New Election Night Cyber Security Vulnerabilities.

  • October 19, 2016

Hackers targeting voting machines is passé.

The new cyber threat theory: hackers will target media outlets to corrupt the election data that goes out to the public. It’s an old school espionage information campaign with 2016 tools.

Politico | Media vulnerable to Election Night cyber attack

The Top Lines. U.S. Chamber of Commerce on Cybersecurity.

  • October 19, 2016

The U.S. Chamber of Commerce penned a cybersecurity letter to President #45. The highlights:

  • Cybersecurity is the most urgent threat to our security
  • Keep the cybersecurity public-private partnership between business and government growing 
  • Too many overlapping regulations among all agencies. Harmonize regulations.
  • Foster information sharing ecosystem
  • Cybersecurity is international; our laws and regulations should take that into consideration

U.S. Chamber | Dear 45: Let’s Make Strides Towards Better Cybersecurity

Colonial State. Attorney General. Gets into middle of College Data Breach. 3 Things to Watch Out for 3rd party vendors.

  • October 19, 2016

The state: Vermont.

The players in this drama: Vermont College, the Vermont Attorney General, and the 3rd party software company whose product was breached

Why did the Attorney General get involved?

  • the 3rd party vendor software affects more than just the Vermont College
  • the 3rd party vendor software will affect Vermont’s businesses
  • it’s an outreach opportunity to educate people about Vermont’s data breach notification law

Vermont Biz | Attorney general enters data security settlement after college breach

Trend. Business helps Cities Build Data.

  • October 18, 2016

Businesses gather and analyze data to make business decisions. Some businesses are embracing philanthropy and sharing that data with cities.

Examples of cities using data to improve public service:

  •  New York City created the Mayor’s Office of Data Analytics
  • Chicago has Array of Things, a sensor system to gather and collect data
  • Boston and Uber are partnering to utilize Uber data to help Boston improve  congestion and community planning

Governing | How Companies Can Help Cities Close the Data Gap

Student Data Breach in Texas. 4 Pieces Informed Intel.

  • October 18, 2016

  • Katy ISD experienced a data breach
  • The data breach came  by way of a third party vendor breach that exposed Katy ISD student data
  • The data breached was on a secure server and included:
    • student names
    • birthdates
    • social security numbers/state ID numbers
    • email addresses
    • zip codes
  • The 3rd party vendor will offer identification monitoring to impacted students

KHOU | Katy ISD notifies parents of potential data breach of students’ info

Houston Chronicle | Katy ISD warns staff, students after data breach

9 out of 10 Attorneys Agree. Not Good News for Health Care Business.

  • October 18, 2016

Health care attorneys agree that the health care industry is at a higher risk for cyber crime. Here’s the data to support it:

  • 88% of ransomware targets are health care entities
  • 84% of health care attorneys have been involved with clients who must determine issues like notification after a breach and adopting internal cyber security controls.

It must be bad if attorneys are agreeing with each other. 

Health Care Dive | Healthcare attorneys: Industry is at higher risk of cybercrime than others

Cyber Crime Center. New State Agency in the Land of Silicon Valley.

  • October 12, 2016

The California Attorney General launched California’s Cyber Crime Center (C4).

What’s the purpose of the state’s Cyber Crime Center? Assist local law enforcement with investigations where digital expertise or assistance is required.

What law enforcement collaboration will occur? C4 will bring together:

  • California’s eCrime unit that investigates & prosecutes large-scale identity theft and technology crimes
  • California DOJ’s Office of Cyber Security experts
  • California’s Digital Evidence Unit which uses scientific methods to extract and analyze information from items like cell phones

Government Technology | California Attorney General Unveils Cyber Crime Center

Creative Solution from the Far East: Create a Fund to Aid Cyber Security Improvements

  • October 12, 2016

Where: Singapore and neighboring countries

What is this fund to help cyber security protections? Singapore is putting in $10 million to help Asean nations build up their cyber response capabilities

The goals:

  • strengthen regional responses to cyber threats
  • strengthen technical capabilities
  • train technical officers, policy makers, and prosecutors

The Straits Times | Govt launches $10m fund to help Asean fight cyber threats

What you need to know about the Cost of Cyber Security State Laws.

  • October 12, 2016

The cost of cyber security laws causes the greatest concern for state law makers. The solution: States are studying cyber security needs.

Government Technology | Legislating Cybersecurity: Breaches Grab Lawmakers’ Attention

Data Breach. Government Car Fleets.

  • October 12, 2016

The National Association of Fleet Administrators issued a white paper making these recommendations for fleets:

  • Address the most significant data threat, fleet telematics systems
    • tracking and wirelessly communicating the location, movement, behavior and health of a vehicle in real time make the system subject to hacking
  • Highlights Chesterfield County, Virginia, which prohibits bluetooth in fleet vehicles to minimize hacking potential
  • Establish communication protocols to exchange hacking threats
  • Prioritize security within their organizations

SC Magazine | Connected car threats endanger corporate and municipal vehicle fleets; experts make policy recommendations

 

TREND. State Data Security Regulation. 3 Pieces Informed Intel. The Businesses That are Paying Attention.

  • October 11, 2016

What sparked the push for more and new state regulation on data security? New York’s Cybersecurity regulations

Which industries are taking note? Finance & Insurance

Do legal experts think New York’s regulations will be a model for other states?  Yes, yes and yes. 

Law.com | NY Cybersecurity Regs Could Spur Legal Work Nationwide

New York’s Cybersecurity regulations

US to get Election Observers Due to Hacking Fears?

  • October 5, 2016

Welcome to the U.S.: the 57-country Organization for Security and Cooperation in Europe

The OSCE will send 426 people to oversee U.S. elections.

The Hill links the oversight to: “rigged” election allegations

Is this new? No, the OSCE has watched US elections since 2002

The Hill | Election observers to monitor US voting amid warnings from Trump

Federal Data Security Laws. Notifications. Early 2017.

  • October 5, 2016

Mind readers, psychics and political pundits say Congress will pass data security legislation in early 2017.

What does Texas love? It loves when the Feds tell it and Texas businesses what they have to do. In this case: what levels of data protection, and when, who and how to notify of a breach.

