Cybersecurity & Tech

Arizona Governor Ducey by Executive Order created the Arizona Cybersecurity Team (ACT).

ACT team membership: experts from state, local, and federal government, the private sector, and higher education

ACT Goals:

• enhancing cybersecurity workforce development and education
• increasing public awareness on cybersecurity best practices
•  advise and provide recommendations to the governor

The ACT primer cites 4 data breaches to support its mission:

• Texas Comptroller Data Breach
• Utah Health Care Data Breach
• Target Data Breach
• Home Depot Data Breach

Prescott News | Governor Ducey Forms Arizona Cybersecurity Team

The Online Snooping Bill:

• Georgia SB 315 (2018) 
• Republican State Senator
• unauthorized computer acess that didn’t involve taking data would result in a misdeamnor of a high and aggrevated nature

Opposition:

• criminalizes lying on a dating profile
• criminalizes violations of user agreements
• criminalizes any use of a work computer for personal use like checking the Falcons score

Washington Post | Sweeping Georgia cybercrime bill would target ‘snoopers’

The U.S. Supreme Court refused to grant review of CAREFIRST, INC., ET AL. V. ATTIAS, CHANTAL, ET AL which concerns:

• whether to bring a data security lawsuit, is actual harm or the possibility of harm required?
• the U.S. Supreme Court refusal left in place a standard  set by the U.S. Court of Appeals in the District of Columbiath that the possibility of harm is enough
• the burning question- is it up to the courts to hold entities responsible for safe keeping data?

Fierce Healthcare | Supreme Court denies CareFirst’s petition to review data breach case 

The new cybersecurity office:  Justice Department’s Cyber-Digital Task Force

Cyber Digital Task Force Goals:

• canvass the many ways that the Department is combatting the global cyber threat
• identify how federal law enforcement can more effectively accomplish its mission

Task Force members:

• CHAIR: senior Department official appointed by the Deputy Attorney General
• Department’s Criminal Division
• National Security Division
• United States Attorney’s Office community
• Office of Legal Policy
• Office of Privacy and Civil Liberties
• Office of the Chief Information Officer
• ATF
• FBI
• DEA
• U.S. Marshals Service

Report to be issued by June 2018 with a focus on these cyber issues:

• Election Hackers. election interference
• Grid Hackers. interfere with our critical infrastructure
• Fake News. use of the Internet to spread violent ideologies and to recruit followers
• Identity hackers. mass theft of corporate, governmental, and private information
• High level encryption. technology to avoid or frustrate law enforcement
• Viruses, ransomware  et. al. mass exploitation of computers and other digital devices to attack American citizens and businesses

Department of Justice | Attorney General Sessions Announces New Cybersecurity Task Force

State: Virginia

The legislation: HB 183 (2018) SB 271 (2018) 

What’s required by Virginia’s HB 183 and SB 271?

• Any income tax preparer in Virginia has to notify the VA Department of Taxation of a cyber security breach 
• Notification is triggered by when the tax preparer discovers the breach and must be done without unreasonable delay

Is there a cost savings according to the bill’s author? Yes, the state will save $300,000 a year because the state Department of Taxation won’t be issuing refunds to fake tax returns filed by hackers

WRIC | Va. bill takes on tax return data breaches

SEC adopted new rules this week to require greater disclosure of cybersecurity threats by businesses. 

What you need to know:

• prohibits trading on insider cyber security knowledge
• companies are urged to develop policies that allow them to quickly assess cybersecurity risks and decide when to tell the public
• prohibits companies from using internal or law enforcement investigations as an excuse for not informing the public.

Tech Crunch | The SEC says companies must disclose more information about cybersecurity risks

The new oversight:  Office of Cybersecurity, Energy Security, and Emergency Response at the Energy Department

Head of the new office:   will be led by an Assistant Secretary

Policy Goals of the new office:

• energy infrastructure security
•  support the expanded national security responsibilities
• coordination and focus on protecting energy infrastructure, like the electric grid, from cyber and foreign attacks & natural threats

Funding: $96 million

Department of Energy | Secretary of Energy Rick Perry Forms New Office of Cybersecurity, Energy Security, and Emergency Response

The Hill | Energy Department creates new office for cyber, energy security

Oregon’s SB 1551 (2018)  will require:

• notification to consumers of a data breach within 45 days unless it could hinder law enforcement
• if more than 250 Oregonians are affected, then notice must also go to the state Attorney General
• a violation triggers Deceptive Trade Practices Act 
  • this means class action lawsuits
  • this also means big fines
• no fees for credit freezes or thaws
• prohibits ‘ “upselling” by breached companies or third-party contractors when they offer people free credit monitoring or other damage-­mitigating services”

Register Guard | Oregon Senate approves new consumer protections after Equifax data breach

The 8 partners in the TRUST CHARTER:

• Siemens
• Munich Security Conference
• Airbus
• Allianz
• Daimler Group
• IBM
• NXP
• SGS
• Deutsche Telekom

Action Areas for Business and Government:

• A call to responsibility at the highest levels of government and business with a dedicated government section and chief information officer at organizations
• Companies must develop mandatory, third-party certification for infrastructure and solutions

“Governments must take a leadership role when it comes to the transaction rules in cyberspace,” said Wolfgang Ischinger, chairman of the Munich Security Conference

Clinical Innovation + Technology | Siemens, 8 partners sign charter to improve cybersecurity

State: Nebraska

The legislation: 

• LB 987 Bitcoin as acceptable currency
• LB 691 Virtual Currency Money Laundering Act
• LB 694  State preemtion on blockchain technology & prohibits local taxing of blockchain
• LB 695 Blockchain state contracting

LB 694 & 695 will require that:

• blockchain signatures are legally valid in Nebraska
• smart contracts are valid in all commerce in Nebraska
• local governments cannot tax, license or regulate blockchain technology

Omaha World Herald | Nebraska Legislature considers bills on blockchain, cryptocurrency for first time

State: Alabama

What entity organized the coalition against card skimming? Alabama’s Attorney General

The new coalition against card skimming: Alabama Focus Group on Skimming

What entities comprise the coalition?

