Cybersecurity & Tech

The legislation:  Security and Privacy in Your Car Study Act of 2017

The authors:  Reps. Joe Wilson (R-SC) and Ted Lieu (D-CA)

What does the bill do? Brings together the following entities to determine how to regulate data for connected cars:

• National Highway Traffic Safety Administration
• Federal Trade Commission
• National Institutes of Standards and Technology
• Department of Defense
• OEMs and suppliers
• SAE international
• academics

What elements do these groups need to consider in their recommendations for regulation?

• identify what’s necessary to isolate critical systems in a vehicle from the rest of its software
• relevant standards for firewalls and anomaly detection systems
• techniques to prevent or discourage malicious intrusions
• best practices for storing the data generated by connected cars
• timeline for implementing all of this

How fast would they need to make recommendations?  Within 1 year

Ars Technica | Worried about cybersecurity and the connected car? There’s a bill for that

How constituents feel about data breach laws:

• 68% of internet users believe current laws are not good enough
• 64% believe the government should do more to regulate advertisers
• Favor limits on how long the records of their activity are stored
•  74% of Americans say it is “very important” to be in control of their personal information
• 64% of Americans have personally experienced a major data breach
• 49% feel that their personal information is less secure than it was 5 years ago
•  41% of Americans have dealt with fraudulent charges on their credit card
• 15% have received notice that their Social Security number had been compromised.
• 70% of Americans anticipate major cyberattacks in the next 5 years on our nation’s public infrastructure

EPIC.ORG | Pew Survey Finds Support for New US Privacy Laws, Limits on Data Retention: | Pew Survey Finds Majority of Americans Are Data Breach Victims

• 9.2 % were medical sector breaches
• 51% were business sector breaches
• 23.4% unknown industry sector
• 11.7% government breaches
• 4.7%  education sector breaches

Becker’s Review Health IT & CIO | Medical industry accounted for 9.2% of breaches in 2016

• adding biometric and geolocation data to the definition of personal information that triggers a data breach notification
• regulations related to surveilance equipment used by law enforcement
• protecting disclosure of a a person’s religious affilaition from the government

The Recorder | What to Expect in California Data Security and Privacy in 2017

• State Affairs recommendations:
  • a dedicated and collaborative cybersecurity initiaitive 
  • clear legislative direcetives
  • direct agencies to collaborate
  • a central repository for its cybersecurity program
• Urban Affairs recommendations:
  • appropriate funds for a grant program to support cybersecurity training and information sharing costs for small municipalities and utilities
  • creation of cybersecurity training and information sharing programs within agencies
  • increase the level of cybersecurity expertise in state agencies
  • statewide cybersecurity coordinator in the Governor’s office and improving the cybersecurity resources and structure of the Department of Information Resources 
• Government Operations and Transparency recommendations:
  • Require Executive Director, Commissioner, CEO level approval for annual agency cyber security risk report 
  • Increase the number of cybersecurity practitioners in Texas 
  • Create a Central Legislative Committee Responsible for Cyber Security Risks 
  • Funding to upgrade legacy systems
  • promoting collaboration, innovation, and entrepreneurship in cyber security to facilitate the commercialization of university research and development  
• Investments and Financial Services recommendations:
  • support fully funding strategies within the Texas Department of Information Resources’ (DIR) Legislation Appropriations Request (LAR) to protect the state government’s computer network from cybersecurity threats, including security policy and awareness and security services.
• County Affairs recommendations:
  • require all counties to install and maintain appropiate level of cybersecurity 

Massachusettes, home of the Draft Kings, passed new fantasy sports regulations.

The editorial board reactions: Fantasy Sports Regulations have no cybersecurity

The cybersecurity response from daily fantasy sports: 

• fantasy sports regulations do require comapnies to have security measures
• comapnies are subejct to prosecution for not following the regulations
• the beauty of fantasy sports is that the playing information is public information

What cybersecurity experts say:

• fantasy sports has 3 levels of cybersecurity to be concerned about: its operating platform, the application used by the player, and the network.
• target for hackers could either be player information or impacting the game itself
• recommend policymakers “borrow from other established security benchmarks, such as NIST, CIS, and ISO”

Legal Sports Report | Daily Fantasy Sports Regulation And Cybersecurity: A Closer Look

 CryptoMove embraces a business model that replaces encryption with breaking data into pieces and moving it around. 

Instead of hackers having  way to your document in a garbage can, hackers have to reassemble microshredded pieces. 

Beware regulators who set a standard level of encryption as a requirement. The industry changes.

Tech Crunch | Security startup CryptoMove fragments data and moves it around to keep it secure

1. Multidisciplinary application. Cybersecurity is not just for the Information Officer.
2. Data is an asset. Protect it. Have a game plan for how long you’re keeping the asset.
3. Data lives on mobile devices and moveable devices too. Protect those too.
4. Know the information you keep.
5. Train employees. Employees create cybersecurity breaches too.
6. Legislative and regulatory data security standards are the floor, not the ceiling.

Tech Target | Six keys to creating strong data-security measures

Train teachers in cybersecurity. Make data security part of the faculty and administrator school culture. 

In 2013,  400 school data security bills were considered.

Only 1, Colorado’s, included teacher training. 

Slate | The Best Way to Protect Students’ Personal Data

The European Union Agency for Network and Information Security recommends  3rd party cybersecurity evaluations for self driving and connected cars. 

Why the need for 3rd parties? The current cybersecurity standards for vehicles is not enough.

