Cybersecurity & Tech

The Software & Information Industry Association writing to U.S. Senators support protecting student data, but oppose proposed reforms. Here’s why:

• Greater Enforcement Powers for State Attorneys General
• Protecting More types of data = more reasons to notify consumers
• Expanded liability for private companies that store state data
• Requiring companies that have a data breach to offer, at their cost, mitigation services that protect data- think Life Lock etc…
• Protecting Student Data
• Requiring encryption for stored data
  • As an example, see: 
    • “The new Washington law goes even further as it identifies a minimum standard for encryption, and grants safe harbor only when the breach does not also provide access to the encryption key, or other capacity to decrypt the data.”​

State AG Monitor: States Seek Strengthened Data Breach Laws

South Korea is incentivizing reporting data breaches by the private sector. Voluntarily reporting data breaches will save a company up to 30% on fines.

Lexology: Addelshaw Goddard LLP: South Korea introduces incentive for data breach reporting

KPMG reports on data security on health care, and here’s what they found:

• 81% of major hospitals and insurers have had a data breach in the past 2 years
• 50% of hospitals and insurrers are prepared to stop data breaches.
• 66% of execs at health plans said they were prepared for a data security attack
• 13% say they are targeted by external hack attempts about once a day
• 12 % see 2+ attacks per week
• 16% of healthcare organizations cannot detect in real-time if their systems are compromised

“The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise and health care executives are struggling to safeguard patient records,”  said Michael Ebert, leader in KPMG’s Healthcare & Life Sciences Cyber Practice.

The good folks at Governing have offered a white paper on local governments and dagta security.

3 Suggestions:

•  Transperancy- Tell Your Constituencies. Spelling out cybersecurity risks and providing information to help public officials fulfill their responsibilities and safeguard their communities
• Clear Local Gov. Policies. Put it in Writing People. CYA.Suggesting strategies for integrating cybersecurity into an organization’s risk management framework, and developing and adapting cybersecurity and cyber disruption response policies and plans
• Work with Private Sector. Discussing the private sector’s role in government cybersecurity efforts; although governments are often leery of collaborating and sharing with third parties, when it comes to cybersecurity, the private sector’s involvement is imperative

Uber is taking steps to protect customer data by:

• hiring Hogan Lovells US LLP to check out how the company collected and used customer data
• The lawfirm issued a report which led to Uber releasing a new privacy policy that more clearly notified customers that it can pretty much track everything they do while using the Uber application
  • This then led to a complaint at the FCC about the Uber App tracking customers when they were not actively using Uber
• ” Uber hired former cybercrime prosecutor and Facebook Inc. security leader Joe Sullivan as chief security officer, &  is reportedly looking to expand its in-house security team from 25 to 100 members by the end of 2015.” 

Bloomberg | Privacy & Data Security Blog

The Future of Privacy Forum released a poll showing that 87% of parents of K-12 students are concerned about dats privacy for their students. 

The entire survey will be released Monday, September 21, 2015, at the National Student Privacy Symposium according to The Journal Transforming Education through Technology.

2 big data security steps from the 2015 Legislature:

• SB1844 creates the Interagency Data Coordination and Transparency Commission.
  • staff from 10 legislative agencies
  • will evaluate how data is reported, shared, classified and used in the state.
•  HB1912 created the statewide data coordinator position at DIR to oversee data at all agencies.

State Tech Magazine

A health care company experiences a data breach, what’s the regulatory and legal landscape?

• Civil lawsuits that lead to Class Action lawsuits, check.
• Penalties imposed by a regulatory agency, check.
  • Health and Human Services reached a $750,000 settlement with Cancer Care Group over a data breach involving HIPPA records. 

What can we learn from this incident?

• health care companies should  conduct risk analysis of tinformation security policies
• health care companies should have a written policy for taking hardware and disks containing protected health information out of the office

Modern Healthcare

California Governor Jerry Brown announced a new Cybersecurity Task Force today. Its goal are to:

• “reinforce online security”
• “protect critical state information from data breaches”

The task force is in response to an audit that faulted California for:

• lax security measures
• finding 73 of 77 state entities comply with information security standards.
• “The 75-page audit criticized the California Department of Technology for failing to identify failing state agencies, and found the state vulnerable to hackers.”

Governor Brown Executive Order     Courthouse News Service

Pennsylvania State Rep. Dan Miller, a former teacher, is crafting student data security legislation that will:

• Require ed-tech vendors to delete their data on former students & alert victims of any data breaches.

Like other states, Pennsylvania is looking to California’s landmark student data protection legislation for guidance.

