Regulatory Trend. Fining Mortgage Companies for Data Breaches.
4 ways mortgage companies can up their game and push back on regulatory fines:
- Proper security frameworks and policies that secure data both inside and outside;
- Assess vendors and third parties for data breach risk;
- Work with experts to assess and manage the “risk across the supply chain and build better defense-in-depth to prevent a breach;” and
- “Use tools and analytics that are specially designed to monitor and assess the security posture of vendors in real-time, as well as improve contractual provisions that result in greater security performance.”
Housing Wire | Mortgage data isn’t secure: Here’s why and how to fix it
Lege Trend. +1 State Adding More Stringent Notification & Mandating Identity Theft Services
State: Delaware
What is HB 180 in Delaware trying to do?
- Improve notification requirements
- Require 1 year of identity theft mitigation services when Social Security numbers are breached
- Require businesses to safeguard personal information
- Require notice to Delawareans affected by a breach within 60 days of discovery
- If more than 500 residents impacted, the Attorney General must be notified
If passed, Delaware would be state #2 to require ID theft services after a breach.
News.Delaware.Gov | Governor Carney and Legislators Announce Bill to Expand Cybersecurity Protections for Delawareans
Delaware HB 180 (2017)
Lege Trend. Link Licensing to Data Security Standards.
Legislative body is located where? Australia
What triggers licensing issues when failing to meet data security standards?
- Licensing enforcement is triggered only for companies with annual revenue greater than $3 million
The goal: Move data security to the forefront with business leadership
Intelligent Insurer | New data breach reporting legislation deemed cyber game changer in Australia
Advocacy Trend. Education Data Privacy Toolkits. Activate against Schools and Ed Tech Companies
The advocates: Parent Coalition for Student Privacy and the Campaign for a Commercial-Free Childhood
The toolkit: a guide meant to empower parents on student data privacy
What’s the target: data privacy policies of school districts and ed tech companies
Education Week | New Student Data Privacy Toolkit Encourages Parent Advocacy
Agency Connects Small Businesses to Cybersecurity Assistance.
The Federal Trade Commission created the website, FTC Small Business.
The goal of FTC Small Business is to help small businesses:
- become better prepared for dealing with scams
- secure their computer networks
State agencies to follow…
SC Media | FTC launches cybersecurity site for small businesses
+1 State. Creates Executive Level State Cybersecurity Officer
The State: Rhode Island
The New Executive Level Office in Rhode Island: state cybersecurity officer
The goal of the office: developing and putting into place a comprehensive state cybersecurity strategy
How did the state cybersecurity officer position emerge? It was a “key recommendation of the governor’s Cybersecurity Commission, established in 2015 with the aim to lay out plans to protect the state’s IT infrastructure as well as grow a thriving cybersecurity industry”
State Tech | Rhode Island Ups Cybersecurity With Creation of CSO Position
Lege Trend. Small Business Cyber Protection Bills. 3 Key Points.
the federal legislation: Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology (MAIN STREET) Cybersecurity Act
how it helps small businesses: Adds small businesses to the list of factors that the National Institute of Standards and Technology must consider when updating its voluntary guidance on how to guard against cyberattacks.
the state commission recommendation: Missouri’s Cybersecurity Task Force recommended increased support for small businesses around cybersecurity threats
Financial Regulation News | Sen. McCaskill introduces bill to protect small businesses from cyber-attacks
Anatomy of a State Election Hack. 3 Key Points.
The state: Illinois
The election data target: no specific data target; it was a broad sweep of the Illinois election system
The hack: Retrieving voter records by voter identification number, starting at “000000001 and incrementally adding one” to walk through the database
The Hill | Illinois voting records hack didn’t target specific records, says IT staff
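The enumeration described above is the classic insecure-direct-object-reference pattern: sequential, guessable identifiers let one client walk an entire table. As an added example (not from The Hill article or the Illinois election board), the Python below runs detection logic over a few constructed access-log lines; the /voter?id=<n> URL scheme and the Common Log Format lines are assumptions.

```python
"""Detect sequential-identifier enumeration in web access logs.

Added example (not from The Hill article or the Illinois election
board): the incident above was described as walking voter IDs upward
from 000000001. The log lines are constructed and the /voter?id=<n>
URL scheme is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample in Common Log Format: 203.0.113.7 walks ids 1..6,
# 198.51.100.9 looks up two unrelated records.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2016:10:01:01 +0000] "GET /voter?id=000000001 HTTP/1.1" 200 812
203.0.113.7 - - [12/Jul/2016:10:01:02 +0000] "GET /voter?id=000000002 HTTP/1.1" 200 799
203.0.113.7 - - [12/Jul/2016:10:01:02 +0000] "GET /voter?id=000000003 HTTP/1.1" 200 805
203.0.113.7 - - [12/Jul/2016:10:01:03 +0000] "GET /voter?id=000000004 HTTP/1.1" 404 120
203.0.113.7 - - [12/Jul/2016:10:01:03 +0000] "GET /voter?id=000000005 HTTP/1.1" 200 811
203.0.113.7 - - [12/Jul/2016:10:01:04 +0000] "GET /voter?id=000000006 HTTP/1.1" 200 790
198.51.100.9 - - [12/Jul/2016:10:05:10 +0000] "GET /voter?id=004412907 HTTP/1.1" 200 803
198.51.100.9 - - [12/Jul/2016:10:07:44 +0000] "GET /voter?id=000918222 HTTP/1.1" 200 797
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r"[?&]id=(\d+)")


def parse_requests(log_text):
    """Yield (client_ip, numeric_id, status) for every request carrying an id= parameter."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        idm = ID_RE.search(m.group("path"))
        if idm:
            yield m.group("ip"), int(idm.group(1)), int(m.group("status"))


def longest_consecutive_run(ids):
    """Length of the longest stretch where each id equals the previous id plus one."""
    longest = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest = max(longest, run)
    return longest


def find_enumerators(log_text, min_run=5):
    """Map client IP -> longest consecutive-id run, for clients at or above min_run.

    Status codes are deliberately ignored: a 404 in the middle of a run is
    a gap in the table, not evidence that the client stopped walking it.
    """
    ids_by_ip = defaultdict(list)
    for ip, num, _status in parse_requests(log_text):
        ids_by_ip[ip].append(num)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

The check keys on the shape of the identifiers rather than on request volume, so it still fires when an attacker throttles to stay under a rate limit. The fix on the application side is the usual one: unguessable identifiers, authorization on every record lookup, and rate limiting as a second layer.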
Fake Data Security Statistic in Federal Data Security Legislation
The fake statistic: 60 percent of small businesses that suffer a cyberattack will go out of business within six months
The statistic is usually attributed to: National Cyber Security Alliance
What legislation has this fake statistic appeared in? HR 2105 & S770
NextGov | HOW A FAKE CYBER STATISTIC RACED THROUGH WASHINGTON
Local Trend: City Writes Broadband Ordinance. 4 Requirements on Cable Operators.
City: Seattle
Seattle’s Broadband Ordinance requires:
- Cable operators must obtain opt-in consent before sharing a customer’s web browsing history
- Cable operators must obtain opt-in consent before using a customer’s web browsing history
- The exception: consent is not needed where the use or disclosure is necessary to render a service ordered by the customer, or is made pursuant to a subpoena or valid court order authorizing disclosure, or to a governmental entity
- Cable operators must attest to compliance with this rule by September 30, 2017, and annually thereafter
Seattle.gov | Seattle issues rule to strengthen broadband privacy for consumers
TREND. State Audit Meets State Cybersecurity Risk Management Audits
Cybersecurity risk management audits rest on two sets of criteria:
- “criteria used by management to explain its cybersecurity risk management”
- “control, outcome-based criteria that management can use to internally evaluate controls and processes in place”
Bloomberg | “COMMON LANGUAGE” ENVISIONED FOR CYBERSECURITY RISK MANAGEMENT AUDITS
+1 State. Data Security Requirements for Finance.
First came New York. Now Colorado is promulgating cybersecurity rules for its financial sector.
The Colorado proposal will apply to:
- financial advisers
- broker-dealers
- entities with state securities licenses
The Colorado rules will require securities licensees to:
- conduct an annual assessment of their cybersecurity risks
- maintain written policies and procedures explaining how they protect clients’ personal and financial information
Bloomberg Law | Colorado Moving to Set Financial Adviser Cybersecurity Rule
Colorado’s Rulemaking Notice (2017)
3 Ways Smart Cities = Data Security Nightmare
The uptick in hacks as connectivity increases:
Smart technology adoption is high, but:
- innovations are deployed without robust testing
- cybersecurity is often neglected
- security protocols are not kept current
A hypothetical hack of power systems impacting 93 million people in North America would cost anywhere from $21 billion to $71 billion in damages.
Harvard Business Review | Smart Cities Are Going to Be a Security Nightmare
Lege Trend. 8 Elements. Data Breach Notification that outs the hackers.
South Africa recently enacted a new data breach notification law that requires:
- Notification by the company must factor in the needs of law enforcement
- Delay is permitted only where notification would undermine or impede an investigation
- Companies must restore the integrity of their information system
- Notification must be in writing, either by email or regular mail
- If mail fails, alternative notification is by prominent position on the website, publication in the media, or as directed by the Information Regulator
- The notification must provide sufficient information to allow the person whose information was compromised to take protective measures against the potential consequences of the compromise
- Notice must describe the measures taken by the company to address the security breach
- Notice must include a recommendation on what measures the person whose information was compromised should take to mitigate the possible adverse effects of the breach
- If known to the company, the identity of the unauthorised person who may have accessed or acquired the personal information must also be divulged to the data subject
Business Tech | SA companies will soon be forced to tell customers of a data breach by law
Large City Hit with Ransomware. The ransom: 24 bitcoins
City: Newark, NJ
The ransom: 24 bitcoins, or roughly $30,000
The impact to the city: Police operations continued, but the city’s administrative systems were running in safe mode.
The date of the attack: it began on April 21st.
SC Media | City of Newark reportedly hit in ransomware attack
TREND. Fintech. Data Security. New Study. 3 Keys to Government Oversight.
Federal Agency Regulatory Oversight option(s):
- FTC
- Consumer Financial Protection Bureau
- Office of the Comptroller of the Currency
4 identified data security areas in fintech:
- marketplace lenders
- mobile payments
- digital wealth platforms
- distributed ledger technology
Balance data security protections with the 3 benefits of fintech:
- lower costs
- faster service
- expanded access to credit
The Recorder | GAO’s Fintech Report Highlights Data Security, Lack of Clarity on Regulatory Oversight
3 Ways Technology & Policy/Regulations Disconnect is a Triumph for States.
- Technology moves faster than legislation
- State-based regulations are more uniformly enforced than federal ones
- State-based legislation is more easily fixed than federal legislation
GCN | Closing the gap between technology and public policy
TREND: +1 Governor Adding Cyber Security to Executive Branch
State: South Carolina
The Cyber Security Executive Level Entity: Critical Infrastructure Cybersecurity Executive Oversight Group
How was the Critical Infrastructure Cybersecurity Executive Oversight Group created? Executive order
The Governor tasked the group with:
- examining, enforcing, and strengthening cybersecurity
- mitigating cyberattacks
State Tech | South Carolina Establishes Cybersecurity Oversight Group
WISTV | McMaster looks to boost state’s cybersecurity through executive order
Texas School District. Hacked. Grades Change. 3 Key Points to Know.
How the Spring Branch ISD network was breached: with a stolen password
What did the hacker do once in the SBISD computer system: changed grades
Was the hacker caught?
- Yes, the 10th grade student was arrested & charged with breaching a computer system, a state jail felony
- The student offered to change other student grades for a fee
SC Media | Texas 10th grader hacks school network to change grades
KHOU | Student accused of changing grades at Memorial HS
Emergency Radio Signals Hacked. Pivot for Cyber Security Legislation.
When considering legislation to protect state infrastructure and emergency management systems, note that Dallas has revealed the incident that triggered its emergency sirens was not a network hack but a hack of the radio signals that control the sirens.
State Tech | Dallas Reveals Radio Signals, Not Network Hack, Triggered Emergency Sirens
Lege Trend: Notify State Tax Agency of Some Breaches. Good for Businesses. Read the Bill.
State: Virginia
The breach that triggered legislation: rampant W-2 phishing e-mails that have plagued businesses
Why was a legislative fix necessary? These data breaches and scams cost many states millions of dollars as a result of payments made on fraudulent tax returns and the investigations that follow.
The legislative fix:
- Notification to the Attorney General & VA Department of Taxation
- When employers and payroll service providers experience a breach
- Where the breach involves taxpayer identification numbers & withholding information
Virginia H2113 (2017)
Utilities & Cyber Security. 3 Reasons Utilities Say CyberSecurity is the #1 issue.
The survey of utility professionals: Utility Dive’s fourth annual State of the Electric Utility Survey, surveying more than 600 utility professionals
The #1 most pressing issue facing utility companies: cyber and physical security
what you need to know:
- In 2015 & 2016 cyber and physical security was the 6th most pressing issue for utilities
- Increased media attention to cyber threats has raised the issue’s importance
- How the issues ranked as very important to the companies surveyed:
- cyber and physical security: 36%
- DER policy: 32%
- state regulatory model reform: 32%
- rate design reform: 29%
- aging grid infrastructure: 28%
- threat to reliability from integrating variable renewables and DERs: 28%
Utility Dive | Why utilities say grid security is the most pressing sector issue of 2017
Regulatory Trend. Election Hacking Unit. 3 Key Points for your state.
A U.K. parliamentary committee has proposed an election hacking unit:
- The unit’s goal: help ensure the integrity of UK Democracy & public confidence
- The unit will be monitoring only
- Recommendations focus on an executive level, law enforcement driven unit
SC Magazine UK | Parliamentary committee proposes unit to combat ‘election hacking’
Lege Trend. Exception to Data Notification.
Trendy new exception to data breach notifications: encrypted data
How Tennessee worded the exception in its legislation:
(1) “Breach of system security”:
(A) Means the acquisition of the information set out in subdivision (a)(1)(A)(i) or (a)(1)(A)(ii) by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder:
(i) Unencrypted computerized data; or
(ii) Encrypted computerized data and the encryption key;
Tennessee SB 547 (2017)
State Insurance Regulators + Familiar State Cybersecurity Finance Rules = More Cybersecurity Rules in 2017
The National Association of Insurance Commissioners is being urged to adopt New York’s financial services cybersecurity rules as the model for each state.
NAIC will release proposed rules soon
Reuters | New York Regulator Wants Other States to Model Cyber Laws After Its Rules
Refresher on the New York Cyber Security Rules from January 2nd, 2017 informed:intel:
The state upping the ante on data security rules for the finance industry: New York
The new New York rules, announced December 28th, will:
- Take effect March 1, 2017 instead of January 1
- Require annual reporting to the state about data security compliance
- Require financial institutions to maintain comprehensive audit trails
- Require reporting of any cybersecurity event within 72 hours
- Require financial institutions to appoint a Chief Information Security Officer (CISO)
- Require multifactor authentication for staff accessing internal networks or information systems from outside
Business Insider | New York delays new cybersecurity rules for financial firms
3 Procurement Opportunities from the Dallas Emergency Siren Hack
Background on the emergency system hack:
- All 156 of Dallas’ emergency sirens were hacked and triggered to sound last weekend
- The city had to shut the siren system down to stop them
Procurement Opportunities for Emergency IT:
- Mayor Rawlings called it “evidence of a need to upgrade and safeguard the city’s technology infrastructure”
- The hack was tracked down because the city could coordinate with other security professionals
- The sirens drove a surge of calls to the city’s 911 system, with wait times of up to 11 minutes
New York Times | Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say
Lege Trend. A Data Protection Bill Called Bad for Business. The Competing Interests…
The Bill: Illinois Right to Know Bill
What does the Right to Know Bill in Illinois do? It allows a person to know what information is collected about the person and to which businesses that information could be sold.
Why is it considered bad for business?
- complex compliance regulations, which would apply to businesses of all sizes
- enormous burden on small businesses statewide
- “requires any business with a website — even a local flower shop or pizza parlor — to draft privacy policies longer and more confusing than anything required by existing law and to create new IT (information technology) systems”
- pro-trial lawyer legislation
Dispatch Argus | Bill will crush small business, tech investment
Which hospital type is at greatest risk to a data breach?
Teaching Hospitals.
Johns Hopkins Carey Business School analyzed data breach reports from hospitals:
- 1,798 data breaches hit hospitals from Oct. 21, 2009, to Dec. 31, 2016
- 33 hospitals reported more than one breach — many of them teaching hospitals.
- Of the 141 acute care hospitals that reported breaches to HHS, 52 were major academic medical centers
- In 2016, the overall number of electronic records that were compromised grew by 566% to more than 4 billion
Health Care Dive | Teaching hospitals at higher risk for data breaches, study finds
8 States’ Data Privacy Laws. States Beating Feds to the Punch & the Kool-Aid.
- Illinois
- “right to know” bill
- will let consumers find out what information about them is collected & what kinds of businesses the information is shared with
- A bill to regulate when consumers’ locations can be tracked by smartphone applications
- A bill to limit the use of microphones in internet-connected devices like mobile phones, smart TVs and personal assistants like Amazon’s Echo
- California and Connecticut
- Updated their laws to restrict government access to online communications like email
- New Mexico
- Considering the California & Connecticut law to restrict government access to online communications
- Nebraska & West Virginia
- Enacted laws that limit how companies can monitor employees’ social media accounts
- Hawaii & Missouri
- Pending legislation limits how companies can monitor employees’ social media accounts & may add the same protections for students and tenants
New York Times | Push for Internet Privacy Rules Moves to Statehouses
Lege Trend. FLAW in Legislation that offers Credit Monitoring.
A March 2017 GAO report highlights flaws in credit monitoring services.
Credit monitoring services do not address these identity theft risks:
- medical identity theft
- tax refund fraud
GAO | IDENTITY THEFT SERVICES
Lege Trend. Procurement Trend. Expanded IT bidders.
State: Ohio
IT Procurement Issue: How to get innovative tech firms to bid on IT contracts, especially for data analytics.
The procurement change: Remove the old school, clunky procurement process
The procurement fix:
- streamline the procurement process by creating a request for proposal that prequalifies companies to provide analytics according to a range of disciplines, such as fraud, auditing, risk management, public safety…
- remove the requirement that a vendor has to have worked for a state of similar size before the vendor works with Ohio
Governing | Letting the Little Guy In: How Ohio Expanded Its IT Expertise
Legal Trend. New FBI Guidelines. Healthcare. Cybersecurity.
What guidance is the FBI giving medical and dental providers on cybersecurity? That File Transfer Protocol (FTP) servers configured for anonymous access can be reached by anyone without a password, and that server settings should be corrected.
What specifically did the FBI say about protected health information (PHI) or personally identifiable information (PII)? PHI & PII should not be kept on FTP servers that allow anonymous operation.
National Law Review | New FBI Warning for Healthcare Providers: Cybersecurity
Lege Trend. What are businesses saying about turning over data to governments?
No, thank you. Or, thank you, but no.
Microsoft has taken the stand that the only way it will turn over data to the government is if Microsoft is legally compelled to do so.
What is Microsoft saying? Sue me, or more diplomatically, “We will not help any government, including our own, hack or attack any customer anywhere.”
SC Media | Microsoft president takes stand against turning over data
TREND. Business & Cybersecurity. 3 Cyber Issues. US Chamber of Commerce.
The U.S. Chamber of Commerce is making cyber security recommendations for regulators and policy makers, including:
- agency leadership needs to work with business to “harmonize cyber regulations”
- modernize government IT structure
- clarify the roles and responsibilities of the public and private sectors when it comes to cybersecurity
The Hill | Chamber of Commerce urges Trump to get business input for cyber strategy
Business Trend. Health Care Data Encryption and the Denton Health Group Breach
The data breach: thieves stole 7 years of Denton Health Group patient data
The theft: physical hard drives, which were not encrypted, were stolen
Encryption & health care:
- 65% of health care providers encrypt in the cloud
Health Care Dive IT | Cyber thieves steal 7 years worth of unencrypted data from Denton Health Group hard drive
Lege Trend. Cybersecurity Training for Law Enforcement
The Legislation: Strengthening State and Local Cyber Crime Fighting Act of 2017
What does the bill do? Allows the National Computer Forensics Institute to train law enforcement to combat cyberthreats
Will training be available for state and local law enforcement? Yes
Rep. Ratcliffe introduces bill to provide cybersecurity training to local law enforcement
3 Reasons Data Security is Key to Manufacturing Economy
- Manufacturing is the 2nd most hacked industry, behind health care
- Cybersecurity risks include:
- operational downtime
- physical damage
- product manipulation
- theft of intellectual property and sensitive data
- Cybersecurity in manufacturing isn’t an IT issue, it’s a business issue
Global Manufacturing | The importance of data security in manufacturing
New Rulemaking: Connected Cars
The Agencies: FTC and NHTSA
The goal of rulemaking: fight cybersecurity and privacy threats from vehicles with systems that connect to the internet
Bloomberg Privacy & Security Law Report | CONNECTED CAR CYBERSECURITY: DRIVING HARD FOR PRIVACY AND SECURITY
Lege Trend: Manufacturer Disclosures for Hackable Consumer Goods
State: California
The legislation:
- require manufacturers to build cyberprotections into consumer goods sold in the state
- require consumer consent before the device stores consumer data
Sacramento Bee | Are your household items spying on you? One California lawmaker has an answer
California SB 327 (2017)
Lege Trend: Criminalizing Ransomware. Read the Bill.
State: Indiana
Indiana legislation: HB 1444
What Indiana’s legislation does to penalize ransomware users:
- Creates a new cyber crime for ransomware
- Currently ransomware would be a misdemeanor; this bill makes it a felony
Do other states treat ransomware differently from other cyber crimes? Yes, California and Wyoming
SC Media | Cybercrime bills advance in two states
4 Prong Approach to Student Data Privacy
The Wyoming legislature took up a package of student data privacy bills:
- A bill to protect college students’ work and privacy (passed)
- Two bills protecting students’ digital information privacy
- A bill requiring the state superintendent and other agencies to develop guidelines for student data privacy and security (passed)
Uinta County Herald | Legislative session wraps
Student Data Bill in the West. Lowers Privacy. Moves Privacy to Schools.
State: California
The student data security bill: Removes schools from the California Electronic Communications Privacy Act
Where would student data security responsibility lie? With each school district
The proffered reason: cyberbullying; schools need access to students’ electronic use
Record Bee | Bill would strip privacy protections from students and teachers
California’s AB 165 (2017)
Lege Trend. There is No Place Like Home. There is No Place Like Home. Home has a new Executive Cybersecurity Agency.
State: Kansas
Details of the new Kansas agency on cybersecurity:
- centralizing cybersecurity operations of state government within a new Cabinet-level agency
- Kansas Information Technology Enterprise Agency.
- $10 M in annual funding just to combat hackers
- Exempts:
- elected state officials
- the Board of Regents’ colleges and universities
- pension systems, which will be exempt based on federal investment standards
Kansas House Bills 2331 and 2359 (2017)
Hutchinson News | In effort to shore up cybersecurity, Kansas panel supports formation of agency
Lege Trend. Legal Hacking. Hack the Hackers
The legislation: Active Cyber Defense Certainty Act
The decriminalization of hacking: If you’re a victim of hacking, this bill would allow you to hack the hackers. It’s like a Castle Doctrine for your cyber home.
Sophos | Bill proposes letting victims of cybercrime hack the hackers
Lege Trend. Agencies + Outside Consortiums. For Local Governments. Procurement Opportunities.
The lawmakers: Rep. Joaquin Castro (D-Texas) and Sen. John Cornyn (R-Texas)
The legislative concept: Allow agencies, like Department of Homeland Security, to work with consortia
What could the private entities do for the agencies?
- help train local law enforcement and other government
- develop information sharing programs
- plan local cybersecurity strategies
The Hill | Bipartisan bill would let DHS team with consortiums on cybersecurity
3 Goals of the Peach State's Cyber Innovation Center
Goals of Georgia’s Cyber Innovation Center:
- bring together government, universities and the private sector to develop and practice protocols that will mitigate attacks
- protect Georgia’s citizens, businesses and institutions
- give Georgia’s technology economy a boost
Georgia’s Investment in the Cyber Innovation Center:
- Millions in state funds
- 15,000 sq.ft. facility to be an incubator for startup cybersecurity companies
State Tech Magazine | Q&A: Georgia CIO Calvin Rhodes on Launching a Cyber Innovation Center
Smart Card Alliance is now the Secure Technology Alliance. 5 Goals
- Influencing standards and best practices that are relevant to the understanding, adoption and widespread application of secure solutions, including smart cards, embedded chip technology, and related hardware and software
- Serving as an educational resource to its members and industry stakeholders implementing secure solutions
- Providing a forum for cutting-edge discussions and projects on issues surrounding the implementation of secure solutions
- Maintaining a voice in public policy that affects adoption and implementation of smart card, embedded chip and other security technologies
- Supporting the adoption and implementation of smart cards and smart card technology
Secure Technology Alliance | Smart Card Alliance Becomes Secure Technology Alliance as the Organization Expands Its Mission to Include a Broader View of Security Technologies
3 Issues Create a Quagmire. Plains State Cloud Storage Protection Legislation.
The State: Kansas
The issues that are clouding a bill to protect data stored in the cloud:
- Language that protects attorneys who store client information in the cloud; opponents say it elevates this privilege above other privileges
- Language that limits release of the information to the subscriber; law enforcement says it can now gain access to the information without a warrant
- Language that requires a warrant
Topeka Capital Journal | Kansas House panel debates security of high-tech ‘cloud’ information storage
HJR 89 Bitcoin Protection
Long live the bitcoin: Texas HJR 89 proposes a constitutional amendment protecting the right to use any medium of exchange, bitcoin included.
Texas HJR 89 (2017)
Personal Data Tracker Exposes Marathon Cheater. Cheater, Cheater, No Pumpkin Eater.
The race: Ft. Lauderdale A1A Half Marathon
The runner’s claim to fame: 2nd fastest time for the race
Any guesses, man or woman who claimed the fast time? a woman
How did she get caught? She posted her GPS race data
SC Media | Char-IOTs of Fire: Marathon cheater exposed by own fitness tracking device, app
Health Care Cybersecurity. The numbers you need to be informed. 88% of ransomware hits health.
- 88% of ransomware attacks are health care
- In June 2016, health care records breached hit a high of 10,880,605
- cybersecurity breaches cost health care $6.2 BILLION
- 300% increase in big breaches- hackers are looking for data in large quantities
Health Care Dive | Charts: Must-know healthcare cybersecurity statistics
+1 Kid Toy Hacked. Hello Data Security Law Fix.
What screams fix cybersecurity laws? A breach of a voice recording teddy bear
What’s the issue that would be addressed in legislation? The teddy bear company stored customer data and recordings in a public database that required no authentication.
What does no authentication mean? No credentials required, no password, no restriction on which IP addresses may connect. It’d be like leaving your credit card statement on a public park bench.
TechHive | Smart teddy bears for kids suffer a contentious data breach
FoxNews | CloudPets data breach: Toy security in the spotlight
Polling hackers.
- 88% of hackers at the 2016 DEF CON conference say they can hack a target in 12 hours
- 81% of hackers say that they can identify and exfiltrate a target’s data in 12 hours
- 50% of hackers change their method each time
- 84% of hackers social engineer their victims; hello, Facebook profiles
- 52% say training employees is effective
SC Media | Survey explores the minds of hackers: 81% claim they can compromise target in under 12 hours
TREND. Data Protections for Home Devices. Warrant or no Warrant.
Alexa, Amazon’s home assistant, records voices.
Alexa also records suspected murderers, at least it did in Arkansas.
What kind of protection is Amazon seeking for the Alexa recordings?
- Until law enforcement creates a compelling enough case, no Alexa recordings
- Amazon wants prosecutors to “prove the data isn’t available anywhere else and that it’s sufficiently related to the subject of the investigation”
Next step: Legislative fixes
The Verge | Amazon says Alexa’s speech is protected by the First Amendment
Public-Private Partnership to Improve State CyberSecurity Training. Improve Student Cybersecurity
The Public Private Partnership: Virginia and Amazon
The role of Amazon: to support scalable cloud infrastructure and collaborate on cybersecurity educational efforts
How far down the state employee food chain will education go? The partnership will also help educate teachers with cybersecurity courseware
Governor Terry McAuliffe | Governor McAuliffe Announces New Strategic Relationship With Amazon Web Services to Expand Cybersecurity Education
Data Security Legislation Trend. 1st Legislative Phase is Missing. Ask the experts.
A former top national security adviser says the cybersecurity legislation that is necessary is: uniform definitions for cybersecurity across all government levels.
Why do we need uniform definitions? Uniform definitions improve strategy for enforcement and legislation.
Defense of Democracies | Framework and Terminology for Understanding Cyber-Enabled Economic Warfare
Business TREND. 5 Data Security Protections for Oil and Gas Companies.
5 ways oil and gas companies can minimize legal exposure from a data breach:
- Plan ahead. Have an incident response team in place.
- Insurance. Many policies now cover data security; check your policy.
- Stay up to date on data security laws & regulations. There are overlapping levels of laws between state and federal and overlapping agency jurisdictions.
- Create & Maintain a data policy. Prescribe what is retained and for how long.
- Train and test your employees.
Oil and Gas Financial Journal | Legal Liability From Cyber Attacks
Internet Association. New Campaign Fundraising Tool. 3 Key Points.
What group is launching a new campaign fundraising tool? The Internet Association (Google, Facebook, et al.)
How does the new fundraising tool work?
- The Internet Association selects candidates for virtual meetings
- The virtual meetings let people ask candidates questions
- During a meeting, people can donate to the association’s political action committee, and the money is transferred directly to the candidate featured in that meeting
The Hill | Internet group rolls out new political fundraising tool
1 in 4 had healthcare data breach. What you need to know:
What survey reveals that 1 in 4 U.S. consumers had a health care data breach? An Accenture survey released at HIMSS2017 in Orlando
What is the impact to health care providers? 25% changed health care providers
National Governors Association Details State Role in Cyber & Data Security
The Chair of the National Governors Association lays out 3 ways states can tackle data and cyber security:
- share disruption response plans
- establish cybersecurity operations centers
- convene cooperation among public safety agencies, the National Guard, and private partners.
3 States with model public-private partnerships, task forces, and cybersecurity commissions:
- California
- Indiana
- Virginia
3 Reasons Cyber Security legislation More Harm than Good. 4 Ways to write good cybersecurity laws.
The state landscape: Virginia
The cyber security proposals: make it a felony for cyber criminals to use ransomware
The reasons that the change in law may do more harm than good:
- the laws are jumbled, with overlapping enforcement by multiple agencies
- the jumbled laws make it overburdensome for businesses to comply
- technology advances more quickly than laws
What do good cyber security laws do?
- They are principle-based
- Specify outcomes
- Do not target specific methods of action
- Respect a business’s right to make informed, risk-based decisions
Virginia Business | Cybersecurity legislation may do more harm than good
New Mexico. Data Security Legislation 2017. 3 Key Points.
New Mexico’s House Bill 15 wants to put the state on par with other states by remedying a gap in its existing consumer protections by:
- Requiring notice within 45 days
- After Personal Identifying Information is Compromised
- With notification to the state attorney general and consumer credit reporting agencies
Los Alamos Daily Post | House Passes Data Breach Notification Act
3 Reasons New Laws Needed for Cloud Data
A lawyer for Google says new laws are needed to cover data stored on the cloud for these reasons:
- Clear guidance for law enforcement and corporations
- Takes corporations out of the untenable position of being in the middle between customer privacy and law enforcement
- Laws crafted before cloud storage are not keeping up. Cloud data can’t be treated like paper documents
The Recorder | Google Lawyer Says New Laws Needed to Govern Cloud Data
Oppose a Sin Tax. Become Target of Spyware. Sodas + Hackers.
Who was targeted by hackers? Backers of Mexico’s soda tax
The hack: text messages claiming that family members had died, with funeral information. Dark, dark stuff.
It’s dark hacktivism in response to activism. Indeed, there are companies that sell services in these dark arts.
NY Times | Spyware’s Odd Targets: Backers of Mexico’s Soda Tax
Lege Trend. Data protection. Email Protection. Less Government Intrusion. More Warrants.
The Legislature: Congress
The data protection bill: Email Privacy Act to update a 1986 law on email
Where is the bill? It passed the House and is moving to the Senate
What’s the fundamental change in the Email Privacy Act? To universally require warrants for emails stored on 3rd party servers
Is this in line with industry standards? Yes, Google, Facebook, Apple, Microsoft and Verizon require warrants before they release emails stored on their servers
The Hill | House passes bill requiring warrants for email searches
Lege Trend. Mandating ID Protection Post Hack. Who pays? A Win for Procurement.
State: California
Who pays for ID protection when a private corporation has a data breach? The corporation
Who currently pays for ID protection when a local government has a data breach? The person whose data was hacked
Is there a bill to make local governments pay for ID protection when a hack occurs? Yes, California Assembly Bill 241
Government Technology | When a Data Breach Happens, Will California Pay for Protection?
Lege Trend: Western Neighbor Data Breach Bill Applies to All.
Long gone are the days when data breach notifications only applied to retailers, or so says New Mexico.
The Bill: House Bill 15 (2017) The Data Breach Notification Act
What it does:
- Any person who possesses personal information about a New Mexican has 30 days to disclose any data breach
- Requires the state attorney general office to work with any person who has suffered a data breach that triggers notification to New Mexicans.
KOB 4 | Lawmaker sponsors data breach notification bill
Regulatory Trend. Fining Companies That Track Your Electronics without Notice.
The Company: Vizio
The privacy breach: installed software in televisions that recorded consumers’ TV viewing habits
The regulatory enforcement: Federal Trade Commission and the New Jersey Attorney General
The fine: $2.2 million + must delete customer data by March
Engadget | Vizio tracked and sold your TV viewing habits without consent (updated)
TX Hospital. Data Security Civil Penalty. 4 Key Points.
The hospital: Children’s Medical Center of Dallas
The data security charge: years of noncompliance with HIPAA rules; the penalty was imposed after the hospital failed to request a hearing on it. Since 2010 the hospital used unencrypted devices to store HIPAA-protected information
The regulator: U.S. Department of Health and Human Services’ Office for Civil Rights
The fine: $3.2 million civil money penalty
Day Pitney LLP | United States: Hospital Hit With $3.2M Penalty for Ongoing Health Data Security Lapses
Lege Trend: State Agency on CyberSecurity. +1 More Western State.
Add Nevada to the list of states moving to create an Office of Cyber Defense. Governor Sandoval proposes funding it with $3.5 million.
The Office of Cyber Defense will be within the Nevada Department of Public Safety and will offer assistance to local government agencies and private industry.
Las Vegas Review Journal | Marijuana, cybersecurity among debates to happen in Nevada Legislature
Lege Trend. Cyber Security and Public Education Curriculum in the Golden State.
Where: California
How is cybersecurity impacting education statutes? Requiring instruction on determining truth.
Is this a way to respond to fake news and election hacking? Yes.
How did they wrap this up in pretty policy words? By requiring instruction in “civic online reasoning,” which “means the ability to judge the credibility and quality of information found on Internet Web sites, including social media.”
California’s AB 155 (2017)
Data Security Threat Forces Government to Hold Elections Old School Style.
Holland (the country, not the city in Michigan) will count all its ballots by hand in reaction to the possibility of election tampering by hackers.
USA Today | Amid hacking fears, Dutch to use pen, paper for vote
East Coast Governor Adds Cybersecurity to 2017 Agenda.
Where: Maryland
The Governor’s cybersecurity proposal: tax credit accessibility to investors in cybersecurity startups
The state goal: Make Maryland a leader in cybersecurity
WCBM | Governor Larry Hogan’s Robust 2017 Legislative Agenda
Ransomware Hits TX Police Department. 3 Pieces Informed Intel.
Which police department? Cockrell Hill Police Department
What digital data was lost by way of a ransomware attack? video evidence & digital documents
How was the ransomware attack triggered? “someone clicked on a cloned email made to look like it was sent from a department email address”
What did the police department do in response to the ransomware? Wiped their servers in lieu of paying the ransom
WFAA | Cockrell Hill police lose years worth of evidence in ransom hacking
LOCAL TREND. Ransomware Hits City CCTV. 3 Bits Informed Intel.
A ransomware attack hit Washington D.C.’s closed-circuit TV network 8 days before the inauguration. Here’s what you need to know to get up to speed:
- 70% of storage devices recording data from D.C. police surveillance cameras were hit
- Forced a major city-wide reinstallation
- The city addressed the ransomware without paying a ransom by:
  - taking devices offline
  - removing all software
  - restarting the system
Washington Post | Hackers hit D.C. police closed-circuit camera network, city officials disclose
Cybersecurity. Motor Vehicles. 5 Points from the new Federal Bill.
The legislation: Security and Privacy in Your Car Study Act of 2017
The authors: Reps. Joe Wilson (R-SC) and Ted Lieu (D-CA)
What does the bill do? Brings together the following entities to determine how to regulate data for connected cars:
- National Highway Traffic Safety Administration
- Federal Trade Commission
- National Institute of Standards and Technology
- Department of Defense
- OEMs and suppliers
- SAE International
- academics
What elements do these groups need to consider in their recommendations for regulation?
- identify what’s necessary to isolate critical systems in a vehicle from the rest of its software
- relevant standards for firewalls and anomaly detection systems
- techniques to prevent or discourage malicious intrusions
- best practices for storing the data generated by connected cars
- timeline for implementing all of this
How fast would they need to make recommendations? Within 1 year
Ars Technica | Worried about cybersecurity and the connected car? There’s a bill for that
Data Breaches By the Numbers. How Constituents are Impacted.
How constituents feel about data breach laws:
- 68% of internet users believe current laws are not good enough
- 64% believe the government should do more to regulate advertisers
- Favor limits on how long the records of their activity are stored
- 74% of Americans say it is “very important” to be in control of their personal information
- 64% of Americans have personally experienced a major data breach
- 49% feel that their personal information is less secure than it was 5 years ago
- 41% of Americans have dealt with fraudulent charges on their credit card
- 15% have received notice that their Social Security number had been compromised.
- 70% of Americans anticipate major cyberattacks in the next 5 years on our nation’s public infrastructure
EPIC.ORG | Pew Survey Finds Support for New US Privacy Laws, Limits on Data Retention | Pew Survey Finds Majority of Americans Are Data Breach Victims
2017 Data Security New Legislative Trends.
- adding biometric and geolocation data to the definition of personal information that triggers a data breach notification
- regulations related to surveillance equipment used by law enforcement
- protecting a person’s religious affiliation from disclosure to the government
The Recorder | What to Expect in California Data Security and Privacy in 2017
2017 Data Security Recommendations House Committees. 15 Recommendations.
- State Affairs recommendations:
  - a dedicated and collaborative cybersecurity initiative
  - clear legislative directives
  - direct agencies to collaborate
  - a central repository for its cybersecurity program
- Urban Affairs recommendations:
  - appropriate funds for a grant program to support cybersecurity training and information sharing costs for small municipalities and utilities
  - creation of cybersecurity training and information sharing programs within agencies
  - increase the level of cybersecurity expertise in state agencies
  - statewide cybersecurity coordinator in the Governor’s office and improving the cybersecurity resources and structure of the Department of Information Resources
- Government Operations and Transparency recommendations:
  - Require Executive Director, Commissioner, CEO level approval for the annual agency cyber security risk report
  - Increase the number of cybersecurity practitioners in Texas
  - Create a Central Legislative Committee Responsible for Cyber Security Risks
  - Funding to upgrade legacy systems
  - promoting collaboration, innovation, and entrepreneurship in cyber security to facilitate the commercialization of university research and development
- Investments and Financial Services recommendations:
  - support fully funding strategies within the Texas Department of Information Resources’ (DIR) Legislative Appropriations Request (LAR) to protect the state government’s computer network from cybersecurity threats, including security policy and awareness and security services.
- County Affairs recommendations:
  - require all counties to install and maintain an appropriate level of cybersecurity
Lege Trend. Cyber Security + Fantasy Sports Regulations.
Massachusetts, home of DraftKings, passed new fantasy sports regulations.
The editorial board reactions: Fantasy Sports Regulations have no cybersecurity
The cybersecurity response from daily fantasy sports:
- fantasy sports regulations do require companies to have security measures
- companies are subject to prosecution for not following the regulations
- the beauty of fantasy sports is that the playing information is public information
What cybersecurity experts say:
- fantasy sports has 3 levels of cybersecurity to be concerned about: its operating platform, the application used by the player, and the network.
- target for hackers could either be player information or impacting the game itself
- recommend policymakers “borrow from other established security benchmarks, such as NIST, CIS, and ISO”
Legal Sports Report | Daily Fantasy Sports Regulation And Cybersecurity: A Closer Look
Business Trend: Encryption via Shredding Data. Cybersecurity Standards Need Flexibility.
CryptoMove embraces a business model that replaces encryption with breaking data into pieces and moving it around.
Instead of hackers finding your whole document in a garbage can, they have to reassemble microshredded pieces.
Beware regulators who set a standard level of encryption as a requirement. The industry changes.
Tech Crunch | Security startup CryptoMove fragments data and moves it around to keep it secure
6 Crucial Elements of Cyber Security Legislation.
- Multidisciplinary application. Cybersecurity is not just for the Information Officer.
- Data is an asset. Protect it. Have a game plan for how long you’re keeping the asset.
- Data lives on mobile devices and moveable devices too. Protect those too.
- Know the information you keep.
- Train employees. Employees create cybersecurity breaches too.
- Legislative and regulatory data security standards are the floor, not the ceiling.
Tech Target | Six keys to creating strong data-security measures
#1 Best Way to Protect Student Data Privacy.
Train teachers in cybersecurity. Make data security part of the faculty and administrator school culture.
In 2013, 400 school data security bills were considered.
Only 1, Colorado’s, included teacher training.
Slate | The Best Way to Protect Students’ Personal Data
TREND. Contracting Opportunity. Cybersecurity Validators.
The European Union Agency for Network and Information Security recommends 3rd party cybersecurity evaluations for self driving and connected cars.
Why the need for 3rd parties? The current cybersecurity standards for vehicles are not enough.
Bonjour, new opportunities to provide cybersecurity evaluations…
The European Union Agency for Network and Information Security | Cyber Security and Resilience of smart cars
Texas House Rules Debate + CyberSecurity.
Texas House Rules debate on Wednesday, January 11, 2017, added cybersecurity issues to the jurisdiction of the House Committee on Government Transparency and Operation.
2 Concerns. Local Governments Have about Federal Data Security Standards for Elections.
Local governments are concerned about federal DHS cybersecurity regulations for local elections, because those federal regulations may:
- Add an unnecessary layer of bureaucratic oversight
- Centralize an inherently local (and decentralized) system
What did DHS do to trigger these concerns? Declared elections to be critical infrastructure, which triggers additional protections and resources from the federal government.
Governing | New Election Cyberprotections Cause Confusion and Concern
Empire Governor State Cyber Security Plan. 3 Point Plan.
New York Governor Andrew Cuomo set forth his plan for protecting the cybersecurity of New Yorkers by:
- Creating a “response team” to handle confidential information breaches at state & local governments
- Creating a graduated system of punishments for computer tampering crimes based on the amount of damage
- Imposing more severe punishments for identity theft
New York Law Journal | Cuomo Promises New Cybersecurity Measures in 2017
New Regulations. Medical Device Hacking.
What entity promulgated new medical device cybersecurity rule guidance? The FDA
What prompted the new guidance? Claims of heart device hacking
Policy Issues around medical device hacking:
- assess whether the risk of patient harm is sufficiently controlled or uncontrolled
- protection of PHI (protected health information) by devices
- comprehensive risk management programs
- NIST cybersecurity protocols should be the standard
State Financial Data Security Rule Proposal Revision. 6 Key Pieces of Intel.
The state upping the ante on data security rules for the finance industry: New York
The new New York rules, announced December 28th, will:
- Take effect March 1, 2017 instead of January 1st
- Require annual reporting to the state about data security compliance
- Require financial institutions to maintain comprehensive audit trails
- Mandate reporting of any cybersecurity event within 72 hours
- Require financial institutions to appoint a Chief Information Security Officer (CISO)
- Require multifactor authentication for staff accessing internal networks or information systems externally
Business Insider | New York delays new cybersecurity rules for financial firms
Data Breach Legislation & Regs. Carrot & the Stick. The Stats & The Regs.
What do you need to know about data breaches?
- 93% could have been prevented according to the Internet Society Study
- breaches cost the US $500 billion per year
The carrot & the stick:
- Increase the accountability of entities that hold data
- By requiring the entities to shoulder more of the cost of a breach
- Allow these entities to offer “credible security signals to the market” to provide a benefit to the entity
Tech Crunch | The carrot and stick of data breaches
Student Records Data Breach Prompts Legislation in Old Line State
The state: Maryland
The data breach: Student records, including names, birthdates and Social Security numbers, in Frederick County Public Schools
Why was legislation triggered?
- A state senator didn’t think he was getting enough answers from education officials
- An April 2015 audit called for increased data security measures for student data
The legislative proposal:
- Requiring up to 5 years of identity and credit monitoring for data breach victims
- Not requiring schools to transfer student records to the state education agency until the state has “an industry-accepted standard in their information technology systems”
Government Technology | Maryland Delegate Promises New Legislation in Wake of Student Data Breach