Bonjour, new opportunities to provide cybersecurity evaluations…

The European Union Agency for Network and Information Security | Cyber Security and Resilience of smart cars

Texas House Rules debate on Wednesday, January 11, 2017, added cybersecurity issues to the jurisdiction of the House Committee on Government Transparency and Operation.

Local governments are concerned about federal DHS cybersecurity regulations for local elections, because those federal regulations may :

• Add an unnecessary layer of bureaucratic oversight
• Would centralize an inherently local — and decentralized — system

What did DHS do to trigger these concerns? Declared elections to be critical infrastructure, which triggers additional protections and resources from the federal government.

Governing | New Election Cyberprotections Cause Confusion and Concern

New York Governor Andrew Cuomo set forth his plan for protecting the cybersecurity of New Yorkers by:

• Creating a “response team” to handle confidential information breaches from state & local governments 
• Create a graduated system of punishments for computer tampering crimes based on the amount of damage
• More severe punishments for identity Theft

New York Law Journal | Cuomo Promises New Cybersecurity Measures in 2017

States are changing their cybersecurity statutes to include as protected information:

• usernames
• email addresses
• passwords
• security questions
• security  answers

Mondaq | Morgan Lewis | Three States Join Others to Expand Personal Information Definition to Include Usernames or Email Addresses

What entity promulgated new medical device cybersecurity rule guidance? The FDA

What prompted the new guidance? Claims of heart device hacking

Policy Issues around medical device hacking:

• assess whether the risk of patient harm is sufficiently controlled or uncontrolled
• protection of PHI- protected health information- by devices
• comprehensive risk management programs
• NIST cybersecurity protocols should be the standard

Where did the data breach occur? State of Nevada medical marijuana database

How many people had personally identifiable records affected? more than 11,000, but no patient records

The response by the state: Take the database offline

Weed News | Nevada Medical Marijuana Data Breach Highlights Need For Industry Information Security

Reno Gazette Journal | Thousands of Nevada medical marijuana dispensary applications exposed online

• 3.7 million patients and customers affected
• Phoenix, AZ
• Banner Health
• Hackers accessed credit card processing information + patient data information

Beckers Health IT & CIO Review | 11 of the biggest healthcare data breaches of 2016

Banner Health | Banner Health Identifies Cyber Attack

The state upping the ante on data security rules for the finance industry: New York

The new New York rules announced December 28th will:

• Effective Date will be March 1, 2017 instead of January 1st
• Require annual reporting to the state about data security compliance
• Requires financial institutions to maintain comprehensive audit trails
• Mandatory reporting of any cybersecurity event within 72 hours
• Financial institutions must appoint a Chief Information Security Officer (CISO)
• Required multifactor authentication for staff accessing internal networks or information systems externally

Business Insider | New York delays new cybersecurity rules for financial firms​

What do you need to know about data breaches?

• 93% could have been prevented according to the Internet Society Study
• breaches cost the US $500 billion per year

The carrot & the stick:

• Increase the accountability of entities that hold data
• By requiring the entities to shoulder more of the cost of a breach
• Allow these entities to offer “credible security signals to the market” to provide a benefit to the entity

Tech Crunch | The carrot and stick of data breaches

The state: Maryland

The data breach: Student records, including names, brthdates and Social Security numbers in Frederick County Public Schools

Why legislation was triggered? 

• A state senator didn’t think he was getting enough answers from education officials
• An April 2015 audit called for increased data security measures for student data

The legislative proposal: 

• Requiring up to 5 years of identity and credit monitoring for data breach victims
• Not require schools to transfer student records to the state education agency until the state has “an industry-accepted standard in their information technology systems”

Government Technology | Maryland Delegate Promises New Legislation in Wake of Student Data Breach

• Support the establishment or continuation of a valid patient-physician relationship;
• Have a clinical evidence base to support their use in order to ensure mHealth app safety and effectiveness;
• Follow evidence-based practice guidelines, to the degree they are available, to ensure patient safety, quality of care and positive health outcomes;
• Support care delivery that is patient-centered, promotes care coordination and facilitates team-based communication;
• Support data portability and interoperability in order to promote care coordination through medical home and accountable care models;
• Abide by state licensure laws and state medical practice laws and requirements in the state in which the patient receives services facilitated by the app;
• Require that physicians and other health practitioners delivering services through the app be licensed in the state where the patient receives services, or be providing these services as otherwise authorized by that state’s medical board; and
• Ensure that the delivery of any services via the app be consistent with state scope of practice laws.

Data Law Insights | Crowell Morning | Illinois’ First Settlement under Biometric Law; AMA Adopts Principles for Mobile Health Apps; Ecuador to Enact Data Privacy Law

On the horizon is rulemaking to make cars talk to each other. Cars will transfer information about how the car is moving and where it is, that gives rise to these legislative and regulatory questions?

• Can the data stored or transmitted by cars be used in tort litigation?
• Can the data stored or transmitted by cars be used in any litigation?
• Do data breach standards apply of this information is hacked?

The future is here. U.S. Department of Transportation is proposing new rules to require new cars to talk to each other.

NY Times | Cars Talking to One Another? They Could Under Proposed Safety Rules

The U.S. Air Force forewarns that data security is more than computers. Its networked mechanics and platforms.

There’s even handy jargon sure to catch on- operationalize cyber security.

Sound familiar? Sounds likeutilize medical equipment that transmits information, or dolls that contain information about children, or your Fitbit.

