76% of IT Decision Makers would Move Data Centers out of the US over Privacy.

  • October 29, 2015

Who was surveyed? 1000 IT decision makers across the UK and US

What did 76% say? 76% would “move their organization’s data to another country as a result of privacy concerns”

The privacy concern of business: government snooping

How do the CEOs feel? 29% have moved data security to the top of the corporate agenda

Where are they moving their data storage? To Switzerland and Canada

The Data Center Journal | Information Exodus: 76% of IT Decision Makers Would Move Their Data to Another Country as a Result of Privacy Concerns

3 Recommendations to Minimize Liability in Outsourced Data Security. Hello Vendors.

  • October 29, 2015

  • “include specific data security procedure obligations in contracts with vendors

  • verify a vendor’s capacity to adhere to the prescribed data security procedures

  • look at data security practices from an expert’s perspective to determine whether such practices are reasonable”

National Law Review | Piercing Outsourcing Veil: FTC Says Data Security Obligations Remain 

U.S. Chamber on Data Security. 3 Points.

  • October 29, 2015

  • A patchwork of state laws is hard on business
  • Requires a single regulatory agency
    • Currently the FTC, FCC & state agency wrangle over regulatory authority
  • Clear legal standards on what constitutes harm from a data breach

U.S. Chamber Institute for Legal Reform | A Perilous Patchwork: Data Privacy and Civil Liability in the Era of the Data Breach

Lege Trend: Data Security Bill Passes over Tech Objections. 3 Pros. 3 Opposition Points.

  • October 29, 2015

The U.S. Senate passed the Cybersecurity Information Sharing Act on a vote of 74-21 this week.

Tech Companies continue their opposition. The main bones of contention:

  • “Mechanism for sharing of cyber-threat information does not sufficiently protect users’ privacy” (Computer & Communications Industry Assoc.)
  • “[Does not] appropriately limit the permissible uses of information shared within the government” (Computer & Communications Industry Assoc.)
  • “Privacy-shredding” bill “in cybersecurity clothing” (ACLU)

Supporters of CISA, the Cybersecurity Information Sharing Act, say:

  • Voluntary information-sharing provisions are key to defeating cyberattacks (Senator McConnell)
  • Protects civil liberties and individual privacy  (Senator McConnell)
  • Allows companies to share information in an effort to protect their systems from potentially damaging cyberattacks (Senator Feinstein)

Courthouse News Service | Cybersecurity Bill Sails Through Senate Despite Privacy Concerns

SC Magazine | CISA Watch: Bill passes Senate with 74-21 vote

Washington Post | Senate passes cybersecurity information sharing bill despite privacy fears

Federal Cyber Security Bill. 3 Points to Know Now. Which Businesses are on which side?

  • October 23, 2015

  • The Cybersecurity Information Sharing Act passed the U.S. Senate on Thursday, October 22nd.
  • Major Tech companies (Apple, DropBox) are opposed
  • National Retail Federation supports an amendment to CISA that offers liability protection for businesses that share threat data with the FBI and Secret Service, and not just the Department of Homeland Security.

Washington Post | Cybersecurity bill advances in Senate, but hurdles remain

National Retail Federation | Broad-based Coalition Supports Cotton Amendment

Regulatory Trend: Cybersecurity & Connected Cars. (Wifi Cars, not Trains)

  • October 23, 2015

What agency is talking cybersecurity & cars? The FTC

What committee heard from the FTC? Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee

What did the FTC testify to?

  • FTC is “the nation’s lead privacy and data security enforcement agency”
  • Proposed legislation is weaker than the FTC rulemaking on “connected cars”
  • Proposed safe harbor for auto manufacturers that submit privacy policies to the Department of Transportation was too broad
  • The proposed legislation significantly limits consumer protections
  • “Prevent the FTC from taking action related to privacy issues beyond a manufacturer’s cars, including its use of consumer data collected from its websites”
  • Proposed legislation permits retroactive changes to privacy policies by manufacturers
  • The proposal included a creation of a council to develop cybersecurity best practices for the industry with too many industry representatives

Imperial Valley News | FTC Testifies on Proposed Legislation Addressing Privacy and Security in Connected Automobiles

5 Ways Federal CyberSecurity Bill will Impact Health Care

  • October 23, 2015

  • It will “create a framework that would allow different healthcare entities to exchange information regarding cybersecurity”
  • Allow for the exchange of various potential threats
  • Allow health care entities to share best practice security measures
  • Cybersecurity bill would make the health care cybersecurity network available to both private and federal healthcare entities
  • Healthcare Information and Management Systems Society supports the bill

Health IT Security | Senate Pursues Legislation for More Health IT Cybersecurity

East Coast State Has Potential Medicaid Data Breach

  • October 22, 2015

What happened and where? North Carolina Health Department announced a possible Medicaid data breach.

What personal data was included? Confidential health information of 1,615 Medicaid patients. Only 2 Social Security Numbers were included, as most patients used Medicaid ID numbers. No birth dates were included.

