Cybersecurity & Tech

North Carolina’s electronic voting system in 2016 was hacked. The way hackers got in was through the company that provided the poll book- the electronic data that allows voting personnel to verify voters.

What changes we will we see to election procurement:

• contracts will contain and require higher data security standards
• vendors may be audited for data security purposes
• election workers will be equiped to switch to paper ballots, if during voting, it is discovered that election data is compromised

NPR | Russian Cyberattack Targeted Elections Vendor Tied To Voting Day Disruptions

71 % of health care organizations budget for cyber security

The majority say cybersecurity is more than 3% of their budget

A majority have hired a chief information security officer or other executive level cybersecurity position

75% do regular cybersecurity testing

80% of US healthcare orgnaizations will increase cybersecurity spending in 2017

Healthcare Dive | HIMSS survey: Hospitals ramping up cybersecurity efforts

Michigan created a volunteer public private task force to step in at a moment’s notice to resolve a cyber attack on state systems.

What is the group called? Michigan Cyber Civilian Corps, MiC3

Has Michigan Cyber Civilian Corps, MiC3 been deployed? No

How does it function? Like a volunteer fire department

Who has volunteered? cybersecurity experts from government, education and private industry

Has any other state done this? No. 

Governing | Michigan’s Volunteer-Based Cybersecurity Strategy Catches On

• Lack of cyber security funding
• Lack of cyber security talent (see above, talent and government wages don’t align)
• Threats are constantly evolving which takes time, money and talent to stay on top of properly
  • hackers target weakeness such as negligent insiders & unpatched vulnerabilities that leave agencies susceptible to risk

GCN | Why state and local government still struggle with cybersecurity

Missouri tests its state employees with its own phishing scams to keep state employees laser focused on cybersecurity.

Government Technology | In Illinois, Cybersecurity Training for State Employees Now Required by Law

Government Technology | Employee ‘Phishing’ Expeditions Among States’ Tools for Cybersecurity Awareness

Illinois HB 2371 requires every state employee to complete annual cybersecurity training. The Department of Information resources may offer a video in lieu of training.

By every employee, the Legislature managed to exclude these employees:

• legislative
• judicial
• higher education
• every constitutional officer

Government Technology | In Illinois, Cybersecurity Training for State Employees Now Required by Law

Johnson Co. Kansas relies on big data to address public safety and mental health concerns. The use of bug data has saved the local government:

• thousands in revenue
• thousands in man hours saved, saving $200,000 in patrol hours
• reduced mental health related arrests, 45 arrests prevented saved more than $100,000
• reduced reliance on emergency rooms, saving hospitals $150,000

How did Johnson Co. do it? By cross referencing 2 databases- county wide criminal jsutice database and a health and human services database that notes mental health issues.

State Tech | Johnson County (Kan.) Calls On Big Data to Link Public Safety and Mental Health

• What data are they capturing?
• Why are they capturing it?
• Where are they housing it?
• How do they recommend that schools house the data?

As schools place a greater concern on ensuring parents that student data is protected, schools are asking their edcation vendors more about data security.

Ed Tech | 3 Tips to Keep Parents Assured that Student Data Is Protected

A tech researcher visiting DefCon Voting Village in Las Vegas, hacked a U.S. styled voting machine within 2 minutes.

Wired | TO FIX VOTING MACHINES, HACKERS TEAR THEM APART

Companies are finding cybersecuity weaknesses in employees by sending faux phishing emails and seeing which employees bite.  

Corporate test data shows cyber literacy training reduces the number of employees who fall for phishing scams.

How many years until there are cyber literacy requirements in public education? in state contracts?

SC Media | Diagnosing employee phishing weaknesses key to improving email security

Taxpayers for Common Sense is ahead of the curve by creating a database to track federal cybersecurity spending.

The cybersecurity spending database is organized by agency and tracks spending for last 10 years.

The Consumer Tech Association filing with the Commerce Department recommends government action on cybersecurity/datasecurity policies for education because there are so many differnt players in education.

The recommendations that we may soon see in Education Procurement Contracts:

• market driven solutions e.g. contractors should step up and talk about their student data security protocols
• instead of government checklists, we need nimble polcies that can adapt as tech changes
• public-private partnerships are crucial to combat hackers

Consumer Technology Association | Promoting Stakeholder Action Against Botnets and Other Automated Threats 

Your Roomba is mapping your house and collecting data. Let’s repeat, your Roomba is colelcting data about how to get around your house and what is in your house. 

Better yet, the company hasn’t asked you whether they can keep the data, store the data or sell the data. What retailer wouldn’t want to buy data that says you have no loveseat? or only 1 sad and lonely dining chair?

This type of private property data is screaming for legislation. Legislation about disclosure of the data, sale of the data, consent to store the data, and how protected is the Roomba from hackers?

USA Today | Your Roomba already maps your home. Now the CEO plans to sell that map.

Congress’ H.R. 3170 tackles cyber security in small businesses by requiring cyber security training for small business devleopment centers.

In 2016, California created the State Innovation Lab.

California maintains an Office of Digital Innovation.

