INTERIM. Home of the Ducks is now Home of Data Security. 5 Bits of Informed Intel from a new Data Security State Law.
- data breach defined in new Oregon law as:
- “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.”
- personal information that triggers the notification statute
- Social Security number;
- Driver license number or state identification card number issued by the Department of Transportation;
- Passport number or other United States issued identification number; or
- Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account
- Statute only applies to unencrypted information
- law enforcement can delay notification if it would impede an investigation
- Statute does not apply to medical or health insurance information
Health Security | Oregon Data Breach Notification Law Goes Into Effect
Teacher Data Hacked. 3 Keys from the ISD Response.
What did hackers breach? Lawrence, MA Public Schools’ online database
How did the hackers breach the school database? A phishing attack
What did hackers take? Teachers’ personal information:
- names
- phone numbers
- addresses
- Social Security numbers
- calendar year 2015 gross earnings
How did the school district respond?
- email to teachers informing them of the breach
- explained that the district would:
- mitigate the breach
- directing teachers to sign up for 90 days of free credit monitoring
- prevent future breaches
- work with Massachusetts State Police, State Attorney General, & the state Office of Consumer Affairs and Business Regulations
- The day after emailing the teachers, the district issued a press release
Eagle Tribune | Teachers’ personal data hacked
Trend: Police Officer Body Cameras Data Storage and Data Safety. Top 3 Concerns for 1 State.
Maryland’s concerns over data storage and security for police body cameras include:
- Price tag to store the data is prohibitively expensive
- The data costs have stopped police departments from using body cameras
- The storage retention policies differ for the recordings.
- General 90 day retention
- If there is an ongoing investigation data retention is for the length of the investigation
- any video considered evidence must be maintained for 4 years
Record Journal | Legislature expected to revisit body camera law after worry about data storage cost
INTERIM. Lege Trend: Data Security Proposal. 3 Points to Know Now.
What kind of data breach triggered data breach law changes in Maine? A health care data breach affecting 120,000.
What requirements does the legislator want? Extended credit monitoring & fraud protection services requirement to total 2 years.
Are these legislative changes from a chairman? Yes, the Maine legislator behind this push is the House chairman of the Insurance and Financial Services Committee.
Kennebec Journal | Waterville legislator seeks more protection for victims of Augusta hospital data breach
INTERIM. 8 Elements of Data Security Laws & Regulations.
- Data Breach Definition.
- What data was breached?
- The level of knowledge the data holder must have of the breach before notification is triggered. Did they know? Is it reasonable that this data was breached?
- How to treat good faith access to data by an unauthorized employee
- How to treat the breach of account credential information.
- user name, passwords, and security questions
- Timing.
- When must notification be given?
- How to treat data processors, people who hold the data but are not the owners of the data.
- Must data processors notify data controllers immediately?
- An example would be a contractor who has a data breach of state employment records.
- Whether identity theft protection must be offered and for how long.
- Can companies waive their liability?
- California law prohibits this waiver.
- Statutory risk mitigation requirements.
The Recorder | Know the Basics of Data Breach Notification Laws
Model Health Care Data Security legislation. 3 Key Elements.
- A limited time healthcare industry cybersecurity task force
- The taskforce includes cybersecurity experts and healthcare stakeholders
- The charge to the task force:
- analyse the cybersecurity risks facing health care
- recommend ‘actionable cyber threat indicators & defensive measures
The legislation people are looking to: Congress cyber security legislation.
The Global Legal Post | Healthcare sector suffers chronic data breaches
New Legal Trend. Suing the Company Hired to Stop the breach. 2 Take Aways for Government Procurement for Data Security Services.
What’s happening? Affinity Gaming, owners of 11 casinos, is suing the company it hired to contain a data breach.
How is this relevant to Texas government? Pay close attention to the enforcement actions and lawsuits that emerge from the federal government OPM data breach in which the company hired for remediation.
Why is this important? The laws related to data security are changing at lightning-fast speed. Faster than a lobbyist can walk, and on a very complex, technical topic which does make for smooth lobbying.
iapp | Daily Dashboard | Is this case a new avenue for data breach liability?
Trend: Financial Regulators Target Security. 3 Trends.
The SEC is getting tough on data security. State financial agencies likely to follow suit. Here’s what’s happening:
- Enforcement actions against companies with weak security protocols
- The SEC expects financial firms to have security planning in place before a hack
- Periodic risk assessments and encryption are key
Financial Times | Securities and Exchange Commission gets tough on cyber security
INTERIM. Auto Manufacturers. Hackers. United Front. The Impact to Lege Trends and Regulatory Trends.
Why is GM embracing white hat hackers? To help identify and notify of security risks.
What’s the industry response? Just announced: Detroit’s first public security vulnerability disclosure program, bringing together GM and HackerOne.
What’s the benefit to white hat hackers? As long as the hackers follow basic published protocols, the hackers can challenge security without legal repercussions.
So, it’s creating charitable immunity for white hat hackers? In contract form, yes. It allows the hacker alliance to continue its bounty hunting without legal ramifications.
Ars Technica | GM embraces white-hat hackers with public vulnerability disclosure program
INTERIM. 2 Elements of a Data Breach Response That Trigger new State Causes of Action.
What dam got hacked? Iranian hackers targeted a dam in New York. Shortly thereafter Ukrainian hackers got into a power grid.
What type of hack triggers a state response or the creation of a new state penalty?
- Look to whether the hackers took control of the system or just “looked around”
- Look to whether any person was injured as a result
Just Security | Was the Cyber Attack on a Dam in New York an Armed Attack?
Lege Trend: Tech Caucus. 3 Priorities.
California Legislature has a newly formed Tech Caucus. Its full name is the Legislative Technology and Innovation Caucus.
One would think if any state had a tech caucus, it’d be California. Such is not the case. It was founded by the legislator pushing ride share legislation in California.
The priorities of the fledgling tech caucus are:
- Touting the sharing economy.
- ride share, fly share, move share, house share
- workforce training and workplace diversity
- bring together tech industries and associations
The Recorder | Tech Caucus Forms, But Hasn’t Taken Shape
Library Data. Do Cities Protect it? Do Universities? 3 Points from the Pro-Delete User Records Side.
- The City University of New York began purging data because it believes libraries should only keep information users want
- American Library Association doesn’t believe you are what you read and opposes law enforcement use of library records.
- The Library Freedom Project supports protecting web searches on public computers, encouraging libraries to operate exit nodes and Tor, a difficult to trace web browser
The Guardian | You are not what you read: librarians purge user data to protect privacy
INTERIM. Lege Trend. State Suffers Major Breach. Responds with 2 Step legislation.
What was the state government data breach? In 2012, South Carolina suffered a data breach that exposed records for 6 million taxpayers.
What legislative fixes have emerged from South Carolina in wake of this data breach?
- Support agencies’ preventive measures
- dual-password programs
- laptop encryption
- Centralize cybersecurity in an office under the governor.
- Allows an information security director to oversee and enforce statewide standards.
Governing | 2016’s Top Legislative Issues to Watch
Hacking Mother Lode at the U.S. Department of Education. 5 Points to Know First. Education Contractors Be Aware.
- Treasure Trove of Data. House Oversight Committee Chairman Jason Chaffetz (R-Utah) is warning that a hack on the Department of Education would make the OPM data breach look like child’s play
- 1/2 of all U.S. government records are at the U.S. Department of Education
- Bad Inspector General Report. Deficiencies in security at Department of Education were called out by a November Inspector General report
- An F In Security. The agency also got an F in implementing security requirements under the Federal Information Technology Acquisition Reform Act
- Contractors have hands in 184 data cookie jars. Congress is laser focused on the 184 different programs that are used or maintained by 3rd party contractors.