Post Gazette

Delaware this year enacted a package of data security bills, including:

• The Delaware Online Privacy and Protection Act targeting interest service providers and modeled after the California Online Protection Act.
• The Student Data Privacy and Protection Act modeled after California’s landmark student data protection legislation
• The Victim Online Privacy Act which prohibits online posting, soliciting, or selling—with the intent of inciting use of the information to commit a violent crime—of the personal information 
• The Employee/Applicant Protection for Social Media Act prohibits employers from requiring employees or applicants to grant access to social networking accounts.

JD Supra

Family Education Rights and Privacy Act is undergoing an overhaul. Part of that overhsaul is to strengthen privacy protections for student data. 

The Internet Association opposes the current proposal  because:

•  it is too broad/vague
• it has unprecedented notification requirements
• it does not preempt state law

The Hill  The Internet Association Opposition Letter 

Illinois Governor Rauner vetoed a data security bill this week. 

The bill would have extended notification requirements to data breaches involving medical, health insurance, biometric, consumer marketing, and geolocation information.

The Governor stated that the bill established ““duplicative and burdensome requirements.”

Health IT Security   Law360  LexisNexis

This week, the 3rd Court of Appeals upheld an enforcement action against Wyndham for a series of data breaches that exposed the credit card data of 600,000 customers.  

The ruling solidies the FTC’s enforcement actions. This year alone there have been more than 90 reported data security incidents. 

CRM  The Center for Democracy & Technology  The Recorder   National Law Review

Add the Department of Defense to the long list of state, local and federal agencies increasing data security requirements for contractors.  Procurement beware, its time to get tech savvy. 

Talk Radio News Service

Local governments colelct volumes of data from infrastructure such as:

• fiber optics and wireless broadband data
• data from sensors embedded in buildings
• data sensors  in roadways 
• data from water, waste and energy use

The data security risks:

• hackers get into stop light and traffic management systems, security systems, electric grids or water systems
• internal unintentional or intentional leaks
• sensors being intentionally fed bad data

National Institute of Standards and Technology released a recommendation for local government computer frameworks to minimize risk. It’s tech heavy identification of risks and solutions based on computer system architecture.

Governing

In the political hot spot that is Denton County, Congressman Burgess noted the importance of bringing all stakeholders together on data security legislation by saying,

“I wanted to take an opportunity to hear from people who are working in the research area and the private sector and pull everyone together in a room for the morning and hear what the state of the industry is, and where they thought we might do things to improve it,” said Burgess, R-Lewisville.

Denton Record Chronicle

The last few weeks have cemented a growing trend of activist hackers. Examples from the last year:

• The Sony Pictures hack: Everything we know so far; 
• Anonymous hackers release emails ordering bear cubs be killed; 
• Hackers threaten to release names from adultery website; 
• How Latest Snowden Leak Is Headache for White House; 
• How DID hackers steal celebrities’ private iCloud photos?

Expect to see more moves into the realm of politics, social issues, and corporate interests.

Tech Crunch: Hacking for a Cause: Today’s Growing Cyber Security Trend

Only a few States prohibit kids’ personal information from being shared by schools with third party vendors, like marketers.

• California
• Oregon
• Delaware

States working to protect student data through legislation or regulation:

• Maine
• Maryland
• Florida
• Mississippi
• Georgia
• Hawaii
• Iowa,
• North Carolina
•  Illinois

CBS This Morning: How Safe is Your Kid’s Digital Data at School?

Privacy class action lawsuits in Illinois assert that Facebook violates a 2008 Illinois law protecting a peron’s biometric information with its facial recognition tagging software. 

The nuts and bolts of the Illinois law:

• Biometric Information Privacy Act makes it illegal for a company to:
• collect or access customers’ biometric identifiers
  • without first informing them in writing about what’s being collected,
  • how the biometrics are being used,and
  • how long biometrics are being stored
•  requires companies get a written release from those whose data is being collecting
• statutory damages of $1,000 for negligent violations, and $5,000 for those that are “intentional and reckless.”

The Recorder

Target has reached another tentative $67 million settlement with VISA over its 2013 data breach & is in ongoing negotiations with Mastercard.

Community banks and credit unions estimate they spent $350Million to re-issue cards after the data breach.

Target still faces a class action lawsuit from consumers.

WallStreet Journal

Office of Management and Budget  is setting forth data breach standards for federal contractors. The requirements include:

• Required improved data security controls
• Timely contractor reporting of all cyber incidents
• Contractors will be required to undergo Security assessments
• Contractors may face continuous monitoring by the government agency
• Increased business due diligence before entering into a contract

Details about the OMB workgroup and proposals for contract reform are available at the Improving Cybersecurity Protections in Federal Acquisitions wesbite.

Neiman Marcus experienced a data breach in 2013 that exposed credit card information for 350,000. And, as it is with every data breach, lawsuits ensued.