How did it occur? A state employee sent unencrypted data to a local health agency

WRAL | DHHS reveals potential Medicaid data breach

A State Auditor Looks into 5 School District Student Data Collection

  • October 22, 2015

The Missouri State Auditor is looking into data security, data breach, and data retention policies in 5 school districts.

The review also covered the state education agency’s data policies. The state agency will soon adopt policies related to data breaches.

MissouriNet | Missouri education department to change student data collection after audit

Student Data Security Regulatory Trend from State of Huckleberry Finn. 4 Things the Agency Will Do Differently.

  • October 22, 2015

Which state is getting on the student data security bandwagon? Missouri

What prompted regulatory action by the Missouri Department of Education? An Audit that found the department of education “unnecessarily collected and kept personal information from students”

What changes will occur at this education agency?

  • Missouri will no longer collect and store student social security numbers when they don’t need social security numbers
  • Missouri will destroy unneeded sensitive data from its systems
  • Missouri will maintain the information it does need safely and securely
  • Missouri will create policies for dealing with data breaches & update its policy for recovering from a data breach

MissouriNet | Missouri education department to change student data collection after audit

 

Millions of Funding for Data Security for Electric Generation, Electric Grids & Oil & Gas.

  • October 21, 2015

  • Cyber Resilient Energy Delivery Consortium heads the $28.1 million effort
  • Consists of 11 national laboratories and universities and is led by the University of Illinois
  • Dartmouth received a $925,000 grant to “improve the protection of the electric grid and oil and natural gas infrastructure from cyber threats”

Concord Monitor | AP | Dartmouth College gets $925K cybersecurity grant

Lege Trend: Student Data Security Bills in KeyStone State. 9 Prohibitions for Education Vendors.

  • October 18, 2015

Multiple bills dealing with protecting student data have been filed in the Pennsylvania legislature.

The bills include provisions that would set standards for education vendors:

  • Prohibit tapping student information to target them with advertising;
  • Prohibit amassing profiles of students for non-educational purposes; 
  • Prohibit the sale or sharing of student information outside of narrow circumstances.
  • Require vendors to secure student data and delete it all upon the district’s request.
  • Districts could continue to hire cloud computing firms to handle student data.
  • Vendors would be contractually required to ensure that the data remains the property of the school district
  • Vendor contracts will prohibit the use of student data for purposes not outlined in the contract
  • Permit students to review and correct their information.
  • Require that contracts with those vendors oblige the companies to disclose any data breach in which student records are compromised.

Government Technology | Pennsylvania Legislation to Set Student Data Privacy Standards

Lege Trend: Model forms for Data Breach Notifications

  • October 18, 2015

California amended its data breach notification statutes this year to do 2 things:

1. Expand the definition of what type of information breach requires a notification to include information gathered by an automatic license plate reader.

2. Provide a model form for entities that experience a data breach

National Law Review | California Amends Data Breach Notification Statute by Requiring Specific Notification Content and Expanding the Definition of Personal Information 

Drones & Data Storage. A Legislative Trend.

  • October 16, 2015

Drones collect data. Data everywhere. Private data. Public Data.

Legislatures and local governments are focused on … How long that data is stored, under what conditions, and under what disclosure requirements is legislative fodder.

Are these private drones or public drones? Data release and data storage could apply to either. Here are some of the legislative questions:

  • Are there penalties for a person’s private drone that collects data of someone’s private property?
  • How long can law enforcement keep drone data?
  • Can they release drone data if the data is superfluous to a criminal investigation?

Georgia is starting to tackle these issues with a focus on how much would it cost for law enforcement to keep or maintain non-investigative drone footage.

WABE Atlanta

City Creates CyberSecurity Squad. 5 Details to Build Your Own.

  • October 16, 2015

  • The local government creating the Cyber Security Squad: San Diego Regional Economic Development Corp
  • Why? The region is replete with defense and communications technology expertise
  • Goal of the Cyber Squad: “foster, enable and accelerate the cyber economy and to create an innovation hub for cyber here in the region”
  • Economic Boost from the Cyber Squad? Yes. Yes. Yes. 13 percent growth in the region for cyber, with over 100 companies, & 6,500 jobs. The economic growth rate of other sectors is 2.2%.
  • Which city or state has the best model for Cyber Squads? Look to Maryland

Governing: San Diego Now Has a Cybersecurity Squad

2015 Data Security Senate Interim Charges. 2 Committees. 3 Charges.

  • October 14, 2015

  • Senate Finance
    • DIR’s modernization of state technology
  • Senate Business & Commerce
    • Cyber Security/Storage: State policies, privacy implications, business confidential information. Recommend best protection of financial and personal information.
    • Current consent policy for state disclosure of personal data

Greater Houston Partnership Hosting Cybersecurity Forum. Link between strong cybersecurity & business.

  • October 8, 2015

The Greater Houston Partnership is hosting the upcoming Cybersecurity Forum: Protecting Your Business Online on Tuesday, October 13.