The Hill | Oversight head: Hackers would hit mother lode at Education Department
Data Security Meets Sharing Economy Meets Regulatory Enforcement Powers
Which state has an agency enforcement action against the sharing economy? New York’s Attorney General
Which part of the sharing economy is the NY Attorney General looking into? Ride Share
What’s the issue? Buzzfeed reported that company executives had access to rider locations through the ride share app
Let’s get to know what could happen in Texas, and look at what enforcement deal was worked out in NY. The settlement included:
- a 20K fine
- requiring ride share entity to adopt a data security plan
- encryption of rider geo-location information
- adopting “multi-factor authentication”
- establish corporate data security safeguards like:
- annual privacy and security training for employees
- designation of a person to supervise a privacy and security program
- maintain reasonable security practices
NY Daily News | Uber agrees to pay $20K fine, adopt data security provisions to settle probe by AG Schneiderman’s office
The Hill | Uber settles with New York AG over privacy
INTERIM. State Creates Office of Data Privacy and Protection
What State created an Office of Data Privacy and Protection? Washington
Did it do it by legislative action? No. It was created by Executive Action.
2 Reasons Why Washington State Created this new Data Office:
- Washington is the “world’s center for digital commerce.”
- That’s sure to make Texans happy.
- “good cybersecurity is essential to the continuity of global commerce and to a thriving economy”
3 Powers the new Office of Data will have:
- Train state agencies on best privacy practices
- Assist Washington residents through consumer outreach and education programs
- Conduct annual reviews of the state’s privacy policies and practices
Governing | Washington State Creates Office of Privacy and Data Protection
INTERIM. 4 Points from the EU to Guide Texas Data Security Legislation
The EU is revamping its data security statutes, why should Texas care? Because E.U. courts have taken a very libertarian and conservative view to protect personal information.
Did the EU take any actions that might translate to Texas? Yes, 4 Points to consider:
- Stronger requirements for obtaining consent to collect/store data
- Memorializing the “right to be forgotten”. Sounds an awful lot like the Texas Do Not Call List.
- 72 hour notification requirement for companies to notify the EU of a breach
- Fines up to 4% of a company’s global revenue for its non-compliance
National Law Review | EU Finalizes Text of New General Data Protection Regulation
Looking for Clients in a booming business? Look to data security insurers.
Data security insurance is a hot commodity. Here’s why:
- Gross income from premiums will rise by 300+% in the next 5 years
- More income is on the horizon, even with factoring in new regulatory and legislative changes for this burgeoning market
Why the boom? High profile data security breaches lead to more data security policies being written.
Bloomberg | Cybersecurity Insurance Explosion Poses Challenges
Power Grid Vulnerable to Hacking. 3 Reasons Why.
- A cyber security researcher in California discovered that cyberattackers had opened a pathway into the networks running the United States power grid.
- Digital clues show hackers tied to Iran have possession of passwords and engineering drawings of dozens of power plants
- In 2012 and 2013 Russian hackers sent encrypted commands to points on the US power grid
- Why is the power grid so vulnerable? An aging, outdated power system
- Just like other hacks, vulnerabilities occur in 3rd party providers
- Hundreds of contractors sell software and equipment to energy companies
Sacramento Bee | AP Investigation: US power grid vulnerable to foreign hacks
INTERIM Lege Trend: Education Contractors Contracting Changes for Data Security
California revamped its data security statutes for education last year. California Education Code Section 49073.1 requires education contractors to include:
• a statement that pupil records continue to be the property of and under the control of the local educational agency;
• a description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account;
• a prohibition against the service provider using any information in the pupil record for any purpose other than those required or specifically permitted by the contract;
• a description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records and correct erroneous information;
• a description of the actions the service provider will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records;
• a description of the procedures for notifying the affected parent, legal guardian, or eligible pupil in the event of an unauthorized disclosure of the pupil’s records;
• a certification that a pupil’s records shall not be retained or available to the service provider upon completion of the terms of the contract and a description of how that certification will be enforced;
• a description of how the local educational agency and the service provider will jointly ensure compliance with the Family Educational Rights and Privacy Act (“FERPA”); and
• a prohibition against the service provider using personally identifiable information in pupil records to engage in targeted advertising.
California Education Code Privacy Chapter
The Recorder | Keep Up with Data Security
INTERIM 2015 Health Care Data Breaches Leaked 112 Million Health Records. 3 Points to Know.
- Health care companies are required by HIPAA to report breaches
- The federal government publishes breach information. Check out: Office of Civil Rights (OCR) under Health and Human Services
- 90% of health care breaches in 2015 were the result of a Hacking/IT Incident
Remember when Texas passed laws to go above and beyond HIPAA? Look for it in health care data protection too.
Forbes | Data Breaches In Healthcare Totaled Over 112 Million Records In 2015
3 New Rules from Cyber Insurance Coming to a Regulator Near You
- Lots of cyber insurance policy litigation.
- You know what lawyers mean: lawsuits and legislation.
- 2015 was once-in-a-lifetime growth in the cyberinsurance market
- Hyper growth leads to regulation and legislation as the unintended consequences emerge
- health care cyber insurance renewal rates are seeing 150% premium increases
- Big premium cases mean big regulatory and legislative changes are afoot
Property Casualty 360 | Cyber insurance 2015: Inside a robust and rapidly changing market
5 Most Costly Data Breaches of 2015. Taxpayer Costs. Procurement Opportunities.
- IRS breach. 100,000 taxpayers exposed. Estimated cost $50 Million.
- Anthem health insurance breach. 80 million health insurance records leaked. Cost estimate $100 Million.
- Office of Personnel Management. 21 million federal employee and contact records breached. Minimum cost is the $133 million contract to a credit monitoring and mitigation services provider.
- Ashley Madison Breach. 37 million customer information hacked. A class action lawsuit seeks $578 million.
- Two Year 100 banks in 30 countries. $1 billion over the course of two years.
Secure Speak | The Most Costly Data Breaches of 2015
Lege Trend | Tuck Data Security Bill into Spending Bill
Change general law in a spending bill? No, say it isn’t so. Yes, it is so.
Congress is adding data security language to its spending authorization bill. Here are the highlights that have privacy advocates on the right and left up in arms:
- The government already spies on its citizens too much
- Going light on businesses that share more information about data breaches with the government and other businesses isn’t helping privacy
- Protecting from disclosure under the Freedom of Information Act all this collected data breach information isn’t open government
Post Recorder | Major cyber security legislation tucked into US spending bill
$45 Million in Cyber Security Research Grants to Universities. Any Universities in Texas?
Who is funding cybersecurity grants? The Hewlett Foundation Cybersecurity Initiative
How much in grant funding is available? Started at $20 Million. It’s at $45 Million now.
The lucky recipients are? University of California at Berkeley, Stanford & MIT
Any Texas recipients? No. As Hewlett chief alludes, more private interests need to support research about how cyber security should look in the future. Specifically:
- develop a comprehensive conceptual framework for cybersecurity.
- think broadly or systematically about a larger framework
- think about what cybersecurity should look like in the future
- how to balance new technology and privacy
Inside Philanthropy | Building a Field: Here’s a Case of a Foundation Creating New Knowledge and Expertise
Texas Home to New Cyber Squad of National Guard
U.S. Army National Guard announced “13 new cyber units that will be spread throughout 23 states by the end of fiscal year 2019.”
The U.S. Air Guard will be operating a new cyber squadron in Texas.
SC Magazine | Army National Guard announces 13 new cyber units across 23 states
INTERIM: 5 Concerns Your Clients Have about Data Breaches
- More concerned about data breaches than lawsuits
- Worried about corporate image damage from data breaches
- Board Chairs and CEOs are more involved in data security than ever before
- Odds are high most companies have a data response plan
- Data breaches are increasing in severity and frequency
Credit Union National Association | Study: Companies losing confidence in data breach protections
Data Center Economic Development in South Texas
What data center project? Microsoft bought 158 acres in the Texas Research Park real estate controlled by the Texas Research & Technology Foundation.