The 7th Court of Appeals answered a lingering legal and legislative issue– whether any actual injury has to occur before suit may be filed. “Chief Judge Diane Wood, who said that fear of hackers in the future is not too “speculative” for a day in court.”

The ruling is expected to apply to both pending lawsuits realted to Sony & Target data breaches.

Fortune     Bloomberg

Pearson’s SEC Form 20-F report warns investors about:

• the data breaches it has experiences
• its need to mine data for its products
• its concern over regulations and legislation that pose a threat to its ability to mine data for product development and to its finacial success

Missouri Education Watch Dog

In 2007, 17% of police departments were using license plate readers. That number increased rapidly. By 2012, 71% of police departments used license plate readers.

Whats the concern if these help lower crime? The data. Regulations seek to:

• How long the data is kept. Minnesota keeps it for 48 hours. New Jersey keeps it for 5 years.
• How safe is the data
• How much data is collected about law abiding citizens

6 states have limited the use of license plate readers or prohibited the use outright.

• Arkansas, Maine, Maryland, New Hampshire, Utah and Vermont
• In June 2015, Gov. Jindal vetoed a bill that would have clarified that Lousianna law enforcement may use licnese readers. His veto was based on:
  • fundamental risk to personal privacy
  • that it creates large pools of information belonging to law-abiding citizens
    • “that unfortunately can be extremely vulnerable to theft or misuse.”

Governing

UCLA finds itself facing a class action lawsuit over a data breach at hospitals in the UCLA hospital system.

So how does a state university system get sued?

• UCLA is accused of  not encrypting patient data invcuding:
  • names, dates of birth, Social Security numbers, health plan identification numbers, and medical information including patient procedures and diagnoses
• UCLA allegedly did not notify patientsin a timely manner
• UCLA’s lack of action allegedly violated multiple consumer and privacy protection laws

LATimes

Maine Municipal Association has added cyber-liability coverage to its insurance plan for municipalities.

Mount Desert Maine developed a data breach response policy in consultation with the Town Manager, the Police Chief, and a consultant. The data security policy:

• Defines a data breach as “any occurrence where personal identifying information (such as Social Security numbers or payroll information) is accessed by someone other than an authorized user for anything other than an authorized purpose.”
• If a breach is suspected, a response team consisting of the police chief, town clerk and contracted information technology (IT) coordinator will immediately investigate.
• The source of a breach shall be completely disconnected from the town network” and shall be “left powered on and idle until an investigation is completed,” 
• Notification will be provided to everyone whose personal information might have been compromised 

Data breach lawsuits are dominating courts. Judges are finding that no specific monetary harm is necessary for these suits to progress.

In the latest health care data breach suit, patients have filed a lawsuit against a medical software company for a data breach.

WNDU Indiana

Onstar–the savior for people who lock their keys in the car.  Onstar–the way for hackers to take over your car.

Until this week, hackers were able to take control of opening cars, turning on the ignition, and locating the vehicle. The hack took $100 of equipment but was an otherwise easy path to taking over Onstar.

Findlaw

Researchers testing the Tesla system also identified a potential vulnerability and sent out a wireless update to Tesla systems.

TechCrunch

Computer Weekly’s Security Editor has a more succinct explanation replete with tech jargon: 

 “common file synchronisation services such as GoogleDrive and Dropbox for command and control, data exfiltration and remote access, security firm Imperva has revealed.”

At the 2015 Blackhat Security conference, businesses were urged to  begin utilizing “perimeter security to data monitoring and data security.” For more advice, including their recommended security protocols for cloud computing, see Computer Weekly. 

Medical devices are interconnected. It creates better health care delivery and creates access points for hackers.

Federal regulators issued a warning that a pump used to deliver medicine to patients, the Symbiq Infusion System from medical device-maker Hospira, can be hacked by if access is gained to a hospital’s computer network.

Not the first time medical devices and hacking have ended up in the same sentence:

•  In 2011 it was shown that insulin pumps can be hacked. 
• In May , a security firm warned that hospital xray scanners can be used by hackers to gain access to patient information.

Washington Post

The National Cybersecurity Center of Excellence is soliciting comment on its guide to secure electronic health records on mobile devices. 

NCCOE Draft Guide    Comment is accepted until 9.25.15 here 

“The Consortium for School Networking, will work toward establishing a nationwide set of standards around student privacy. The end result will be known as the Trusted Learning Environment Seal that public schools can adopt to assure the community that their student’s data is protected.” 