The Hill | Yahoo hack spurs push for legislation

+1 Medical Device Open to hackers

  • October 5, 2016

Which device? Johnson & Johnson warns that its insulin pumps are susceptible to hacking

What would be required of the hacker? A hacker in close proximity to the device could isolate the unencrypted radio signal used by the device

Wall Street Journal | J&J Warns Insulin Pump Vulnerable to Cyber Hacking

A.G. Paxton Settles Children Data Security Suit

  • October 3, 2016

The data collection: Collecting data in violation of Children’s Online Privacy Protection Act, including IP and GPS data on children utilizing an App

The violation of Texas law: Deceptive Trade Practices for collecting data on Texans younger than 13 via an App

Office of Attorney General Ken Paxton | AG Paxton Settles Suit with App Company Collecting Children’s Information

5 Data Security Issues for Local Governments via a State Auditor

  • October 3, 2016

Top 5 data security vulnerabilities for local governments:

  • passwords of officials and staff
  • providing too great of access to the computer network to officials/employees
  • failure to automatically lock systems after non-use
  • inadequate backups
  • failure to restrict editing by users and failure to track edits by users

Missouri State Auditor | Findings in the summary report of common cybersecurity mistakes 

Trolls Manipulate Online Polls. 3 Shortcut Talking Points

  • September 28, 2016

  • The organizers were a Reddit group of 200,000 Trump supporters
  • The organizers gave the supporters the polls to target
  • and the modes of target: brigading, bots, and other forms of manipulation

The goal: impact the mainstream media 

Daily Dot | 4chan and Reddit bombarded debate polls to declare Trump the winner

Agency wants enforcement over communications common carriers in data security

  • September 28, 2016

Federal Trade Commission wants enforcement powers over communications common carriers for data security and data breach issues.

Currently the FTC enforcement powers have an exemption for communications common carriers.

Inside Cybersecurity | FTC commissioners call for data-breach legislation, repeal of ‘common carrier’ exemption

TREND. Legislation. Curb Election Hacking. 4 Pieces Informed Intel

  • September 27, 2016

Legislation aimed at curtailing election machine hacking would:

  • require electronic machines to generate a paper trail
  • declare voting systems to be critical infrastructure
  • establish security standards
  • establish protocols for security failures

H.R. 6072 by Congressman  Johnson (D-GA)

SC Magazine | Rep. Johnson introduces bill designed to deter electoral hacking

 

Shortcut to the 3 Criticisms of State Financial Cyber Security Regulation

  • September 27, 2016

Critics lambast New York’s proposed financial cyber security regulations as:

  • unlikely to improve security at financial institutions
  • financial institutions need a consolidation of cyber security regulations at all governmental levels
  • this is nothing more than more paperwork and overregulation

CNBC | Critics are skeptical of New York’s proposed financial cybersecurity rules

 

Your Informed Intel on the 14th of September 2016:

Reg. Trends. Gov. & Banking Regulator. State Banking Cyber Security Requirements.

5 Cities. Transparency Trendsetters. Police Surveillance Technology.

  • September 26, 2016

Which 5 cities are first out of the gate to consider ordinances to improve transparency in police surveillance?

  • New York City
  • Washington DC
  • Seattle
  • Milwaukee
  • Richmond

What does the coalition of supporters look like?

  • privacy groups
  • civil libertarians
  • civil rights groups
  • minority & ethnic groups

What technology is likely to be disclosed?

SC Magazine | Cities planning transparency laws for police surveillance tech

Lege Trend: Agency Data Breach Means Agency Head Rolls.

  • September 23, 2016

The legislation: Cybersecurity Responsibility and Accountability Act of 2016 by Rep. Ralph Abraham, R-La.

What does it do?

  • If an agency has a data breach
  • Caused in whole or in part by the agency’s failing
  • (Cue eerie music) The head of the agency gets das boot
  • Also prohibits agency head from getting “any cash or pay awards or bonuses for a period of one year” after a data breach

NEXTGOV | CYBER BILL WOULD LET AGENCY HEADS BE FIRED IF THERE’S A DATA BREACH

How Government Can Help Small Business with Data Security

  • September 21, 2016

The goal: Provide cybersecurity awareness and training programs for small businesses

The federal legislation: H.R. 5064 To amend the Small Business Act to allow small business development centers to assist and advise small business concerns on relevant cyber security matters, and for other purposes. 

SC Magazine | House plans vote on bill to improve small business cyber preparedness

Cost of Data Breach on Business via a Rand Study

  • September 21, 2016

Rand researchers put the cost of an average data breach at: $200,000, much lower than the millions estimated elsewhere.

How much are cyber security costs per year for a business? An estimated 0.4% of annual revenues

Information Week | Rand Study: Average Data Breach Costs $200K, Not Millions

Schools Access Kids Private Data. No Parental Consent. 3 Points of Informed Intel.

  • September 21, 2016

Scenario: School provides kid laptop/ipad. Kid uses laptop/ipad for school work and personal use.  School learns kid likes to watch YouTube at 3am and sleeps in class.

How can schools track students:

  • schools can access what programs/websites kids use
  • schools can access where the kids were when they used the laptop/ipad
  • some schools remotely monitor students through cameras on the devices

Are 3rd parties involved to monitor kids’ activity on school laptops/ipads? Yes & they flag unusual behavior for schools.

What does this mean for kids’ privacy?

  • Schools can assemble behavioral patterns, learning habits or disabilities, and intellectual interests, stored and analyzed outside of the control of parents/students

Tech Crunch | Kids need to reclaim their data and security… especially at school

Business Trend. Allow Hackers to Hack your business. Improve Security.

  • September 21, 2016

Which car was hacked? Tesla Model S

Who did the hacking? Researchers

Does Tesla have a bounty program to report vulnerabilities? yes

What were the hackers able to control?  

  • sunroof
  • central display
  • door locks
  • braking system
  • activate the steering light
  • reposition the driver’s seat
  • windshield washers
  • open the trunk
  • fold in the side mirrors

PC World | Researchers hack Tesla Model S with remote attack

New Kid on the Block. Vendor Security Alliance. What you Need to Know.