How big of a project is this? It will be one of the largest data centers in the U.S.
Where’s the economic development angle? The Texas Research and Technology Foundation uses proceeds from the sale of the land to fund biotech companies
Puget Sound Business Journal | EXCLUSIVE: Microsoft buys nearly 160 acres in San Antonio for data center development
INTERIM Retailers Oppose Data Security Bill. 3 Reasons Why.
- Holiday shopping spikes make tracking anomalous shopping transactions very difficult
- Overburdensome to small retailers
- Ignores the data security responsibility of 3rd party vendors and financial institutions
The Hill | Retailers pan cyber bills as holiday assault looms
How 1 Western State Classifies Info as Public, Confidential, Secret, or Top Secret.
The Montana Information Technology Managers Council this fall promulgated policy to require Montana state agencies to classify information in 4 categories:
- public
- confidential
- secret
- top secret
Open government? The category names depict a conflict between category names IT professionals regularly utilize & the categories that political types would prefer.
The policy is hitting the Montana Legislature with a roar.
Montana Standard | State mulls policy on public, secret, top secret info
INTERIM DATA SECURITY: The National Standard for Data Security Legislation is Not Texas. It is 1 of the 10 States with new Data Security Laws in 2015.
…California.
The Hill reports that Congressional inaction is by default allowing California’s data breach laws to take precedence as a national standard.
California data security laws tackle business notification requirements; education data breaches; and health care data breaches.
10 States that strengthened data security laws in 2015:
- Connecticut
- Montana
- Nevada
- New Hampshire
- North Dakota
- Oregon
- Rhode Island
- Washington
- Wyoming
- California
The Hill | Has Congress allowed California to set a national standard for data breach notification?
Agency Slapped for Mismanaging Data Security Contract
Which agency is causing an uproar? The federal Office of Personnel Management. AKA “The OPM Breach of 2015”
How did the agency mishandle the data breach? A report this week from OPM’s Inspector General found 5 contracting irregularities when OPM awarded a $21M contract to clean up the data breach.
The 5 Government Contracting Problems:
- OPM did not offer a complete scope of the work
- Conducted inadequate market research
- had an incomplete acquisition plan
- exceeded dollar limits on blanket agreements
- Unreliable contract file
CNN | OPM hit for mishandling data breach cleanup
Lege Meet Legal Trend: Hacking Laws. Define Data Ownership Like This.
The 9th Circuit Court of Appeals is wrangling over wording in an anti-hacking statute.
What legislative craft became legal fodder? Whether a law that prevents hacking can be applied against a business.
Why does this matter to your clients? Businesses want to protect the data they retain and the data their customers have on their websites and computers. But, who owns that data?
Why does this matter in Texas? Data storage facilities in Texas, like the large Facebook data storage facility, open the Texas legal system to the issue. And state laws on the issue matter too. Are there tech companies in Texas? Yes. Are your clients storing data there? Yes, probably so.
This is confusing, give me an example. Hypothetically, there’s a website where people post every detail about their life. If the postings are targeted by a marketing company and the data accessed, does this hypothetical site with its walls of information have the right to stop it, or do the people posting the info have privacy rights in their data?
What have courts done? In California, lower courts have sided with the business that stores the data, and not recognized personal privacy of the individual.
The Recorder | Hacking Law Gets Workout in Facebook Case
Lege Trend: State Budget to Boost Data Security
Where? Virginia
What budget provisions are boosting data security? Governor McAuliffe says the state’s budget will include education investments for cybersecurity, including:
- scholarships for students who agree to serve two years of public service in the cybersecurity workforce after graduation
- increased cybersecurity training in high school including:
- new virtual, secure platform to enhance student cyber skills
- providing training on cyberattack detection and defense
- developing cyber certifications
- encouraging student collaboration within the industry, to conduct research
- offering training for active duty military and veterans.
- higher education funding for institutions that meet national standards for cybersecurity training
Why the state focus on cybersecurity? “Cybersecurity education is a key component to building the new Virginia economy.”
NBC 29 WVIR | Gov. McAuliffe Says Budget Would Boost Cybersecurity Industry
INTERIM Lege Trend: State Proposes 6 Data Security Standards for Businesses.
New York Legislature, at the behest of its Attorney General, is strengthening its data security laws.
Assembly Bill 6866 adds new data to protection requirements and increases penalties.
This bill creates these standards that establish compliance with the law for businesses:
- a business that protects data more than the law requires
- a business that complies with Gramm-Leach-Bliley Act
- a business that meets international standards for information security
- a business that complies with HIPAA
- a business that complies with current National Institute of Standards and Technology Standards Special Publication 800-53
- a business that:
- has a designated security employee
- identifies reasonably foreseeable security risks
- assesses safeguards and risks
- selects providers that have appropriate safeguards
- regularly tests and monitors its business systems
- maintains a Security Program Practices & Procedures
- disposes of information in a manner that does not allow the information to be read or reconstructed
New York A06866
INTERIM Lege Trend: State Data Security Laws. Upstate Ups the Ante on Health Care & Biometric Data. More fines for More companies.
New York Legislature is considering stronger data security laws which would:
- increase penalties against companies from $150,000 to $1,000,000
- in addition to current required protected information of Social Security, driver’s license and credit card numbers, this bill would require protection of biometrics like fingerprints
- user names, email addresses, security questions and answers
- health information protected under HIPAA
- establishes reasonable safeguards for business
- establishes government data security standards in New York
Times Union | Santabarbara promotes data security bill on Cyber Monday
A06866 Data Security Act in New York Legislature
Data Security Meets Bond Ratings. See How it will impact Texas.
Moody’s is warning that its ratings analysis will include cybersecurity.
Moody’s big picture cybersecurity:
- cyber defense
- cyber detection
- cyber prevention and response
Moody’s specific analysis will include:
- Nature of the affected assets or businesses
- Duration of service disruption and expected time to restore
- Scope of the affected assets or businesses
Why does this matter to Texas? Every state entity and local governmental entity that issues bonds will be impacted.
Think Advisor | Threat of Cyberattacks Could Now Affect Moody’s Ratings
Legal Tech News | Threat of Cyberattacks Could Now Affect Moody’s Ratings
INTERIM: Data Breach. Kid data and pictures hacked.
VTech, a manufacturer of electronic educational gadgets for kids, has been hacked.
Hackers took:
- headshots of kids & parents
- chat logs
- audio files of kids
- names of kids & parents
- email addresses
- home addresses
- birthdays
Remedies:
- A hacker contacted a tech company to expose VTECH’s unsecured data storage.
- VTECH took down their portals that allowed for data storage until a resolution can be reached.
Motherboard | Hacker Obtained Children’s Headshots and Chatlogs From Toymaker VTech
The Hill | Toy maker hack exposes data on 200K children
Mashable | The VTech data breach shows kids are just as vulnerable to hacking
Lege Trend: Power Grid + Data Security. 5 Rationales. 4 Solutions.
Congress is working to secure the nation’s power grid. The power grid is facing a major cyberattack because:
- the power “industry’s digital defenses are dangerously lagging and underfunded”
- energy companies are “scrambling to play catch-up”
- energy companies are “leaving the all-important power grid exposed to hackers”
- “the industry isn’t fully prepared to stymie sophisticated hackers.”
- “In 2014, the energy sector was the most targeted of the nation’s critical infrastructure industry sectors,”
5 Solutions bandied about in D.C.:
- New presidential team to coordinate cyber threat assessment & response efforts
- More funding for cybersecurity in energy and utilities
- More funding for the Energy Department program, Cybersecurity for Energy Delivery Systems, to research & develop tools to protect the grid
- Create “The Terrorism Prevention and Critical Infrastructure Protection Act” to direct DHS to work with critical infrastructure companies, like power grid operators and utilities to boost their cyber defenses
The Hill | Congress struggles to secure nation’s power grid
Government Data Breaches Barred by Sovereign Immunity?