Chalkbeat Colorado

• Georgia Department of Human Services Division of Aging Services |  Atlanta Business Chronicle 
• Planned Parenthood  |  The Hill
• Online Photo Printing for a variety of retailers |   WBOY 12
• Kansas Hospitals and Clinics that Use NOMoreClipboard software  |  KCUR
• US Census Bureau | Softpedia 

1. Credit card breaches will rise over the next few months as hackers try to beat the October deadline set by Visa and MasterCard for merchants to accept only the new generation of credit cards that are embedded with computer chips.
2. Hackers increasingly will target data stored in the cloud. “Hackers are eager to capitalize on the value of consumer online credentials,” according to the report.
3. Expect more breaches of health care data. One reason: the growing number of access points to protected health info. Another: the growing popularity of wearable technology, which can transmit data to doctors but provide an entry point to hackers.
4. In light of all the recent high-profile hacks of major companies, legal and regulatory pressure will increase on CEOs and boards. “It is clear that security can no longer be viewed as just an IT issue,” the report said.
5. Despite all the headlines involving breaches by hackers and foreign countries, disgruntled or negligent employees will be companies’ biggest security threats.
6. The Internet of Things will become a buzzword in insurance circles. The term refers to the growing cloud-based connectivity of people and their devices, which may provide an easy entry point to all your devices and data.

Crain’s Detroit Business 

Connecticut’s enacted Senate Bill 949 contains significant data security requirements for entities contracting with state agencies and entities in the health insurance and administration business. 

Contracting entities must provide:

• Comprehensive data-security program, including:
  • the use of security policies,
  • annual reviews of such policies,
  • access restrictions, and
  • mandatory security awareness training for employees beginning July 1, 2015.
• Restrict access to Confidential Information only to authorized contractor employees,
• Maintain the Confidential Information in secure servers with firewall protections
• Implement security and breach investigation procedures.
• Undergo annual reviews
• Include ongoing employee security awareness program.

National Law Review

A bipartisan duo of Congressmen and women (Congresspersons?) has a new student data security bill.

Reps. Todd Rokita (R-Ind.) and Marcia Fudge (D-Ohio) rolled out the Student Privacy Protection Act this week. It will:

• bar schools or private technology companies from selling or using student data for targeted ads.
• set minimum data security standards for companies handling sensitive student information
• update the Family Educational Rights and Privacy Act (FERPA) for mobile apps and cloud computing
• give parents the right to access, alter or delete certain information about their child

The Rokita-Fudge bill would be a companion to an effort from Sens. Orrin Hatch (R-Utah) and Ed Markey (D-Mass.), as both measures revise FERPA.

The Hill

The emergency contract for $20M was the tip of the ice berg. By August 14th. the federal government will award a 5 year contract for data security protection for the 21.5M federal employees whose data was hacked. Washington Post

Oh, and that pesky, initial contract of $20M isn’t going so well.  The Austin, TX based vendor cannot keep up with demand. Washington Post

Health care orgnaizations are experiencing high levels of data breaches. A poll of health care data security  experts list 2 challenges:

1. shortages of cyber security experts in health care
2. financial shortages for cyber security

Health IT Outcomes

The Neiman Marcus data breach lawsuit can continue according to the 7th Circuit. 

Courts have wrangled with whether a person who had her information stolen in a dat abreach must have had that information used in a manner to cause harm before a lawsuit can continue.

The 7th Circuit said no to that specific standard and is allowing more damages like the cost of credit monitoring.

Law360

A reporter for Wired details what parts of a car hackers can control while you’re driving. 

Hackers are able to control a vehicle’s:

• A/C system, changing the temperature in the car
• The radio, changing channels and volume control
• Windshield wipers
• Windshield washer fluid blurring the windows
• dashboard functions
• steering
• brakes
• transmission

All of the car functions above can be controlled from a laptop by a nefarious hacker. Wired. Congress is trying to stop it with the Spy Car Act.

Lifelock, the company advertising its ability to protect your financial data, violated its 2010 $12 million settlement with 35 state attorneys general according to the FTC.  

“LifeLock vigorously opposed the FTC’s allegations.” The case is heading to the courts.

The Hill   Forbes (Lifelock value tumbles)

A JP Morgan hack led to the arrest of 4 in Florida. Federal officials are linking the dta hack and stock manipulation.

The financial data breach had previously been thought to be the work of Russian gangs.

The Hill  Bloomberg

HomeDepot Shareholders are taking action against Home Depot. They have filed suit  to request corporate documents, potentially for the purpose of investigating wrongdoing by corporate officers or directors.

Above The Law

“In the 2015 first half, venture firms invested $1.2 billion in cybersecurity startups, according to researcher CB Insights.”

Data breaches are taking this nerdy issue, cyber and data security, and turning it into big business, well funded, with a lot of government regulation, oversight, and contracting opportunities.

WallStreet Journal

For the first time ever, Zurich Surety registers as a lobbyist in Canada amid interest in data security legislation.

Folks, data security insurance is a business that is growing exponentially. The well read will remember that just last week, Information Intelligence brought you news of the first lawsuit concerning insurance coverage in a data breach. 