• U.S. Secret Service
• Alabama Department of Agriculture and Industries
• Alabama Department of Transportation
• Alabama Fusion Center
• Alabama Law Enforcement Agency
• Alabama Petroleum Equipment Contractors Association
• Petroleum & Convenience Marketers of Alabama
• Alabama Attorney General’s Office

AL.com | State launches lab to fight growing problem of cyber crime

State: Alabama

Agency Housing the Cyber Crime Lab: Attorney General Office

What tools does the operator of a cyber crime lab need?

• talent to unlock cell phone evidence
• talent to track down credit/debit card skimmers
• talent to unmask criminals behind identity theft
• talent to help businesses &  local governments recover revenue  lost in cyber theft 

AL.com | State launches lab to fight growing problem of cyber crime

New alliance:  The Retail Cyber Intelligence Sharing Center (R-CISC)

Alliance members:

•  retailers
• gaming properties
• consumer product manufacturers
• grocers
•  hotels
• restaurants
• cybersecurity industry partners

Specific corporate members:

• Lowes
• Walgreens
• Starbucks
• MGM Resorts
• Gap
• Autonation
• Estee Lauder

Governor of Pennsylvania ordered counties to buy voting machines that also leave a paper trail to protect against hacking.

Pennsylvania is providing counties with this much funding to update voting machines: $0

Governing | To Prevent Hacking, Pennsylvania Will Create Voting Paper Trail

AP | Pennsylvania to require voting machines with paper backup

New York’s A09782  allows state agencies to enter into agreements to accept cyrpto currency like BitCoin.

State: New York

The Bills:  

• A08780 allows contracts secured through blockchain technology + allows smart contracts to exist in commerce
• A08792 blockchain to secure elections
• A08793 blockchain for the security of state records

The policy support for blockchain:

•  safer bet for state and local government records and contracts
• benefits to state and local governments
• tool for increasing accountability and transparency

State Tech | New York Targets Blockchain for Voter Security, Smart Contracts and More

Washington State House passed a net nuetrality bill, HB 2282, that will:

• establish net nuetrality in Washington State
• protect consumers in Washington State

The  bill will protect consumer by prohibiting companies from:

• Blocking of lawful content by internet service providers

• “Throttling,” or slowing down, of lawful content by internet service providers

• Favoring of certain content over others by internet service providers due to special deals (“paid prioritization”)

The vote in the House: 93-5

K5 | Washington House passes bill to protect net-neutrality rules

Seattle Times | Net-neutrality bill in the Washington Legislature easily passes the House

Bills in the Kansas legislature is proposing a Kansas cyber-security authority. H2331 (2018)

County Commissioners in Segwick County raise these concerns:

• Any local government connectiung to state system would have to have their cybersecurity programs reviewed
• Unfunded mandate
• For a small county like Segwick, the cost per person is estiamted at $700/person

WHAT WOULD THE KANSAS CYBER SECURITY AUTHORITY DO?

• Create a Kansas information security office
• review  cyber-security programs
• create training programs

KWCH 12 | County leaders express concern over cost of ‘Kansas Cybersecurity Act’

A Rhode Island legislator wants companies that have had a data breach to:

• notify the state and consumers in a “reasonable promptness”, quicker than the current 45 days
• Increase the penalty from $100 to $150,000 per breach

WPRI | Lawmaker proposes law to protect victims of data breaches

Rhode Island HB 7387 (2018) 

Harvard Business Review poses the question about creating no-fly list for computer systems to:

•  effectively identify threats and malicious traffic
• automate collection, optimization, and integration of threat intelligence
• share threat intelligence which has been shown to strengthen security 

Harvard Business Review | Why Every Company Should Consider Creating a “Cyber No-Fly List”

Cities and local governments are implementing net neutrality standards by:

• city-owned broadband options
• yes, municipally owned internet

What policies goals have some cities, like San Francisco, set for municipal broadband?

• internet acess must favor the general public and San Francisco values
• Ft. Collins is hailing municipal borad band as a means to reclaim privacy

Government Technology | States, Cities Turn to Tech in Bid to Preserve Net Neutrality Principles 

Two vulnerailities with EV charging stations have been spotted by tech experts:

• EV charnging stations are not required to transmit charging authorization information in an encrypted format
• EV charging stations are not required to prohibit duplicates of the same numbered card

Tech Crunch | Electric car charge-station payment systems may lack basic security measures

Nebraska Legislature is considering LB 757  that will:

• Applies data security requires people and businesses that owns, licenses or maintains data of Nebraska residents
• Requires a data security standard of “reasonable security procedures and practices:
• Ties the state legislation to  Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996 

How does this differ from other state approaches?

• Other states have focused on free credit freezes and free credit report un-freezing.

NTV | Proposed bill would offer free credit monitoring after data breach 

Iowa’s Attorney General is supporting House Study Bill 526 (2018)  which adds the following health care information to the state’s data breach statute:

• medical records, physical and mental health
  • including treatment & diagnosis
• health insurance information

Any other requirements in House Study Bill 526 (2018) ?

• 45 day notification requirement
• 128-bit data encryption requirement
• Notification to the state if written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator (an Equifax fix)

Health IT Security | Proposed Iowa Data Breach Bill Accounts for Health Data

Gerogia Legislature is considering Senate Bill 315 (2018) .