Defense Systems | Air Force: Cyber security extends beyond IT

• 60+ carriers offer stand-alone cyber insurance policies
• $3.25 billion in gross written premiums
• growth potential to $7.5 billion
• Cyber security breaches are the 3rd highest global business risk
• $7 million is the average cost of a breach

Insurance Information Institute | U.S. Cyber Insurance Market Grows Amid Data Breach Concerns

• 23 of the 47 states that have data breach laws require the state Attorney General to be notified
• State Attorney Generals litigate data breaches
  • in Texas, the Attorney General reached a settlement with Paypal app, Venmo, for $175,000 requiring the company to “improve disclosures regarding security and privacy”
• many state Attorney Generals set policy like hio Attorney General who launched, CyberOhio

Lexology | McGuirre Woods | In Data Privacy, Don’t Forget the State Attorneys General

What to do when retired Lt. Gen. Michael Flynn is reported to have installed secret data lines in his Pentagon office?

If you’re a U.S. Senator you request a denial of security clearance.

U.S. Senator Shaheen | Shaheen, Blumenthal Call on Top Intelligence Officials to Review Security Clearance Given to Lt. Gen. Michael Flynn

Internal data security threats top all but 0.3% of cyber security concerns.

What are examples of internal data security threats? 

• malware being installed by workers
• stolen or compromised credentials
• stolen data
• abuse of administrative privileges

SC Media | Everyone is worried about internal cybersecurity threats, report

To meet federal data security requirements in contracts, GSA added Adobe’s data-centric security and electronic signature solutions to GSA’s IT Schedule 70.

The key facts from GSA:

• Increased acquisition efficiency for data security and electronic signatures.
• Over $350 million in potential cost savings for the American taxpayer.
• Agencies will be afforded tiered discounts by leveraging the buying power of the federal government.
• Reduced contract duplication and administrative cost with clear Terms & Conditions.
• Enhanced security of government data.
• Users afforded the option to replace paper processes with fully automated electronic signature workflows.

GSA | GSA & Adobe to Deliver Streamlined Data Security, Electronic Signature Solutions for Government

FCW| The Business of Federal Technology | GSA adds data security solutions to Schedule 70

• Experian predicts hackers will target hospital networks above insurance companies.
• Why? hospital patient data is very valuable
• How? hospital networks are decentralized and its harder to maintain data security protocols

Becker’s ASC Review | Data breach forecast for 2017: Cyber criminals to target healthcare

The gift: talking dolls

The data security threat: The dolls record, without consent, children’s voices and saves the voices.

The laws and rules at issue both federal and state: Deceptive Trade Practices Act. Federally enforced by the FTC, and by the AG in Texas. 

Wallstreet Journal | Talking Dolls Pose Privacy Risk to Children, Advocacy Groups Allege

Tech companies are calling for a Treasury Department UnderSecretary for Technology.

Which tech companies? The big ones- Google, Amazon and Apple- and others

What tech issue are they wanting eyes on? FinTech- of technology in finance

FinTech laws coming to a state near you…

The Hill | Apple, Google, Amazon ask Trump for focus on financial tech

What data was shared? Chicago Public Schools improperly shared student information that led to direct advertising by a Charter School. 

How did a 3rd party gain access to public school data? A school employee willingly shared it with the Charter School.

SC Media | Chicago Public School data improperly shared

The legislative step that could protect utility districts from ransomeware threats? 15 minute backup intervals

The 15 minute regular backup allowed Nebraska’s Central Platte Natural Resources District to thwart a ransomeware attack.

SC Media | Nebraska irrigation district thwarts ransomware attack with automatic backup

How did San Francisco’s Muni system stop a ransomeware attack that held its system hostage? In 3 steps:

• Shut down electronics- opened fare gates & shut down ticket machines
• Contacted Homeland Security
• Relied on its technology team to restart the system from a backup

The success of Muni’s actions:

• Friday night the electronic ticketing shut down, by Monday the system was up and running
• No confidential information was obtained by the hackers
• Muni never communicated with the hackers during the process

Governing | How San Francisco’s Transit System Warded Off Ransomware Hackers

Where: Michigan

The regulators who want to impsoe data security standards on utilities: Michigan Public Service Commission

What data security requirements would be added to utlities?

• require annual reporting that overivews:
  • utility cybersecurity programs
  • staffing numbers
  • describes employee training
  • explains cybersecurity threats that have been experienced

Washington Times | State wants rules to toughen utilities’ cybersecurity

What medical information isn’t covered by HIPAA?genomic, lifestyle, financial, environmental and other information that wearbale devices and meters store

Is all the genomic and lifestyle data HIPAA worthy? Some of it probably should be covered

What do we need to know about geonomic and lifestyle data? We have to think about medical information outside the traditional format. 

Security Privacy & the Law | Cybersecurity 2017 – The Year In Preview: HIPAA Compliance

Senate Business & Commerce interim report offers these recommendations on cybersecurity:

• the voluntary nature of state cybersecurity policies are a problem (i.e. need more requirements with hint, hint: more procurement opportunities)
• require technical risk assessments at state agencies
• USE PRIVATE SECTOR TECHNOLOGIES like cloud storage

A plethora of procurement opportunities abound.

The U.S. Senate Cybersecurity caucus is compromising to move forward with a national commission to investigate the difficulties encryption has created for law enforcement.

Politico Morning Cybersecurity | November 17, 2017

What’s missing from self driving car regulations? Assurances that governmental agencies aren’t trying to gather data.

