• Data breaches are costly
  • ​internal costs related to security improvements, mitigation & notification
  • regulatory costs
  • costs arising from 3rd party claims
• Identify risks, which for construction include:
  • ​file sharing with subcontractors
  • espcially for projects critical to infrastructure- hospitals, roads, energy facilities, governmetn facilities
• Cyber Insurance to help your business cover costs

Miami Herald | Cyberattacks can cripple the construction industry

What White House Proposal on data security affecting health care? On May 25, 2016 the White House released its final Data Security Policy Principles and Framework (Security Framework) for President Obama’s Precision Medicine Initiative (PMI).

What are the goals of the White House data security proposal?

• Build patient trust
• Adapatable security protocols
• Dependable data preservation
• Identify risks
• Transparency with patients
• Responsibility
• Sharing. Collaboration

What requirements do the goals translate into?

• Have comprehensive security plans
• Utilize risk maangement approaches to data security
• Utilize periodic 3rd party reviews of data security
• Establish access controls for data
• Train your staff
• Employ encryption
• Audit for Threats &  Share threats

White House | Precision Medicine Initiative and Data Security

White House | PMI Security Principles 

Who:     Federal Trade Commission

What:    Amendments to how companies disclose privacy policies & information to consumers

When:     Begins this fall

Standard of Review: The FTC favors corporate disclosures to consumers that are:

• shorter
• clearer
• easier-to-use

The Hill | Consumer protection agency to look at disclosure issues

• 21 Governors are presiding over State Cyber Security Commission.
• The 2 most recent states:
  • Colorado
  • Indiana

Who sits on State Cyber Security Commissions?

• Top IT leader in state government
• public safety agency heads
• executives from cyber companies
• federal officials

What are the goals of State Cyber Security Commissions?

• asses the security of state networks
• develop cyber security legislation

4 Point Checklist for State Cyber Security Commissions:

• Who should sit on the commission?
• What’s the commission’s deadline?
• What is required of the commission? an assessment? legislative recommendations?
• How should the group be structured?

State Scoop | As more governors convene cyber commissions, questions arise over effectiveness

• Financial Services support national data security standards & require nationwide data breach notification requirements for business
• Retailers oppose federal legislation for the detrimental effect on retailers
• The detrimental effect on retailers: applying banking rules on non-banks 

The Hill | Financial industry spars with retailers over data breach bill

The Hill | Retailers battle financial sector over data breach legislation

“Learning to be Watched: Surveillance Culture at School” report published  by the National Center for Education Policy at the University of Colorado at Boulder finds:

• schools are soft targets for comapnies gathering data
• free technology to school leads to data collection by the company
• anonymized student data does not mean  students’ personally identifiable information (PII) is fully or permanently protected

Washington Post | Schools are now ‘soft targets’ for companies to collect data and market to kids — report

• In 2016, 31 states introduced student data security bills
• in 2016, a total of 94 student data security bills were introduced
• The 4 fastest states to act in 2016 were:
  • New Hampshire: a study to make recommendations
  • Utah: data governance standards
  • Virginia: contracting limitations, data limitations for student & teacher data
  • West Virginia: State Board level data governance standards

District Administration | CIO News | 31 states introduce student data privacy bills

4 Key Pieces of Intel from how strong data security laws protect businesses:

• Global market. EU contracts require strong data protections clauses
• U.S. weak data security laws create uncertainty in the global market
• Cost Opportunities. What might cost small companies to comply in the short run, the harm to innovation of not having high data standards cost U.S. businesses more. 
• U.S. should be a leader in data security standards.

TechCrunch | Startups to Congress: Strong data security keeps us competitive

Who are the targets of Connecticut’s student data privacy bill?

• contractors with local boards of education, the State Board of Education and the State Department of Education
• operators of websites, online services and mobile apps

What will be required of education vendors?

• outline and maintain security practices
• prohibited from using personally identifiable student information for :
  • advertising purposes
  • any purpose apart from what their contract stipulates
• vendors cannot retain student records after the contract services have been fulfilled
• vendors must have procedures to alert school boards and parents of any suspected breach of data in no more than 48 hours.

Additional requirements specific to online vendors and contractors:

• no targeted advertising using student information
• prohbition from using student information for purposes unrelated to school
• required deletion of student information upon:
  •  request of a student, parent or school board
  • failure to do so results  in a civil penalty 

Connecticut HB 5469

Wilton’s HamletHub | Student Privacy Bill Heads to Governor’s Desk: Parents Get High Praise for Advancing this Groundbreaking Legislation!

Which entity promulgated the new federal contracting rule? Federal Acquisition Regulations (“FAR”) Council

Which data security rule for contractors are we talking about? Basic Safeguarding of Contractor Information Systems

Which contracts will be hit by the new rule?

• all acquisitions by any federal executive agency
• beginning June 15, 2016
• If a contractor’s information system may contain “Federal contract information,” 
• Applies to all subcontractors too

All contractors, and affected subcontractors will be required to meet 15 safeguards:

• Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems);
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
• Verify and control/limit connections to and use of external information systems;
• Control information posted or processed on publicly accessible information systems;
• Identify information system users, processes acting on behalf of users, or devices;
• Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
• Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse;
• Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
• Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices; 
• Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; 
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
• Identify, report, and correct information and information system flaws in a timely manner; 
• Provide protection from malicious code at appropriate locations within organizational information systems;
• Update malicious code protection mechanisms when new releases are available; and
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed

Lexology | Wilmer Cutler Pickering Hale and Dorr LLP | Final Government Contractor Basic Data Security Rule Issued

• Performing due diligence on all data and security protocols when selecting and monitoring vendors;

• Developing privacy provisions for contracts with TPAs and other service providers over and above standard confidentiality agreements;

• Limiting access to sensitive information to necessary personnel;

• Training personnel on the law and the fiduciary responsibilities;

• Developing written policies and procedures detailing for personnel the applicable state and federal laws;

• Continuing to monitor and watch over service providers with access to sensitive data.