Data Security research supporters say the bill raises these 3 concerns:

• The terms  “access” and “authority” are not clearly defined
• because the terms are not clearly defined research will be quelled for the fear of committing an unknown crime
• The Federal Computer Fraud and Abuse Act also had broad terms and led to the “overzealous” prosecution of researchers

What’s the goal of the bill? To add the crime of unauthorized computer access to the Georgia Computer Systems Protection Act

KSU Sentinel | Georgia bill poses potential threat to cybersecurity researchers

In 2017 states outpaced the federal government in data security legislation, here’s what happened:

• 42 states
• Considered 240 bills and resolutions related to cybersecurity
• That’s 2 times as many bills and resultions as 2016

Edgile | Businesswire | US State Cybersecurity Regulation More Than Doubled in 2017, While Federal Regulation Waned

Where: New York

Who: New York Governor Cuomo

How: By Executive Order

What does the executive order do? NY Executive Order Number 75

• Prohibits state contracts with entities that  treat all web traffic equally
• Establishes internet access as an essential service

Why: In response to the FCC net nuetrality repeal, NY became the 2nd state to creae its own net nuetrality provisions.

The Hill | Cuomo signs executive order protecting net neutrality in New York

• City-wide digital platforms Data gathering, aggregating, and analyzing data 
• Development of Connected Intersections Smart City initiatives 
• Computing at the edge  faster and accurate for data analytics.
• Merging of GIS, big data, and analytics data modeling community behavior
• Public safety vehicles as digital hubs  faster and more accurately emergency response 
• More Connected vehicle capabilities, See NHTSA suggestions for Vehicle to Vehicle (V2V) communications. The Feds- yay!
• Greater real-time citizen wireless interaction  new government-citizen collaborative tools, including real-time video and data sharing and base-level artificial intelligence
• Link autonomous vehicles with government sensors Smart Cities!
• City Apps  transparency of government-gathered data
• Smart city amendments to municipal codes

Cisco | Top 10 Smart City Trends for 2018

H.R. 1224 (115th Congress) requires a 6 point audit of federal agency data security:

• a description of staffing plans
• workforce capabilities
• methods of conducting such audits
• coordination with agencies to support such audits
• expected timeframe for the completion of the audits
• other relevant information

Florida legislature is considering SB 1302 and HB 953  that will end fees for freezing or unfreezing a credit report.

The bills make no other changes to credit reporting entities.

The opposition, the “Consumer Data Industry Association,” opposes bills that removes all fees from credit freezes.

Palm Beach Post | Florida considers ending fee to freeze credit as Equifax leads gripes

2017 Congressional spending by tech companies:

• Google spent $18 million (up from $15.4 million)
• Facebook spent $11.6 million (up from $8.7 million)
• Twitter  spent $561,000  (down from $680,000) 
• Amazon spent $12.8 million  ( up from  $11 million)
• Apple spent $7.1 million (up from $4.6 million)
•  Netflix spent  $800,000 (same amount from 2016)
• NCTA – The Internet & Television Association: $12.8 million  (down from $13.3 million)

The Hill | As Tech Industry Boosts Lobbying Spending, Showbiz Outlay Stays Largely the Same 

How did Montana add net nuetrality on the state level? Executive Order

What does Governor Steve Bullock (D) executive order require? internet service providers with state contracts to abide by net neutrality principle:

• “in order to receive a contract with the state government, internet service providers must not engage in blocking or throttling web content or create internet fast lanes.”

Effective Date: Immediately with a 6 month grace period

The Hill | Montana becomes first state to implement net neutrality after FCC repeal

MT Gov. Executive Order No. 3-2018

Florida legislature is considering House Bill 1357 that will :

• look to transition state data centers to blockchain technology
• provides for electronic contracts and signatures secured by blockchain technology

As a side note, Arizona passed a similar bill in 2017. AZ HB 2417 (2017)

CoinDesk | Florida Bill Would Legally Recognize Blockchain Signatures, Smart Contracts

The Tennessee legislature is considering House Bill 1507 and Senate Bill 1662 which will:

• define blockchain signatures as legal signatures
• statutorily recognize contracts secured through blockchain

Business contracting meets 2018.

This month the Federal Trade Commission released a paper on cybersecurity issues with conencted cars.

4 Points from the FTC paper:

• lots of information is gathered and shared, the information must be protected
• can a vehicle’s safety controlled fuctions be segregated from other functions for public safety?
• how to best update cars when a new vulnerability is discovered?
• how to set a base line security standard for connected cars

Colorado Legislature is considering SB18-086 that brings together blockchain & data security legislation.

What you need to know:

• Calls for CO to adopt a distributed ledger
  • this means pieces of the ledger live in different cyber spaces, so a hack of 1 space does not expose all the data
• How does the bill get to a distributed ledger in Colorado state government?
  • Directs Colorado’s chief information security officer to evaluate the costs and benefits of using distributed ledgers in various government systems
  • CO will examine blockchain’s capability in handling cyberattacks compared to traditional computer systems

The Prime Miniter of Sweden announced the immediate formation of an agency charged with protecting the integrity of Seden’s elections. 