The policy goal in California is to “create novel, deployable technologies that address needs identified by state entity partners — with a particular focus on open-sourced technology.”

State Tech | How Innovative States Stay Ahead of the Tech Curve

Body cameras- love them, hate them- they collect data and a lot of data.

Lots of people support body cameras:

• 2/3 of police support body cameras
• 60% of the public supports body cameras
• Harris County Sheriff’s Office deployed 2500 body cameras

Body cameras are everywhere in law enforcement, so how are counties handling all that data?

• Harris Co. manages manages approximately 10PB of digital evidence
• Harris County’s 10PB of digital evidence is expected to double in 3-5 years
• Harris County created vendor partners, bringing body cameras together with a storage solution by Dell’s EMC line
• Data storage requires a categorization process- keep DWI videos separate from other felony arrests
• Create a data retention policy

State Tech | How Counties Manage the Body-Worn-Camera Video Data Boom

2017 Q2 reflects record spedning by tech giants. 

The 10 top issues tech wants elected officials and policymakers to know:

• cloud computing
• data centers
• renewable energy taxes
• data protection
• data encryption
•  cross-border data flows
• critical infrastructure protection
• transaction security
• government procurement
• IT modernization

Data Center Dynamics | Tech, data center firms increase US lobbying spend

Arkansas Workforce Services experienced a data breach that exposed the personally identifable details of 600,000 residents and 19,000 employment applications.

The state is seeking new database services. 

U.S. News and World Report | Data Breach Has Arkansas Seeking New Vendor

Yes, the California Supreme Court held that the California Medical Board can access private patient records in the state prescription database because the state interest in regulating potent prescription drugs and protecting patients from negligent doctors.

Access to patient records + Texas Medical Board Sunset Review = Patient Privacy vs. State Interest Amendments

Law 360 | Calif. Justices OK Medical Board’s Access To Rx Database

• New Mexico
  • Legislation clarifying when the National Guard can be used during cyber events
• Oregon
  • Executive order to unify all cybersecurity efforts into one agency
• Nevada
  •  a bill to create a cyber defense center to lead all their cyber projects in Nevada

State Scoop | 38 governors sign cybersecurity compact

The 2016-2017 Chair of the National Governor Association, Virginia Governor Terry McAuliffe, explains that cyber security directly impacts these policy areas and businesses:

• technology
• health care
• education
• public safety issue
• business and economics, including insurance
• democracy (elections)

State Scoop | 38 governors sign cybersecurity compact

National Governors Association is pushing for state reform of cyber security laws because:

• The federal government is too slow & too inactive
• Cyber security is not just an IT issue.
• Cyber Security is a  technology issue, a health issue, an education issue, a public safety issue, an economic issue and a democracy issue

The National Governor’s Association initiative, Meet the Threat, calls for:

• instituting cybersecurity governing bodies
• organizing computer crime units for law enforcement agencies
• designing cybersecurity education programs for staff 
• coordinating state efforts with cities and counties

State Scoop | 38 governors sign cybersecurity compact

Lloyds of London estimates a global cyber attack will result in damages similar to hurricane Sandy, or $53 billion in economic losses from a global hacking of cloud services.

How do the $53 Billion oin costs break down?

• Average economic losses  $4.6 billion to $53 billion

• Actual losses could be as high as $121 billion

• $45 billion of that sum may not be covered by cyber policies, because

  • companies are underinsuring

• If operating systems are hacked, average losses range from $9.7 billion to $28.7 billion. 

How is Texas regulating the cyberinsurance market?

Washington State University kept sensitive personal information on a backup disk locked in a $159 safe in a small safe in a storage unit.

The WSU storage unit was burlagized, and was the only unit burgalarized.

The takeaway for policy makers: Do not allow state institutions to store personal data in storage units. 

Common sense governing. Better late than never.

Government Technology | Washington State University Data Breach Teaches Valuable Cybersecurity Lesson (Editorial)

A poll by Carbon Black reveals the concern level of voters for election integrity.

• 27% of voters polled are considering not voting because of fear that their voter data will not be secure.
• If the 27% hold true, that reduduces voters by 59 million voters
• 45% think the 2018 elections will be impacted by cyber breaches

SC Media | Cybersecurity concerns may stop 59 million Americans from voting in 2018

In August 2016, Maryland officials notices hackers were trying to get to voter information, that set off a flurry of legislator and regulator activity. Here’s where they ended up almost a year later:

• legislators didn’t find out until it was in the news which ruffled feathers. suprise!
• Within 3 days of noticing the hacking attempt,  state’s computer staff blocked the IP address from multiple parts of the network
• The Maryland elections administrator notified the Governor’s cabinet
• 2 weeks later, Maryland officials alerted the FBI
• The FBI then notified Department of Homeland Security
• In September, Maryland’s elections administrator learned DHS had tools to help states at a conference, which she requested and began 1 month later
• DHS conducts remote weekly “cyber hygiene scans” of Maryland’s systems
• Maryland hired outside contractors to protect and monitor their election systems
• Maryland’s voter-registration database is not connected to the internet
• Maryland’s legislators are still gearing up to act

Wall Street Journal | How Maryland Contended With Attempted Hack Of Its Voter-Registration System

To avoid the use of stolen personally identifiable information, the uK is seeing a rise in the use of biometric identifiers.