National Law Review | Jackson Lewis P.C. | Employee Benefit Plans and Data Security Issues

The FDIC announced on May 9th, 2 new data security initiatives:

• improved software to force encryption of portable devices
• hiring of a third party to assess FDIC information technology security and privacy programs

Bloomberg BNA | FDIC Takes New Initiative on Data Security Following Breaches

Executive GOV | FDIC Plans New Security Measures After Retroactive Data Breach Report

Will this be a legislative trend? Yes, because sextorition is not a crime. Individuals are charged under usual hacking crimes.

How does sextortion differ from ransomware?

• Ransomware is about money
• Sextorition is about power
• Ransomware holds your computer hostage
• Sextorition threatens to expose “secrets” unless certain nude images are transmitted

Who are the victims?

• 71% are under 18
• 91% are targeted by social media manipulation
• 7.3 years is the average state criminal sentence
• 29 years is the average federal criminal sentence

Sextortion | Brookings Institute 

Georgia Attorney General at the  National Association of Attorneys General said:

“I frankly think it’s absurd that there are 30 or 40 different state laws on cybersecurity and breach.”

Reed Smith LLP | Georgia Attorney General Supports Federal Data Breach Standard

In 2015, ​New Jersey expanded its data breach laws to apply to include these health care information holders that service New Jersey patients:

•  health insurance companies
• health service corporations
• hospital service corporations
• medical service corporations
• health maintenance organizations 

New Jersey also adopted new encryption standards that:

• Encrypt confidential patient information or secure personal information
• Utilize any method of technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person

What personal information must be protected by encryption?

A first name, or first initial and last name linked with at least one of the following:

(1) Social Security number

(2) driver’s license number or other state identification card number

(3) address, or

(4) identifiable health information

New Jersey law Examiner | Consumer protection for healthcare data breaches in New Jersey

The FBI advice for ransomeware attacks, which hold a businesses data hostage for a ransom:

DO NOT PAY THE RANSOM.

Refresh my memory, what are some of these ransomeware attacks? Several hospitals in California have had their systems frozen by ransomeware, forcing a move to manual paper hospital administration. The ransoms have been as small as $8,000.

WallStreet Journal | CIO Journal | FBI Cyber Division Chief Advises Companies Not to Pay Ransom for Release of Data

Which appellate court are we talking about? 7th Circuit

What did they do to keep a data breech law suit alive? held that the threat of impending future harm from a data breach was enough to keep a data breach lawsuit alive

Lexology | Seventh Circuit Reinstates Data Breach Suit Against P.F. Chang’s

Which state is considering new health care data breach laws? California

What health companies are the targets of new data security laws? wearable devices and consumer-facing apps  that track health data like steps taken, heart rate, etc…

Read the bill: California Assembly Bill 2688

The bill’s highlights:

• require customers’ permission—via an “opt-in” request
• Without an opt-in,  personally identifiable information cannot be shared with advertisers, health plans, data resellers
• Prohibit an employer from discriminating against a worker based on findings from that employee’s health-tracker

Business’ concerns: Support privacy, concerned about overreach by government

Privacy Advocate concerns: Seek to require the devices to comply with California’s Confidentiality of Medical Information Act.

The Recorder | Lawmakers Sweat Details of Consumer Health Privacy

Which Attorney General announced a 40% increase in data breach notifications? New York Attorney General Eric T. Schneiderman

Why does the state A.G. track data breach notifications? In NY, businesses must notify the A.G. of a data breach and the A.G. assists in reaching consumers

Has the state improved efficiency for businesses reporting data breaches? Yes, the state moved to an electronic, web-based reporting system

Hudson Valley News Network | A.G. Announces Record Data Breach Notifications

Wall Street Journal | Data Breaches Rise While Companies Struggle With Detection

Michigan is proposing life in prison for someone who is convicted of either:

• hacking a vehicle to gain control over it; or
• stealing a vehicle’s data by hacking.

Tech.Mic | Get Caught Hacking a Car and You Could Get Life in Prison, Thanks to Proposed Bill

Michigan Senate Bill 928 

Michigan Senate Bill 927

Your informed intel:

Which state is making a move to cloud computing that is triggering data security issues and new procurement opportunities? Arizona

What procurement opportunities does the move trigger? 

• Opportunities for cloud based computing storage
• Opportunities for data security firms

Which data security standards will be required? All new procurement contracts and state data centers will have to meet standards contained in:

•  Health Insurance Portability and Accountability Act standards

• the Family Educational Rights and Privacy Act guidelines

• the FBI’s Criminal Justice Information Services strictures

State Scoop: Arizona lawmakers advance bill to spur statewide cloud migration

Why is there a data security issue with 3rd party tax collectors? 3rd party tax collectors receive taxpayer information from taxing jurisdictions

Why is does this raise data security risks? data theft is on the rise & businesses aren’t keeping up with data security protocols to protect taxpayer information

Accounting Today | Saying No to Outside Agencies in Tax Collections

An Office of Inspector General, Security Concerns, and health care contractors– Sound like a familiar mix?

Which health care contractors is the HHS OIG looking into? Medicare administrative contractors

What is the data security concern that is raised? the number of health care data gaps is INCREASING

Healthcare Dive | OIG report: More data security gaps at Medicare administrative contractors

Let’s peak into the Electronic Payments Coalition:

Electronic Payments Coalition- who are they?

• payments industry stakeholders
•  credit unions
• community banks
• trade associations
• payment card networks
• banks

What’s the point of the EPC? 

• EPC protects the value, innovation, convenience, security and competition that exists in the modern electronic payments system

What’s the EPC saying about the federal Data Security Act of 2015 (H.R. 2205)​?

• Retailers are wrong about their position. These reforms are common sense consumer protections.
• This bill would have stopped data breaches. 
• This bill is flexible for all retailers.  H.R. 2205 is scalable and flexible to the size and risk profile of the covered entity

EPC | EPC SUPPORTS COMMONSENSE MEASURES TO PROTECT CONSUMER DATA

What 4 Ways does the Health & Human Services Data Protection Act protect health care data?