The IRS is asking a D.C. federal judge to bar a suit against one of its data breaches on the grounds that the IRS is immune from suit.
Lexis Nexis Legal Room | IRS Says Data Breach Suit Barred By Sovereign Immunity
How 1 Health Insurer Responded to a Class Action Data Breach Suit Affecting 80 Million
Anthem Inc. responded to a class action lawsuit concerning a data breach affecting 80 million by focusing on the 1 hot button issue legislatures and regulators are focusing on:
whether the person whose personal information was hacked suffered any actual damages
Why is this response from Anthem important? Because courts, legislatures, and regulators have come down on all sides of whether actual damages is required in a data breach suit.
Anthem also provided all 80 million customers with 2 years of free credit monitoring.
The Recorder | Anthem Fires Back at Data Breach Suit
U.S.E.D. Inspector General. Education Data is Not Safe. Activists on the Scene.
When did the Inspector General testify that U.S. Department of Education data is not safe? While testifying at a November 17, 2015 hearing of the House Committee on Oversight and Government Reform
Why is federal education data vulnerable to hackers?
- lax controls over who can access student data
- outdated technology
- inadequate data security
What type of student data does USED keep?
- 139 million Social Security numbers
- sensitive financial aid borrower information about students and families
- 97,000 account/users with access to this information
- Less than 20% have had a background check to receive a security clearance.
- Chairman Rep. Jason Chaffetz (R-UT) summed up the problem: “[A]lmost half of the population of the United States of America has their personal information sitting in this database, which is not secure.”
Breitbart | U.S. Department of Education Data System Riddled With Vulnerabilities For Students
Audit of State Cyber Security Reveals Security Flaws & Recommendations.
California’s state auditor released a report on California’s technology department that:
- found 73 of 77 failed to meet state cyber security standards
- a recently adopted state pilot program to beef up cybersecurity compliance was blasted for taking too long & that compliance verification would take 20 years with existing state resources
- self certification of agencies lacked enforcement mechanisms
The audit recommends:
- a mandate that California’s technology department undertake a more rigorous security assessment of the state’s information assets
- the state shore up funding for cybersecurity
Legislation was filed in response that:
- requires a technology security audit of every agency at least once every 2 years
Governing | States Are Slacking on Cybersecurity
Health Care Data 12 times more Valuable to Hackers than Credit Card Data. 3 Reasons Why. Be Ahead of the Curve.
Security Experts say health care data is 4 to 12 times more valuable than credit card data to hackers.
Why is health care data so valuable?
- Health care data sets are “extremely detailed personal information.”
- Health care data alone allows a hacker to:
- Apply for credit cards or loans
- “Allows a hacker to generate huge sums from fraudulent medical charges,”
- Average financial loss for stolen health care data: $13,500 per victim
Health care Informatics | Survey: Majority of Americans Underestimate the Threat of Stolen Medical Data
Trendy Lege & Legal Issue: Did the Breach Lead to Harm? How one ALJ Decided. Courts Differ.
Courts and legislatures have differed as to whether a person can bring a lawsuit when their personal data is stolen, but the data has not been used to harm the person.
What happened in this administrative law case? The FTC has been trying to enforce sanctions against a health care company for a data breach.
The FTC legalese is that the health care company’s “purported failure to institute reasonable data security constituted an unfair trade practice under section 5 of the FTC Act, because the conduct caused or is likely to cause substantial injury to consumers.”
Wait, I thought it was the FCC that did data security regulatory enforcement? Several federal agencies have regulatory authority. The FTC, the FCC, HHS and the SEC have all been involved.
What did the ALJ order in this case? That since there was no proven injury from the data security breach at the health care company, and the only measure of injury was through speculation; therefore FTC you lose.
Reed Smith | Technology Law Dispatch | ALJ Dismisses FTC’s Data Security Suit Against LabMD for Failure to Prove ‘Substantial Injury’ to Consumers
4 Industries at Highest Data Security Threat
Morgan Stanley’s chief information officer of technology and risk information told the Securities Industry and Financial Markets Association’s annual conference that there are 4 industries at the highest threat level for cyber security attacks:
- Financial services
- energy
- health care
- defense sectors
Think Advisor | 3 Emerging Cyber Threats to Watch in 2016: SIFMA
3 New Cyber Security Threats for Financial Types & Everyone
Morgan Stanley’s chief information officer of technology and risk information told the Securities Industry and Financial Markets Association’s annual conference that there are 3 new cyber security threats emerging:
- ransomware- targets an entity, holds your systems hostage until a ransom is paid
- malicious insiders- someone with apparently valid credentials that seeks to “expose” the entity
- destructive malware which hits the energy sector more than financial sectors
Think Advisor | 3 Emerging Cyber Threats to Watch in 2016: SIFMA
2015 House Interim Charges. 14 Committees. Data Security is Everywhere.
Data Security
Businesses | Financial Institutions | Law Enforcement | Education | Local Governments | State Data Safety | Data Security in State Contracting
THE INTERIM CHARGES
- Business & Industry: data security in the sharing economy and business cybersecurity
- County Affairs: County data security and data retention
- Government Transparency & Operation: state cyber security standards, agency cyber security, data retention and protection of personal information, cloud computing, higher education cloud computing
- Higher Education: data systems related to veterans in higher education
- Homeland Security & Public Safety + Government Transparency & Operation: data veracity of criminal records
- House Administration: Legislature’s cybersecurity policies
- Insurance: data trends in weather related claims
- Investments & Financial Services: financial institutions & data security
- Juvenile Justice & Family Issues: data security & data sharing between DFPS, TJJD & local probation departments
- Public Education: data in the classroom & digital learning opportunities
- Public Health: data use in health agencies related to chronic disease
- Urban Affairs: local government cybersecurity
- Ways & Means: Data Processing and information services sales and uses (tax the cloud?)
- Select Committee on Emerging Issues in Law Enforcement + Government Transparency & Operation: data security & privacy in emerging law enforcement technology
- Select Committee on Emerging Issues in Texas Law Enforcement: data from body cameras; use, security & retention of emerging technology data by law enforcement
YOUR INFORMED INTEL
Congress takes Up Data Security in Wifi Cars. Welcome to Texas.
Background: Modern technology in cars was once 8 tracks. Today it’s wifi because no one wants to deal with a 5 year old who has no access to the internet on the highway.
How do internet connected cars and data security intersect? Hackers have shown how they can take over the controls of vehicles. It’s a Stephen King book come to life.
What’s Congress doing? Some say nothing. Others say on November 18, 2015 the House Oversight and Government Reform is having a hearing on the internet of cars.
What potential legislation?
- A stand alone criminal sanction for hacking into a vehicle that is in Texas or being an individual in Texas hacking into a car located out of state.
- Data Security state standards for the sale of a vehicle in Texas
- Data Security requirements for cars manufactured in Texas
EPIC.org | EPIC to Testify on Car Privacy and Data Security
Hospital Association Hones in on Data Security. 5 Highlights.
- California Hospital Association warns its members that health care is behind on data security
- HIPAA compliance isn’t enough.
- Hospitals also have to protect data in electronic medical equipment
- Regulatory fines are increasing exponentially every year.
- A Cybersecurity firm recommends these 3 corrective measures:
- “1) adopt two factor authentication for access to databases containing sensitive patient information;
- 2) use behavioral analytics to identify suspicious behavior and encrypt data;
- 3) realize that identity protection is no longer a good enough mea culpa.”