Rapidly growing industry. Not Yet in Texas. Hello opportunities. 

Canadian Underwriter

This week, Rep. Mo Brooks (R-Ala.)  introduced the “Protect US Act,” which would:

• Give the president and Congress the power to add foreign powers accused of harboring or conducting hacking to a “State Sponsors of Cyberattacks” list.
• The president would be granted power to impose a wide range of trade sanctions on those countries.

China/Chinese hackers were allegedly behind the massive federal government data breach.

The Hill

Sen. Debbie Stabenow (D-Mich.) and Sen. Martin Heinrich (D-N.M) say the Energy and Water Development funding bill shortchanges our electric grid from being properly protected from a cyber attack.

They call for funding the following data security protections:

• virtual forensics platform,” intended to detect malicious actors sitting on the network
• Replace the $11M removed from the Cybersecurity for Energy Delivery Systems

The Hill

Connecticut and Oregon both strengthened laws protecting health care data this year. Specifically the states , strengthened protections of personally identifiable information (“PII”).

• Connecticut did this:
  • Effective October 1, 2015, S.B. 941 
    • Requires notice of a breach of personal information within 90 days of discovery
    • If a breach involves social security numbers, must offer a year of complimentary identity theft prevention and mitigation services, and the notifications must include information on signing up for these services, as well as information on placing a credit freeze. 
    •  Health insurance companies must implement, maintain, and update annually a “comprehensive information security program” to protect personal information (including protected health information, government-issued ID numbers, biometric data, and financial information).
• Oregon did this:
  • Senate Bill 601 (SB 601) is effective January 1, 2016, and will:
    •  Expand the definition of “personal information” triggering a required notification to include:
      • 1) biometrics
      • 2) health insurance policy number or subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the individual; or
      • 3) any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the individual.
    •  The Attorney General must be notified for breaches of personal information involving 250 residents of the state or more & may bring Deceptive Trade Practices Act violations.
    • The threshold for notification is altered  to an “unlikely to suffer harm” standard in place of the previous standard of “no reasonable likelihood of harm” and requires this determination be made in writing by the effected entity and maintained for at least five years.  

The Beat @ CooleyHealth

In an effort to protect data,  large financial entities, like credit card companies, are looking to collecting facial recognition software to further protect their and your financial data.

Storing biometric information along side financial information at one company seems like that company is putting put a neon sign that reads, “Hacker Dreams Come True Here.” 

Coin Telegraph: Future of Money

47 Attorneys General signed a letter supporting state authority over data breach enforcement and strongly opposing any attempts at federal preemption.

 Gen. Paxton is notably absent from the list: Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska, was also joined by the following states and territories, according to the news release: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, North Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.

LasCruces Sun News      Montana Department of Justice 

A company that controls concession stands at 9 zoos across the country announced a data breach just in time for summer tourism. 

Washington Times

Say you’re a health care provider. You buy data breach insurance policy to cover any potential hacks or breaches. you think you’re doing the right thing to protect your business.

Then, your data gets hacked. You file a claim with your insurance company. You’re denied. You go to court.

The insurance company says the health care provider failed to provide the required minimum security standards. 

Its a case of first impression. It’ll make history and make legislation far and wide as the claims are state law and federal (HIPPA).

Crowell Moring Data Law

Ft. Worth is home to a new $500 Million Facebook data center, powered by renewable energy.  

The facility broke ground this week and will be up and running by 2016 with 40 full time employees.

TechCrunch   Governor Abbott

Learning Curve conducted a poll about technology in education, and student data is in its scope:

•  71% believe technology has improved their child’s education
• 79% concerned about the privacy and security of their child’s data
• 75% worried about advertiser access to that data

First Look | The Intercept

NAPA has new data breach compliance and certification. Data breaches are big business, people.  

Data breaches and protecting against data breaches generate:

• Big legislative pushes
• New regulations
• Procurement Opportunities (hello, $21M emergency contract that the federal data breach sparked)

Data breaches impact:

• bankers, credit unions, financial institutions
• retailers
• corporations
• new lawsuit filings
• health data
• student data
• +more

NAPA

Federal employees this week filed suit over the June 4th federal data breach. The breach is said to the largest in government history, and allegedly the result of Chinese hackers seeking super secret spy information. 

The crux of the lawsuit is something all corporations should pay heed to as its the same argument made by plaintiffs in Target and HomeDepot breaches too- how much knowledge did the government have about potential breaches and did the government fail to act? As for the feds, the  lawsuit alleges:

• The federal government was on notice because:
• “10 million confirmed intrusion attempts targeting its network in an average month”
• OPM Breach potentially affects 18 million federal applicants
• OIG found that in many areas the OPM’s performance actually got worse in that “a 2014 OIG report, the ‘drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.”