• Creates the  Office of the Chief Information Security Officer (CISO) within HHS
• Creates a data protection arrangement between the new CISO, the HHS General Counsel, & the HHS CIO
• Keeps information technology & information security separate to ensure the highest level of security
• Incentivizes better security to protect health care data

Health IT Security | Healthcare Cybersecurity Bill Introduced for HHS Operations

What is the question answered by Attorney General Opinion KP-0076? Whether Bowie County can engage a private company to use a license plate reader data looking for vehicles that don’t have liability insurance?

Is there a fee splitting arangement in this scenario? Yes, the vehcile owner will get a letter from the District Attorney office, and fees will be split 50-50 between the County and the company.

Can this fee splitting arrangement with automatic license plate readers work? No.

What is the statutory solution to make automatic license plate readers ok for counties? Counties need specific authority for the “use of automated photographic or similar technology to enforce the state’s vehicle financial responsibility laws. “

What does the Attorney General analysis look like? Its a laundry list of all the uses for photo enforcement in Texas. The highlights:

• statutes  limit what local government it applies to
• statutes limit specifically what can be captured by the photgraphic enforcement
• statutes limit the kind of penalty that is permitted. (i.e. civil or criminal penalties)

Retailers and Financial Institutions are like the Hatfields & the McCoys when it comes to federal data security legislation.  

Here’s what you need to know when this fight comes to your state legislature:

• Fairness.  Retailers think it unfair to hold retialers to the financial institution standards for customer notification upon a data breach.
• Impact Beyond Small Businesses. The impact of imposing financial institution standards on businesses will impact businesses large and small that operate in the retail sector and all other ecnomc sectors.
• Agreement: Federal Laws are better than state laws. They agree that uniform federal laws that preempt state laws would be preferred for data security.
• Consumer Protections v. Overzealous Regulators. Priority of Democrats is  strong consumner protections, while Republicans are concerned about overzealous federal regulators.

The Hill | Retailers battle financial sector over data breach legislation

What group is calling for improved state data security systems? National Association of State Chief Information Officers

What sparked the call to arms? the cost of cyber crime world wide is $375 billion to $575 billion, which is labled a threat to democracy

What do the NASCIO propose states do? Create statewide cybersecurity ecosystem 

What would a statewide cybersecurity ecosystem link? 

NASCIO |  Advanced Cyber Analytics | April 2016

Politico | Morning CyberSecurity | STATES PUSHED TO UPGRADE CYBER ANALYTICS

WHO WAS CONVICTED: A woman in Pennsylvania reported her rape to the police

WHAT EVIDENCE LED TO CONVICTION: When police came to the scene, they collected as evidence the woman’s fitbit found laying in a hallway

WHY DID THE EVIDENCE INDICATE GUILT: The woman claimed she had gone to sleep and was later attacked, but the data downloaded from the Fitbit indicated the woman was walking about at the time and logged her heart rate

Wall Street Journal | Prosecutors Say Fitbit Device Exposed Fibbing in Rape Case

No. Nien. Nyett. Nej. A federal judge ruled that people caught in the data breach at Ashley Madison cannot remain anonymous. 

Why did these plaintiffs want to be anonymous? Fear of the impact to the professional and personal lives.

Why did the court deny the request? Because the data breach is not equal to instances when a person can remain anonymous. Those instances are reserved for minors, rape, or other highly sensitive matters.

Washington Post | People suing Ashley Madison for last year’s hack can’t be anonymous, judge rules

A poll commissioned by The App Association reveals a distrust of government on data security issues.

The informed intel:

• 54% trust tech companies to secure their personal information
• 21% trust the government to secure their personal information
• 7 in 10 believe hacking is increasing

The Hill | Poll: Voters trust tech companies ahead of FBI on data security

The Credit Union National Association proposed the following changes to credit card processing in Texas to improve data security:

• Data Security at Merchant Level. Require merchants receiving payment by credit or debit cards to protect the sensitive personal financial information they receive;
•  Require Consumers to Notify Card Processors of Breaches. Require card recipients to notify their card processor immediately upon detecting a breach, and require the information be provided to the issuing financial institutions by the card processors;
• Card Issues Should Cover Costs. Allow card issuers to recover costs and losses resulting from a business’s failure to protect or destroy the data; and
• Prohibit Merchants from Storing Card Data Beyond Transactions. Require anyone taking credit or debit cards to remove card data once the transaction is completed.

Credit Union National Association | Texas House committee hears CU’s data breach concerns

Which state jumped on the enanced data breach notification law bandwagon? Nebraska

What 3 changes did Nebraska make to its data breach laws?

• Expand the Data Triggering Notification to incude:
  • user name or email address along with
  • a password or security question and answer
  • that would permit access to an online account
• Expands who Receives notice of a breach. Companies also have to notify the State Attorney General.
• Encryption standard changed so that if the hackers got a hold of the encryption key, the data is no longer considered encrypted.

Nebraska’s LB 835

AdLaw Access | Nebraska Amends Data Breach Notification Law

Where did the ride share data report originate? UBER produced its first ever transparency report

The numbers of data requests from July 2015 to December 2015:

• 33 requests from government agencies
• 11,644,000 riders affected
• 583,000 drivers affected
• California, NYC, and Chicago governmental entities requested the most data
• 517,000 riders & 14,000 drivers impacted by a Houston, TX data request
• 370 riders & 370 drivers impacted by a San Antonio, TX data request

Uber | Transparency Report 

• Liability. did the data security standards create a lawsuit free for all because of the security standard minimum?
• Security Standards required for businesses.
  • the laws calls for reasonable standards
  • the Attorney General reported that Critical Security Controls created by the  Center for Internet Security should be the minimum

WallStreet Journal | Are California’s New Data Security Standards a Recipe for Liability?

Which legislative body is considering data security from the angle of improving existing computer infrastructure in government? Congress

What’s the cost associated with modernizing government computers? $ 3.1 Billion.

Bonjour procurement opportunities.

What’s the argument supporting infrastructure investment? “If we do not invest in our technology and cybersecurity now, we will have no one to blame for the next data breach but ourselves,” Rep. Ted Lieu (D-Calif.)

How will the funding operate? 