  • September 20, 2016

Alliance members include:  Uber, Airbnb, Atlassian, Docker, Dropbox, GoDaddy, Palantir, Square, and Twitter

Goal of the Alliance: “streamline the vetting process that businesses use for evaluating vendors’ cybersecurity risks”

October 1st unveiling: security and compliance questionnaire to benchmark vendor risks

SC Magazine | Uber, Airbnb, Dropbox, and others form coalition to evaluate vendor cyber risks

3 Concerns about Data Security in Energy Sector

  • September 20, 2016

A recent Tripwire survey of energy cybersecurity experts reveals:

  • Most energy security experts don’t know what would happen if their systems were breached
  • Only 59% know how long it would take to find a hacker on their system
  • 73% believe they could detect unauthorized intrusions in their network

SC Magazine | Energy sector cybersecurity workers overconfident in their capabilities

Legal Trend. Regulatory Trend. Settling with Companies that Gather Data about Kids.

  • September 14, 2016

The State: New York

NY Settled a suit with Hasbro, JumpStart Games, Mattel & Viacom for violating what law? The federal Children’s Online Privacy Protection Act

What did the companies do? Gather personal data about children under 13

The settlement: collective $835,000 in penalties plus regular reporting to New York regulators

Engadget | Websites settle with New York over online child tracking

Reg. Trends. Gov. & Banking Regulator. State Banking Cyber Security Requirements.

  • September 14, 2016

Which state? New York

Which state officials are proposing cyber security regulations for banks/financial institutions? Governor Cuomo & New York State top banking regulator.

What will be required of financial institutions under these state data security regulations?

  • Required to hire a chief information security officer
  • Must implement measures that detect and deter cyber intrusions
  • Must meet consumer protection standards, with companies able to assess their own needs and adopt standards that meet their business
  • 72 hours to report a breach to  New York’s Department of Financial Services

The Wall Street Journal | New York Proposes Cybersecurity Regulations for Banks

New York’s Proposed Data Security Regulations for Banks

New York Department of Financial Services | GOVERNOR CUOMO ANNOUNCES PROPOSAL OF FIRST-IN-THE-NATION CYBERSECURITY REGULATION TO PROTECT CONSUMERS AND FINANCIAL INSTITUTIONS

Engadget | New York proposes online security rules for banks and insurers

Legal Trend. Credit Union Class Action After Retail Data Breach.

  • September 13, 2016

Where is this happening? Oregon courts

What is the complaint by the credit union and the other financial institutions in the class action? 

  • A restaurant chain failed to implement or maintain adequate data security measures for customer information
  • This caused the credit union to pay:
    • fraudulent charges 
    • replace cards
    • stop payments
    • block transactions
    • and other costs

SC Magazine | Oregon credit union sues Noodles & Company over breach

4 Recommendations for Protecting Student Data. Pay to Arm Yourself with IT Information. Stop being stingy.

  • September 13, 2016

Who is recommending student data protections? A new report on data privacy from the Southern Regional Education Board

What are the 4 recommendations?

  • Clear & transparent state data governance policies. Make the policies easy to find for parents.
    • Print the policies out and pin them to parents at orientation
  • Fund & improve student data security
    • Stop being so stingy
  • Train the people who handle student data
    • Teach the teachers
  • Fund IT support at schools
    • Again, stop being so stingy, we know computers are scary. But, it’s 2016.

eschool news | Report: 4 security recommendations to keep student data safe

Hacking Vote Tabulations. 2 Key Pieces Informed Intel

  • September 13, 2016

  • Hacking voter information is about grabbing personal data
  • Vote tabulation databases are not connected to the internet & thus cannot be hacked.

The Hill | Hacking the election is nearly impossible. But that’s not Russia’s goal.

Tech Spends More on Lobbying than The Highest Stalwarts of Lobbying.

  • September 7, 2016

Alphabet Inc. spent more on lobbying efforts, $16.6 million. For those keeping count that’s more than AT&T & Lockheed Martin.

Wall Street Journal | What Your CEO Is Reading: Tech Lobbying; Cloud Quandaries; The Fed’s Social Pummeling

Voting Data Base Hacks. 3 States Working with Federal Government to Protect Election Results

  • September 7, 2016

Add Kansas to the list of states working with the FBI to protect state voting machines from hackers.

Other states seeking federal protection for voting machines:

  • Illinois
  • Arizona
  • Kansas
  • North Carolina

Governing | Kansas Works With Feds to Protect Elections From Hackers

Governing | North Carolina Asks Feds to Assess Its Elections Cybersecurity

 

State Collects Data. Glitch Erases 2,283 pieces of State Data. Your Informed Intel:

  • September 7, 2016

The Data:  Seattle police cameras had 2,283 recordings erased by a glitch

The data glitch impact: 500 videos were to be used in criminal cases

Governing | 2,283

Seattle Times | Thousands of Seattle police dashcam videos lost due to computer glitch

Case Study. Small School District. New Data Security Protocols. 3 Takeaways including Procurement.

  • September 7, 2016

Biggest data security concern: 3rd party vendors. Especially free web based vendors.

The school district’s solution: Training teachers and staff about data privacy standards

The contracting change the district made: Standard privacy clauses that do not shift privacy liability to the school district

EdScoop | Small Missouri school district thinks big about privacy and security

TREND. Requiring Notification to the State Attorney General of Data Breaches. 2 States.

  • September 7, 2016

Which states require notification to the state attorney general of a data breach? Nebraska and Rhode Island

How did Nebraska tackle the legislation? Requiring companies to notify the Attorney General in the same time that they notify a resident

How did Rhode Island tackle the issues? Requiring Attorney General notification if more than 500 people had their data compromised

National Law Review | Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

SECURITY TREND. 2 Legislatures Changed When Data Breach Notifications are Required.

  • September 7, 2016

What change did the Nevada & Rhode Island Legislatures make? Changed the definition of personal information for data breaches

What was added to the definition of personal information?

  • medical identification number
  • a health insurance identification number
  • a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account

The difference between the 2 states? Rhode Island clarified which accounts were protected by clarifying that it applies to “personal, medical, insurance or financial account.”

National Law Review | Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

Data Privacy in Automatic Toll Roads?

  • August 28, 2016

Which state is facing privacy concerns over its automatic toll road system? Massachusetts

What is the primary concern? How the license plate readers can be used by police

The state’s policy: According to the Fortune article, the state’s policy is devoid of detail

Fortune | Massachusetts’ Automated Toll System Raises Privacy Concerns

Legal trend. Business Trend. Data Sharing by Tech Company. Consumer Privacy Lawsuits Follow.