SC Media | Rise in use of biometrics products for cyber-security, report predicts

Oregon’s Senate Bill 90 creates a new position of Chief Information Officer who is responsible for:

• Overseeing the Cybersecurity Advisory Council with 9 voting members and an indeterminate number of appointed, non-voting members
  • with required participation by law enforcement representatives
• Creating the Oregon Cybersecurity Center of Excellence tasked with inter- and intra-agency coordination, threat response, & information-sharing
• Mandates agency cooperation with the CIO

Government Technology | Oregon Gets Cybersecurity Booster Shot with Governor’s Approval of Senate Bill 90

Why are Frederick County Public Schools (Maryland) adopting new data security rules? The School experiences a data breach.

5 Elements from the new data breach policy:

• Requires frequent and thorough teacher and staff training for treatment of sensitive information
• incident response planning
• acceptable use of technology
•  information technology security awareness
• sets guidelines to mitigate and communicate risks for FCPS student and staff information systems

Also requires a 3rd party contractor to test the schools’ data security regularly.

Frederick News Post | New FCPS data security policy takes measures to protect student information

How to pass electric grid cybersecurity standards in 2 steps of legislstive logic:

• Tie expedited permitting of pipelines to electric grid modernization
• Tie electric grid modernization to grid cybersecurity

Natural Gas Intel | Senate Energy Policy Reform Bill Revived, Fast-Tracked

A bipartisan, and awkwardly named piece of legislation, the Promoting Good Cyber Hygiene Act, calls for:

• National Institute of Standards and Technology would establish a set of baseline voluntary best practices for safeguarding against cyber intrusions 
• provide the public access to the cyber hygiene practices
• require annual updates

The Hill | Senators introduce ‘cyber hygiene’ bill

1/2 of health care organizations say they are prepared for a data breach.

The American Medical Association proposes these data security incentives:

• CMS to include among its improvement activities in the Quality Payment Program (QPP), a credit for practices who engage in good cybersecurity hygiene and protect sensitive information;
• best practices and tools must be scalable & able to accommodate the needs of physicians of all sizes and practic areas; and
• larger practices should share their best practices with smaller health care entities to best protect health care communities.

Health IT Security | Incentivize Cybersecurity Best Practices for Data Security

Automakers say they need flexibility to adapt technology of self driving cars. 

What’s known for flexibility? the sarcastic answer: enacted statutes and their ability to keep up with technology

What’s the solution for cybersecurity for self driving cars? According to the American Center for Mobility self imposed rules by industry are the best option.

Automotive News | Cybersecurity push may tie up autonomous-car legislation

Department of Defense is adding cybersecurity standards to its procurement process. 

Requirements in the new contracting rules that take effect this fall are:

• Maintain adequate cybersecurity
• Notify the requisite agency of cyber incidents
• Applies to any subcontractors

FedScoop | Pentagon will soon hold contractors to elevated cyber standards

Data Breach at HHSC? No, a box of client records was left in a box unattended by a dumpster in Houston.

The personal information exposed included:

• names
• client numbers
• birth dates
• case numbers
• phone numbers

The HHSC response:

• 1 year of free credit monitoring to anyone affected
• A review. of HHSC’s document destruction procedures

SC Media | 2,000 Texas HHSC clients health data compromised

HHSC | HIPAA Notice: Houston-area Accidental Loss of Client Information

Vermont’s Governor signed S135 that will expand economic opportunity for financial technology industries.

Arizona’s Governor signed HB2417  that recognizes blockchain signatures and smart contracts

Buckley Sandler | Vermont Governor Enacts Law Including Blockchain Application

GOP Data Firm, Deep Root Analytics, stored personal details of roughly 198 million citizens unprotected and publicly assessible. 

A cybersecurity firm says potentially all of America’s 200 million registered voters were exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details.

The complaint: McAleer v. Deep Root

Business Insider Nordic | ‘The mother lode of all leaks’: A massive data breach exposed information that ‘you can use to steal an election’

SC Media | No recourse, perhaps, for 200M affected in breach of RNC database, attorney says

21 States responded to President Trump’s repeal of Obama era internet privacy regulations, by offering state regulations for internet privacy. Let’s take a peak.

In California, one internet service providfer, AT&T, has spent $2.71M in the last year.

Federal preemption isn’t a concern because the FCC laws and rules share duties with the states and there is no explicit preemption.

NCSL | PRIVACY LEGISLATION RELATED TO INTERNET SERVICE PROVIDERS

The Recorder | Calif. Pushes Internet Privacy Rules That Trump Repealed

21 States responded to President Trump’s repeal of Obama era internet privacy regulations, by offering state regulations for internet privacy. Let’s take a peak.

In  California, Assembly Bill 375, will:

• Customer information an only be used or sold after obtaining “opt-in” consent
• Prohibit penalties or discounts based on consent

Federal preemption isn’t a concern because the FCC laws and rules share duties with the states and there is no explicit preemption.