• The $3.1 billion will go into the Information Technology Modernization Fund
• Self-sustaining investment fund
• Allows for innovative & rapid upgrades to outdated & vulnerable IT systems
• Creates support for future federal technology infrastructure 

The Hill | House Dem stumps for Obama’s tech modernization push

What have state courts been saying across the country about data breach insurance? General Liability policies don’t cover data breaches

What happened this week to alter this legal trend? The U.S. Fourth Circuit Court of Appeals in Virginia found that a ageneral liability policy covered a data breach

What does the insurance company say? The 4th Circuit Court of Appeals got it wrong. General liability policy that covered “electronic publication of material” with “unreasonable publicity” is not a data breach policy

SC Magazine | Federal court bucks trend, rules general liability insurance covers data breach

What state legislature considered a bill to fine companies that do not decrypt after receiving a court order? California

What happened to this bill to fine companies? Died in committee without a vote

What did opponents to the bill say?

• forced decryption weakens security and personal privacy
• “Do we have a world where there’s no privacy whatsoever for the average citizen?
• Assuming that this body is OK with every agency in the U.S. having access to everything, every application, every phone … are we OK then with the government of Russia having it? China? Iran?
• Because once a backdoor is created, a backdoor exists.”

Who supports the bill? law enforcement

Who opposes the bill? Civil libertarians and tech companies
California Assembly Bill 1681

The Recorder | State Lawmakers Reject Decryption Bill

When did Dallas County have a data breach? In December 2015, it came to light that Dallas County had left personally identifiable information from 10s of 1000s accessible online for more than a decade.

How much does an average data breech cost to remediate? $80 per record. If it exposed 50,000 records that is a $4 million remediation minimum.

How does the remediation cost cover for Dallas County?

• information technology experts to investigate, repair, and secure data (Procurement Opportunity)
• expenses to provide legally required notifications to the citizens (Procurement Opportunity)
• costs to offer identity theft monitoring services (Procurement Opportunity)
• attorney fees (Procurement Opportunity)

  Legal Intelligencer | Cybersecurity Threats Pose Big Risks for Local Governments
   

• Tech & Privacy Interests don’t like provisions forcing technical assistance to government investigations
• Why the hestiancy over forced assistance? It will lead to greater data insecurity
• Ties the hand of businesses that want to provide their customers greater security

The Hill | Encryption bill draft worries tech community

CNET | Encryption bill would force companies to surrender user data

• The Bill creating the Washington State’s new Office of Privacy and Data Protection: Washington State House Bill 2875
• What will be the purpose of the new Office of Privacy & Data Protection?
  • ​Determine what information state agencies are collecting
    • Do we know in Texas? No
  • Work with agencies to reduce the amount of consumer data being collected
  • Monitor & assist wit citizen complaints
  • Annual privacy review of state data collection
  • Educate Washington State residents about consumers about privacy protection

University of Washington Today | UW law students lay groundwork for new state privacy office

CloudPassage has a new report on cybersecurity and high education institutions. Here’s the big picutre:

• None, Zero, Zilch, Nien of the Top 10 Computer Science programs in the country require security courses to graduate
• Of the Top 26 computer science programs, only #12 Michigan requires cyber security
• In 2015, there were 200,000 OPEN computer security positions in the U.S.

Why the lack of focus on cyber or data security among undergrads?

• Its been pushed as a niche area for graduate programs
• not enough graduate students are pursuing cyber security
• there is more of deamnd for “flashy” computer science programmers who can build apps

SC Magazine | Cybersecurity being overlooked by American universities: Report

In Legislative Appropriation Request Trends:

• 3rd party contracts to assess security at agencies
• HB 2783 (2013) required a study to see if agency computer systems were legacy.
  • Hello, 3rd party contracts to replace or upgrade legacy systems
  • Legacy systems are a higher security risk
  • Over 1/2 agency computer systems are

In 2015’s State Budget:

• Article IX, Section 9.10 : DIR prioritization of state agencies’ cybersecurity projects
• Article IX, Section 9.11, Cybersecurity Initiatives 
  • ​10 agency focus to improve data security by coordination & bulk purchasing:

                  (1)  Department of Aging and Disability Services;

• 1. (2)  Department of Assistive and Rehabilitative Services;

  2. (3)  Department of Family and Protective Services;

  3. (4)  Department of State Health Services;

  4. (5)  Health and Human Services Commission;

  5. (6)  Higher Education Coordinating Board;

  6. (7)  Office of Court Administration;

  7. (8)  Parks and Wildlife Department;

  8. (9)  Department of Insurance; and

  9. (10)  Department of Licensing and Regulation. 

  10. Strategy A.1.3, Statewide Security for DIR funding for statewide security policy & procedures 

  11. Strategy C.2.2.NetworkandTelecommunicationsSecurityServices  

      Strategy B.3.1, Statewide Cyber Security Services  for DIR risk managment & 3rd party security assessments

       

      LBB | Overview of Cybersecurity Provisions in the 2016-17 General Appropriations Act 

Health insurance and health data sells for 60 to 70 times what social security numbers sell for on the black market.

IT Portal Pro  | Why your medical information is gold for hackers

• State Attorney Generals oppose federal control over health care data security and data privacy
• States are better equipped to make fast changes in the data driven economy
• Breaches that are small and localized are better handled by local authorities and not the federal government

Health IT Security | Are State Health Data Breach Notification Laws Needed?

What state recently enacted new telemedicine laws? Washington State

What data security elements were included in the Washington State legislation? 

• Establishes best practices that complies with ““generally accepted health care practices and standards.” 
  • Boils down to HIPAA and the HITECH Act & existing state law
• Establishes a technology standard of ““the standards required by state and federal laws governing the privacy and security of protected health information.”
• Allows Health Plans to deny coverage if these standards are not met

WA SB 6519

Davis Wright Tremaine LLP | M.D. Phone Home: New Legislation Expands Telemedicine in Washington

Hacking incidents by industry:

• 23% of data breaches occured in healthcare
• 18% of data breaches occured in financial services
• 16% of data breaches occured in education

34% of healthcare data breaches are caused by employee error

The average notification timeline after a breach:

• 69 days to detect the incident
• 7 days to contain it
• 43 days to analyze what happened
• 40 days to notify potentially affected individuals

Health IT Security | Healthcare Data Breaches Most Common in 2015 Incidents

Which state is making a new move to protect student data? Colorado

What does it mean for education contractors? New Rules. New Data Security Requirements.