  • August 28, 2016

What sparked this lawsuit? Facebook’s acquisition of WhatsApp and concerns that WhatsApp data will be shared with Facebook

What law is at the center? Deceptive Trade Practices Act

Tech Times | Privacy Groups Prepare To File Complaint Over WhatsApp Sharing Data To Facebook 

New State Database. New Data Security. Read an Example of an Opioid Database.

  • August 25, 2016

The state creating an opioid database: California

What will be required of physicians before writing an opioid prescription? Physicians will have to check a database of patient prescription histories before recommending an addictive drug.

The legislation: Senate Bill 482 by Lara

Bryan College Station Eagle | The Latest: Senate backs health plan pricing bill

Western State Moving Biometric and Geolocating Data Security Bill. Read the Legislation.

  • August 25, 2016

The State: California

The Legislation: Assembly Bill 83

What does AB 83 require?

  • expand data security requirements for businesses that retain biometric & geolocating data
  • protect data collected by mobile apps or fitness devices
  • protect data collected for photo tagging purposes, such as by social media and photo storage services
  • requires businesses to use a “reasonably prudent” standard

How does AB 83 accomplish its goals? By expanding the definitions of “personal information” to include “geolocation information” and “biometric information”

National Law Review | California Legislature Nearing Final Debate of Biometric and Geolocation Data Security Bill

Bloomberg Law | California Bill Would Add Security Standards to Data Breach Law

Model law for Insurance Data Security is here. Like a Valentine + Birthday Wish Wrapped in a Rainbow.

  • August 25, 2016

What entity is proposing model data security laws for insurance?  the Cybersecurity Task Force (Task Force) of the National Association of Insurance Commissioners (NAIC)

Is it final? No, it’s a revised draft after taking into account stakeholder positions

What issues are covered in the model act draft?

  • Require licensees to create a “comprehensive written information security program”
  • Required Data Security programs will detail the:
    • administrative,
    • technical, &
    • physical safeguards for the protection of personal information
  • Require licensees to contract only with 3rd party service providers who are “capable of maintaining appropriate safeguards for personal information.”
  • Creates standards for investigations of a data breach, including:
    •  When a data breach occurs
    • That  the licensee must properly investigate the breach
    • Assessing the nature and scope of the breach
    • Identifying the personal information that may have been involved
    • Determining if the personal information had been acquired without authorization
    • Taking reasonable measures to restore the security of the systems compromised in the breach.

To comment: Email Sara Robben at srobben@naic.org by close of business on Friday, September 16, 2016.

Lexology | Mayer Brown | NAIC Issues Revised Insurance Data Security Model Law

Business Trend. Banks Fight Cyber Crime. 3 Keys to Informed Intel.

  • August 21, 2016

Which banks are involved? The 8 largest banks are joining forces. This includes Bank of America, JP Morgan, and Goldman Sachs.

What will the 8 banks do to protect against cyber crime? Share intel and conduct war games to improve data security.

Why did they form? The large banks’ issues are similar to one another, unlike the data security efforts among all financial institutions, and the large banks share information with the federal government but believe they get little information in return.

Wall Street Journal | Big Banks Team Up to Fight Cyber Crime

Data Regulation of Marijuana. 3 Key Pieces Informed Intel.

  • August 21, 2016

Which state included data regulation of marijuana? Colorado

What is the goal of data regulation of marijuana legalization? safely and securely control the flow of the drug across the state

What state agency houses this data center? Marijuana Enforcement Division (MED) in the state’s Department of Revenue

Governing | Managing Marijuana: the Role of Data-Driven Regulation

2017. Southern State Pushing Forward on Student Data Protection.

  • August 21, 2016

The state: Alabama

The legislation: A State agency to track student data from early education through entering the workforce

What’s the background? In 2015, the Governor issued an executive order to create a longitudinal data system to track student data. This executive order requires legislation to fund it.

The projected cost to track student data? $1.6 million

What did the Governor’s Executive Order do?

  • Created an advisory board
  • “Developed a state talent pipeline capable of ensuring that all Alabama students graduate from school being college and career ready, improving decision-making on educational programs, making decisions based upon validated and objective measures of student outcomes, and permitting qualified researchers to collaboratively evaluate the success of state programs.”

Times Daily | Collins will bring back student data bill

Campaign Trend. Hack the Campaign. 2 Reasons a Campaign is a Hacker's paradise.

  • August 20, 2016

  • Impact to Candidates. Leaks from Guccifer of hacked information targeted certain candidates running for Congress in Florida
  • Impact to Move Voters in a Direction. The target: to swing moderate voters to vote Republican

Reuters | Democrats fear hackers targeted tight Florida races for latest data leaks

2017. The Feds Have Weakened Student Data Privacy. Here's what groups want the states to do:

  • August 18, 2016

The Electronic Privacy Information Center (EPIC.org) wants states to pass bills that:

  • No Targeted Ads. prohibit K-12 mobile and online service operators from using student information to target advertisements to students;
  • No Profiling Students. prohibit online service providers from creating K-12 student profiles for commercial purposes; 
  • No Selling Info. forbid companies from selling student information;
  • All Students (K-16) extend protection to all students, including college and post-graduate students;
  •  Enforcement. strong enforcement mechanisms, including a private right of action against private companies that abuse student data;
  •  Limit Data Collection. limiting the type of data that companies and schools collect (e.g., Social Security numbers, biometric information, social media information);
  • Transparency. publishing the types of information companies and schools collect, the purposes for which the information will be used, and the security practices in place;
  •  Data Retention Policies. data retention limitations that require companies to delete student data after the data is no longer needed;
  • Student and Parental Control over Info. permitting students to delete & correct certain student information;
  • Notification. data breach notification; and
  • Schools Can’t Disclose Students. prohibiting schools from disclosing “directory information,” including student name and home address.

EPIC.org | State Student Privacy Policy

EPIC.org | EPIC Urges Wisconsin Legislature to Safeguard Student Privacy

Business Trend. More Investments in Cyber Security Businesses.