The new agency will be cahrged with:

• “psychological defence by identifying, analysing, and responding to external influence campaigns”
• will not hesitate to expose those who meddle in Swedish elections
• in coordination with the agency, there will be increased funding for Swedish intelligence and cyber-defence services to monitor external threats
• the agency will work with each parties’ officials to secure the election

Why does this matter? “A US report noted that Nordic states (Sweden) were “a favourite target of the Kremlin’s propaganda machine”

EU Observer | Sweden raises alarm on election meddling

Ohio Legislature is set to consider bills to strengthen cybersecurity for their election system by:

• Establishing a Cybersecurity director within the Secretary of State administration
  • the Director would be responsible for recommendations to keep elections secure
• Establishing a cyber-security advisory council appointed by the Secretary of State and made up of:
  • business community
  • technology community
  • law enforcement
  • voting advocates
  •  elections officials from both political parties
• Requiring counties to have election audits

Cleveland.com | Democrat Rep. Kathleen Clyde to introduce legislation to beef up elections cybersecurity

OH HB 466 (2018) 

OH HB 467 (2018)

California’s SB 823 (2018)  requires:

• Free credit card freezes and credit freeze lifts
• Allowing all credit reporting agencies to freeze credit by initiaiting a request with 1 credit reporting agency
• Allowing for electronic freezes and lifts

4 States currently allow for free credit freezes and freeze lifts:

•  Indiana
• Maine
• North Carolina
• South Carolina

The states looking to add net nuetrality requirements: North Carolina, Illinois, California, New York, Massachusetts, Nebraska, Rhode Island and Washington

4 policy goals of net nuetrality:

•  A level playing field for all online services that prohibits internet providers to block or slow down sites or online services
•  Ensure consumers find the content of the choice
• Maintain broad access to online services and information
• Protect businesses, large and small, from having to pay fees to reach users

Is there state authority to act? There is no statutory preemption & a 2016 case against the FCC stood for no FCC preemption 

Bipartisan? Yes. Republicans argue for the need to level the playing field for small businesses

New York Times |  States Push Back After Net Neutrality Repeal

The new federal legislation, The Data Breach Prevention and Compensation Act, would:

• Create a new cybersecurity office within the Federal Trade Commission
• Incentivize data security by imposing mandatory fines on credit reporting agencies with flawed security
• Annual inspections by the FTC of credit reporting agencies
• Fines would be divided to:
  • 50% to the consumers affected
  • 50% to the FTC to fund inspections and cybersecurity research
• Credit reporting agencies would have to report to the FTC their technical and organizational security measures

Gizmodo | New ‘Cybersecurity Office’ Would Oversee Companies Like Equifax and Dole Out Fines for Slipshod Security

The state Attorney General and a State Representative are promoting an forthcoming North Carolina bill, the Act to Strengthen Identity Theft Protections.

Here’s what the bill will do:

• Include ransomware in definition of data breach
• Protect more information by creating a duty for businesses to have reasonable data security standards, and include insurance/medical information in the data breach notification law
• Quicker consumer notification.  15 day time limit to notify the consumer & the Attorney General
• Free credit freezes & credit freeze lifts
• 3 free credit reports from each of the 3 credit reporting agencies
• 5 years of free credit monitoring if a credit reporting agency experiences a breach
• Penalties will follow the Deceptive Trade Practices Act  that makes each act a violation to which penalties can attach
• Require consent for credit reports
• Consumer right to all their information at a credit reporting service

Alabama’s Governor successfully pushed for a cybersecurity & engineering magnet school.

The school’s official name: Alabama School of Cyber-Technology and Engineering

Number of students: 300

Grades in the School of Cuber Technology & Engineering: grades 7-12

AL.com | New cyber, engineering magnet school coming to Huntsville

The 4 Issues the group wants covered by federal data breach legislation:

• A flexible, scalable standard for data protection that factors in:
  • the size and complexity of an organization
  • the cost of available tools to secure data
  • the sensitivity of the personal information an organization holds, as well as guarantees that small organizations are not burdened by excessive requirements.
• Notification when a reasonable risk exists. A notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm.
• Consistent, exclusive federal enforcement of the new national standard by the Federal Trade Commission (FTC) and state Attorneys General, other than for entities subject to state insurance regulation or who comply with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996/HITECH Act. For entities under its jurisdiction, the FTC should have the authority to impose penalties for violations of the new law.
• Clear preemption of the existing patchwork of often conflicting and contradictory state laws. 

The group supporting federal data security legislation: 

ACT | The App Association

American Bankers Association

American Insurance Association

American Land Title Association

BSA | The Software Alliance

Consumer Bankers Association

Credit Union National Association CTIA

South Carolina Attorney General clarifies- financial info yes, but not security information

South Carolina Attorney General says that the South Carolina election commission can withhold from disclosure cybersecurity information. 

Can related information about election cybser security be released thbrough open records?

Yes, South Carolina election commission will release financial information about cybersecurity products & services purchased

Michigan considered a bill to protect election cybersecurity information

HB 4973 (2017)  excepts from disclosure information that addresses:

• CONFIDENTIALITY, INTEGRITY, OR AVAILABILITY OF INFORMATION SYSTEMS,

• AND CYBERSECURITY PLANS, ASSESSMENTS, OR VULNERABILITIES

   

  State Scoop | South Carolina election commission permitted to withhold cybersecurity documents

Mississippi is considering statewide standards for data that will:

• how to long to store personal data
• how to dispose of personal data
• what personal data can be disposed of
• how to store personal data
• apply to all state entities that have personal data in their possession
• what a state agency, Department of Archives and History, needs to store data in perpetuity

What prompted this legislative action by Mississippi?

• A 2013 breach of health care data at the Univeristy of Mississippi
• A resulting 2016 $2.75 Million penalty by the US DHHS as a result of the data breach
• An unfavorable report by the state legislative watchdog committee for Performance Expenditure and Evaluation Review

Clarion Ledger | Lawmakers to review ways to make public’s identifiable data in state hands more secure

​Maryland HB 974 (2017)

• Includes all HIPPA information in the defintion of personal information for state data breach law purposes
• The bill also protects Biometric data, such as fingerprints, voice prints, and genetic prints

Delaware HB 180 (2017)

• Includes medical history in the defintion of personal information
• Requires “any person who conducts business in Delaware and maintains personal information must safeguard that information.”
• Requires health insurance information to be protected
• Establishes standards to dispose of the electronic information

Health IT Security | 2017 Updated State Data Breach Laws Account for Medical Information 

A UK court found that an employer, that had taken appropriate measures to prevent a data breach,  can be held vicariously liable for a data breach when an employee:

• deliberately misused the data
• intended to cause damage to the employer by misuing the data

Bonjour U.S. State Legislators- daat security liability issues should be in your radar.