3 Key prohibitions in the bill:

• prohibit education contractors from selling personally identifiable student information
• prohibit use of student information for targeted advertising to students
• Prohibitions follow to the subcontractors
• Establishes data security protocols tied to education contractors

CO HB 16-1423

Chalkbeat Colorado | Colorado lawmakers try again to tighten protection of student data

Which state updated its data breach law in March to shorten the time line for notification? Tennessee

How long do Tennessee businesses with data breaches have for notification? 14 days from discovery or notification of the breach

Is there an exception to the 14 days? yes, a legitimate law enforcement need

Did Tennessee also expand what triggers a notification? Yes

What new event triggers a notification? When the breach is caused by your own employee

TN SB 2005

JD Supra | Alston & Bird | Tennessee Updates Data Breach Statute to Require Notice in 14 Days

Which state passed new data security laws in 2016? Wyoming

Were the new laws the result of a breach or a legislative mandate? The result of a 2 year,  4-member Joint Task Force on Digital Information Privacy

What are agencies asked to do?  2 tasks

• Agencies must review their data collection, handling, security and management.
• Agencies must assess their stored data and explain why it collected it; and whether it really still needs to be stored

Where does procurement come into play? To fix and protect the data in perpetuity as state and local governmental entities determine industry best practices. Any wagers on whether government currently implements best practices protect data?

Wyoming SF 38 

Wyoming Tribune Eagle | Law requires state agencies take 2nd look at data security

Wyoming Business Report 

What entity released guidelines on teleworking and cyber security? The National Institute of Standards and Technology

What suggestions in the guidelines that will direct procurement opportunities?

• virtual mobile infrastructure technologies

  • that create temporary, secure environments for teleworkers who need to access organizational data that are destroyed when the session is over

• mobile device management technology
  • technology to force devices to adhere to certain security standards before granting them access to sensitive data

Fed Scoop | NIST issues draft cybersecurity guidelines for teleworking

• Methodist Hospital in Kentucky was hit by ransomeware
• The ransomeware, of the “Locky” strain,  encrypted, deleted original files  and is holding hostage all its data for $1,600, or 4 bitcoins
• Hospital paperwork is being processed by hand

Krebs on Security | Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection

Governing | Hackers Target Hospitals for Ransom

• Cyber security is a dynamic problem
• Flexible solutions include cyber insurance
• Cyber Insurance is in a nascent market stage 
• Cyber Insurance can mitigate risk and help consumers see their cyber exposure

KOAM 7 | AIA Statement on House Homeland Security Committee Hearing on the Role of Cyber Insurance

Why are wireless mice vulnerable to hacking? Unencrypted communication with computers is what guide the mice.

What does that mean? For $20, someone a block away can trick your computer into using its mouse and steal your data.

Why would regulators care? Because regulators stress encryption in data security. 

Reuters | Wireless mice leave billions at risk of computer hack: cyber security firm

What entities are the new targets for data security enforcement? HIPPA adjacent health and wellness companies. 

Why are HIPPA adjacent health and wellness companies the focus of regulators? These companies collect and store personal health information. For example:

• Fitbit & health apps. That data from your fitbit gets stored somewhere and if it was collected and stored by a health care provider, it would be protected information. 
• Medical billing companies
• Medical Transcription Services.

What kind of enforcement actions are being considered for this health care app data? Regulators are looking for reasonable & appropriate data storage and data security protection. 

Health Data Management | FTC steps up protection of consumer health data

The U.S. Justice Department arrested invididuals that attempted to break into a small dam to disrupt operations. The informed intel:

• 1st time someone has been charged with disrupting, or attempting to disrupt, critical U.S. infrstructure. 
• The charges are” cyber myham” to disrupt the water infrastructure. 

Washington Post | U.S. charges Iran-linked hackers with targeting banks, N.Y. dam 

• Gain legitimacy as mode of information providers & conduits
• More than 1/2 of the debates have been co-sponsored by tech companies
• Gaining traction as a baramoter for public mood via:
  • YouTube debate questions
  • Google analytics use in debate questions
  • Twitter posts utilized in debate questions
• They host spin rooms, debate lounges to discuss candidates
• Develop campaign technology
• Advertising mediums

The Hill | Tech’s Big Play in 2016

What happened that led to a lawsuit? A health care network experienced a data breach, followed its internal protocols to handle the data breach.

What did the plaintiff’s allege that the health care network didn’t do that caused them harm? health network had violated the HITECH Act in protecting personal health information

What did the courts say? “There is no case law that suggests that an isolated privacy breach or discrete series of related breaches constitute a violation of the HITECH Act,” states the district court opinion. “Moreover, the Relator fails to allege that KHN failed to implement policies and procedures to address various security risks.”

What’s the take away? When a health care provider follows data breach protocols to protect health records, following those steps shows protections for health records.

Health IT Security | US Appeals Court Affirms FCA Healthcare Data Breach Case

What happened on University of California campuses to cause a UC hacker policy? In 2015 Hackers Broke into the UCLA Medical Center.

In response to the hack what policy did UC officials enact? UC installed data monitors that stores internet traffic on campuses for 30 days

Do faculty like this idea? No, UC has a policy dating back to the 1930s that providers for collaborative policy making in conjunction with faculty input. It’s all very Californian.

Did UC create a greater data security risk? Some say yes, because capturing and storing 30 days of university internet traffic is a treasure trove of data for hackers

Which UC official decided to install data collection monitors? Janet Napolitano, the university president and a former secretary of homeland security in the Obama administration

NPR | All Things Considered | At Calif. Campuses, A Test For Free Speech, Privacy And Cybersecurity

Who is touting new legislative approach to cyberstalking? Rep. Katherine Clark (D-Mass.)

What does her bill do? 