  • August 14, 2016

The growth of investment in cybersecurity firms since 2011: 235%

SC Magazine | Investment in cybersecurity strong as cyberthreats increase

TREND. Data Security. Political Campaigns. 3 Points Informed Intel about Campaign Internal Controls.

  • August 14, 2016

The Democratic National Committee this week announced a new cybersecurity advisory board. 

The intel to keep you informed about the future of campaigns and data security:

  • Created by new DNC Chair Donna Brazile
  • Composed of security experts, including:
    • National Security. Rand Beers, former Department of Homeland Security acting secretary
    • Lawyer. Nicole Wong, former deputy chief technology officer of the U.S. and a former technology lawyer for Google and Twitter
    • Tech Expert. Aneesh Chopra, co-founder of Hunch Analytics and former chief technology officer of the U.S.
    • Lawyer. Michael Sussmann, a partner in privacy and data security at the law firm Perkins Coie and a former Justice Department cybercrime prosecutor.
  • The DNC is active in providing notification to those impacted by data breaches.

Politico | DNC creates cybersecurity advisory board following hack

The Hill | DNC creates cybersecurity board

3 Reasons Hackers Target Health Care Data.

  • August 14, 2016

What type of healthcare data? Medical records and wearable data from heart monitors to implanted devices to fitbits

What is crucial about protecting health care data? It must be protected as the information moves from device to cloud storage to medical records end point at a physician or hospital

What makes health records more valuable? 

  • Unlike financial information, health data or changes to social security numbers are not quickly identifiable
  • The release of health records includes social stigma that isn’t tied to financial records.
  • Health records are personal and private, therefore the release is stigmatizing. 

Data Informed | Why Hackers Attack Healthcare Data, and How to Protect It

INTERIM. TREND. Data Security. Businesses. 3 Regulatory Points from a Texas White Hat Hacker.

  • August 14, 2016

Why are businesses not securing all online information? It’s profitable to not secure the data. The penalties for not securing data are not impactful.

What legislation or regulatory reform is crucial? Not government specifics on security but rather strong enforcement and meaningful fines from regulatory enforcement.

What’s the future in hacking? It’s not buying and selling information, but rather modification of the data that is out there already.

Business Insider | A security expert who in his spare time discovers data breaches affecting millions explains why he does it

 

Largest Data Breach Settlement Against Health Care Provider.

  • August 12, 2016

The enforcing regulatory authority: U.S. Department of Health and Human Services

The data breach: 4 million patients’ personal data, financial information and electronic health information were exposed in 3 different incidents within 1 year.

The Settlement amount: almost $6 million fine

Society for Human Resource Management | Health Care System to Pay Largest Data Breach Settlement Ever

Fantasy Sports Facing Data Security Questions

  • August 11, 2016

What data security issues are being bandied about against Fantasy Sports?

  • Communicating with consumers requesting personal information without the use of encryption
  • Asking customers to send sensitive information, such as Social Security Numbers, and credit card images, via unencrypted email

Is there an investigation? A complaint filed with the FTC

Daily Dashboard | Daily fantasy sports sites face data security questions

Technology Saves Life. Humans Win.

  • August 7, 2016

A Tesla self driving car drove its owner to a hospital.

Tech Crunch | Autopilot in Tesla Model X helps driver get safely to a hospital

Hacking Voting Machines. 4 key Pieces of Informed Intel.

  • August 7, 2016

Why are voting machines an easy target for hackers? Most voting machines operate on Windows XP, which has not had a security patch from Microsoft since 2014

A hack isn’t the only way to cause voting chaos? Slowing the machines down can be enough to turn people away from the polls

Is this a real, existing problem? Yes, it is. “Virginia decertified thousands of insecure WinVote machines”

The best way to control for electronic voting machine interference? Auditing the vote.

Wired | America’s Electronic Voting Machines Are Scarily Easy Targets

3 Issues for Legislators and Regulators. Data Security Class Actions.

  • August 7, 2016

  • Cyber Insurance policies are still new and prone to litigation.
  • Companies should vet all public statements through lawyers
  • 2 federal Circuits have loosened up when a suit can continue. It’s not as easy to get these cases kicked out of the courtroom.

Texas Lawyer | 3 Things GCs Should Know About Data Privacy Class Actions

TREND. Health and Fitness Trackers. State Focuses on Privacy

  • August 7, 2016

California Legislature is pushing forward with a bill to prohibit the sharing of information from health trackers without express authorization.

The Recorder | Five Bills to Watch in the California Legislature

Business TREND. Hacking Bounties.

  • August 5, 2016

This week Apple joined other tech companies in offering bounties to hackers who reveal security bugs.

The bounty: up to $200,000.

The Wall Street Journal | Apple Announces ‘Bug Bounty’ Program

Data Security. Higher Education Trend.

  • July 31, 2016

“Albany Law School is launching the nation’s first online master’s program aimed at the legal studies of cybersecurity and data privacy.”

Albany Times Union | Albany Law launches online cybersecurity master’s program

Hidden costs of data breaches. Business Costs.

  • July 31, 2016

Case Study: Target. Target’s Securities & Exchange Commission filings show:

  • costs thus far of $290 Million
  • estimated future costs will total $370 Million

Case Study: Anthem Insurance. Anthem’s SEC filings show it cannot estimate the cost of its data breach because:

  • ongoing investigation
  • early stage of legal proceedings
  • unknown damages
  • uncertain number of lawsuits that will be filed

In addition to actual costs, there are soft costs to a data breach such as:

  • lost contract revenue
  • lost customers
  • brand damage

eweek | Researchers Struggle to Determine True Cost of Data Breaches

INTERIM. 2 Reasons a Regulatory Agency Leader Supports Comprehensive Data Security Laws.

  • July 31, 2016

Which regulatory leader wants comprehensive data security laws? The FTC Chairwoman Edith Ramirez

Why the push for data security laws?

  • Hacks aren’t going away
  • Laws need to address how entities gather, save and disseminate personal information

Daily Dashboard | FTC’s Ramirez calls for comprehensive data security laws

INTERIM. Data Security laws. Effectiveness. 3 Key Pieces of Intel.

  • July 31, 2016

Top business sector for data breach complaints: Finance

Have data security laws led to more enforcement actions?