What type of data could be collected about a self driving car?

• identifying information including:
  • names,
  • phone numbers
  • credit card info
  • usage data
  • real-time and historic geolocation data

The legislative/policy/regulatory buzz word? Privacy.

Tech Crunch | Lyft wants more explicit protection of consumer data from NHTSA on self-driving

Can a business buy a list of breached users from another business for the purpose of notifying the hacked users?

uh, what? Facebook wants to buy a list of hacked users from another comapny so it can don the white hat and tell its members they were hacked.

For your consideration while legislatures consider how to protect consumers whose information has been hacked. Anyone for a prohibition on the sale of the hacked information?

CSO | Security experts divided on ethics of Facebook’s password purchases

+26 House: 

• Valoree Swanson
  • Baylor. Concerned Women of America. Real Estate Broker.
• Shawn Thierry
  • Attorney. Howard Univ. & South TX College of Law. Big Borther Big Sisters.
• Mary Ann Perez
  • U of H. Insurance. Former HCC Trustee.
• Jarvis D. Johnson
  • Former Houston Council Member. Restraunteur & Consultant African Trade. Texas Southern.
• Tom Oliverson
  • Anesthesiologist. Home Schools. Baylor College of Medicine.
• Briscoe Cain
  • U of H. South Texas College of Law. Raised working class. 
• Kevin Roberts
  • Texas Tech. Riased by Grandparents in Amarillo. COO Lanier Lawfirm.
• Barbara Gervin-Hawkins
  • University of Eastern Michigan. Sister of NBA Player George Gervin. Together founded community center and charter school.
• Tomas Uresti
  • Former School Board member. Legal Assistant. Uresti Law Firm.
• Philip Cortez
  • UT Austin. Working on PhD in Educational Administration. Fraternal Order of the Eagles.
• Diana Arevalo
  • Executive Director for an after school affordable music program. Former DNC staff. BBA from UTSA.
• Victoria Neave
  • Attorney. Texas Southern University. Community Service focused on the elderly.
• Lina Ortega
  • UT Austin. Attorney. Helped Created El Paso Co. Code of Ethics. 
• Kyle Biedermann
  • Univ. of South Florida. Small Business Owner. Primary Win touted by Empower Texas.
• Stan Lambert
  • Abilene Christian Univ. SMU. Former Banking Exec. Athletic Director at Abilene Christian. Former School Board Trustee.
• Lynn Stucky (Mr.)
  • Veterinarian.  Kansas State. Former School Board Trustee.
• Mike Lang
  • Grew up on a farm in Illinois. TCU. Retired law enforcmeent officer.
•  Hugh Shine
  • Held the seat 30 years ago. Sam Houston State. Army retired after 30 years of service. Colonel Shine.  MBA Baylor.
• Scott Cosper
  • Former Mayor of Killeen. Former City Council member. Cosper Custom Homes and Construction. Member of the Texas Department of Transportation Policy Board for 16 years
• Gina Hinojosa
  • UT-Austin. George Washington Univ. Attorney. School Board Trustee. 
• Justin Holland
  • City Council Member. Mayor Pro Tem. Realtor.Texas Tech.
• Terry Wilson
  • Combat veteran. Retired from Army after 30 years. Touted by Empower Texas.
• Ernest Bailes
  • Texas A&M. Whitetail deer genetics company founder. Served on an Appraisal Board.
• Jay Dean
  • Former Mayor of Longview. The mayor who paid to stop Ted Nugent from performing a 4th of July concert. LSU.
• Cole Hefner
  • Former Upshur Co. Commissioner. Independent Insurance Agent. Pilot.
• Lance Gooden
  • Will be his 3rd session. UT Austin. Business Development Consultant.

+3 Senate: 

• Dawn Buckingham
  • Volunteer firefighter. UT-Austin. Lake Travis ISD trustee.
• Borris Miles
  • Sam Houston State. Former law enforcement officer. 
• Bryan Hughes
  • UT-Tyler. Baylor School of law. Supported by the Lt. Gov. during the 2016 primary.

Federal legislators will be asked to consider incentivizing businesses to build in cyber security into their products.

3 IoT Questions for House Energy & Commerce about Cybersecurity | Pwnie Express

The EU cyber security laws have experts touting that there will be bigger fines if companies fail to notify customers of data breaches. 

Out-Law.com | Failing to notify known data breach could lead to bigger fine, says expert

Germany has created a mobile Quick Reaction Force to quickly address cyberthreats.

Which cyber threats will the Quick Reaction Force respond to? Cyber attacks on government agencies & critical infrastructure

Will there be cyber threat information sharing between business interests and the state? yes.

Why did they enact this Quick Reaction Force for cybersecurity? To protect Germany’s elections from Russian or Chinese hackers

DW.com | German cabinet approves cyber security strategy

Analytics firms noted that Trump social media numbers among swing voters increased after the leaked Access Hollywood tape.

Other social media analysts say Trump’s social media sentiments were more positive than Clinton’s.

Tech Crunch | Analysis of social media did a better job at predicting Trump’s win than the polls

The flaw in cybersecurity law: Not modernizing the law to address white hat hackers

The  goals of the legislative fixes: 

• legislation more friendly to legitimate research
• by improving relationship improves between white-hat hackers & the owners of the products they investigate

The legislative fixes:

• The research by white hat hackers has to be for security purposes only.
• The exemption covers consumer devices, voting machines, medical devices, but not things like critical infrastructure, airplanes and major hospital equipment.
• The product being investigated by white hat hackers has to have been lawfully acquired.
• The white hat hacker research has to be done in a safe environment so techniques used to hack or otherwise compromise a product are not released in the wild.
• The white hats cannot violate other laws.