Lexology | Employer held vicariously liable for employee’s deliberate data breach

WM Morrison’s Supermarket PLC | England and Wales High Court (Queen’s Bench Division) Decisions

New York’s new rules on credit reporting agencies will do these 4 things:

• Require consumer credit-reporting agencies to identify “dedicated points of contact” for New York’s Division of Consumer Protection
  • WHY? Ensure consumers can promptly get answers 
• Mandate that credit-reporting agencies respond “within 10 days” to any requests for information made on behalf of consumers by the Division of Consumer Protection
• Credit reporting agencies must “plainly disclose” to consumers all fees associated with any identity theft protection product sold or purchased, “including when those products are originally offered for ‘free’
• Require the credit-reporting agencies disclose to New York’s Division of Consumer Protection all business relationships and contracts with companies involved in marketing credit monitoring services and related products.

The tagline from state leaders: consumers should not be penalized for having their data breached

Boston 25 News | Citing Equifax data breach, one state cracks down on credit-reporting agencies

What standards did Los Angeles use in crafting its Cyber Center? Federal Government and industry Standards

The key to the city Cyber Center?  integrated strategic operations center

What does the integrated strategic operations center do? 

•  “processes cyber threat information from the Homeland Security Department, the FBI and various private sector and non-profit sources and feeds it out to its member operations centers and to city departments”

How does this help unify cyber protections in Los Angeles?  Prior to the cyber center the city’s IT office, the Water and Power Department, the Port of Los Angeles and Los Angeles International Airport did not communicate regularly on cybersecurity. Now each is on the same page.

Are other cities taking note? Yes, Chicago, Las Vegas and New York have visited to learn more

NEXTGOV | LA Cyber Center Hopes to be a Model for Cities Nationwide

The FCC overturns net neutrality rules and Attorneys General of New York and Washington announce their lawsuit raising these 3 concerns:

• FCC’s net neutrality repeal harms consumers
• FCC’s net neutrality repeal harms small business
• FCC’s net neutrality repeal harms innovation

The Attorney General of Washington State notes that he is 5-0 in his lawsuits against the Trump administration. 

The Hill | Washington AG to sue over net neutrality repeal

• Policies to improve data security workforce
• Liability policy for businesses that utilize 3rd parties to manage and mitigate security incidents and challenges
• Policies to encourage more women in data security workforce
• Liability and notification requirements when comapnies utilize automated security security tools
• Policies that Support Awareness and Training of existing workforce
• Policies that ecourage businesses to maintain a base level of data security and notification requirements

Health Data Management | HIT Think 6 data security trends to expect in the New Year

Progressive Market’s analysis lists 3 drivers for an increased demand in cyber insurace/data security insurance including:

• legislation on data security
• growing number of cyber-attacks which have led to great losses for organizations worldwide
• rise in awareness of different cyber risks

  Digital Journal | Cyber Insurance Industry Will Be the Next Big Thing in 2018

   

Refreshing our recollection:

OHIO is considering SB 220 that ties the NIST standards to liability limitation. Yes, tort reform meets data security.

Input on Draft Standards:

Feedback and comments should be directed to cyberframework@nist.gov(link sends e-mail) by January 19th, 2018.

3 Goals of the draft standards is to align the needs of :

• policy requirements
• business needs
• technological methodologies

Flexible Standards

The standards should eveolve as technology evolves

New buzz words are emerging in dagta security policy like: Cyber attack lifecycle

NIST | Cybersecurity Framework Draft Version 1.1

A new report by the Center for Connected Medicine found that data security leads th eminds of health care businesses:

• 9 of 10 health care companies will spend more on data security in 2018
• 54% want to better identify threats
• 50% want to better detect threats
• 50% want to better protect against cyber threats
• Less than 20% are focused on recover and respond technologies

Would health care providers pay cybercriminals?

• 17% said yes
• 17% were undecided
• 22% didn’t know
• 44% said no

Healthcare Dive | Cybersecurity tops list of IT investments for 2018

In a repsonse to cybersecurity challenges to rail, H.R. 4474 was filed that requires:

• requires a report to Congress on cyber and physical threats presented by foreign-owned software to the transportation sector
• Directs DHS to inform the industry about technical assistance it offers on cybersecurity.

Politico | TRANSPORTATION BILL CONTAINS CYBER PROVISIONS

Missouri will be considering  SB582 (2018) about student data breach notification. 

SB582 requires notification of a student data breach to 3 parties:

• the student’s parent(s) or legal guardian(s)
• the department of elementary and secondary education
• the state auditor 

Lee’s Summit Tribune | Auditor Galloway announces legislation to require schools to notify parents in case of cyber security breach

U.S. Senator Bill Nelson’s S.2179 would trigger criminal charges if:

• its found that “intentionally and willfully conceals” a breach
• and, a person incurrs $1,000 in damages

The criminal charge comes with up to 5 years in prison and/or a fine.

Who is making a request that medical device makers disclose component parts? House Committee on Energy and Commerce

On what agency are these policymakers making a request? Department of Health and Human Services

What is Department of Health and Human Services​ being asked to do?