California Hospital Association | Healthcare Way Behind on Data Security, Cyber Firm Says
NBC News | Healthcare Way Behind on Data Security, Cyber Firm Says
Realtors Warn of Data Security Issues in Real Estate. 4 State Law Highlights.
- Hackers are looking for personally identifiable information such as:
- credit card or bank account information
- login credentials
- employment details
- physical address, e-mail address, and phone
- social security number
- Small Businesses account for the majority of the attacks according to the National Association of Realtors® technology policy expert
- Real Estate can be impacted in 4 major ways:
- financial harm from expenses resulting from the breach
- legal risks from lawsuits from clients or others impacted by the hack
- reputational risks from having to publicly disclose the hack.
- commercial properties are also vulnerable from hacks into their automated or building control systems.
- Most of the data security laws & regulations are at the state level.
PRNewswire | Cybercriminals Targeting Real Estate Transactions
Data Breach Enforcement: Cable Providers. Regulatory Enforcement. 3 Things to Know Now.
- In 2014 Cox Communications was hacked. Millions of customer personal data was exposed.
- Cox paid for notification and credit monitoring services for the millions of impacted customers.
- Cox also faces regulatory enforcement from the FCC. The FCC is requiring:
- A comprehensive compliance plan
- A written information security program
- Cox will be monitored by the FCC for 7 years
JD Supra | FCC settles data security enforcement action with Cox
Regulatory Trend: Agency Gives 3rd Party Contractor Data. Oops. 3rd Party Health Contractors Beware. 3rd parties Pay Costs of Data Exposure.
The Illinois Department of Insurance accidentally led to the posting of Social Security numbers from health records online.
How did a 3rd party get caught in a data release of health records? The agency sent records, including Social Security numbers, to Blue Cross Blue Shield, which Blue Cross Blue Shield posted online.
What happened to the 3rd party? The Department of Insurance took immediate corrective measures against Blue Cross Blue Shield
What is the 3rd party’s responsibility? Providing notice to affected persons, whose health records were identifiable by social security number. Potentially also required data protection services paid for by the 3rd party for all affected individuals.
Lesson: 3rd party contractors should verify that the information received from a state agency complies with all data security laws, or the 3rd party may bear the cost of repairing the data breach.
Data Security Bills Expedited Due to Terrorism
A push in the UK is campaigning to move forward with expedited data security legislation to secure networks in light of the November 13, 2015 terrorism in Paris.
Why is this relevant?
- Because legislation passed under the threat of security issues can bring in corporate client data security mandates
- And, can include mandates for the world’s most valuable data security records– health care records.
Press Association | Lord Carlile wants communications data legislation ‘expedited’
Report: Health Care Woefully Unprepared for Data Breach. 3 Recommendations. 3 Conclusions.
A cybersecurity report from Forrester is not good for health care. The report concludes:
- health care is “woefully behind” in preparedness
- HIPAA compliance is not enough. HIPAA doesn’t keep up with wearable technology like GPS asthma inhalers or wearable tattoos that transmit health care data.
- HHS is imposing sanctions on unprepared health care companies that suffer data breaches.
3 Recommendations:
1) adopt two factor authentication for access to databases containing sensitive patient information;
2) use behavioral analytics to identify suspicious behavior and encrypt data;
3) realize that identity protection is no longer a good enough mea culpa.
CNBC | US health care way behind on data security, says Forrester
Jail Contractor. Data Breach. Phone Records. 3 Reforms to Follow.
- Data Recording Limitations. Data breach included recorded attorney-client phone calls.
- Data Retention Limitations. If calls are recorded, how long are they to be kept and under which security protocols.
- Data Protection. Attorney-client recorded calls were shared with prosecutors.
Think Progress | Prison Phone Company Hit With Massive Data Breach
New Issue: Data Security. Insurance. Indemnification. 3rd Party Contractors.
Indemnification Clauses in Insurance Cybersecurity policies should do 3 things:
- Be clear which entities are covered, none of this any and all other related entities mumbo jumbo
- Explicitly state details like whether “indemnity for third parties extends beyond the policy’s expiration date”
- Be flexible to constantly evolving laws and case law
Business Insurance | Precise policy language needed to cover affiliated businesses
Campaigns. Low Data Security. Liability Risk. 3 Reasons Why.
- Campaigns have no legal obligation to protect personal information data that they gather.
- Campaigns have a trove of information from credit cards, answers to personal profile questions, and personal identification
- It’s unclear which agency would regulate and enforce campaign data security
The Hill | How presidential campaigns could be putting your data at risk
76% of IT Decision Makers would Move Data Centers out of the US over Privacy.
Who was surveyed? 1000 IT decision makers across the UK and US
What did 76% say? 76% would “move their organization’s data to another country as a result of privacy concerns”
The privacy concern of business: government snooping
How do the CEOs feel? 29% have moved data security to the top of the corporate agenda
Where are they moving their data storage? To Switzerland and Canada
The Data Center Journal | Information Exodus: 76% of IT Decision Makers Would Move Their Data to Another Country as a Result of Privacy Concerns
3 Recommendations to Minimize Liability in Outsourced Data Security. Hello Vendors.
- “include specific data security procedure obligations in contracts with vendors
- verify a vendor’s capacity to adhere to the prescribed data security procedures
- look at data security practices from an expert’s perspective to determine whether such practices are reasonable”
National Law Review | Piercing Outsourcing Veil: FTC Says Data Security Obligations Remain
U.S. Chamber on Data Security. 3 Points.
- A patchwork of state laws is hard on business
- Requires a single regulatory agency
- Currently the FTC, FCC & state agency wrangle over regulatory authority
- Clear legal standards on what constitute harm from a data breach
U.S. Chamber Institute for Legal Reform | A Perilous Patchwork: Data Privacy and Civil Liability in the Era of the Data Breach
Lege Trend: Data Security Bill Passes over Tech Objections. 3 Pros. 3 Opposition Points.
The U.S. Senate passed the Cybersecurity Information Sharing Act on a vote of 74-21 this week.
Tech Companies continue their opposition. The main bones of contention:
- Mechanism for sharing of cyber-threat information does not sufficiently protect users’ privacy (Computer & Communications Industry Assoc.)
- “[Does not] appropriately limit the permissible uses of information shared within the government” (Computer & Communications Industry Assoc.)
- “Privacy-shredding” bill “in cybersecurity clothing” (ACLU)
Supporters of CISA, the Cybersecurity Information Sharing Act, say:
- Voluntary information-sharing provisions are key to defeating cyberattacks (Senator McConnell)
- Protects civil liberties and individual privacy (Senator McConnell)
- Allows companies to share information in an effort to protect their systems from potentially damaging cyberattacks (Senator Feinstein)
Courthouse News Service | Cybersecurity Bill Sails Through Senate Despite Privacy Concerns
SC Magazine | CISA Watch: Bill passes Senate with 74-21 vote
Washington Post | Senate passes cybersecurity information sharing bill despite privacy fears
Federal Cyber Security Bill. 3 Points to Know Now. Which Businesses are on which side?
- The Cybersecurity Information Sharing Act passed the U.S. Senate on Thursday, October 22nd.
- Major Tech companies (Apple, DropBox) are opposed
- National Retail Federation supports an amendment to CISA that offers liability protection for businesses that share threat data with the FBI and Secret Service, and not just the Department of Homeland Security.
Washington Post | Cybersecurity bill advances in Senate, but hurdles remain
National Retail Federation | Broad based Coalition Supports Cotton Amendment
Regulatory Trend: Cybersecurity & Connected Cars. (Wifi Cars, not Trains)
What agency is talking cybersecurity & cars? The FTC
What committee heard from the FTC? Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee
What did the FTC testify to?