CSO Online | Protection of white-hat hackers slow in coming

U.S. military  hackers have penetrated Russia’s electricty grid & telecommunications in repsonse to Russian attempts on U.S. infrastructure.

NBC News | U.S. Govt. Hackers Ready to Hit Back If Russia Tries to Disrupt Election

The sex scandal Senator’s home: Nebraska

The new legislative policies for the Nebraska Legislature:

• “Prohibits senators and their staff from posting information on personal, campaign and commercial social media websites through the state’s secure network or state equipment.”
• Require user passwords
• Require user passwords to be updated annually

Background on Nebraska’s IT protocols:

• No password policy
• No requirement to change passwords
• Senators’ state-issued computers DO NOT require access with log-in credentials

Omaha World Herald | Kintner’s cybersex scandal spurs new technology guidelines for state senators, staff

Which two states have national guard cyberteams monitoring the election? Ohio and Maryland

What’s swing state Ohio doing?

• conducting penetration testing to see if state systems contain vulnerabilities
• monitoring election data systems for irregularities
• From Ohio’s Secretary of State: “Cyberwarfare is a new front for the military, for business and now for elections.”

What’s Maryland’s plan? ​

• Maryland was one of the first states to engage their national guard in cyberdefense.

Politico | Protecting election systems against cyberattack

Apple is poised to enter health care in these 7 ways:

• clinical trial partnership with Beth Israel Deaconess Hospital
• precision medicine initiative with Scripps Translational Science Institute
• partnered with IBM, Johnson & Johnson and Medtronic on cognitive computing platform called Watson Health Cloud
  • offering  tailored data analytics services to clinicians
• bought a health care tech firm to advance interoperability by aggregating health data into a single digital patient record
• build up healthcare credentials with Apple’s HealthKit, ResearchKit and CareKit platforms
• patent application pending for a new wearable device that can accurately measure electrocardiographic information across different areas of the body
• two new health apps for Apple devices — AirStrip and 3D4Medical
  • AirStrip allows doctors to check appointment schedules on an Apple Watch and get feedback on patients’ diagnoses
  • 3D4Medical’s large portfolio of 3D anatomical images, doctors can help patients visualize injuries and other medical conditions.

Regulations will protect the health care data on the device, in transit, and in storage from disclosures and from ransomware.

Health Care Drive | What’s up with Apple in healthcare?

• None of the companies will give users proper notice about changes in their terms
• All of the wristbands collect more data than what is necessary to provide the service
• None of the companies fully explain who they may share user data with
• None of the companies state how long they will retain user data

Tech Crunch | Fitbit, Jawbone, Garmin and Mio fitness bands criticized for privacy failings

Voting machines need a tech upgrade like a 2005 laptop needs an upgrade. Technology changes. Hackers adapt faster than lawmakers.

The hurdle to upgrade voting machines?

• Taxpayers have to foot the bill. 
• Legislatures are going to have vote to fund it
• There will have to a repeat of the 2002 federal funding to upgrade voting equipment

Techwire | Voting Technology Needs an Upgrade, But Who Will Pay for It?

Who identified the public education data security risks? Missouri State Auditor 

Was the auditor acting under a special audit program? The Cyber Aware School audits initiative

What 5 data security risks did the MO auditor identify?

• Data management programs are not fully utilized to ensure senstive data is available to those who need the data but maintains privacy
• Account management. Need policies and procedures for authorizing, reviewing and removing user access
• Security precautions  Need security training for teachers and staff and designated security  administrators
•  Incident response planning.  need a formal breech response plan
• Vendor contracts need data security provisions and contract monitoring of those provisions.

Christian County Headliner News | Auditor Galloway issues report on school data security risks

The agency with new data protection rules: The FCC

The new FCC rules will require broad band and wireless providers to:

• offer 3 tiers of privacy protections: opt-in, opt-out, and inferred
• opt-in will be the standard for this information held by providers:
  • sensitive personal data
  • financial data
  • location
  • social security numbers
  • health or medical information
  • internet browsing or app history
  • message content
  • data belonging to minors.
• opt-out standard for non-sensitive data like email addresses
• providers also have to provide clear, conspicuous and persistent notice about information gathering

Think Progress | Internet users will have more control over their private information, thanks to new FCC rules

New York.

The pinnacle of these regulation is New York Department of Financial Services rule, known as Cybersecurity Requirements for Financial Services Companies. 

The New York rules target financial services companies and their advisors. Lawyers call the NY rules “… a more comprehensive framework for cybersecurity than has been seen in any other U.S. jurisdiction.”

insurance news net | New York Jumps Ahead In Data Security Regs

Texas Congressional representatives push the most cybersecurity legislation.

Leading the pack are McCaul, Ratcliffe, Jackson Lee, and Smith. The Texans filed 42 bills, that accounts for 53% of all the cybersecurity legislation. 

Cyber Scoop | This state is becoming America’s factory for cybersecurity legislation

• U.S. Chamber of Commerce supports cybersecurity czars to reign in regulation
• Any czat should work under this industry developed framework: National Institute of Standards and Technology Cybersecurity Framework
   

Cyber Scoop | U.S. Chamber of Commerce calls for cyber (anti-)regulation czar

To whom does the model insurance-cybersecurity law apply?  To anyone who holds a license, registration or is authorized by a state insurance agency

There’s a revision to the model law, what’s changed?