• make it easier for law enforcement to arrest cyberstalkers 
• create a $20 million grant to aid local and state law enforcement
• Create a national resource center for research & technical information for law enforcement officers and prosecutors.

SC Magazine | SXSW: Dem. lawmaker plans to introduce online harassment legislation

BuxxFeed | Congresswoman Unveils Plans To Prosecute Severe Online Threats Against Women

Data security of self-driving cars spurs calls for uniform data security standards for self-driving cars.

Have there been a push for self driving car regulations or statutes in Texas ? Yes, why yes, there has. 84R HB 933

Did those pushes include data security issues? No.

The Hill | Lawmakers worry about cyberattacks on self-driving cars

• Spanish hackers discovered that devices that make logisitics companies more efficient are subject to being controlled by hackers
• Companies use “telematics gateway units” or TGUs, small radio-enabled devices attached to industrial vehicles’ networks to track their location, gas mileage and other data“
• The ability to locate large vehicles and ambulences creates public safety concerns

Wired | Thousands of Trucks, Buses, and Ambulances May Be Open to Hackers

What’s Congress’ new cybersecurity idea? To ” increase information sharing among the Homeland Security Department and state and local governments about cyber threats and vulnerabilities”

Whose idea is this? Congressman Will Hurd filed a bill in December 2015 & Sens. Gary Peters and David Perdue are introducing a bill in March 2016
 

Politico | Warner, McCaul and Obama talk tech in Austin

DATA SECURITY.

Emergency Management | Cybersecurity Tops County and City IT Director’s Concerns

• Improving Health Information Technology Act (S. 2511)
  • electronic health records interoperability
  • establishing a medical device postmarket surveillance system
  • loyal subscribers will recall the hacking of medical devices
• Ranking Member Patty Murray’s amendment to S.1878
  • medical device data safety and effectiveness
  • how do we keep consumers aware of medical device data security issues?

Healthcare IT | How Recent Senate HELP Bills Affect Healthcare Data Security

• By 2020 the worldwide cybersecurity market will reach $170Billion
• In 2015 the world wide cybersecurity market is $75 billion
• Cybersecurity related firms will spend $170 Billion 
• By 2019, the cost of data breaches will be $2.1 trillion

researcher Markets and Markets | Cyber Security Market by Solution (IAM, Encryption, DLP, Risk and Compliance Management, IDS/IPS, UTM, Firewall, Antivirus/Antimalware, SIEM, Disaster Recovery, DDOS Mitigation, Web Filtering, and Security Services) – Global Forecast to 2020

Forbes | Worldwide Cybersecurity Spending Increasing To $170 Billion By 2020

What local governmental entity department was the newest target to hackers holding data for ransom? Durham, N.H., Police Department

How did the hackers do it? Attached a file to a email on a relevant police investigation that appeared to be fax file.

What did the police department do? Pay the ransom? Beat the ransom technology? The police department mitigated damage by recovering the locked files from a backup copy that hadn’t been infected. The department paid no ransom.

Is this an isolated example? No, these police departments have also been affected by ransomeware:

• 5 small police departments in Maine
• Police departments in these states have been hit by ransomeware:
  • Illinois
  • Massachusettes
  • Tennessee
• These local governments have been hit by ransomeware:
  • Detroit
  • Medfield, Massachusettes

How has ransomeware grown in private sector? FBI says in 2014 the number of incidents grew 114%

Governing | Hackers Hold Police Files Hostage for Ransom

• the Consumer Financial Protection Bureau levied a fine against an online payment system company for the company’s data security practices in violation of the Consumer Finance Protection Act
• Consumer Financial Protection Bureau? Sounds Like Consumer Credit Commissioner?
• The regulators say the encryption touted by the company did not live up to its hype

Bloomberg BNA | Consumer Finance Agency Levies First Data Security Fine

National Law Review | Dwolla Fined $100,000 by CFPB in First Data Security Enforcement Action

Consent Order Between the Consumer Financial Protection Bureau and Dwolla

Who is issuing the warning? The Obama Adminsitration

What entities are being warned about data security threats?

• power companies
• water suppliers
• transportation networks

What’s sparked the warning? The attack n the Ukraine’s power grid 2 months ago. It was the first cyberattack that produced a wide spread blackout

What was the target of the cyber attack? industrial control systems that act as the intermediary between computers and the switches

What could hackers do with control over industrial control systems?

• distribution of electricity
• guidance systems for trains
• valves that control water supplies
• machinery that mixes chemicals at factories.

New York Times | Utilities Cautioned About Potential for a Cyberattack After Ukraine’s

Which governmetnal entity is seeking contractors for data security? Department of Defense

What is the data security objective? $600 million in computer system for background checks

Can similar procument opportunities present itself in Texas? Absolutely, keep your eyes open and subscribed to informedintel.com

Reuters | Pentagon to tap private industry for background check IT system

What group issued this report? The Institute of Directors and is supported by Barclay’s 

What did the report find the rate of businesses reporting data breaches? 1/3

What percentage of businesses maintained cybersecurity insurance? 20%

WSJ | Report Warns U.K. Businesses to ‘Get Real’ on Cyberattacks

AT&T.

The ad:

Cyber Security for Government

Help keep your agency’s information protected. Our proactive network-based approach to managed security delivers some of today’s most powerful weapons to combat cyber security attacks — helping to safeguard the elements of your IP infrastructure. To learn more about security solutions for your agency, please visit www.att.com/govsecurity.

Data security and new government agency leadership posts and new agencies go hand in hand. 

Pending federal legislation would create the National Commission on Security and Technology Challenges.

Here’s the info you need abou the National Commission on Security and Technology Challenges:

• its bipartisan: Senate Intelligence Committee member Sen. Mark R. Warner (D-Va.) & House Homeland Security Committee Chairman Michael McCaul (R-Tex.)
• required new agency report detailing:
  • benefits of encryption in protecting privacy and civil liberties
  • costs of weakening encryption
  • versus
  • impact on criminal investigations and counterterrorism
• 16 members chosen equally between House and Senate, majority and minority parties

Multichannel News | Encryption Commission Legislation Introduced

From where did this cyber security czar idea eminate?  It was in the 2016 proposed federal budget from the White House. The feds had a gigantic data breach, so its time to fix it.