NCSL | PRIVACY LEGISLATION RELATED TO INTERNET SERVICE PROVIDERS

The Recorder | Calif. Pushes Internet Privacy Rules That Trump Repealed

Some say hospitals that get hit by a ransomware attack need not disclose the ransomware data breach.

The question- If data is held hostage/accessed but is not taken must that be disclosed?

The supporters for disclosure say: More mandatory reporting.This regulatory gap limits the health-care system’s ability to fight cybercriminals.

Who is counted among supporters of disclosure? Congressman Ted Lieu, a California Democrat who along with Congressmen Will Hurd, a Texas Republican

What do hospital lawyers say? Hospitals have financial and competitive incentives to avoid all but required reporting

WallStreet Journal | Why Some of the Worst Cyberattacks in Health Care Go Unreported

Cyber security is becoming an element in analysis for bond markets.

Is this shift a result of a catalyst? Yes, the use of malware toward local governmental entities

Does this follow inthe footsteps of other entities disclosing cyber protections to investors? Yes, utilities and hospitals are starting to disclose any information to potential investors in bond documents about cyber risks or defenses

Reuters | U.S. muni market slowly starts paying heed to cyber risks

State: Illinois

Illinois’ Solutions to prevent election hacking in the 2018 mid term elections:

• Sending election officials a letter with these instructions:
  • scrub voting systems of potential malware
  • fill any kind of security gaps
  • continue to be vigilant 

Politico | LAND OF LINCOLN PREPS FOR 2018

WGN | Illinois among 8 states investigating Russian hacking of its elections

Chicago Tribune | From the community: Sen. Michael E. Hastings works to protect Illinois election data from foreign cyber threats

Virginia Gov. Terry McAuliffe, Chair of the National Governor Association, urges states to:

• not wait for the federal government to protect data security and privacy
• federal funding is needed for states
• states must lead with coordiantion with the federal government
• Virginia’s Executive Order creating a Cyber Security Commission should be duplicated in other states

Politico | Governor Cyber Speaks

Fitness Tracker data storage in the cloud leaves individuals subject to the following data privacy issues:

• stalking
• identity theft
• profiling by creditors and insurance companies
• extortion

Irish Times | Fitness trackers run into resistance over data security concerns

The Securities Exchange Commission has issued a warning investment advisers that they need to be more proactive in data security by:

• conduct continuous cyber-risk assessments
• performing penetration or venerability tests
• 26% of advisers and funds examined failed to conduct periodic risk assessments of critical systems to identify cyber security threats, vulnerabilities, and the potential business consequences.

Reuters | SEC identifies adviser cyber security flaws

Reuters | Exclusive: New SEC enforcement chiefs see cyber crime as biggest market threat

Has a US city had its credit rating downgraded after a cyber attack? No

Do financial industry analysts think it possible to downfgrade a city’s credit rating after a cyber attack? yes

What factors can play into whether a local governmental entity’s credit rating could get downgraded?

• Does the local governmental entity, like a school district or municipal utility, have the fiscal reserves to pay the costs of cleaning up a cyber attack?
• Does the cyber attack hamper the tax payers support of the local governmental entity, and thus the local governmental entity[s ability to raise additional taxes?

Governing | Can a Cyberattack Cause a Credit Rating Downgrade?

State: California

The legislation: Assemblyman Matt Dababneh sought to apply the standard applied to business of requiring 1 year of ID theft protection services for anyone who is impacted by any government breach in California. AB 241 (2017) 

The Opposition is winning as the bill stalls. The loyal opposition includes California State Assn. of Counties, the Urban Counties of California, and the League of California Cities

Opposition arguments:

• it would cost cities & counties too much
• state agencies store their information in shared data centers so it would be too hard to discern whcih agency should pay the cost of the services

Government Tech | New Legislation Pressures California Lawmakers to Strengthen Data Security

The federal HEALTH CARE INDUSTRY CYBERSECURITY TASK FORCE released 27 recommendations in its June 2017 report, and set forth these 5 future regulatory issues for health care cybersecurity:

The State Legislature that created the Office of Cyber Defense Coordination​: Nevada

Within which state agency will the Office live? Nevada’s Department of Public Safety

The Legislation creating the office: Nevada’s AB 471 (2017)

What do these cyber offices look like in other states?

• New Jersey Cybersecurity and Communications Integration Cell 

• Washington state’s Office of Cybersecurity 

• Georgia has its State Government System Review Board, under the direction of Georgia’s CIO.

• California’s Cybersecurity Integration Center is housed within the California Office of Emergency Services

• Idaho lawmakers approved the Cybercore Integration Center on the Idaho National Laboratory campus

• Oregon has pending legislation for  the consolidation of cybersecurity powers under the state CIO, as well as establishing the Oregon Cybersecurity Center of Excellence and the Oregon Cybersecurity Fund.

Government Technology | Nevada Governor Signs Bill to Create Office of Cyber Defense Coordination

State: Massachusetts

The highest level Massachusetts government position created: Secretary of Technology

The MA Secretary of Technology would be tasked with hiring:

• chief data officer
• chief privacy officer
•  chief digital officer

Originator of the MA Secretary of Technology post: The Massachusetts Governor

Data and cyber positions are gaining power insisde and outside government.