Courthouse News Service

The Federal Trade Commission has released new guidelines for corporate data security. FTC has the power to fine companies for data breaches, so take heed. 

Recommendations include:

1. Start with security.
2. Control access to data sensibly.
3. Require secure passwords and authentication.
4. Store sensitive personal information securely and protect it during transmission.
5. Segment your network and monitor who’s trying to get in and out.
6. Secure remote access to your network.
7. Apply sound security practices when developing new products.
8. Make sure your service providers implement reasonable security measures.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
10. Secure paper, physical media, and devices.

FTC Start with Security coming to UT law November 5th

FTC Guide for Businesses

Healthcare Management Information Systems Society released a new survey about data security and healthcare, the results:

• 2/3 of healthcare companies repsonsing experienced a data security issue within the last year
• 87% say data security is a increasingly higher business concern for healthcare
• 69% say their concern about data security is motivated by phishing
• 46% say the highest data security concern is internal negligence
• 57% have at least 1 full time staff person dedicated to data security

MedCity News

An immentn departure by the director of the Office of Personnel Management, Katherine Archuleta, appears likely.

She leads the federal agency at the center of the largest government data breach-ever.

What we know: Alleged Chinese hackers. Forthcoming federal agency resignations.

The Hill

Data Security from student data to retail data to contracts to clean up data breaches is big business. The EU is often seen as taking a stronger approach to data protection predicts it will be big business at the tune of 415 Billion Euros a year.

Psst- a Euro is more valuable than a US Dollar.

Computer Weekly

• “Expands the statute’s definition of “personal information” to include a resident’s biometric or medial information;
• Requires entities or persons that own or license consumer personal information to notify the Oregon Attorney General of a data breach if the entity must notify more than 250 residents;
• Raises the threshold for notifying Oregon consumers to a more generous “unlikely to suffer harm” standard;
• Lowers the threshold for reporting to consumer report agencies (CRAs) by requiring notice to CRAs whenever a breach affects more than 1,000 residents;
• Exempts covered entities under the Health Insurance Portability and Accountability Act (HIPAA) from compliance, so long as a copy of the notice sent to either the entity’s primary functional regulator or to state residents is sent to the Attorney General; and
• Allows the Attorney General to bring action against entities that violate the data breach statute, pursuant to Oregon’s Unlawful Trade Practices Act (Ore. Rev. Stat. § 646.607).”

JD Supra | Privacy & Security Law

Will Congress pass a national data security bill after the massive federal employee data breach. Odds are not high. There is a higher liklihood that next week there will be a new food trailer opening in Austin. 

What does this mean? States will pass stronger data security bills from everything from retailers to public education contractors to health care data.

Health Data Management

Protecting citizen data from the prying eyes of the government, hackers, and neighbors is the rally cry of everyone from Rand Paul to the Wyoming Legislature.

 Wyoming’s Task Force on Digital Information will recommend whether the Legislature should move forward with its constitutional amendment again in 2016.

In 2015, the constitutional amendment ran into hurdles when legislators realized that protecting privacy might make a mess of open records.

To head this disaster off at the pass, some press types recommended a right to know addition to the constitutional amendment. 

Courthouse News Service

One of Governor Abbott’s line item vetoes struck $5,000,000 in funding for University of Texas Center for Identity.  The Center seeks to limit impact of data security breaches.

The Governor’s rational: “If The Center þr ldentíty is a príority, the University may use íts appropriationfor ínstitutional enhancement, leverage public-private partnerships, or allocate other resources þr this purpose. “

Governor Abbott Budget Vetoes   UT Center for Identity

SOPIPA and Student Privacy Pledge are all the talk among Edtech companies gathered in NYC. 

California’s SOPIPA passed in 2014 has influenced other state legislation.  Student data protection isn’t just for state legislatures. Its also federal- Hello, FERPA.

And, state boards of education have used rule making to address data protection that can can hinder or assist edtech companies. 

EdSurge

The federal employee data breach this week, triggered an emergency contract of $20+million to provide credit monitoring services.

It’s a common response to offer these services. The Texas Comptroller did the same a few years ago when state employee records were breached/exposed.

The techies say credit monitoring is only part of the solution when a person’s data is breached. Other parts to the solution are:

• Watching for phishing emails.
  • Employees can be coerced into providing information without realizing they are being coerced
• upgrade their personal systems
•  invest in firewall protections

Government Executive

A data breach at Texas Department of Aging and Disability Services made 6,600 Medicaid patients’ information, including Social Security numbers and private health information, available online.

DADS

Fierce Health IT

A federal judge in Los Angeles Monday refused to throw out legal claims that Sony was negligent in maintaining adequate data security.