What benefit of data security laws is highlighted? breach notification to impacted customers

Information Age | The financial data divide: regulations are not having the desired effect

TREND. State Agency Faults School District. No Data Security Policy.

  • July 28, 2016

The state: New York

The NY State Agency: New York Comptroller

The School District: Avon School District

The Avon School District’s data security failings:

  • not adopting policies for managing passwords
  • not backing up data
  • not protecting its employees’ and students’ personal, private and sensitive information
  • making the school district more vulnerable to data breach
  • providing too many employees access to financial information of the school district
  • failing to implement the recommended data security policies under a 2009 review

Livingston County News | State faults Avon schools’ lack of data security policies

TREND. Student Data Law Changes School Curriculum.

  • July 24, 2016

Which state added curriculum changes in its student data protection laws? Delaware

What changes were made to public school curriculum? data security training

Why train teachers and students on data security? because human error is the largest driver of data breaches

Delaware Public Media | First State working to incorporate data privacy training into ed prep programs

TREND. Executive Agency for Data Security. 9 Point Data Breach Reporting.

  • July 24, 2016

Bonjour to Canada’s Privacy Commissioner, who oversees the data privacy of Canadians.

The Privacy Commissioner recommended these changes to national data security laws for 2016:

Data security breach reporting should include:

  • The company’s name;
  • Contact information for someone who can answer questions on the company’s behalf;
  • Description of the breach, including:
    • The estimated number of users affected;
    • The personal information leaked;
    • The date of the breach, if known, or an estimated date or date range if unknown;
  • A list of other organizations involved in the breach, such as affiliates or third party processors;
  • An assessment of the risk faced by individuals as a result of the breach;
  • A description of any steps planned or taken to notify affected individuals, including:
    • A notification date;
    • Whether the party has been or will be notified, whether they will be notified directly or indirectly, and if indirectly notified, why (more on this below);
    • A copy of the notification;
  • A list of third party organizations that were notified of the breach;
  • A description of measures the company has taken or will be taking to contain the breach and reduce its risk to affected users;
  • A description of the organization’s related safeguards, taking improvements against future breaches into account.

Lege Trend. 5 Key Points from Student Data Protection laws in the Mountains.

  • July 22, 2016

Which state passed student data protection bills in 2016? Colorado

What does the new legislation cover? 

  • the gathering of student data
    • requires notice & consent
  • the storage of student data
    • limits on the length of storage
  • require all contractors to maintain comprehensive information security programs
    • limits contractors from sharing information unless there is express consent
  • no targeted advertising
  • no building student profiles

JD Supra | Thompson Coburn LLP| Colorado jumps into student data privacy protection with new privacy law

35 States Pass Student Data Protection Laws Since 2015

  • July 21, 2016

Colorado joins 35 states that have passed student data protection laws in the last 2 years.

JD Supra | Thompson Coburn LLP| Colorado jumps into student data privacy protection with new privacy law

Lege Trend. 5 Benefits of Student Data Protection Legislation. Procurement. Contracts Impacted.

  • July 21, 2016

Connecticut passed student data privacy legislation in 2016.

A group of mothers who started the push for student data privacy reform are touting its benefits:

  • Restricting student information use by contractors providing educational software and electronic storage of student records and by operators of websites, online services, or mobile applications (i.e., apps).
  • Clarifying ownership: student data collected for school purposes is not owned by any of these third-party contractors.
  • Parental Notification. Requiring local boards of education to notify parents when they execute a new contract with a software, data storage, or internet service provider.
  • Procurement Contract Requirements. Stipulating data security and privacy provisions that must figure in all contracts between local school districts and software, data storage, and internet service providers.
  • Local Control. Requiring school districts to withhold the release of student directory information if the local or regional board of education determines that a request for such information is not related to school purposes.

Easton Courier | Legislation will protect student data privacy

3 Concerns with Model Student Data Privacy Laws.

  • July 17, 2016

What groups are concerned by model student data privacy laws? 24+ civil liberties and advocacy organizations

What’s the model act called? Employee and Student Online Privacy Protection Act

The privacy concerns about the model act:

  • broad and vague

  • does not prevent school administrators & employers from coercing or requiring students and employees to turn over highly sensitive social media account information

  • violates the Fourth or Fifth Amendment

Electronic Frontier Foundation | EFF and ACLU-led Coalition Opposes Dangerous “Model” Employee and Student “Privacy” Legislation

3 Reasons Health and Human Services Need Ransomware Guidance.

  • July 17, 2016

Why do health and services entities need to pay more attention to ransomware?

  • Ransomware is different from a regular data breach
  • Ransomware impacts patient safety by seizing a health care provider’s computer systems
  • Ransomware directly impacts health care operations

Gov Info Security | Congressmen: Ransomware Requires New Guidance

Lege Trend. 2 Concerns about Student Data Protection. Vouchers Included.

  • July 14, 2016

Concerns related to maintaining data collection: Make certain the state collects enough data necessary to improve schools

Concerns to protect student data from voucher schools: Student data must be protected from “voucher schools” that would use the data to advertise to public school students

Milwaukee Star Tribune | Legislators to study how to protect student data

Lege Trend: Student Data Protection from the North. 3 Keys to Student Data Protection.

  • July 14, 2016

The state: Minnesota

The approach to student data protection: Recommendations for the 2017-2018 Minnesota Legislature

The focus: 3 Points of focus:

  • The information collected by its state department of education
  • Whether it is necessary for the state to collect the student data
  • The use of student data by vendors

Milwaukee Star Tribune | Legislators to study how to protect student data

Lege Trend: Fund Cybersecurity Apprentice Program for Disabled Veterans in State DIR

  • July 14, 2016

The State: North Carolina

The cybersecurity apprenticeship qualifications:

  • 10% disability rating from the Department of Veterans Affairs
  • $600,000 per year
  • Allows the Department of Information Technology to hire and train five veterans for cybersecurity-focused positions

StateScoop | North Carolina moves closer to creating cyber apprenticeship program for disabled vets

3 Data Security Issues with Children’s Toys

  • July 10, 2016

  • toys and apps gather personally identifiable information
  • access to names, birthdates, and gender
  • Hackers could exploit cybersecurity weaknesses within these devices as an entrance point to a family’s wireless networks

Augusta Free Press | Warner calls on FTC to protect children’s data security

Interim. How Anti Hacking Laws Block Scholarly Research

  • July 10, 2016

What type of scholarly research is hitting against anti-hacking laws?