Greenfield Recorder  | New Baker bill creates Cabinet position for technology

The brainchildren behind Intelligent Transportation Cybersecurity Task Force: Intelligent Transportation Society of America & nonprofit Cyber Future Foundation

Which stakeholders are involved? auto manufacturers, government leaders and transportation officials

What will the task forces study? cybersecurity issues-  legal and liability issues and policy, regulation and legislation- to esnusre the highest elevel of safety and privacy in a connected transportation environment

Politico | Morning Cyber Security | NEW TRANSPORTATION THINKING

• Rural and underserved areas will have fewer options for telemedicine with no net neutrality
• Rural and underserved areas will have more expensive telehealth care
• Hinders the growth of improved digital healthcare and access to healthcare

Healthcare Dive | What happens to telemedicine if we lose net neutrality?

Background: The FCC in 2017 overturned internet privacy

What is Congress Doing in Response? Congresswoman Marsha Blackburn, R-Tenn., chairwoman of the Communications and Technology Subcommittee, filed a bill to return the power to regulate the internet back to the FTC.

What do privacy advocacy rights advocates say about this bill? 17 states have bills to protect state resident data privacy. The federal bill by Congrresswoman Blackburn would preempt those state laws.

Improving the Outcomes of Government IT | Internet Privacy Bill Would Override State Laws

Nevada Senate passed an internet security bill that will:

• Requires Internet providers to disclose what types of personal information they collect from users
• Requires Internet providers to publish information on any third-party contractors who may be stockpiling user data

Why are states passing internet security bills?

• Facebook has settled a suit about its scanning of persoinal messages
• The Trump Administration repealed internet privacy regulations
• Google is in settlement proceedings over scanning non-gmail email 
• Vizio allegedly collects viewer data without consent

Nevada Senate Bill 538 (2017)

Jurist | Nevada Senate Approves Internet Privacy Bill

A court in Vermont ruled that the State Agency of Education must release school bullying information it has collected under the public information act.

Rutland Herald | State must yield bullying data

Amendments to Congressman Tom Graves’ Active Cyber Defense Certainty Act include:

• mandatory reporting requirement for entities that use active-defense technique
• the reporting to federal law enforcement will ensure such tools are used responsibly
• 2 year sunset clause
• exemption allowing people or companies to recover their lost data if it’s found using defensive techniques and can be grabbed back without destroying other data.

Politico Morning Cyber Security | Scoop: ‘Hack back’ bill gets version 2.0

State: Florida

The data breach: Department of Agriculture and Consumer Services online payment system was hacked and the following information was obtained:

•  names, addresses and phone numbers of 16,000
• 470 people whose social security numbers

What steps did Florida take? Ordered a review of the department’s cyber security measures  & offering free credit monitoring

What was the reaction of gun owners? “ too little too late”

WWSB ABC 7 | Concealed weapons permit holders targeted in massive data breach​

Satte Attorneys General reached an $18.5 Million settlement with Target. 

Law 360 | State AGs Set Data Security Bar With Record $18.5M Pact

AG Paxton Announces $18.5 Million Settlement with Target to Resolve 2013 Data Breach 

Country: Germany

The protections that Germany seeks to combat election hacking:

• Greater hacking authority for its law enforcement
• Specifically, Germans are pushing for the ” use co-called Staatstrojaner, or “state-trojan,” to break into computers and smartphones.”
• German high courts have limited the ability for government hacking unless lives are at stake.

SC Media | Lawmakers in Germany push for encryption-busting trojan in lead up to election

Who is proposing a cyber national guard? Congressman Will Hurd, Chair of the House’s information technology subcommittee

Why push for a cyber national guard?  to help recruit stronger talent to fill cybersecurity roles in the federal government

How does the private sector factor in? a cyber nataional guard would “allow industry professionals to bring innovative ideas back into the federal government without the government having to keep up with the salaries available in the technology community.”

The Hill | House IT chair eyes ‘cyber national guard’ as next legislative push

The GAO has issued a warning about the economic impact of data breaches & the economic boon of the Internet of Things, inter conencted devices. 

The economic impact as a result of a data breach is tempered by the economic benefits of health care adopting connected devices (IoT technology). The numbers:

•  60% of healthcare organizations worldwide expect to adopt IoT technology by 2019
• 73% of organizations that adopt IoT point to cost savings

Health Care Dive | GAO warns about IoT security, privacy and safety issues

GAO | Internet of Things

4 ways mortgage companies can up their game and push back regulatory fines:

• Proper security frameworks and policies that secure data both inside and outside;
• Assess vendors and third parties for data breach risk;
• Work with experts to assess and manage the “risk across the supply chain and build better defense-in-depth to prevent a breach;” and
• “Use tools and analytics that are specially designed to monitor and assess the security posture of vendors in real-time, as well as improve contractual provisions that result in greater security performance.”

Housing Wire | Mortgage data isn’t secure: Here’s why and how to fix it

State: Delaware

 What is HB 180 in Delaware trying to do?