• Require medical device manfuacturers to dislcose:
  • bill of materials (BOM) for each piece of medical technology
  • describe the device’s components
  • describe software utilized
  • disclose any known risks associated with those parts
• To promote cybersecurity through transparency

SC Media | House committee asks HHS to boost cybersecurity by requiring component list for medical devices

Vermont Governor Phil Scott named these new members to his Cybersecurity Team:

• Chief Security Officer at the UVM Medical Center
• President of Norwich University’s Applied Research Institutes
• Computer & Digital Forensics professor at Champlain College

4 Goals of the Cybersecurity Team:

• Assess the state’s cybersecurity status.
• Develop a plan to protect public and private sector information systems
• Evaluate readiness
• Strengthen safeguards

WAMC | Vermont Governor Names New Members To Cybersecurity Team 

The transportation system: Sacramento Regional Transit

The hack: destroyed internal systems data, but no data was stolen. It was a ransomware hack with a 1 bitcoin ransom

The recovered data: 80% via backup data

Impact on transportation systems: Train and bus service was not affected

Governing | Hackers Attack Transit System in California’s Capital

State with a new home health care worker registry: Massachusetts

 Supporters say:  Consumer protection

Opponents say: A worker database contradicts the state’s data security stance& jeopardizes worker safety

Mass Live | Gov. Charlie Baker signs law creating home care worker registry

The State joining the post-Equifax hack legislative trend: Rhode Island

The proponent: The Rhode Island Attorney General

The legislation would:

• Free credit freezes &un-freezes. prohibits credit bureaus from charging all Rhode Island consumers fees to place, temporarily lift, or remove security freezes on their accounts

WPRI | RI Attorney General files legislation on security freezes following Equifax data breach

The Business:   Cascade Investment, which is owned by Microsoft’s Bill Gates

The smart city: Belmont, a planned community in Arizona

The smart features:  

• high-speed networks
• autonomous vehicles
• high-speed digital networks
• data centers
• new manufacturing technologies
• autonomous logistics hubs

CNN | Bill Gates invests $80 million to build Arizona smart city

State: Colorado

What is risk limiting audit for elections? 

• require all jurisdictions to have a sound ballot accounting process
• require use a batch size of one ballot
• require that a cast vote record exist and be available and retrievable for each individual ballot

How do risk limiting audits combat election hacking?

• The number of ballots to select initially is calculated by using the risk limit and the margin of the contests
• Ballots are next randomly selected
• Each ballot’s vote marking is compared by hand to the CVR for that ballot

What other states are adopting similar protocols? New Mexico & Rhode Island

Was legislation involved? Yes

Governing | Colorado implements Risk-Limiting Audit process to verify election results

Health Data breach suit, CareFirst, is heading to the US Supreme Court, and setting up the standards for what injuries are necessary for a data security  claim.

The Appellate Court found that “that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft…we have little difficulty concluding that their injury in fact is fairly traceable to CareFirst,”

Code words for legislative drafters: fairly traceable

Health IT Security | CareFirst Data Breach Case Moves to US Supreme Court

Previously on informed:intel we read about Maryland’s updated data security bill from 2017, but let’s shift our focus to the inclusion of HIPPA requirements.

Maryland’s state data breach law will include this personal information colelcted by HIPAA covered entities:

• “medical history, medical condition, or medical treatment or diagnosis. Health insurance policy, certificate number, or health insurance subscriber identification number – in combination with a unique identifier that permits access to the information – were also added to the personal information definition.”

The HIPAA info will also triggers= the data security breach notification standard of “as soon as is reasonably practicable” or not later than 45 days.

Maryland HB 974  | Maryland Personal Information Protection Act – Revisions

Health IT Security | HIPAA Info Included in Updated MD Data Breach Notification Law

• Utah CIO say its expensive, a big budget item
  • $230,000 a year for $10 million in cyber coverage and has a $1 million deductible
• 38% of state CIOs say their state has some sort of cyber insurance
• Georgia has the largest amount of cyber coverage of any state
  • $100 million in coverage. $1.8 million-a-year premium & a $250,000 deductible per incident

Governing | Fearing Hackers, States Start Buying Cyber-Insurance + Insurance Journal

Ohio’s SB 220 sets up a benefit for businesses to comply: safe harbor from suit.

What’s required for a business to get the safe harbor? The business must  adopt “a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information that complies with the NIST cybersecurity framework “

The Toledo Blade | Lawmakers offer legal carrot to defeat data breaches

OH SB 220 (2017)

Cities in Wyoming are purchasing cyber insurance to protect themselves from hackers.

Some say that the Legislature should act to protect cities from hackers.

Proposed legislation includes:

•  long prison term for those caught conducting cyber attack
• a world-wide agreement on how to abolish cyber attacks

Cody Enterprise | EDiTORIAL: Cyber insurance good idea for city

The Iowa Attorney General is reviewing the state’s cyber security protocols to do 3 things:

• identify shortfalls in current legal requirements for those who store personal information
• look to enhance consumer protections
• seek to lessen the burden on consumers who’ve been victimized by data breaches
  • Such as “scrutinizing the fees that credit reporting agencies are allowed to charge Iowans for freezing and unfreezing credit reports — particularly data breach victims,”

Des Moines Register | Amid growing threats, Iowa lawmakers push for better state and local cybersecurity

Mcirosoft is hosting legislators from across the country to address cyber security legislative solutions.

Des Moines Register | Amid growing threats, Iowa lawmakers push for better state and local cybersecurity

The pension that was hacked: IPERS, Iowa Public Employees’ Retirement System

Hackers used this information:

• dates of birth
• social security numbers
• created online IPERS accounts to reroute payments

Government Technology | How Cyber-Thieves Stole From Iowa Pension Accounts

WHO: ECRI Institute annual health technology hazards list 

WHAT: #1 concern is data security. #2 concern is endoscope reprocessing failures #3 Alert fatigue

WHY: A May WannaCry cyberattack on UK hospitals shut down all medical equipment except emergency services.

Health Care IT | ECRI: Cybersecurity tops 2018 health technology hazards

State : Michigan

When did Michigan create its Cyber Security Volunteer Corps?  2013 under the Michigan Department of Technology, Management, and Budget

What did the 2017 amendment do? Michigan’s HB 4508  codifies the Corps and permits volunteers to bring cyber-defense services to nonprofit organizations, private businesses, educational groups, and other non-governmental associations.