Are state’s picking up on a state cyber security czar position? Yes, including a proposal this week from California

What moves states to implement a state cyver security czar?  Here’s what motivated California legislators:

• 160 state departments hold personal information about residents including:
  • SSNs
  • home addresses
  • medical information
• On a voluntary state audit, 73 of the 77 responding state agencies said their departments “are not in compliance with cyber security standards”
• The State Department of Technology says its because agencies do not have enough funding for up to date technology

The Recorder | Lawmakers Seek Fix for State’s Cybersecurity Woes

• On Friday, February 26, 2016, the IRS sais oops, there were more taxpayers affected by the data breach than we thought. Our bad.
• How much worse? Oh, just a couple extra 100,000s.

The Hill | IRS: Taxpayer breach much larger than previously reported

Drug Delivery Systems data is a new target and concern for data security.

Medical Device & Diagnostic Industry | The Data Revolution Comes to Drug Delivery

…hackers. Yes, that’s right 98% of the data breaches in 2015 that occured in health care were initiated by hackers.

That’s an 80% increase over 2014.

What is the intent of the hackers that seek health care information? 

•  identity theft
•  leverage the health care data to access medical care
•  conduct corporate extortion 

AJMC.com | Cyberattack on Hollywood Hospital Part of a Growing Trend

Stacey Napier will lead the Department of Information Resources as the its executive director beginning mid-March 2016.

Napier replaces Todd Kimbriel, the interim executive director of DIR. 

An overview of her background:

• She arrives from Governor Abbott’s office.
• She was with the Texas Attorney General’s Office for 10 +years
• She was previously the Chief of Staff to former state Sen. Florence Shapiro

Austin Business Journal | Texas names Capitol veteran as technology agency director

Spec’s experienced a data breach that resulted in legal fees. Spec’s was insured and has sued its insurer over the coverage of costs incurred from the data breach.

3 Take aways from a Texas Company with data breach insurance coverage:

• Spec’s wants its insurance company to pay its legal fees for a legal fight between Spec’s and the credit card processor that experienced the data breach
• Insurance companies have become good at covering the initial expenses (notifications, initial legal fees, computer foresenics) of a data breach, it’s these longer term expenses, like litigation, where it gets murky
• Insurance companies have been re-writing general commercial liability policies to expressly exclude coverage for data breaches and instead offering a separate policy

Houston Business Journal | Spec’s lawsuit raises questions on how insurance companies should handle data breaches

The question for Texas, does holding business data hostage constitute a crime?

Where did data get held hostage? In California

How was the data held hostage? “malicious “ransomware” application to encrypt data on the hospital’s computer system, demanding payment in exchange for a decryption key” 

What type of business?  Hollywood Presbyterian Medical Center  patient input information 

What did the hackers want? $17,000 worth of bitcoin was paid to retrieve an encryption code.

Where patients harmed? No patient records or hospital care was impacted.

The Hill  Ransomed hospital pays $17K to hackers to restore computer access

How much data has been gathered by license plate readers in Texas? Estimated 10 million license plate pictures, with locations, collected by month.

What can be done with this stored license plate information?  It can track the location of a vehicle by plotting its sightings by day and time

What’s happening on this legislatively?

• In 2015, Texas bills preventing license plate recording & collection died
• Arkansas & Utah prohibit private companies from amassing license plate data collection
• California permits the collection of license plate data for 60 days, longer if the information is being used in an active felony investigation
• Colorado allows for data retention for 3 years, then the data must be destroyed
• Maine allows license plate readers for limited law enforcement purposes and data can only be retained for 21 days
• Maryland prohibits license plate readers
• New Hampshire allows license plate readers for limited law enforcement purposes
• Tennessee limis license plate data retention to 90 days

What happened to spark stronger student data privacy protections? A court allowed for the release of student data to a group of parents who are fighting a court battle over the quality of education for disabled students.

What data do legislators want to prevent schools from releasing?

• student social security numbers
• medical histories
• mental health assessments
• student disciplinary records

​What is the nobel purpose of the legislative action? Schools collect data that is neither required by law nor required for public education purposes

The Recorder | Lawsuit Spurs New Student Privacy Proposal

California Assembly Bill 2097 

What data is being collected and sold by electronic devices? Smart televisions gather information about viewing habits and that data is sold to third parties .

Do owners of smart tvs know or have they consented to the data collection? According to a series of law suits, no, owners neitehr know of the data collection nor consent to it. 

WFAA | Vizio’s smart TVs are snitches, lawsuit alleges

What class action is progressing?  The suit involving the Anthem Inc. health breach that affected 97 million.

What did the judge do that allowed the class action to move forward? Rejected Anthem’s argument that a data breach is not a recognizeable injury

What does this mean? Courts have split on whether a data breach, with no proof that the stolen data has been used to cause a harm, is enough of an injury to satisfy a lawsuit. The California Judge’s order says it is enough of an injury for a lawsuit under New York’s General Business Law, similar to California’s Unfair Competition Law. 

The Recorder | Judge Rejects Key Defense in Anthem Data-Breach Suits

Which Attorney General office analyzed state data security breaches? California

What is the most popular data to breach?

• social security numbers
• credit card information
• medical information

What recommendations to policymakers emerged?

• Follow all the 20 controls in the Center for Internet Security’s Critical Security Controls, otherwise your company isn’t offering reasonably data security
• multi-factor authentication must be available
• encryption must be standard business practice
• All states should harmonize their data breach laws to make them effective

Lake County News | State attorney general releases Data Breach Report; more than 49 million records compromised

California Attorney General Data Breach Report

• Auto Manufacturers are facing data security issues related to connected cars
• Car Dealers are facing dats security issues related to customer data, the link of that customer data ties to car data
• This combination that ties customer data privacy to hackable connected cars requires “robust cyber security infrastructure could give his firm competitive advantages against their competitors.”

Computer Business Review | Cyber security showroom – How Lookers put data security into car dealership

Providing mechanisms to address a decedent’s online presence is a growing trend. 