  • Michigan & Illinois researchers are looking at real estate websites to track discriminatory practices
  • Northeastern University researchers are looking at discriminatory practices in job posting websites

How do they run afoul of anti-hacking laws? The researchers generate faux profiles on the websites they are researching

Wall Street Journal | First Amendment Suit Claims Anti-Hacking Law Criminalizes Scholarly Research

Tort Reform Issue in Data Breaches.

  • July 10, 2016

The key tort issue in data breaches: whether the consumer has been injured

What’s the argument? If hackers have your information, isn’t that a harm to the consumer? Some courts say yes, other courts say no.

Where are cases proceeding where the harm of the data breach is only having your personal information hacked? Judges in California, Illinois and other states

Wall Street Journal | For Consumers, Injury Is Hard to Prove in Data-Breach Cases

 

TREND. Auto Data Security. Car Theft by Hacking. 3 Pieces Informed Intel to Protect from New Laws.

  • July 6, 2016

How? Via laptop, thieves can open doors and start an ignition to steal late-model cars, prompting new laws against auto manufacturers to secure vehicle data

Is this in Texas? Yes. Houston has recorded theft of a 2010 Jeep

Which manufacturers are targeted? Known hacks of automobiles are of Fiat Chrysler, GM and Tesla vehicles

Wall Street Journal | Thieves Go High-Tech to Steal Cars

Bankers Name the Top Threats to Data Security…

  • July 5, 2016

  • Retaining too much data
  • Employee unintentional or intentional error
  • Customer data security when customers access accounts
  • 3rd party vendors
  • Being consumed by 1 threat makes a bank vulnerable to other data security threats

American Banker | What’s the Biggest Threat to Data Security?

TREND. INTERIM. Fine businesses for data breaches.

  • June 24, 2016

Citizens in the UK dislike both the European Union and businesses that have data breaches.

An overwhelming majority supports fining businesses & the recommendation has made it to Parliament.

Computer Weekly | UK consumers support fines for firms that lose personal data

UK Parliament | Cyber Security: Protection of Personal Data Online

TREND. Data Security Protocols at Financial Institutions.

  • June 24, 2016

Out with PINs, in with biometric identifiers to access banking information.

Why switch from PIN numbers to biometrics at financial institutions? 

  • traditional passwords are too cumbersome
  • traditional passwords are no longer secure

New York Times | DealB%k | Goodbye, Password. Banks Opt to Scan Fingers and Faces Instead.

Procurement Trend. Data Security Epicenter is Procurement. 3 Reasons Why.

  • June 24, 2016

  • Major data breaches occurred via a 3rd party contractor (Target, Home Depot, etc…)
  • The cost of a major data breach increases annually, and it hits the company that hired the 3rd party contractor
  • FICO is rolling out a data security score called an Enterprise Security Score

Pymnts.com | Procurement Is Ground Zero For Cybersecurity Protection

School District Hack from the Inside. Criminal Charges. 3 Bits Informed Intel.

  • June 24, 2016

Which school district was affected by an internal hack? Abingdon-Avon School District, IL

Who is thought to have hacked the school district internally? The Head of its IT

The purported purpose? Changing grades

The state law charges? 3 felony counts of Eavesdropping

KWQC | Abingdon-Avon employee arrested in relation to data breach

Campaign TREND. Data Breach. Voter information Hacked.

  • June 24, 2016

What campaign related voter information was hacked? Voter files compiled by L2, a political data brokerage, but hacked from a client (campaign) that left the voter information unprotected on a cloud

What type of voter information was exposed? names, addresses, political preferences and opinions on social issues

Where were the hackers? Serbia or routed through Serbia

The Hill | US voter database accessed from Serbian server

Business Trend. Regulatory Guide for Data Safety. 29 Point Data Security Inspection for Business.

  • June 19, 2016

The Federal Trade Commission publishes “Start with Security: A Guide for Business” & offers these recommendations for business:

  • Don’t collect personal information you don’t need.

  • Hold on to information only as long as you have a legitimate business need.

  • Don’t use personal information when it’s not necessary.

  • Restrict access to sensitive data.

  • Limit administrative access.

  • Insist on complex and unique passwords.

  • Store passwords securely.

  • Guard against brute force attacks.

  • Protect against authentication bypass.

  • Keep sensitive information secure throughout its lifecycle.

  • Use industry-tested and accepted methods.

  • Ensure proper configuration.

  • Segment your network.

  • Monitor activity on your network.

  • Ensure endpoint security.

  • Put sensible access limits in place.

  • Train your engineers in secure coding.

  • Follow platform guidelines for security.

  • Verify that privacy and security features work.

  • Test for common vulnerabilities.

  • Put it in writing.

  • Verify compliance.

  • Update and patch third-party software.

  • Heed credible security warnings and move quickly to fix them.

  • Securely store sensitive files.

  • Protect devices that process personal information.

  • Keep safety standards in place when data is en route.

  • Dispose of sensitive data securely.


Data Breach TREND. The Low Tech Data Breach in Your Printer.

  • June 19, 2016

Are all data breaches electronic? No, hard copies of personal information are still sources of data breaches.

Are there examples of major data breaches that were based on hard paper copies? Yes. For example:

  • The NFL medical record data breach of 2016
  • A 2014 State of California investigation of Safeway for improperly disposing of customer records
  • A 2011 find of NYPD records found in a trash bin

Do data breach laws discuss paper records? No, not all. The Federal laws and these 8 states have added paper records to their data breach statutes:

  • Alaska
  • Hawaii
  • Indiana
  • Iowa
  • Massachusetts
  • North Carolina
  • Washington
  • Wisconsin

Lexology | Patterson Belknap Webb & Tyler | The Paper Trail: The Potential Data-Breach Sitting in your Printer

A Northern State. Stronger Data breach Laws.

  • June 19, 2016

Why did Illinois update its data security laws? To make the laws more consistent with technology

What additional personal information is covered by data breach law?

  • health insurance
  • medical information
  • biometric information
  • username and password or security questions

How will businesses be able to notify consumers of a breach? By email

Cook County Record | New IL legislation updates data breach law to cover more tech, speed required consumer notifications

Automobiles. Data Security. Is Car Overrides or Car Data Theft More Valuable?