What is required of volunteers?  Volunteers must undergo criminal background and FBI checks

Is there charitable immunity for the corps? Yes

Homeland Preparedness News | New Michigan law assigns cybersecurity volunteers to network security assistance during cyber attacks

Stateline | Pew Charitable Trusts | Michigan Governor Signs Volunteer Cyber Corps Bill

The U.S. Treasury Department’s October 276.2017 report entitled, A Financial System
That Creates Economic Opportunities Asset Management and Insurance, goes all in for uniform state legislation for data security model legislation for insurers.

What is the model legislation? The NAIC Data Security Model Law 

What’s the 10,000 foot view of the Model law?

• Applies to insurers, agents, and other licensees.
• Cover 3 hot data security issues:
  • implementation of information security programs
  • investigation of cybersecurity events, includ­ing risk assessment and risk management, as well as oversight of third-party service providers
  • notification to state insurance regulators about cybersecurity events 
• The Model law does not take the place of stte data privacy and data breach notification laws

Florida looks to be THE state for cybersecurity. Here’s what it is doing to get there:

• Higher Education. 
  • Florida currently has 13 schools that the National Security Agency has designated as centers of academic excellence in cybersecurity education or research.
  • Florida universities and colleges offer  40 cybersecurity-related programs for graduate and undergraduate studies 
• Workforce Pipeline.
  • ​The Florida Center for Cybersecurity helps universities & students
  • Shapes curriculum to meet industry wants
• Public Education
  • ​Including cybersecurity as early as kindergarten 
• Business
  • ​ Creating a cybersecurity hub
  • Hosting “boot camp-style” training programs, meet-ups and events
• Stronger Information Privacy Laws
  • ​the goal: to shape how companies approach issues such as securing personal information and disclosing to consumers when their data has been leaked.
• Engage the Attorney General
  • ​Mimicking California and encouraging the State Attorney General to take a “strong stance toward digital privacy.”

Government Technology | Florida Sets Sights on Becoming Cybersecurity Front-Runner

Michigan Legislature is moving HB 4973 to prevent cybersecurity efforts from being dusclosued under public information act. 

Support in the Michigan House: 101 to 5

The key bill text that exempts cybersecurity info from public information:  prevents disclosure of information concerning the  “confidentiality, integrity or availability of information systems.”

Potential policy benefit: the information protection could enecourage businesses to engagte in more information sharing on cyber security 

Michigan HB 4973 (2017) 

Congress’ Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act will:

• Require a maritime representative on the nation’s information sharing hub for critical infrastructure cyber threats run by Department of Homeland Security
• Require Department of Homeland Security to improve cyber information sharing and coordination at U.S. ports

U.S. H.R. 3101 | Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act

The Hill | House passes bill to boost cybersecurity at US ports

The Democratic National Committee is claling on state party offices to srengthen cyber security.

Buzz Feed | DNC Warns State Parties On Cybersecurity: Be Better

Connecticut is creating the Connecticut Cyber Task Force.

The Connecticut Cyber Task Force will consist of:

• a mix of Local, state and federal law enforcement agencies:
  • FBI
  • Drug Enforcement Administration
  • U.S. Secret Service
  • U.S. Postal Inspection Service
  • Homeland Security Investigations
  • Internal Revenue Service – Criminal Investigation
  • Defense Criminal Investigative Service
  • Connecticut State Police
  • 11 police departments from across the state, including the Bridgeport, Bristol, Fairfield, Greenwich, Hartford, New Canaan, New London, Norwalk, Stamford, Torrington and Westport Police Departments
• coordinated efforts for  emerging cyber threats
• provide training, resources and investigative strategies to address the significant ransomware and business email compromise attacks

2 Priorities of the tax force:

• identify and disrupt criminal organizations that use computer intrusions to defraud companies of their money and information
• target criminal activity on the dark web

United States Attorney’s Office District of Connecticut | U.S. Attorney and Law Enforcement Partners Announce Formation of Connecticut Cyber Task Force

A bipartisan bill in Congress seeks to require social media companies to disclose the same campaign related information that is required of radio and tv.

Which social media companies would be affected? websites, apps, search engines, social media and ad networks with over 50 million unique visitors

What would be trigger amount for dislcosures?  if a person or entity spends at least $500 on political ads a year

What disclosures would be required?

•  copies of ads
• information about groups purchasing ads
• data on the targets of the ads 

S 1989 (2017) by Kolbuchar, McCain and Warner

The Hill | Bill to halt election meddling on social media introduced

Alexandria Virginia News | Warner, Klobuchar, McCain Introduce Bipartisan Legislation To Prevent Foreign Interference In Future Elections, Improve Transparency Of Online Political Ads

Federal:

• Free Credit freezes:  HR 3766, S 1810 and SB1816,

States:

• New York SB 6879
  • ​require credit reporting agencies to automatically place a freeze on consumer credit files
• ​New York SB 6880
  • require businesses to disclose breaches within 15 days of discovery
•  Illinois (HB 4095 and SB 2230)  & Michigan (HB 5055)
  •  as well as measures providing for free credit freezes

Congressman Tom Graves H.R. 4036:

• “A voluntary review process that individuals and companies can utilize before using active-defense techniques;
  • This provision allows defenders to benefit from review of their proposed active-defense measures by the FBI Joint Taskforce, which will assist defenders in conforming to federal law and improving the technical operation of the measure;
  • The authority to conduct these reviews would exist under a two-year pilot program, and could be amended or renewed at a later date.
• Requires notification to the government for the use of active-cyber defense measures that go beyond beaconing;
• Clarification that the bill does not interfere with a person’s right to seek damages;
• Requires an annual report on the federal government’s progress in deterring cybercrime.”