This sounds rather nerdy, why is it important to a corporate client? Because the state may tell your client what it can and cannot do with customer data.

So, what state is now wading into this territory? Wyoming

What could happen with data at death?

• A user would be able to direct a service, like Facebook,  to turn their accounts over to a fiduciary at death
• Or, if a will isn’t so set up, then a data custodian  may turn the user’s account information over to a fiduciary or representative of the estate through a court direction

Government Technology | Data Protection, Privacy Bills Make their Way Through Wyoming State House

What regulation proposals are floating around related to connected cars and data security?

• U.S. Senator Markey’s SPY Car Act
• Congressmen Wilson and Lieu offer Examining Ways to Improve Vehicle and Roadway Safety: Vehicle Data Privacy
• Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers, Inc., want self regulation  Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services
• Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers, Inc., are collaborating on data securtiy by their Information Sharing and Analysis Center (ISAC)

Data Security Monitor | Automotive IT News | Legal Developments in Connected Car Arena Provide Glimpse of Privacy and Data Security Regulation in Internet of Things

Which executive is proposing a new cabinet level position to coordinate cybersecurity? President Obama’s proposed budget includes the creation of “new high-level federal official to coordinate cybersecurity across civilian agencies and to work with military and intelligence counterparts”

Is there a new cyber security plan? Yes, the “Cybersecurity National Action Plan”

What’s the goal?  build a cohesive, broad federal cybersecurity response that will:

• “drive cybersecurity policy, planning, and implementation for IT systems across” the federal government
• set and monitor performance goals for agencies

What will the new position do?

• Offer more training for the private sector, including:
  • password and pin authentication to sign onto tax data
  • 2 step authentication for government benefits
  • Reduce the use of Social Security numbers for identification

Top Tech News | Obama Administration Plans New High-Level Cyber Official

Wall Street Journal | White House Proposes New Cybersecurity Plan

What do the feds want to stop the state legislatures from doing? barring the manufacture and sale of unbreakably encrypted smartphones

Why does this matter? California and New York have pending legislation to bar the manufacturing and sale of unbreakably encrypted smartphones.

Why would the state want to prevent unbreakably encrypted smnartphones? Law enforcement wants access to smart phone data.

What groups are involved in this policy fight? tech companies v. law enforcement

The Recorder | Bill Would Bar Encryption Measures at State Level
 

The Virginia legislature is considering the Government Data Collection and Dissemination Practices Act which would:

• prohibit the state from secretly collecting data
• prohibit data collection “without a clear need for its collection”
• prohibit data collection by “fraudulent or unfair means”
•  targets of data collection would be notified about the purpose of the information gathering and would be given the opportunity to amend, correct and erase “inaccurate, obsolete or irrelevant information,”
• require agencies that store data to use secure methods for holding the data

Governing | 7 Tech Policy Issues to Watch in 2016

The Hewlett Foundation has a $65 million initiative in cyber security.

Robert and Renee Belfer just added $15 million for the Belfer Center for Science and International Affairs at Harvard’s Kennedy School to establish the Cyber Security Project. 

Inside Philanthropy | Meet a Wealthy Family That Cares About Cybersecurity

Minnesota wants to do a better job protecting student data privacy. Here’s what the land of 10,000 lakes is proposing in its House Bill 2386:

• prohibit schools from forcing students to supply their access information to personal social media accounts
• prohibit school employees from forcing students to alter the settings of their accounts to make information visible to the public
• opens violating schools up for legal action on the part of the affected student

Governing | 7 Tech Policy Issues to Watch in 2016

New Jersey Legislature is considering SB 808 that would:

• Create a 6 member Cybersecurity Commission under the Department of Law and Public Safety
• tasked with evaluating New Jersey’s “informational infrastructure”
• private and public collaboration on cybersecurity
• Issue recommendations on:
  • securing state networks
  • offering strategies to bolster the cybersecurity industry in the state
  • providing cyberhygiene and awareness

Governing | 7 Tech Policy Issues to Watch in 2016

• 31%  worry about internal controls over financial reporting;
• 26% are sleepless over data infiltration and IT security;
• 20% aren’t cozy over tax compliance;
• 17% fear the madness of future regulatory mandates.

Bloomberg BNA | DATA SECURITY SEES POLL NUMBERS RISE

• Fitbits will get hacked.
• The E.U. and U.S. fight on datat security will continue
• Businesses should have data security policy & do risk assessments
• Data Security will be guided by industry specific standards 
• Telephone Consumer Protection Act will be a new source of data security lawsuits
• Company issued electronic devices vs. personal electronic devices means more now that we’re in the age of data security
• Curate and protect your social media like you do your health data from your fitbit
• FTC and FCC will go stronger to protect data
• HIPPA and data security will see a renaissance
• Develop a breach notification plan (regulators are rewarding those that do)

National Law Review | Top 10 for 2016 – Happy Data Privacy Day

• Which states have pending legislation to penalize fully encrypted cell phones? California & New York
• What fine is being imposed under these bills? $2500
• What’s the goal of these encryption bans?
  • help law enforcement better combat human trafficking and other serious criminal activities that are being conducted over hidden encrypted networks and locked devices.
• What groups oppose these encryption penalties?  The tech and privacy community

The Hill | Calif. bill would ban fully encrypted smartphones

The IRS has ruled that businesses can go tax free for credit monitoring & identity theft protection services that:

• are provided by employers to employees following a data breach
• are provided before a data breach

national law review | Tax Benefit for Early Cybersecurity Protections

4 Key points to know now:

• Incentives for corporations to share data is a ruse for law enforcement to access data without a warrant
• Libertarians are calling the 2015 law, “the worst anti-privacy law since the USA Patriot Act”
• Undermine government accountability
• Erode American privacy protections

The Hill | Critics urge lawmakers to repeal recently passed cyber law

California Assembly has a new committee to handle privacy and technology issues. What’s the committee jurisdiction?

• drones
• data security & breaches including in health care
• Smart cities that use technologies to communicate with residents
• security of networks
• oversight of state computer data security

The Recorder | Calif. Lawmaker Forecasts Busy Year in Privacy