- FTC is “the nation’s lead privacy and data security enforcement agency”
- Proposed legislation is weaker than the FTC rulemaking on “connected cars”
- Proposed safe harbor for auto manufacturers that submit privacy policies to the Department of Transportation was too broad
- The proposed legislation significantly limits consumer protections
- “Prevent the FTC from taking action related to privacy issues beyond a manufacturer’s cars, including its use of consumer data collected from its websites”
- Proposed legislation permits retroactive changes to privacy policies by manufacturers
- The proposal included a creation of a council to develop cybersecurity best practices for the industry with too many industry representatives
Imperial Valley News | FTC Testifies on Proposed Legislation Addressing Privacy and Security in Connected Automobiles
5 Ways Federal CyberSecurity Bill will Impact Health Care
- It will “create a framework that would allow different healthcare entities to exchange information regarding cybersecurity”
- Allow for the exchange of various potential threats
- Allow health care entities to share best practice security measures
- Cybersecurity bill would make the health care cybersecurity network available to both private and federal healthcare entities
- Healthcare Information and Management Systems Society supports the bill
Health IT Security | Senate Pursues Legislation for More Health IT Cybersecurity
East Coast State Has Potential Medicaid Data Breach
What happened and where? North Carolina Health Department announced a possible Medicaid data breach.
What personal data was included? Confidential health information of 1,615 Medicaid patients. Only 2 Social Security Numbers were included, as most patients used Medicaid ID numbers. No birth dates were included.
How did it occur? A state employee sent unencrypted data to a local health agency
WRAL | DHHS reveals potential Medicaid data breach
A State Auditor Looks into 5 School District Student Data Collection
The Missouri State Auditor is looking into data security, data breach, data retention policies in 5 school districts.
The review also included reviewing the state education agency data policies. The state agency will soon adopt policies related to data breaches.
MissouriNet | Missouri education department to change student data collection after audit
Student Data Security Regulatory Trend from State of Huckleberry Finn. 4 Things the Agency Will Do Differently.
Which state is getting on the student data security bandwagon? Missouri
What prompted regulatory action by the Missouri Department of Education? An Audit that found the department of education “unnecessarily collected and kept personal information from students”
What changes will occur at this education agency?
- Missouri will no longer collect and store student social security numbers when they don’t need social security numbers
- Missouri will destroy unneeded sensitive data from its systems
- Missouri will maintain the information it does need safely and securely
- Missouri will create policies for dealing with data breaches & update its policy for recovering from a data breach
MissouriNet | Missouri education department to change student data collection after audit
Millions of Funding for Data Security for Electric Generation, Electric Grids & Oil & Gas.
- Cyber Resilient Energy Delivery Consortium heads the $28.1 effort
- Consists of 11 national laboratories and universities and is led by the University of Illinois
- Dartmouth received a $925,000 grant to “improve the protection of the electric grid and oil and natural gas infrastructure from cyber threats”
Concord Monitor | AP | Dartmouth College gets $925K cybersecurity grant
Lege Trend: Student Data Security Bills in KeyStone State. 9 Prohibitions for Education Vendors.
Multiple bills dealing with protecting student data have been filed in the Pennsylvania legislature.
The bills include provisions to set standards on education vendors for:
- Prohibit tapping student information to target them with advertising;
- Prohibit amassing profiles of students for non-educational purposes;
- Prohibit the sale or sharing of student information outside of narrow circumstances.
- Require vendors to secure student data and delete it all upon the district’s request.
- Districts could continue to hire cloud computing firms to handle student data.
- Vendors would be contractually required to ensure that the data remains the property of the school district
- Vendor contracts will prohibit the student data use for purposes not outlined in the contract
- Permit students to review and correct their information.
- Require that contracts with those vendors oblige the companies to disclose any data breach in which student records are compromised.
Government Technology | Pennsylvania Legislation to Set Student Data Privacy Standards
Lege Trend: Model forms for Data Breach Notifications
California amended its data breach notification statutes this year to do 2 things:
1. Expand the definition of what type of information breach requires a notification for information gathered by an automatic license plate reader.
2. Provide a model form for entities that experience a data breach

National Law Review | California Amends Data Breach Notification Statute by Requiring Specific Notification Content and Expanding the Definition of Personal Information
Drones & Data Storage. A Legislative Trend.
Drones collect data. Data everywhere. Private data. Public Data.
Legislatures and local governments are focused on … How long that data is stored, under what conditions, and under what disclosure requirements is legislative fodder.
Are these private drones or public drones? Data release and data storage could apply to either. Here’s some of the legislative questions:
- Are there penalties for a person’s private drone that collects data of someone’s private property?
- How long can law enforcement keep drone data?
- Can they release drone data if the data is superfluous to a criminal investigation?
Georgia is starting to tackle these issues with a focus on how much would it cost for law enforcement to keep or maintain non-investigative drone footage.
WABE Atlanta
City Creates CyberSecurity Squad. 5 Details to Build Your Own.
- The local government creating the Cyber Security Squad: San Diego Regional Economic Development Corp
- Why? The region is replete with defense and communications technology expertise
- Goal of the Cyber Squad: “foster, enable and accelerate the cyber economy and to create an innovation hub for cyber here in the region”
- Economic Boost from the Cyber Squad? Yes. Yes. Yes. 13 percent growth in the region for cyber, with over 100 companies, & 6,500 jobs. The economic growth rate of other sectors is 2.2%.
- Which city or state has the best model for Cyber Squads? Look to Maryland
Governing: San Diego Now Has a Cybersecurity Squad
2015 Data Security Senate Interim Charges. 2 Committees. 3 Charges.
- Senate Finance
- DIR’s modernization of state technology
- Senate Business & Commerce
- Cyber Security/Storage: State policies, privacy implications, business confidential information. Recommend best protection of financial and personal information.
- Current consent policy for state disclosure of personal data
Greater Houston Partnership Hosting Cybersecurity Forum. Link between strong cybersecurity & business.
Greater Houston Partnership for the upcoming Cybersecurity Forum: Protecting Your Business Online on Tuesday, October 13.
It’s part of the work of the Partnership’s Cybersecurity Task Force & stresses the import of cyber security to business.
HAVE QUESTIONS?: Contact Amber Margraves at amargraves@houston.org or 713-844-3651.
Greater Houston Partnership Cybersecurity Forum
Sign of the Times: Warren Buffett Enters Data Security Insurance Market
This week Berkshire Hathaway Specialty Insurance division unveiled 2 new specialty policies:
- Professional First Network Security & Privacy
- Professional First Professional Liability and Network Security & Privacy
What do the policies cover?
- coverage for third-party exposures
- resulting from data security and privacy breaches, breach expense and extortion threats, media liability and business interruption.
SC Magazine | Berkshire Hathaway Specialty Insurance enters cyberinsurance arena
What is the hubbub about the EU- US Data Security Ruling this week?
Why don’t Europeans want their data routed to the US by Google or Facebook? Europe has higher data security protocols than the US.
Can’t the companies protect the European information? Sure, Tim Cook’s Apple has said it will lead in data privacy, but the Patriot Act and other laws allow the US to snoop on data. So, that European data gets siphoned up by the U.S. government.
So, what? Americans have learned to live with it? Remember the international kerfuffle that occurred when it was learned that the US was spying on its German allies? Europeans place a higher value on data security.
What did the European Court do? 2 things:
- It invalidated an international safe harbor agreement for the transfer of the data
- It said that each EU country should have oversight over how companies collect and use online information of their countries’ citizens.
NYTimes | Data Transfer Pact Between U.S. and Europe Is Ruled Invalid
3 Points from an Education Tech Expert on Student Data Security
Who is the expert? James Steyer
- Founder and CEO of Common Sense Media, a San Francisco-based not-for-profit that, among other things, studies and advocates for children’s online privacy.
- He is a former civil rights attorney
- Common Sense Media helped push 2014 California legislation, the Student Online Personal Information Protection Act, that bars operators of educational websites aimed at kids from amassing data profiles on their users
What are his points to protect student data?
