worker registry: Massachusetts

 Supporters say:  Consumer protection

Opponents say: A worker database contradicts the state’s data security stance & jeopardizes worker safety

Mass Live | Gov. Charlie Baker signs law creating home care worker registry

+ 1 State. Lege Trend. Credit Freezes after a Breach.

  • November 21, 2017

The State joining the post-Equifax hack legislative trend: Rhode Island

The proponent: The Rhode Island Attorney General

The legislation would:

  • Free credit freezes & un-freezes. Prohibits credit bureaus from charging all Rhode Island consumers fees to place, temporarily lift, or remove security freezes on their accounts

WPRI | RI Attorney General files legislation on security freezes following Equifax data breach

Business Trend. Smart Cities Built by Business. Tech Company Economic Development.

  • November 20, 2017

The Business:   Cascade Investment, which is owned by Microsoft’s Bill Gates

The smart city: Belmont, a planned community in Arizona

The smart features:  

  • high-speed networks
  • autonomous vehicles
  • high-speed digital networks
  • data centers
  • new manufacturing technologies
  • autonomous logistics hubs

CNN | Bill Gates invests $80 million to build Arizona smart city

 

Election Trend. Risk Limiting Audits for Elections. +1 More State Adopts the Policy. Procurement & Legislation Required.

  • November 15, 2017

State: Colorado

What is a risk limiting audit for elections?

  • require all jurisdictions to have a sound ballot accounting process
  • require use of a batch size of one ballot
  • require that a cast vote record exist and be available and retrievable for each individual ballot

How do risk limiting audits combat election hacking?

  • The number of ballots to select initially is calculated by using the risk limit and the margin of the contests
  • Ballots are next randomly selected
  • Each ballot’s vote marking is compared by hand to the CVR for that ballot
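The three steps above, worked through on a constructed 1,000-ballot contest, as an added example (not Colorado's audit software and not code from the cited article). Assumptions: the sample-size formula and the `GAMMA` constant come from Lindeman and Stark's ballot-comparison method, the SHA-256 sampler is a simplified stand-in for a public-seed generator, and all function names are hypothetical.

```python
import hashlib
import math
from collections import Counter

# Error-inflation factor from Lindeman & Stark's ballot-comparison method.
# Assumption of this example; the page itself gives no formula.
GAMMA = 1.03905


def diluted_margin(cvrs):
    """(winner votes - runner-up votes) / all ballots cast, from the CVRs.

    None marks a ballot with no valid vote; it still counts in the
    denominator, which is what "dilutes" the margin.
    """
    tally = Counter(v for v in cvrs if v is not None).most_common(2)
    if not tally:
        return 0.0
    runner_up = tally[1][1] if len(tally) > 1 else 0
    return (tally[0][1] - runner_up) / len(cvrs)


def initial_sample_size(risk_limit, margin, gamma=GAMMA):
    """Ballots to draw first, assuming the hand count finds no discrepancy."""
    if not 0 < risk_limit < 1:
        raise ValueError("risk limit must be strictly between 0 and 1")
    if not 0 < margin <= 1:
        raise ValueError("margin must be positive; a tie has no finite sample")
    return math.ceil(-2 * gamma * math.log(risk_limit) / margin)


def select_ballots(seed, n_ballots, sample_size):
    """Draw ballot positions with replacement from a public seed.

    Anyone holding the seed can recompute the same list, so the choice of
    ballots cannot be steered after the seed is announced.
    """
    picks = []
    for i in range(1, sample_size + 1):
        digest = hashlib.sha256(f"{seed},{i}".encode()).digest()
        picks.append(int.from_bytes(digest, "big") % n_ballots)
    return picks


def compare_to_cvr(cvrs, paper, picks):
    """Positions where the hand reading of the paper differs from the CVR."""
    return sorted({i for i in picks if paper[i] != cvrs[i]})


def run_initial_round(cvrs, paper, risk_limit, seed):
    """One audit round with a batch size of one ballot."""
    n = initial_sample_size(risk_limit, diluted_margin(cvrs))
    picks = select_ballots(seed, len(cvrs), n)
    mismatches = compare_to_cvr(cvrs, paper, picks)
    # Any mismatch means the zero-discrepancy sample size no longer holds
    # and more ballots must be examined.
    return {"sample_size": n, "mismatches": mismatches,
            "escalate": bool(mismatches)}


# Constructed data: 600 votes for A, 380 for B, 20 ballots with no valid vote.
CVRS = ["A"] * 600 + ["B"] * 380 + [None] * 20
PAPER_MATCHING = list(CVRS)

if __name__ == "__main__":
    print(run_initial_round(CVRS, PAPER_MATCHING, 0.05, "constructed-seed"))
```

A narrower margin or a stricter risk limit raises the initial sample, which is why the margin of the contest drives the audit workload.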

What other states are adopting similar protocols? New Mexico & Rhode Island

Was legislation involved? Yes

Governing | Colorado implements Risk-Limiting Audit process to verify election results

 

Legal Trend Begets Lege Trend. What injuries are needed for a cause of action?

  • November 14, 2017

The health data breach suit, CareFirst, is heading to the US Supreme Court, and setting up the standards for what injuries are necessary for a data security claim.

The Appellate Court found “that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft…we have little difficulty concluding that their injury in fact is fairly traceable to CareFirst,”

Code words for legislative drafters: fairly traceable

Health IT Security | CareFirst Data Breach Case Moves to US Supreme Court

Lege Trend. Data Security Bills that Include HIPAA. Read the Bill.

  • November 14, 2017

Previously on informed:intel we read about Maryland’s updated data security bill from 2017, but let’s shift our focus to the inclusion of HIPAA requirements.

Maryland’s state data breach law will include this personal information collected by HIPAA covered entities:

  • “medical history, medical condition, or medical treatment or diagnosis. Health insurance policy, certificate number, or health insurance subscriber identification number – in combination with a unique identifier that permits access to the information – were also added to the personal information definition.”

The HIPAA info will also trigger the data security breach notification standard of “as soon as is reasonably practicable” or not later than 45 days.

Maryland HB 974  | Maryland Personal Information Protection Act – Revisions

Health IT Security | HIPAA Info Included in Updated MD Data Breach Notification Law

 

Lege Trend. States Buying Cybersecurity Insurance. 3 Bits informed:intel

  • November 13, 2017

  • Utah CIO says it’s expensive, a big budget item
    • $230,000 a year for $10 million in cyber coverage and has a $1 million deductible
  • 38% of state CIOs say their state has some sort of cyber insurance
  • Georgia has the largest amount of cyber coverage of any state
    • $100 million in coverage. $1.8 million-a-year premium & a $250,000 deductible per incident

Governing | Fearing Hackers, States Start Buying Cyber-Insurance + Insurance Journal

Lege Trend. OHIO Carrot and Stick in Data Security Bill for Businesses.

  • November 10, 2017

Ohio’s SB 220 sets up a benefit for businesses to comply: safe harbor from suit.

What’s required for a business to get the safe harbor? The business must adopt “a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information that complies with the NIST cybersecurity framework”

The Toledo Blade | Lawmakers offer legal carrot to defeat data breaches

OH SB 220 (2017)

 

Local Trend. Cities Buying Cyber Insurance. Legislative Protection?

  • November 9, 2017

Cities in Wyoming are purchasing cyber insurance to protect themselves from hackers.

Some say that the Legislature should act to protect cities from hackers.

Proposed legislation includes:

  • a long prison term for those caught conducting a cyber attack
  • a world-wide agreement on how to abolish cyber attacks

Cody Enterprise | EDITORIAL: Cyber insurance good idea for city

Hawkeye Attorney General Reviewing State Cyber Security Policies and Laws as Part of Equifax Response.

  • November 9, 2017

The Iowa Attorney General is reviewing the state’s cyber security protocols to do 3 things:

  • identify shortfalls in current legal requirements for those who store personal information
  • look to enhance consumer protections
  • seek to lessen the burden on consumers who’ve been victimized by data breaches
    • Such as “scrutinizing the fees that credit reporting agencies are allowed to charge Iowans for freezing and unfreezing credit reports — particularly data breach victims,”

Des Moines Register | Amid growing threats, Iowa lawmakers push for better state and local cybersecurity

Business Trend. Bring legislators from across the country together to address cybersecurity.

  • November 9, 2017

Microsoft is hosting legislators from across the country to address cyber security legislative solutions.

Des Moines Register | Amid growing threats, Iowa lawmakers push for better state and local cybersecurity

 

 

State Pension System Hacked. 3 Pieces of Info Hackers Used.

  • November 9, 2017

The pension that was hacked: IPERS, Iowa Public Employees’ Retirement System

Hackers used this information:

  • dates of birth
  • social security numbers
  • created online IPERS accounts to reroute payments

Government Technology | How Cyber-Thieves Stole From Iowa Pension Accounts

Cybersecurity. Tops Health Care Business Concerns. The Who. What. Why.

  • November 7, 2017

WHO: ECRI Institute annual health technology hazards list 

WHAT: #1 concern is data security. #2 concern is endoscope reprocessing failures. #3 concern is alert fatigue.

WHY: A May WannaCry cyberattack on UK hospitals shut down all medical equipment except emergency services.

Health Care IT | ECRI: Cybersecurity tops 2018 health technology hazards

 

Lege Trend: Cyber Security State Volunteer Corps. Read the Bill.

  • November 1, 2017

State : Michigan

When did Michigan create its Cyber Security Volunteer Corps?  2013 under the Michigan Department of Technology, Management, and Budget

What did the 2017 amendment do? Michigan’s HB 4508  codifies the Corps and permits volunteers to bring cyber-defense services to nonprofit organizations, private businesses, educational groups, and other non-governmental associations.

What is required of volunteers?  Volunteers must undergo criminal background and FBI checks

Is there charitable immunity for the corps? Yes

Homeland Preparedness News | New Michigan law assigns cybersecurity volunteers to network security assistance during cyber attacks

Stateline | Pew Charitable Trusts | Michigan Governor Signs Volunteer Cyber Corps Bill

US Treasury Report Supports Uniform State Legislation. Insurers and Data Security. See the Bill.

  • November 1, 2017

The U.S. Treasury Department’s October 276.2017 report, entitled A Financial System That Creates Economic Opportunities: Asset Management and Insurance, goes all in for uniform state legislation for data security model legislation for insurers.

What is the model legislation? The NAIC Data Security Model Law 

What’s the 10,000 foot view of the Model law?

  • Applies to insurers, agents, and other licensees.
  • Covers 3 hot data security issues:
    • implementation of information security programs
    • investigation of cybersecurity events, including risk assessment and risk management, as well as oversight of third-party service providers
    • notification to state insurance regulators about cybersecurity events
  • The Model law does not take the place of state data privacy and data breach notification laws

 

 

6 Ways Sunshine State Moving Toward CyberSecurity Leader

  • October 30, 2017

Florida looks to be THE state for cybersecurity. Here’s what it is doing to get there:

  • Higher Education. 
    • Florida currently has 13 schools that the National Security Agency has designated as centers of academic excellence in cybersecurity education or research.
    • Florida universities and colleges offer 40 cybersecurity-related programs for graduate and undergraduate studies
  • Workforce Pipeline.
    • The Florida Center for Cybersecurity helps universities & students
    • Shapes curriculum to meet industry wants
  • Public Education
    • Including cybersecurity as early as kindergarten
  • Business
    • Creating a cybersecurity hub
    • Hosting “boot camp-style” training programs, meet-ups and events
  • Stronger Information Privacy Laws
    • the goal: to shape how companies approach issues such as securing personal information and disclosing to consumers when their data has been leaked.
  • Engage the Attorney General
    • Mimicking California and encouraging the State Attorney General to take a “strong stance toward digital privacy.”

Government Technology | Florida Sets Sights on Becoming Cybersecurity Front-Runner

Lege Trend. Cyber Security & Public Information. This State Says Not Public Information.

  • October 30, 2017

Michigan Legislature is moving HB 4973 to prevent cybersecurity efforts from being disclosed under the public information act.

Support in the Michigan House: 101 to 5

The key bill text that exempts cybersecurity info from public information: prevents disclosure of information concerning the “confidentiality, integrity or availability of information systems.”

Potential policy benefit: the information protection could encourage businesses to engage in more information sharing on cyber security

Michigan HB 4973 (2017) 

Lege Trend. Ports and Cyber security. 2 Key Points. Read the Bill.

  • October 27, 2017

Congress’ Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act will:

  • Require a maritime representative on the nation’s information sharing hub for critical infrastructure cyber threats run by Department of Homeland Security
  • Require Department of Homeland Security to improve cyber information sharing and coordination at U.S. ports

U.S. H.R. 3101 | Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act

The Hill | House passes bill to boost cybersecurity at US ports