• Improve notification requirements
• Require 1 year of identity theft mitigation services when Social Security numbers are breached
• Require businesses to safeguard personal information
• Require notice to Delawareans affected by a breach within 60 days of discovery
• If more than 500 residents impacted, the Attorney General must be notified

If passed, Delaware would be state #2 to require ID theft services after a breach.

News.Delaware.Gov | Governor Carney and Legislators Announce Bill to Expand Cybersecurity Protections for Delawareans

Delaware HB 180 (2017) 

Legislative body is located where? Australia

What triggers licensing issues when failing to meet data security standards? 

• Licensing enforcement is triggered only for companies valued at greater than $3 million in revenue

The goal: Move data security to the forefront with business leadership

Intelligent Insurer | New data breach reporting legislation deemed cyber game changer in Australia

The advocates:  Parent Coalition for Student Privacy and the Campaign for a Commercial-Free Childhood

The toolkit for parents to empower them on student data privacy: toolkit

What’s the target: data privacy policies of school districts and ed tech companies

Education Week | New Student Data Privacy Toolkit Encourages Parent Advocacy

The Federal Trade Commission created  the website, FTC Small Business.

The goal of  FTC Small Business is to:

• become better prepared for dealing with scams
• securing computer networks

State agencies to follow…

SC Media | FTC launches cybersecurity site for small businesses

The State: Rhode Island

The New Executive Level Office in Rhode ISland:  state cybersecurity officer

The goal of the office:  developing and putting into place a comprehensive state cybersecuritystrategy

How did the state cybersecurity officer position emerge? It was a “key recommendation of the governor’s Cybersecurity Commission, established in 2015 with the aim to lay out plans to protect the state’s IT infrastructure as well as grow a thriving cybersecurity industry”

State Tech | Rhode Island Ups Cybersecurity With Creation of CSO Position

the federal legislation: Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology (MAIN STREET) Cybersecurity Act

how it helps small businesses: Adds small businesses to the list of things that the National Institute of Standards and Technology must consider  when updating its voluntary guidance on how to guard against cyberattacks. 

the state commission recommendation: Missouri’s Cybersecurity Task Force recommended increased support for small businesses around cybersecurity threats

Financial Regulation News | Sen. McCaskill introduces bill to protect small businesses from cyber-attacks

The state: Illinois

The election data target:  no specific data target, it was a broadly executed hack on the Illinois election system

The hack:  Retrieving voter information via voter identification number starting at “000000001 and incrementally adding one” digit

The Hill | Illinois voting records hack didn’t target specific records, says IT staff

The fake statistic: 60 percent of small businesses that suffer a cyberattack will go out of business within six months

The statistic is usually attributed to :   National Cyber Security Alliance

What legisaltion has this fake statistic appeared in?  HR 2105  & S770

NextGov | HOW A FAKE CYBER STATISTIC RACED THROUGH WASHINGTON

City: Seattle

Seattle’s Broadband Ordinance requires:

• ​requires Cable Operators to obtain opt-in consent before sharing a customer’s web browsing history
• Requires Cable Operators to obtain opt-in consent before they use customer web browsing history
• The exception: unless it is necessary to render a service ordered by the customer or pursuant to a subpoena or valid court order authorizing disclosure, or to a governmental entity.
• Cable operators must attest to compliance with this rule by September 30, 2017, and annually thereafter

Seattle.gov | Seattle issues rule to strengthen broadband privacy for consumers

Cybersecurity Risk Management Audits are a 2 step process:

• “criteria used by management to explain its cybersecurity risk management”
• “a control, outcome-based criteria that management can use to internally evaluate controls and processes in place”

Bloomberg | “COMMON LANGUAGE” ENVISIONED FOR CYBERSECURITY RISK MANAGEMENT AUDITS

First came New York. Now comes Colorado promulgating cybersecurity rules on their financial sector. 

The Colorado proposal will apply to:

• financial advisers
• broker-dealers
•  entities with state securities licenses

The Colorado rules will require securities licensees to:

•  conduct an annual assessment of their cybersecurity risks
• require written policies and procedures explaining how they are protecting clients’ personal and financial information

Bloomberg Law | Colorado Moving to Set Financial Adviser Cybersecurity Rule

Colorado’s Rulemaking Notice (2017)

The uptick in hacks as connectivity increases:

• 42% increase in the number of connected devices since 2016
•  number of attacks on critical infrastructure jumped from under 200 in 2012 to almost 300 attacks in 2015

Smart technology adoption is high, but:

• innovations are deployed without robust testing
• cybersecurity is often neglected
• security protocols are not kept current

A hypothetical hack of power systems impacting 93 Million in North America would cost:

 anywhere from $21 billion to $71 billion in damages.

Harvard Business Review | Smart Cities Are Going to Be a Security Nightmare

• Self driving cars
  • The Hill | Cyber official: Feds, companies need better dialogue on security of self-driving cars
• Flying Cars
  • The Recorder | Who Will Regulate Flying Cars?