Refresher: the Sony data hack led to the release of:

• employee salaries
• worker health data
• racially tinged e-mail banter and
• other sensitive information.

Bloomberg

4.1 million current and former federal employees had their information exposed in a federal government data hack. California’s Department of Technology regulates data security.

The California Department of Technology reports 204 data breaches in 2014 among state agencies. 

State cybersecurity jobs are notoriously tough to fill. The private sector pays better and state hiring moves at a glacial pace. As a result, data security is often outsourced which opens the data up to another layer of potential data breaches.

Sacramento Bee

Rand Paul has filabuster against the Patriot Act and has outspoken opinions on NSA data collection.

His opinions are echoed by Ted Cruz and Bernie Sanders. 

Factor in the recent federal government employee data breach and Hillary Clinton’s Department of State email, and data security and data privacy will play a key role in upcoming elections.

Advertising Age

FBI is investigating a data breach allegedly pertetrated by the St. Louis Cardinals back office.  

If you see one mouse in the barn, there are likely a lot more mice.  Corporate data breaches are likley far more common.

Wallstreet Journal   NewYork Times  Houston Chronicle 

Connecticut passed new data breach laws that will:

• require businesses to notify affected person within 90 days of the breach
• Require businesses to provide 1 year of identity-theft protection if their Social Security number is compromised

CT SB 949    Consumer Financial Services Law Monitor

“Sweeping changes to provincial health privacy laws will soon cut down the red tape preventing authorities from prosecuting snoopers and force hospitals to declare all breaches of patient records to the privacy watchdog.” 

• the six month deadline to lay charges would be wiped out
• potential fine for snoopers would be doubled from $50,000 to $100,000
• Hospitals would also be forced to report all breaches to regulatory colleges and the provincial privacy commissioner

Toronto Star

Cyber Security Firms & their Investors according to the WallStreet Journal.  

In the honorable mention category- are the data breach fixing firms, like the quick $21M federal contract to CSID. WashingtonPost

TexasTURF is sounding the alarm on data collection by TXDOT. As we know, data collection is ripe for a data breach. 

Texas TURF says “TxDOT tracks drivers to mine data without their consent” 

The numbers on the Chinese data hack at the IRS:

• $20.7 M private contract to notify those who had information hacked
• 3.2 million notifications will be sent by e-mail and snail mail
• Hacking victims will receive: “…$1 million identity theft insurance policy in case their identity is stolen, 18 months of credit monitoring and other security protections as part of the contract.”
• 4 million current and former federal employees affected

Washington Post

TexasLegislature passed body cameras for law enforcement officers, SB 158 by West. It’ll create a lot of data.

“Seattle Police Department alone produced over 360 terabytes of data from dashboard cameras.” its a lot of data, that must be stored securely, whcih can be costly. 

Recently updated FBI Criminal Justice Information Services (CJIS) policies offer guidance on safe data storage. 

Federal Times

last week a district court blocked a Texas Medical Board rule that required a face to face video conference or an in person meeting prior to telemedicine. It was a win for telehealth. 

“Officials of the College of Healthcare Information Management Executives (CHIME) have sent a letter to two U.S. Representatives – Fred Upton (R-Michigan) and Diana DeGette (D-Colorado) – expressing their concern about the need for better patient identification. ”  

They point to:

• “As data exchange increases among providers, patient data matching errors and mismatches will become exponentially more dangerous and costly.” 
•  Congress should lift prohibitions against a national patient ID.
• Increased interoperability comes increased “threats to data integrity.” 

GlobalMD

“The U.S. Office of Personnel Management on Thursday said personal information for as many as 4 million current and former employees of the federal government may have been compromised in a recent cyberattack.” Law 360

Small businesses are not pleased with a data security proposal by House Financial Institutions and Consumer Credit Subcommittee Chairman Randy Neugebauer(R-Texas) and fellow Financial Services Committee member Rep. John Carney (D-Del.).

National Retailers Federation response: “Congress should take concrete steps to make sure the credit card cartel finally does the right thing and makes its cards secure.”

The Hill 

Does the Chief Information Officer take the fall? Nope, it’s the CEO.

SC Magazine for Information Security Professionals

“On a 39-0 vote, senators on Wednesday approved tech industry-backed legislation that would require law enforcement to obtain warrants before accessing emails, text messages and other digitally stored data.”

The Recorder 

Tax returns for 104,000 households were hacked.

The hackers used hacked personal information to re-hack into the IRS to view past tax returns.

This allows the hackers to build fuller identiy profiles and to file tax returns with the fradululently obtained information. 

WallStreetJournal CNN Credits Russian Hackers

Retailers scuttled the $19 million settlement with mastercard issuers over the Target data breach. This keeps Mastercard in the class action lawsuit. 