Tom Graves | Rep. Tom Graves Formally Introduces Active Cyber Defense Bill

• West Virginia’s elections team added a cybersecurity expert from the state National Guard with a top-secret federal security clearance
• Colorado “will now verify election results via an advanced statistical procedure called a risk-limiting audit.”
• Rhode Island “will now verify election results via an advanced statistical procedure called a risk-limiting audit.”
• Delaware is moving its voter-registration list off the state’s aging mainframe computer

There are also new federal guidelines for election machines.

New York Times |  Wary of Hackers, States Move to Upgrade Voting Systems

The State: Kentucky

The proposed legislation would require companies responsible for a data breach to provide impacted Kentuckians:

• access to a free credit freeze
• 3 free credit reports each year from each of the major credit reporting agencies
• 5 years of credit monitoring
• Require all credit reports be encrypted.

How was the bill proposal announced? The State Attorney General Andy Beshear and the bill’s author, State Senator McGarvey, at AARP Kentucky’s Louisville headquarters

Insider Lousiville  | AG, senator announce legislation to protect Kentuckians following Equifax data breach 

California regulations on ride share require annual data reports. The data required to be sent to the state includes:

• types of service they provide
• what neighborhoods they serve
• how many miles their drivers log

What data do the cities want? 

• Data to help solve local transporation issues
• Ride Share’s affect on roads
• Ride Share’s affect on the environment

The data’s big bad issue: Privacy concerns about rider personal information

The Recorder | Uber and Lyft Resist Regulators’ Appeal for Data Sharing

October is National Cyber Security Awareness Month. Here’s exampkes of what governments and businesses have done to engage:

• D.C. has a Cyberscoop’s  DC CyberWeek  that brings together experts, executives, innovators, influencers and decision makers from government and business sectors to learn, network, hack and improve cybersecurity outcomes.
• ESETand Wrapify are sending a squad of #CyberAware vehicles on San Diego roads offering cyber security trivia and prizes
• Secure San Diego is a day event sponsored by partners The Cyber Center of Excellence & the City of San Diego  to showcase region-wide efforts to nurture a more secure cyber environment

We Live Security | Five cool things happening for National Cyber Security Awareness Month

Thus far in 2017, the number of education data breaches:

• doubled over 2016
• the first half of 2017 saw an increase of 103%
• North American bears the brunt of educaiton hacks, with 88% occuring here
• 74% were caused by malicious outsiders
• 13% were caused by stolen, lost or otherwise compromised records

Campus Technology | Education Data Breaches Double in First Half of 2017

Resiliance is the name of the game. R Street is calling for “resiliance” and not “remediation” in legislative solutions to data breaches.

If bills shouldn’t require that  consumers receive free credit report monitoring and cyber security standards and breach notification requirements for entities that maintain consumer data, what should bills do?

• Require the National Institute of Standards and Technology to maintain a list of brest practices
• The guidelines would ” empower[s] consumers to improve their resilience to cyberattacks”

R Street | Remediation won’t cut it – we need cyber resilience

Recode | Equifax rival TransUnion has hired cybersecurity lobbyists in Washington, D.C.

The Hill | Reddit hires first lobbyists

Texas State Representatives Minajarez, Pickett, Dale, Oliverson & Goldman requested the following interim charge:​

• Study what precautions toll road operators in Texas have in place to prevent cyber security threats, both internal and external.

The Minajarez, Pickett, Dale, Oliverson & Goldman letter to Speaker Straus dated 10.2.2017

During the Congressional hearings on the Equifax breach, Republicans bandied about the idea of requiring credit reporting businesses, that have exposed consumer information, to pay affected consumers “a couple thousand bucks each [consumer]”

The rational: An incentive to keep business data security up to snuff

The Republican: Congressman Joe Barton (R-TX), a founder of the bipartisan Congressional Privacy Caucus

The Hill | GOP rep pitches fines for hacked credit-monitoring firms

Data Security makes Governing’s Top 5 Government Trends to Watch. 

Why is data security such a big deal?

• costly
• includes identity theft which hits your constituents
• securing data and fighting off ransomware is expensive
• as it comes to health care and infrastructure- data security willultimately cost lives

Governing | 5 Government Trends to Watch

• 40% of local government CIOs report experiencing more attacks during the last 12 months
• 26% of CIOs reporting an attack, incident or breach attempt occurring hourly
• 18% report a cyberattempt at least daily
• 78% of municipalities don’t have an adequate password management policy
• 97% of the municipalities he surveyed don’t have a well-documented disaster recovery plan
• 46% store their backup files and records onsite rather than offsite or in the cloud
• 90% of local governments don’t bother to encrypt sensitive emails

Government Technology | Small Towns Confont Big Cyber-Risks

A House Companion to the Senate’s, Securing Energy Infrastructure Act of 2017 by Senator Angus King (I-ME) and Senator James E. Risch (R-ID), has been filed by Congressman C.A. Dutch Ruppersberger (MD-02) and Congressman John R. Carter (TX-31). The legislation will:

• “establishes a two-year pilot program to study covered entities and identify new classes of security vulnerabilities and research and test technology – like analog devices – that could be used to isolate the most critical systems of covered entities from cyber-attacks
• develops a working group to evaluate the technology solutions proposed and develop a national cyber-informed strategy to isolate the energy grid from attacks
• requires the Secretary of Energy to submit a report to Congress describing the results of the program, assessing the feasibility of the techniques considered, and outlining the results of the working group’s evaluations.”

H,R. 3958 (2017)

Congressman Rup[ersberger | RUPPERSBERGER INTRODUCES HOUSE COMPANION TO SENATE ENERGY GRID SECURITY MEASURE

According to the association representing tech giants, cryber crime will have a $6 trillion impact on the U.S. 

Politico | Morning Cyber Security | Cybercrime will cost up to $6 trillion by 2021