• No preemption by the model law
• No private causes of action. tort reformers rejoice. 
• No contractual requirements for 3rd party vendors, but 3rd part vendors must be capable of protecting information
• Stronger notification requirements that trigger notification within 3 days of learning that personal information has been taken, removing a requirement that the information be toed to “substantial harm or inconvenience”
• Penalties have been removed and left to state regulators

National Law Review | Insurance Regulators Fine Tuning Cybersecurity Guidance

Your informed intel from August 25, 2016:

Hackers targeting voting machines is passe’.

The new cyber threat theory- hackers will target media outlets to corrupt the election data that goes out to the public. It’s an old school espionage information campaign with 2016 tools.

Politico | Media vulnerable to Election Night cyber attack

The U.S. Chamber of Commerce penned a cybersecurity letter to President #45. The highlights:

• Cybersecurity is the most urgent threat to our security
• Keep the cybersecurity public-private partnership between business and government growing 
• Too many overlapping regulations among all agencies. Harmonize regulations.
• Foster information sharing ecosystem
• Cybersecurity is international our laws and regulations should take that into consideration

U.S. Chamber| Dear 45: Let’s Make Strides Towards Better Cybersecurity

The state: Vermont.

The players in this drama: Vermont College, the Vermont Attorney General, and the 3rd party software company whose product was breached

Why did the Attorney General get involved?

• the 3rd party vendor software affects more than just the Vermont College
• the 3rd party vendor software will affect Vermont’s businesses
• its an outreach opportunity to educate people about Vermont’s data breach notification law

Vermonth Biz | Attorney general enters data security settlement after college breach

Business gather and analyze data to make business decisions. Some businesses are embracing philanthropy and sharing that data with cities.

Examples of cities using data to improve public service:

•  New York City created the Mayor’s Office of Data Analytics
• Chicago has Array of Things, a sensor system to gather and collect data
• Boston and Uber are partnering to utilize Uber data to help Boston improve  congestion and community planning

Governing | How Companies Can Help Cities Close the Data Gap

• Katy ISD experienced a data breach
• The data breach came  by way of a third party vendor breach that exposed Katy ISD student data
• The data breached was on a secure server and included:
  • student names
  • birthdates
  • social security numbers/state ID numbers
  • email addresses
  • zip codes
• The 3rd party vendor will offer identification monitoring to impacted students

KHOU | Katy ISD notifies parents of potential data breach of students’ info

Houston Chronicle | Katy ISD warns staff, students after data breach

Health care attorneys agree that health care industry is at a higher risk for cyber crime. Here’s the data to support it:

• 88% of ransomeware targets are health care entities
• 84% of health care attorneys have been involved with clients who must dtermine issues like notification after a breach and adopting internal cyber security controls.

It must be bad if attorneys are agreeing with each other. 

Health Care Dive | Healthcare attorneys: Industry is at higher risk of cybercrime than others

The California Attorney General launched the California’s Cyber Crime Center (C4)

What’s the purpose of the state’s Cyber Crime Center? assist local law enforcement with investigations where digital expertise or assistance is required

What law enforcment collaboration will occur?  C4 will bring together:

• California’s eCrime unit that investigates & prosecutes large-scale identity theft and technology crimes
• California’s DOJ’s Office of Cyber Security experts
• California’s Digital Evidence Unit which uses scientific methods to extract and analyze information from items like cell phones

Government Technology | California Attorney General Unveils Cyber Crime Center

Where: Singapore and neighboring countries

What is this fund to help cyber security protections? Singapore is putting in $10 million to help Asean nations build up their cyber response capabilities

The goals:

• strengthen regional responses to cyber threats
• strengthen technical capabilities
• train technical officers, policy makers, and prosecutors

The Straits Times | Govt launches $10m fund to help Asean fight cyber threats

The cost of cyber security laws cause the greatest concern for state law makers. The solution: States are studying cyber security needs.

Governmetn Technology | Legislating Cybersecurity: Breaches Grab Lawmakers’ Attention

The National Association of Fleet Administrators issued a white paper making these recommendations for fleets:

• Address the most significant data threat, fleet telematics systems
  • tracking and wirelessly communicating the location, movement, behavior and health of a vehicle in real time make the system subject to hacking
• Highlights Chesterfield County, Virginia, which prohibits bluetooth in fleet vehicles to minimize hacking potential
• Establish communication protocols to exchange hacking threats
• Prioritize security within their organizations

SC Magazine | Connected car threats endanger corporate and municipal vehicle fleets; experts make policy recommendations

What sparked the push for more and new state regulation on data security? New York’s Cybersecurity regulations

Which industries are taking note? Finance & Insurance

Do legal experts think New York’s regulations will be a model for other states?  Yes, yes and yes. 

Law.com | NY Cybersecurity Regs Could Spur Legal Work Nationwide

New York’s Cybersecurity regulations

Welcome to the U.S., :  the 57-country Organization for Security and Cooperation in Europe

The OSCE will send 426 people to oversee U.S. elections.

The Hill links the oversight to : “rigged” election allegations

is this new? No, the OSCE has watched US elections since 2002

The Hill | Election observers to monitor US voting amid warnings from Trump

Mind readers, psychics and political pundits say Congress will pass data security legislation in easrly 2017.