- One, students’ personal information shall be used solely for educational purposes
- Two, students’ personal information or online activity shall not be used to target advertising to students or families
- Three, schools and education technology providers shall adopt appropriate data security, retention and destruction policies.
Does he support federal student data security legislation or state based legislation?
He really likes his California legislation. Agrees that there needs to be uniformity, but that protection for student data should be high like the California model.
The Recorder | Proponent of California Student Data Security Legislation
Trump Hotel Data Breach
What happened to expose customer data at Trump Hotels? Hotel security systems were “compromised as a result of malware that went unnoticed on system computers for more than a year.”
How long did hackers potentially have access? 1+ year
What responses did Trump Hotels have?
- Hired independent investigators who found no instances of data being accessed through the malware
- “Immediately upon learning of a possible incident, we [Trump Hotels] notified the F.B.I. and financial institutions, and engaged an outside forensic expert to conduct an investigation of the incident.”
Lawsuits? Oh, yes, there were lawyer patrons. A suit has been filed in U.S. District Court for the Southern District of Illinois on Oct. 2, asking for a class action suit to be opened.
Washington Times | Donald Trump’s hotel chain confirms ‘data security incident’; customers of 7 properties affected
Lege Trend: New State Data Security Laws. New State Cyber Security Agency. 8 Goals.
The New Jersey Legislature moved forward a data security law that will:
- Create the New Jersey Cyber Security Commission
- It will be a 13-member commission within New Jersey’s Department of Criminal Justice.
- 6 members will be: representatives from the state Attorney General’s Office, the chief technology officer of the Office of Information Technology, the chief executive officer of the state Economic Development Authority, the commissioner of the Department of Education, the superintendent of the State Police and the director of the Office of Homeland Security and Preparedness.
- 7 members will be private citizens: 2 with expertise in technology; 2 in finance, business administration or economics; 2 in public safety; and 1 in education.
- The Commission’s goals will be:
- To identify high-risk cybersecurity issues facing the state
- To provide advice relating to the security of the state’s networks and systems
- To suggest how to add cybersecurity to the state’s Office of Emergency Management’s response capabilities
- To recommend science, technology, engineering and math programs for high schools, four-year colleges and community colleges
- To develop strategies to enhance private-sector security.
- To review and assess opportunities for private-sector involvement in cybersecurity issues relating to military facilities in the state.
- To educate the public about the necessity of online security.
- To issue an annual report about cybersecurity threats and measures taken to offset them.
New Jersey Law Journal | NJ Legislature Moves on Cybersecurity Bill
3 Data Security Risks at Power Plants Coming to a Regulatory Agency Near you
- known internet-related vulnerabilities.
- Especially the use of commercial ‘off-the-shelf’ software, which is cheaper but with greater access for hackers.
- Lack of proper protection from internet access.
- lack of nuclear facility personnel training
- Many plants were built before cyber threats were an issue
- A gap emerges between plant personnel and cyber security personnel
- No proactive solutions for potential threats
- Reacting to potential threats is not enough cyber security
A London based think tank produced a report, Cyber Security at Civil Nuclear Facilities: Understanding the Risks, after studying cyber risks to nuclear plants for 18 months, giving rise to these 3 identifiable problems at nuclear power plants.
SC Magazine for IT Professionals | Cyber danger to nuclear power plants growing
700 Data Breach Articles in NYTimes in 2014
In 2014 the New York Times “devoted more than 700 articles to data breaches.”
State Tech Magazine: Data Point 700
Trend: Pilot Project for Local Governments to Use Data Sharing for Code Enforcement
Who is fighting blight with data sharing? New York cities of Amsterdam, Gloversville, Schenectady and Troy and the University of Albany’s Center for Technology in Government
What data are these cities sharing? Code enforcement–related data, and they will develop best practices for tackling the problem
Why are they sharing data? Blight costs the cities. Direct blight costs include:
- code enforcement
- administration
- engineering
- property maintenance
Indirect blight fighting costs for cities are:
- uncollected taxes
- devaluation of adjacent properties
- impact on city services such as police and fire calls.
This new pilot project in a regional view is “groundbreaking.”
State Tech Magazine | Blight Busters
24 States Provide Economic Incentives for Data Centers
- Alabama:
- 30 years of tax breaks
- for data centers investing $400 million
- that create at least 20 jobs
- with an average annual compensation of $40,000
- Alaska NONE
- Arkansas None specific to data centers, have used other tax incentives for data centers
- California NONE
- Colorado NONE
- in 2015 Colorado tried to pass a sales tax refund on equipment for data centers
- Connecticut
- A state economic development office granted $6 million to a data center
- Delaware NONE
- Florida, none specific to data centers, have used other tax incentives for data centers
- Georgia
- sales tax exemption for equipment in data centers investing at least $15 million annually
- Hawaii, none specific to data centers, have used other job creation incentives for data centers
- Idaho NONE
- Illinois NONE
- Indiana
- data centers investing at least $10 million can receive local personal property tax exemptions on their equipment
- Other tax incentives have also been awarded
- Iowa
- sales tax breaks to data centers investing as little as $1 million
- larger incentives for projects topping $200 million
- Iowa has no property tax on equipment
- Kansas, none specific to data centers, but
- Kansas imposes no property tax on new equipment
- Kentucky
- sales tax refund for computer system equipment for data centers investing at least $100 million
- Louisiana NONE
- Maine, None specific to data centers, have used general economic-development programs for data centers
- Maryland, none specific to data centers, but did authorize a conditional loan for $300,000 to a data center
- Massachusetts, None specific to data centers, but have awarded $25 million grant and $14.5 million in tax credits to data centers
- Michigan, none specific to data centers, but does use other economic development programs for data centers to the tune of $7 million
- Minnesota
- data centers with 25,000 square feet
- costing at least $30 million
- qualify for 20-year sales tax exemption on equipment and energy
- + a permanent property tax exemption on equipment
- Mississippi
- sales tax exemption on computer equipment for data centers
- that invest at least $50 million
- that create at least 50 jobs
- these jobs must pay 150% of the average state wage
- Missouri
- New data centers can qualify for $25 million if
- they employ at least 10 people in well-paying jobs.
- Older data centers can qualify by:
- investing at least $5 million and adding five well-paying jobs
- Montana NONE
- Nebraska
- Has a tiered system that allows $3 million if the data center:
- Employs at least 30 people, or
- It invests at least $37 million while holding employment steady
- Nevada
- Expanded sales and property tax exemptions for data centers
- amounted to $229 million of tax breaks for Switch
- New Hampshire “No incentives for businesses”
- New Jersey
- “authorized a projected $134 million in incentives to about a dozen businesses for data-center projects since 2000”
- New Mexico NONE
- New York
- sales tax exemption for equipment used by Internet data centers
- North Carolina
- sales tax exemption for equipment and electricity used by data centers that invest at least $150 million in poorer counties or $225 million in other counties.
- North Dakota
- sales tax exemption on computer equipment for data centers of at least 16,000 square feet.
- Ohio
- sales tax break for data centers that invest at least $100 million &
- have a required payroll threshold of $1.5 million
- Oklahoma
- sales tax exemption for equipment bought by businesses engaged in computer services or data processing, as long as most of the revenue comes from out-of-state sales
- Oregon None Specific to data centers, but
- no sales tax &
- property tax exemptions through local enterprise zones
- Pennsylvania None
- Bills calling for a sales tax exemption for data centers are pending in the current legislative session
- Rhode Island NONE
- South Carolina
- sales tax exemption on computer equipment and electricity used in data centers
- that invest at least $50 million
- employ at least 25 people in well-paying jobs.