South Africa recently enacted a new data breach notification law that requires companies to:

• Notification by the company will have to factor in the needs of law enforcement
  • Delay is only permitted if it undermines or impedes an investigation
• Companies are asked to restore the integrity of their information system.
•  Notification itself must be in writing  either via email or regular mail 
• Alternative notification if mail fails, is  prominent position on the website, published in the media; or as directed by the Information Regulator.
• The notification must provide sufficient information to allow the person whose information was compromised to take protective measures against the potential consequences of the compromise.

• Notice must describe measures taken by the company  to address the security breach
• Notice must include recommendation on what measures  the person whose information was compromised should take to mitigate the possible adverse effects of the breach.

• If known to the company, the identity of the unauthorised person who may have accessed or acquired the personal information must also be divulged to the data subject.

Business Tech | SA companies will soon be forced to tell customers of a data breach by law​

City: Newark, NJ

The ransom: 24 bitcoins, or roughly $30,000

the impact to the city: Poilice operations were functioning, but the city’s administrative systems were functioning in safe mode.

The date of the attack: Began on April 21st.

SC Media | City of Newark reportedly hit in ransomware attack

Federal Agency Regulatory Oversight option(s):

•  FTC
•  Consumer Financial Protection Bureau
•  Office of the Comptroller of the Currency

4 identified data security areas in fintech:

• marketplace lenders
•  mobile payments
•  digital wealth platforms
• distributed ledger technology

Balance data security protections with the 3 benefits of fintech:

• lower costs
•  faster service
• expanded access to credit

The Recorder | GAO’s Fintech Report Highlights Data Security, Lack of Clarity on Regulatory Oversight

• Technology moves faster than legislation
• State based regulations are more uniformly enforced than federal
• State based legislation is more easily fixed than federal 

GCN | Closing the gap between technology and public policy

State: South Carolina

The Cyber Security Executive Level Entity: Critical Infrastructure Cybersecurity Executive Oversight Group

How was the Critical Infrastructure Cybersecurity Executive Oversight Group created? Executive order

 The Governor tasked the group with:

• examine, enforce, and strengthen cybersecurity
• aim to mitigate cyberattack

State Tech | South Carolina Establishes Cybersecurity Oversight Group

WISTV | McMaster looks to boost state’s cybersecurity through executive order

How the Spring Branch School District school was hacked: with a stolen password

What did the hacker do once in the SBISD computer system: changed grades

Was the hacker caught?

• Yes, the 10th grade student was arrested & charged with breaching a computer system, a state jail felony
• The student offered to change other student grades for a fee

SC Media | Texas 10th grader hacks school network to change grades

KHOU | Student accused of changing grades at Memorial HS

When considering legislation to protect state infrastructure and emergency management systems, it has beeen revealed that the hack that led to the triggering of the Dallas emergency alarms was not a computer hack, but a hack of the radio signals.

State Tech | Dallas Reveals Radio Signals, Not Network Hack, Triggered Emergency Sirens

State: Virginia

The breach that triggered legislation: rampant W-2 phishing e-mails that have plagued businesses

Why was a legislative fix necessary? These data breaches and scames cost many states millions of dollars as a result of payments made and investigations conducted on fraudulent tax returns.

The legislative fix:

• Notification to Attorney General & VA Department of Taxation
• When employers and payroll service providers experience a breach
• The breach must involve taxpayer identification numbers & withholding information 

Virginia H2113 (2017)

The survey of utility professionals: Utility Dive’s fourth annual State of the Electric Utility Survey, surveying more than 600 utility professionals

The #1 most pressing issue facing utility companies: cyber and physical security 

what you need to know:

• In 2015 & 2016 cyber and physical security was the 6th most pressing issue for utilities
• Increased media attention to cyber threats has raised the issue’s importance
• How the issues ranked as very important to the companies surveyed:
  • cyber and physical security  36%
  • DER policy. 32%
  • state regulatory model reform 32%
  • rate design reform. 29%
  • aging grid infrastructure 28%
  •  threat to reliability from integrating variable renewables and DERs 28%

Utility Dive | Why utilities say grid security is the most pressing sector issue of 2017

The U.K. Parliament is working to create an election hacking unit that:

• The unit’s goal: help ensure the integrity of UK Democracy & public confidence
• The unit will be monitoring only
• Recommendations focus on an executive level, law enforcement driven unit

SC Magazine UK | Parliamentary committee proposes unit to combat ‘election hacking’

Trendy new exception to data breach notifications: encrypted data

How Tennesee worded the exception in its legislation: 

Tennessee SB 547 (2017) 

The National Association of Insurance Commissioners is being urged to adopt New York’s Cyber Finance Security Rules in each of their respective states.