  • June 17, 2016

According to the author of The Car Hacker’s Handbook, the data your car collects is more valuable to hackers than taking over control of your vehicle. 

Tech Crunch | The Car Hacker’s Handbook digs into automotive data security

$7 Million. Cost of Average Data Breach on Business.

  • June 16, 2016

Ponemon Institute released its annual data breach informatics. The cost of an average data breach has risen to $7 million.

Law 360 | Data Breach Costs Rise To $7M Per Incident, Study Says

INTERIM. Regulatory Enforcement TREND. Data Breach. Financial Entity. Regulatory Fine. Be Informed.

  • June 11, 2016

Which financial entity is facing an SEC fine for a data breach? Morgan Stanley

How much is the SEC fine? $1,000,000

What was the data breach? Security measures failed to prevent an employee from transferring account information to a private server that was hacked

What do federal rules require of financial entities? policies and procedures that are reasonably designed to protect customer data

The Hill | Morgan Stanley to pay $1M SEC fine for data breach

Law Enforcement TREND. Local Government TREND. Protect Data Security by Approving every Surveillance Technology Purchase. Where the Left and the Right Meet.

  • June 10, 2016

What government is requiring authorization from the governing body before a purchase of surveillance equipment can be made? Santa Clara County, deep in Silicon Valley

Which police purchases will require approval? Any law enforcement purchase of new surveillance technologies, e.g.:

  • license plate scanners
  • products that spoof cellphone towers
  • closed-circuit cameras

What entities can approve the police technology? County board and district attorney approval are required

Why require approval before law enforcement buys technology?

  • too little oversight in the current system
  • too many intrusive technologies are in use with the data retained

Are there other requirements for surveillance equipment? Yes, law enforcement is required to:

  • publish annual surveillance reports detailing:
    • usage
    • how successful different technologies have been
    • complaints
    • internal audits not subject to privilege

The Hill | California county becomes first to restrict surveillance technology

 

 

Data Security. Self Driving Cars. Marketing & Hacking Abounds.

  • June 9, 2016

Data Security is the 1 key element missing from the 7 states that have passed self driving car laws.

Cars can be hacked. Cars contain data. The data your car’s computers contain can be used for:

  • direct & targeted marketing
  • access by hackers

California is addressing vehicle data via regulation by requiring:

  • notice and consent
  • before information can be collected from operators
  • this excludes information that is needed to operate the vehicle

The Guardian | Self-driving cars: overlooking data privacy is a car crash waiting to happen

INTERIM. 3 Reasons Old Data is Still Valuable to Hackers.

  • June 7, 2016

  • passwords are valuable because we don’t change them and use them on multiple accounts
  • it’s data-mining material to engineer more information about your identity
  • a hacker can use 4 year old LinkedIn data for their own illegal purposes, and 4 years later sell it openly on the black market.

IT Pro Portal | Why four-year-old data is more valuable than you think

 

TREND. Move Infrastructure back to Old School to Thwart Breaches.

  • June 7, 2016

What cyber security threat could be helped by old school methods? Electric Grid Security

Who is proposing old school solutions? 4 U.S. Senators: King, Heinrich, Risch, Collins

What does the legislation call for? 

  • 2 year study
  • examining technology that makes the grid vulnerable
  • how the automated systems can be hacked remotely
  • “reengineer the last mile of the energy grid to isolate its most important systems”

The Hill | Senate bill would encourage ‘retro’ grid security approach 

TREND. Government Calls on Hackers to Help.

  • June 4, 2016

What is civic hacking? hackers doing good to solve governmental problems

How does it work? The feds listed 16 issues that they need help with and called for a National Day of Civic Hacking. Examples include:

  • application process for food stamps, business licenses, criminal record copies, affordable housing
  • developing a community platform for California’s Health and Human Services Commission

Code for America | 4th Annual National Day of Civic Hacking 

Anatomy of a School District Data Breach. 5 Things the School District Did to Respond.

  • June 4, 2016

Which school district experienced a data breach of its W-2 data, and all data related to persons who have received payment from the school district? Concord, N.H.

When did the breach occur? April

How did the breach occur? Social engineering, a targeted approach in which the hacker masquerades as the superintendent soliciting information

Did the data breach result in the information being used? Yes, false tax returns were filed based on the hacked information

When did the school district discover the data breach? June 1st

When did the school district notify persons that their personal information was compromised? June 3rd

What 3 things did the notification suggest people do to protect their information?

  • Contact your personal banking institution(s) to make them aware of this breach;
  • Register for a fraud alert;
  • Contact institutions that hold any personal assets to make them aware of this breach.

Lege Trend. Ransomware State Legislation. 3 Key Pieces of Intel. Read the Legislation.

  • June 4, 2016

What is ransomware? A data security attack that freezes computer data, but leaves the business, such as a hospital, otherwise functioning so that services are not disrupted. A ransom is asked for and in exchange the data is liberated.

What statutes are states amending? Computer crimes to apply extortion to computer violations

What specific statutory tweaks is California considering after ransomware attacks at California hospitals?

  • defines ransomware
  • makes it a crime to use ransomware
  • the criminal offense is punishable by 2-4 years in jail and a $10,000 fine

California Senate Bill 1137

Health IT Security | How Ransomware Affects Hospital Data Security

TREND. Ransomware. Hospitals. 2016 the year of ransomware.

  • June 3, 2016

3 pieces of ransomware intel critical to hospital data security:

  • Institute for Critical Infrastructure Technology calls 2016 the year of ransomware
  • Targets for ransomware are mobile devices and connected medical devices that offer access points for unauthorized users
  • States are passing anti-ransomware legislation
    • College of Healthcare Information Management Executives supports stronger hospital specific ransomware legislation

Health IT Security | How Ransomware Affects Hospital Data Security

Anatomy of an NFL medical records data breach.

  • June 2, 2016

The equation for a data breach of NFL records:

  • Store the health records on an athletic trainer’s laptop
  • Print off some hard copies of medical records
  • Leave the laptop and paper records in a car
  • + one car burglar = NFL medical records stolen

The Hill | Report: Thousands of NFL medical records stolen