- South Dakota None, but have used general economic development programs
- Tennessee
- sales tax breaks on computer equipment and electricity for data centers that invest at least $250 million
- Texas
- sales tax exemption on equipment and electricity for data centers
- that contain at least 100,000 square feet
- invest at least $200 million
- employ at least 20 people at above-average wage
- Utah None, but have used general economic development programs
- Vermont NONE
- Virginia
- sales tax exemptions for data centers
- it is estimated Virginia authorized $48 million in incentives for data centers
- Washington
- West Virginia
- sales tax exemption and a property tax break on equipment
- Wisconsin None, but have used general economic development programs
- Wyoming
- Data centers that invest at least $5 million receive a sales tax exemption on computer equipment.
- Data centers that invest at least $50 million also can get a sales tax break on power supplies and cooling equipment.
NY Times | via AP | State-By-State Look at Incentives for Computer Data Centers
3 Federal Regulatory Data Security Acts Point to State Legislation on the Horizon
What have the feds done for us lately to protect our data security?
1. Weeks ago the FDA stopped the use of a pump for infusion therapy because it could be hacked
2. July’s recall of 1.4 million Chryslers, Dodges & Jeeps because of hacking the auto software
3. The SEC following through on enforcement for insider trading due to a computer hack
Let’s not forget it has also been the year of:
- student data breaches
- insurance companies data breaches
- a fear of data security breaches at utilities, including power grids
- increase in the number of data security insurance policies
That makes a total of 7 reasons data security will move toward the top of legislative agendas.
Inside Counsel | Cybersecurity litigation: The tip of the iceberg, part two: Regulation and legislation
TX Chair of the Subcommittee on Information Technology on Data Security
Texas Congressman Hurd, the chairman of the new House Oversight Subcommittee on Information Technology, in an interview with Passcode says:
- “One of the things that was so egregious to me is that OPM never said, ‘I’m sorry,’”
- He also “criticized the agency for its failure to be transparent about notifying victims of the breach.”
Key words for business and policy people: transparency & notification.
The Hill: IT lawmaker: ‘Outrageous’ that OPM hasn’t apologized
Trend: Cyber Insurance $20 Billion in insurance premiums.
Insurer Allianz Global Corporate & Specialty offers calculated predictions about cyber security and insurance policies:
- Cyber security costs the US $108 billion/year
- By 2025, cyber security insurance will be $20 billion in annual premiums globally
- In 2015, annual cyber insurance premiums are $2 Billion globally
- 70% of breaches occur in restaurants
- To recoup losses after a hack, companies should count on $200 per record that gets compromised.
North Bay Business Journal: As data breaches grow, so does cyber liability insurance
Regulatory Trend: Agency Fines for Failing Policies before Data Breach
Which agency is issuing fines for lacking data security policies? The Securities and Exchange Commission.
Why is the SEC fining a company? Two reasons:
- It failed to have an adequate data security policy in place before it experienced a data breach that exposed financial records of 100,000.
- Let’s repeat, the company never adopted written policies and procedures
- The company did not conduct periodic risk assessments
- The company did not implement a firewall
- The company did not encrypt its personally-identifiable information
- The company did not maintain a response plan for any incidents either.
- The financial information was stored on a third party-hosted web server.
What was the data breach that triggered the $75,000 fine? In July 2013, the 3rd party web server was breached by an unknown hacker from China after which the financial company contacted all parties offering free identity theft monitoring
Investment News: SEC nails advisory firm for cybersecurity failure before data breach
Federal Government Biometric Data Breach. 5.6 Million Fingerprints Revealed
The federal government data breach not only compromised personal data of 21.5 million former and current federal employees but also compromised 5.6 million fingerprints.
That’s 4.5 million more than initially reported.
Reuters | Duluth News Tribune | Hackers steal 5.6 million fingerprint records in government data breach
The Consumerist: Federal Data Breach Included 5.6M Compromised Fingerprints, Five Times The Original Estimate
Health Care Data Breaches top 100 Million in 2015 + 3 more health care data breach stats
- A study funded by data security firm ID Experts found that health care data breaches are up 125% since 2010
- In 2015, 100 million health care files stolen (Think: Anthem, Premera, Carefirst breaches)
- In 2014, the medical/healthcare sector accounted for the highest percentage of breaches at 42.5% according to the data security firm, IDT911
- This year’s largest health care data breach so far is the Premera medical data compromise, which may have exposed 11 million medical records
ABC News: The Medical Identity Theft Apocalypse? Fear the Walking Files
Lege Trend: State Data Security Laws Apply to Insurers. 8 states and counting.
8 states have specifically applied their data breach notification requirements to insurers.
- California
- Connecticut
- Maine
- New Hampshire
- Ohio
- Rhode Island
- Vermont
- Washington
- Wisconsin
The laws vary on these points, but all specifically apply to insurers:
- who has to be notified
- when notification has to be given
- what information triggers a notification
- what powers an Attorney General has
- which entities have to provide the notification
JD Supra | Baker Hostetler | State Data Breach Notification Requirements Specifically Applicable to Insurers
Data Security Coming to Presidential Campaigns Near You
A security and privacy group of tech savvy types reviewed presidential candidate websites, and the results are not good if you like security and privacy.
17 of 23 candidates failed according to the Online Trust Alliance, a nonprofit backed by businesses in the tech industry.
Why such a poor showing for data security this campaign season?
- nonexistent or inadequate privacy policy disclosures
- they reserve the right to liberally share or sell their donors and site visitors’ personally identifiable information
Some positive moves on data security by campaigns:
- 70 percent using an encrypted website
Which candidates fared the best?
- Jeb Bush
- Chris Christie
- Rick Santorum
- Scott Walker
- Martin O’Malley
- Lincoln Chafee
The Hill: Most 2016 campaign websites receive failing privacy grades
Fortune: Here’s why Donald Trump and Hillary Clinton’s campaign websites failed a security test
7 Cyber Security Polls
- 64% of registered U.S. voters believe it is likely that a 2016 presidential campaign will be hacked
- Who is most qualified to protect the US against a cyber attack?
- 42% of registered voters surveyed think Hillary Clinton
- Donald Trump 24%
- Scott Walker 18%
- Jeb Bush 15%
- Which party is better at protecting personal information? 38% say Democrats. 36% say Republicans. But, Millennials give Democrats 56%.
- 56% of registered voters would allow the government to search their personal information if it meant protecting against terrorism
- Which country has the best hackers? 51% say China; 30% say the U.S.; 13% Russia; 7% North Korea
- 34% say Improved defense against hackers is the top cyber security issue
- 47% of voters say they use encryption
- 56% say their Social Security number is the personal data they worry most about
CSO Online
3 Recommendations for Health Care Data Security Legislation
The American Society of Clinical Oncology recently told Congress that coordination of care is key to fight cancer.
To support the coordination of care, they recommend the following when considering health care data security legislation:
- Congress should pass legislation to remove barriers to interoperability, especially information blocking.
- Policymakers should ensure that cancer patients, oncologists and other oncology providers do not bear the costs of achieving interoperable electronic health records and of companies refraining from information blocking.
- Federal officials should work with ASCO and other stakeholders to ensure that healthcare providers have the information necessary to be prudent purchasers and users of health information technology systems.
Health IT Security: Will Information Blocking Ban Affect Health Data Security?
The #1 Reason Hackers Want Health Data MORE THAN ALL OTHER DATA
Health care data is richer in personal information than banking records which makes it an ideal target for identity theft with its longer informational shelf life.
InfoWorld: Why Hackers Want Your Healthcare Data Most of All
Legal Trend: Business Class Action Lawsuits. For the Love of Litigating.
This week a judge certified a group of banks/credit unions/financial institutions as a class so that their lawsuits against Target can proceed in unison.
This business class action against Target also improves settlement odds.
Reuters: U.S. judge certifies class action over Target Corp data breach
StreetInsider