What does Texas love? It loves when the Feds tells it and Texas businesses what they have to do. In this case what levels of data protection and when, who and how to notify of a breach.

The Hill | Yahoo hack spurs push for legislation

Which device? Johnson & Johnson warns that its insulin pumps are suspectible to hacking

What would be required of the hacker? A hacker in close proximity to the device could isolate hte unencrypted radio signal used by the device

Wall Street Journal | J&J Warns Insulin Pump Vulnerable to Cyber Hacking

The data collection: Collecting data in violation of Children’s Online Privacy Protection Act, including IP and GPS data on children utilizing an App

The violation of Texas law: Deceptive Trade Practices for collecting data on Texans younger than 13 via an App

Office of Attorney General Ken Paxton | AG Paxton Settles Suit with App Company Collecting Children’s Information

Top 5 data security vulnerabilities for local governments:

• passwords of officials and staff
• providing too great of access to computer network to officials/employees
• failure to automatically locking systems after non-use
• inadequate backups
• failure to restrict editing by users and failure to track edits by users

Missouri State Auditor | Findings in the summary report of common cybersecurity mistakes 

• The organizers were a Reddit group of 200,000 Trump supporters
• The organizers gave the supporters the polls to target
• and the modes of target: brigading, bots, and other forms of manipulation

The goal: impact the mainstream media 

Daily Dot | 4chan and Reddit bombarded debate polls to declare Trump the winner

Federal Trade Commission wants enforcement powers over communications common carriers for data security and data breach issues.

Currently the FTC enforcement powers have an exemption for communications common carriers.

Inside Cybersecurity | FTC commissioners call for data-breach legislation, repeal of ‘common carrier’ exemption

Legislation aimed at curtailing election machine hacking would:

• require electronic machines to generate a paper trail
• declare voting systems to be critical infrastructure
• establish security standards
• establish protocols for security failures

H.R. 6072 by Congressman  Johnson (D-GA)

SC Magazine | Rep. Johnson introduces bill designed to deter electoral hacking

Critics lambast New York’s proposed financial cyber security regulations as:

• unlikely to improve security at financial institutions
• financial institutions need a consolidation of cyber security regulations at all governmental levels
• this is nothing more than more paperwork and overregulation

CNBC | Critics are skeptical of New York’s proposed financial cybersecurity rules

Your Informed Intel on the 14th of September 2016:

Reg. Trends. Gov. & Banking Regulator. State Banking Cyber Security Requirements.

Which 5 cities are first out of the gate to consider ordiannces to improve transparency in police surveillance?

• New York City
• Washington DC
• Seattle
• Milwaukee
• Richmond

What does the coaltion of supporters look like?

• privacy groups
• civil libertians
• civil rights groups
• minority & ethnic groups

What technology is likely to be dislcosed?

•  StingRay/ IMSI catchers
• RFID plate readers
• CCTV cameras
•  biometric surveillance software and databases
• X-ray backscatter vans
• LED surveillance light bulbs
• through-the-wall radar sensors
• forensic and hacking software

SC Magazine | Cities planning transparency laws for police surveillance tech

The legislation: Cybersecurity Responsibility and Accountability Act of 2016 by Rep. Ralph Abraham, R-La.

What does it do?

• If an agency has a data breach
• Cause in whole or in part by the agency’s failing
• (Cue eery music) The head of the agency gets das boot
• Also prohibits agency head from getting “any cash or pay awards or bonuses for a period of one year” after a data breach

NEXTGOV | CYBER BILL WOULD LET AGENCY HEADS BE FIRED IF THERE’S A DATA BREACH

The goal: Provide cybersecurity awareness and training programs for small businesses

The federal legislation: H.R. 5064 To amend the Small Business Act to allow small business development centers to assist and advise small business concerns on relevant cyber security matters, and for other purposes. 

SC Magazine | House plans vote on bill to improve small business cyber preparedness

Rand researchers put the cost of an average data breach at: t $200,000, much lower than the millions estimated elsewhere.

How much are cyber security costs per year for a business? An estimated 0.4% of annual revenues

Information Week | Rand Study: Average Data Breach Costs $200K, Not Millions

Scenario: School provides kid laptop/ipad. Kid uses laptop/ipad for school work and personal use.  School learns kid likes to watch YouTube at 3am and sleeps in class.

How can schools track students:

• schools can access what programs/websites kids use
• schools can access where the kids were when they used the laptop/ipad
• some schools remotely monitor students through cameras on the devices

Are 3rd parties involved to monitor kids activity on school laptops/ipads? yes & they flag unusual behavior for schools.

What does this mean for kid’s privacy?

• Schools can assemble behavioral patterns, learning habits or disabilities, and intellectual interests, stored and analyzed outside of the control of parents/students

Tech Crunch | Kids need to reclaim their data and security… especially at school

Which car was hacked? Tesla Model S

Who did the hacking? Researchers

Does Tesla have a bounty program to report vulnerabilities? yes

What were the hackers able to control?  