National Law Review

Data collectors and analyzers, IBM and Ponemon Institute, released the 2015 Cost of Data Breach Study: Global Analysis, which shows the average data breach cost increased 23% over the past two years to $3.79 million.

The report recommends mitigating costs with insurance and technology enhancements.

Security Intelligence  PC World

Radion Shack filed for bankruptcy protections. In that process, it has valuable consumer marketing information that it would like to sell. The FTC is entering the fray, in its newly amped role as data protector. 

Law 360

U.S. Senators Hatch & Markey this month filed a measure to protect student data. Following suit is Senator Vitter. 

Hatch & Markey focus on amending FERPA. Yes, that FERPA at issue in the UT System/Wallace Hall debacle. The Senators’ Protecting Student Privacy Act seeks to:

• Require that “data security safeguards be put in place to protect sensitive student data that is held by private companies,”
• Prohibit “the use of students’ personally identifiable information to advertise or market a product or service,”
• Provide “parents with the right to access the personal information about their children—and amend that information if it is incorrect—that is held by private companies,”
•  Make “transparent the names of all outside parties that have access to student information,”

Hatch-Markey Press Release

Vitter’s covertly named Student Privacy Protection Act will:

• ” Reinstate protections originally outlined under [FERPA] by clarifying who can access student data and what information is accessible,”
• “Require educational agencies to gain prior consent from students or parents and implement measures to ensure records remain private,”
• Hold liable through monetary fines “[a]ny educational agency, school, or third party that fails to get consent.” 
• Extend “FERPA’s protections to ensure records of homeschooled students are treated equally”
• Prohibit “educational agencies, schools, and the Secretary of Education from including personally identifiable information obtained from federal or state agencies through data matches in student data.” 

Vitter Press Release

A class action lawsuit was certified this week against yahoo, which has a process to intercept, scan and store incomiong, non-yahoo emails of its users for advertising purposes.

Something to think about when you’re sending confidential or privileged information via email.

The Recorder

Chicago Public Schools accidentally released personal information on 4,000 students to 5 potential vendors.

Chicago Public Schools assures the public that social security numbers were not released by the inadvertant data breach. 

NBC 5 Chicago

Within the last few years, the FTC has increased its data security enforcement. Including issuing record breaking fines against companies from big banks to major telecommunications providers.

An FTC Posting touts the favorable treatment for companies that self report data breaches to the FTC.

The Hill   FTC.GOV

A school district in Ohio suffered a data breach that exposed the names, addresses and social security numbers of students. The hacker? a student, who shared the information.

Young adult data is very valuable on the black market, because the identity is freely adaptable.

News-Herald Columbus Dispatch

California Attorney General Kamala Harris, front runner to succeed U.S. Senator Barbara Boxer, is urging Congress to allow states to have stonger data security bills.  

Her concerns about the federal bill are many, including:

• Allowing breached companies to determine whether harm has occurred
• Need to protect  medical data and health insurance information
• Need for a stronger notification timeframe for companies targeted by identity thieves and hackers.

Law360

Nevada is the most recent state to expand the definition of personal information that trigger data security laws. 

The expanded definition includes:

• individual’s medical identification number or health insurance identification number and
• a user name, unique identifier or email address with its associated password, access code or security question and answer that would permit access to an online account

This reflects a growing trend to include email address/usernames along with passwords in state data security statutes. 

Assembly Bill 179   

Thieves aquired names, addresses, social security numbers and other personal information from a database owned by CICS employment services., whiched housed employment background check information.

The thieves then took the personal information and filed false IRS forms to obtain tax refunds. The company does not know how the informaiton was taken, but they know it was when the theft ring was busted.

Oregon Live

The National Association of State Chief Information Officers, an organization for states’ chief information technology officials, found states are plagued by problems with hiring cybersecurity experts.

Why? 

• “Nearly 92 percent of states said salary and pay grades presented a challenge in attracting and keeping employees.
• 86 percent of states said they’re having trouble recruiting people to fill vacant slots. Four years ago, only 55 percent of states reported having that problem.
• 46 percent of states said that it takes three to five months to fill senior positions.”

Governing

Humans. Human error causes more data leaks, breaches, and exposure than hackers. A law firm report says data breaches are caused by:

• 37% human error
• 22% theft from outside
• 16% theft from inside
• 14% malware
• 11% phishing

Health IT Security

Data security:

• “knowing where your data is located”
•  ” who may access the data. “

Data privacy:

• “predicated on data security”
• “requires further understanding how personal data is being collected, processed (and by whom), and transferred,”
• “and the consistency of these practices with applicable laws, regulations, and the reasonable expectations of the relevant consumers”

National Law Review

Some proposals in Congress will allow corporations to determine whether the breach justifies notification.   WallStreet Journal