NAIC will release proposed rules soon

Reuters | New York Regulator Wants Other States to Model Cyber Laws After Its Rules

Refresher on the New York Cyber Security Rules from January 2nd, 2017 informed:intel:

The state upping the ante on data security rules for the finance industry: New York

The new New York rules announced December 28th will:

• Effective Date will be March 1, 2017 instead of January 1st
• Require annual reporting to the state about data security compliance
• Requires financial institutions to maintain comprehensive audit trails
• Mandatory reporting of any cybersecurity event within 72 hours
• Financial institutions must appoint a Chief Information Security Officer (CISO)
• Required multifactor authentication for staff accessing internal networks or information systems externally

Business Insider | New York delays new cybersecurity rules for financial firms​

Background on the emergency system hack:

• all 156 of Dallas’ emergency sirens were hacked and triggered to sound last weekend
• The hack of the system exposed that the system had to be shut down 

Procurement Opportunities for Emergency IT:

• Mayor Rawlings called it “evidence of a need to upgrade and safeguard the city’s technology infrastructure”
• The hack was tracked down because of the ability to coordinate with other security professionals
• The sirens triggered a heavy load on the city’s 911 system that triggered up to 11 minute wait times

New York Times | Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say

An exception to Tennessee’s data notification law is if the data that was hacked was encrypted. 

Bloomberg Law | New Tenn. Law: No Breach Notice Needed if Data Encrypted

The  Bill:  Illinois Right to Know Bill

What does the Right to Know Bill in Illinois do? It allows a person to know what information is collected about the person and to which businesses that information could be sold.

Why is it considered bad for business? 

• complex compliance regulations, which would apply to businesses of all sizes,
• enormous burden on small businesses statewide
• “requires any business with a website — even a local flower  shop or pizza parlor — to draft privacy policies longer and more confusing than anything required by existing law and to create new IT (information technology) systems”
• pro-trial lawyer legislation

Dispatch Argus | Bill will crush small business, tech investment

Teaching Hospitals. 

Johns Hopkins Carey Business School looked at data for data breeches at hospitals:

•  1,798 data breaches hit hospitals from Oct. 21, 2009, to Dec. 31, 2016
• 33 hospitals reported more than one breach — many of them teaching hospitals. 
• Of the 141 acute care hospitals that reported breaches to HHS, 52 were major academic medical centers
• In 2016, the overall number of electronic records that were compromised grew by 566% to more than 4 billion

Health Care Dive | Teaching hospitals at higher risk for data breaches, study finds

75% of adults polled want digital privacy & “would not let investigators tap into their Internet activity to help the U.S. combat domestic terrorism”

Reuters | Most Americans unwilling to give up privacy to thwart attacks: Reuters/Ipsos poll

• Illinois
  • “right to know” bill
    • will let consumers find out what information about them is collected & what kinds of businesses the information is shared with
  • A bill to regulate when consumers’ locations can be tracked by smartphone applications
  • A bill to limit the use of microphones in internet-connected devices like mobile phones, smart TVs and personal assistants like Amazon’s Echo
• California and Connecticut
  • Updated their laws to restrict government access to online communications like email
• New Mexico 
  • Considering the California & Connecticut law to restrict government access to online communications
• Nebraska & West Virginia
  • Enacted laws that limit how companies can monitor employees’ social media accounts
• Hawaii & Missouri
  • Pending legislation limits how companies can monitor employees’ social media accounts & may move to add the same protctions for students and tenants.

New York Times | Push for Internet Privacy Rules Moves to Statehouses

A March 2017 GAO highlights flaws with credit monitoring services.

Credit monitoring services do not address these cyberthreats:

• medical identity
• tax refund fraud 

GAO | IDENTITY THEFT SERVICES 

State: Ohio

IT Procurement Issue: How to get innovative tech firms to bid on IT contracts, especially for data analytics.

The procurement change: Remove the old school, clunky procurement process

The procurement fix:

•  streamline the procurement process by creating a request for proposal that prequalifies companies to provide analytics according to a range of disciplines, such as fraud, auditing, risk management, public safety…
• remove the requirement that a vendor has to have worked for a state of similar size before the vendor works with Ohio

Governing | Letting the Little Guy In: How Ohio Expanded Its IT Expertise

What guidance is the FBI giving medical and dental providers on cybersecurity? That file transfer protocols, FTP, transfers csn be accessed by anonymous users without passwords. Cyber secuity measures should be taken to correct server settings.

What speficially did the FBI say about protected health information (PHI) pr personally identifiable information (PII) ? PHI & PII should not be kept on FTP servers allowing for anonymous operation

National Law Review | New FBI Warning for Healthcare Providers: Cybersecurity

No, thank you. Or, thank you, but no. 

Microsoft has taken the stand  that the only way it will turn over data to the government  is if Microsoft is legally compelled to do so.

What is Microsoft saying? Sue me or more politically correct, “”We will not help any government, including our own, hack or attack any customer anywhere,””

SC Media | Microsoft president takes stand against turning over data

The U.S. Chamber of Commerce is making cyber security recommendations for regulators and policy makers, including:

• agency leadership needs to work with business to “harmonize cyber regulations”
• modernize government IT structure
• clarify the roles and responsibilities of the public and private sectors when it comes to cybersecurity

The Hill | Chamber of Commerce urges Trump to get business input for cyber strategy

The data breach: Denton Health Group had thieves steal 7 years of patient data

The cyber theft: The thieves stole physical hard drives which were not encrypted

Encryption & health care:

• 65% of health care providers encrypt in the cloud

Health Care Dive IT | Cyber thieves steal 7 years worth of unencrypted data from Denton Health Group hard drive