• sunroof
• central display
• door locks
• braking system
• activate the steering light
• reposition the driver’s seat
• windshield washers
• open the trunk
• fold in the side mirrors

PC World | Researchers hack Tesla Model S with remote attack

Alliance members include:  Uber, Airbnb, Atlassian, Docker, Dropbox, GoDaddy, Palantir, Square, and Twitter

Goal of the Alliance: “streamline the vetting process that businesses use for evaluating vendors’ cybersecurity risks”

October 1st unvieling: security and compliance questionnaire to benchmark vendor risks

SC Magazine | Uber, Airbnb, Dropbox, and others form coalition to evaluate vendor cyber risks

A recent Tripwire survey of energy cybersecurity experts reveals:

• Most energy security experts don’t know what would happen if their systems were breached
• Only 59% know how long it would take to find a hacker on their system
• 73% believe they could detect unauthorized intrustions in their network

SC Magazine | Energy sector cybersecurity workers overconfident in their capabilities

The State: New York

NY Settled a suit with Hasbro, JumpStart Games, Mattel & Viacom for violating what law? The federal Children’s Online Privacy Protection Act

What did the companies do? Gather personal data about children under 13

The settlement: collective $835,000 in penalties plus regular reporting to New York regulators

Engadget | Websites settle with New York over online child tracking

Which state? New York

Which state officials are proposing cyber security regulations for banks/financial institutions? Governor Cuomo & New York State top banking regulator.

What will be required of financial institutions under these state data security regulations?

• Required to hire a chief information security officer
• Must implement measures that detect and deter cyber intrusions
• Must meet consumer protection standards, with companies able to assess their own needs and adopt standards that meet their business
• 72 hours to report a breach to  New York’s Department of Financial Services

The Wall Street Journal | New York Proposes Cybersecurity Regulations for Banks

New York’s Proposed Data Security Regulations for Banks

New York Department of Financial Services | GOVERNOR CUOMO ANNOUNCES PROPOSAL OF FIRST-IN-THE-NATION CYBERSECURITY REGULATION TO PROTECT CONSUMERS AND FINANCIAL INSTITUTIONS

Engadget | New York proposes online security rules for banks and insurers

Where is this happening? Oregon courts

What is the complaint by the credit union and the other financial institutions in the class action? 

• A restaurant chain failed to implement or maintain adequate data security measures for customer information
• This caused the credit union to pay:
  • fraudulent charges 
  • replace cards
  • stop payments
  • block transactions
  • and other costs

SC Magazine | Oregon credit union sues Noodles & Company over breach

Who is recommending student data protections?  A report from new report on data privacy from the Southern Regional Education Board

What are the 4 recommendations?

• Clear & transparent state data governance policies. Make the policies easy to find for parents.
  • Print the policies out and pin them to parents at orientation
• Fund & improve student data security
  • Stop being so stingy
• Train the people who handle student data
  • Teach the teachers
• Fund IT support at schools
  • Again, stop being so stingy, we know computers are scary. But, it’s 2016.

eschool news | Report: 4 security recommendations to keep student data safe

• Hacking voter information is about grabbing personal data
• Vote tabulation databases are not connected to the internet & thus cannot be hacked.

The Hill | Hacking the election is nearly impossible. But that’s not Russia’s goal.

Alphabet Inc. spent more on lobbying efforts, $16.6 million. For those keeping count that’s more than AT&T & Lockhead Martin.

Wall Street Journal | What Your CEO Is Reading: Tech Lobbying; Cloud Quandaries; The Fed’s Social Pummeling

Add Kansas to the list of states working with the FBI to protect state voting machines from hackers.

Other states seeking federal protection for voting machines:

• Illinois
• Arizona
• Kansas
• North Carolina

Governing | Kansas Works With Feds to Protect Elections From Hackers

Governing | North Carolina Asks Feds to Assess Its Elections Cybersecurity

The Data:  Seattle police cameras had 2,283 recordings erased by a glitch

The data glitch impact: 500 videos were to be used in criminal cases

Governing | 2, 283

Seattle Times | Thousands of Seattle police dashcam videos lost due to computer glitch

Biggest data security concern: 3rd party vendors. Especially free web based vendors.

The school district’s solution: Training teachers and staff about data privacy standards

The contracting change the district made: Standard privacy clauses that do not shift privacy liability to the school district

EdScoop | Small Missouri school district thinks big about privacy and security

Which states require notification to the state attorney general of a data breach? Nebraska and Rhode Island

How did Nebraska tackle the legislation? Requiring companies to notify the Attorney General in the same time that they notify a resident

How did Rhose Island tackle the issues? Requiring Attorney General notification if more than 500 people had their data compromised

National Law Review | Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

What change did the Nevada & Rhode Island Legislatures make? Changed the definition of personal information for data breaches

What was added to the definition of personal information?

• medical identification number
• a health insurance identification number
• a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account

The difference between the 2 states? Rhode Island clarified which accounts were protected by clarifying that it applies to “personal, medical, insurance or financial account.”

National Law Review | Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

Which state is facing privacy concerns over its automatic toll road system? Massachusettes

What is the primary concern? How the license plate readers can be used by police

The state‘s policy: According to the Fortune article, the state’s policy is devoid of detail

Fortune | Massachusetts’ Automated Toll System Raises Privacy Concerns

What sparked this lawsuit? Facebook’s acquisition of WhatsApp and concerns that WhatsApp data will be shared with Facebook

What law is at the center? Deeptive Trade Practices Act

Tech Times | Privacy Groups Prepare To File Complaint Over WhatsApp Sharing Data To Facebook 

The state creating an opioid database: California

What will be required of physicians before writing an opioid prescription?  Physicians will have to check a database of patient prescription histories before recommending addictive drug.

The legislation: Senate Bill 482 by Lara

Bryan College Station Eagle | The Latest: Senate backs health plan pricing bill