It’s part of the work of the Partnership’s Cybersecurity Task Force & stresses the import of cyber security to business. 

HAVE QUESTIONS?: Contact Amber Margraves at amargraves@houston.org or 713-844-3651.

Greater Houston Partnership Cybersecurity Forum

Sign of the Times: Warren Buffett Enters Data Security Insurance Market

  • October 8, 2015

This week Berkshire Hathaway Specialty Insurance division unveiled 2 new specialty policies:

  • Professional First Network Security & Privacy
  • Professional First Professional Liability and Network Security & Privacy

What do the policies cover?

  • coverage for third-party exposures
  • resulting from data security and privacy breaches, breach expense and extortion threats, media liability and business interruption.

SC Magazine | Berkshire Hathaway Specialty Insurance enters cyberinsurance arena

What is the hubbub about the EU- US Data Security Ruling this week?

  • October 8, 2015

Why don’t Europeans want their data routed to the US by Google or Facebook? Europe has higher data security protocols than the US.

Can’t the companies protect the European information? Sure, Tim Cook’s Apple has said it will lead in data privacy, but the Patriot Act and other laws allow the US to snoop on data. So, that European data gets siphoned up by the U.S. government.

So, what? Americans have learned to live with it? Remember the international kerfuffle that occurred when it was learned that the US was spying on its German allies? Europeans place a higher value on data security.

What did the European Court do? 2 things:

  1. It invalidated an international safe harbor agreement for the transfer of the data
  2. It said that each EU country should have oversight over how companies collect and use online information of their countries’ citizens.

NYTimes | Data Transfer Pact Between U.S. and Europe Is Ruled Invalid

3 Points from an Education Tech Expert on Student Data Security

  • October 8, 2015

Who is the expert? James Steyer

  •  Founder and CEO of Common Sense Media, a San Francisco-based not-for-profit that, among other things, studies and advocates for children’s online privacy.
  • He is a former civil rights attorney
  • Common Sense Media helped push 2014 California legislation, the Student Online Personal Information Protection Act, that bars operators of educational websites aimed at kids from amassing data profiles on their users

What are his points to protect student data?

  • One, students’ personal information shall be used solely for educational purposes 
  • Two, students’ personal information or online activity shall not be used to target advertising to students or families
  • Three, schools and education technology providers shall adopt appropriate data security, retention and destruction policies.

Does he support federal student data security legislation or state based legislation?

He really likes his California legislation. He agrees that there needs to be uniformity, but that protection for student data should be high like the California model.

The Recorder | Proponent of California Student Data Security Legislation

Trump Hotel Data Breach

  • October 8, 2015

What happened to expose customer data at Trump Hotels? Hotel security systems were “compromised as a result of malware that went unnoticed on system computers for more than a year.”

How long did hackers potentially have access? 1+ year

What responses did Trump Hotels have?

  • Hired independent investigators who found no instances of data being accessed through the malware
  • “Immediately upon learning of a possible incident, we [Trump Hotels] notified the F.B.I. and financial institutions, and engaged an outside forensic expert to conduct an investigation of the incident.”

Lawsuits? Oh, yes, there were lawyer patrons. A suit was filed in U.S. District Court for the Southern District of Illinois on Oct. 2, asking for a class action suit to be opened.

Washington Times | Donald Trump’s hotel chain confirms ‘data security incident’; customers of 7 properties affected

Lege Trend: New State Data Security Laws. New State Cyber Security Agency. 8 Goals.

  • October 7, 2015

The New Jersey Legislature moved forward a data security law that will:

  • Create the New Jersey Cyber Security Commission
    • It will be a 13-member commission within New Jersey’s Department of Criminal Justice.
    • 6 members will be: representatives from the state Attorney General’s Office, the chief technology officer of the Office of Information Technology, the chief executive officer of the state Economic Development Authority, the commissioner of the Department of Education, the superintendent of the State Police and the director of the Office of Homeland Security and Preparedness.
    • 7 members will be private citizens: 2 with expertise in technology; 2 in finance, business administration or economics; 2 in public safety; and 1 in education.
    • The Commission’s goals will be:
      • To identify high-risk cybersecurity issues facing the state
      • To provide advice relating to the security of the state’s networks and systems
      • To suggest how to add cybersecurity to the state’s Office of Emergency Management’s response capabilities
      • To recommend science, technology, engineering and math programs for high schools, four-year colleges and community colleges
      • To develop strategies to enhance private-sector security.
      • To review and assess opportunities for private-sector involvement in cybersecurity issues relating to military facilities in the state.
      • To educate the public about the necessity of online security.
      • To issue an annual report about cybersecurity threats and measures taken to offset them.

New Jersey Law Journal | NJ Legislature Moves on Cybersecurity Bill

3 Data Security Risks at Power Plants Coming to a Regulatory Agency Near you

  • October 6, 2015

  1. known internet-related vulnerabilities. 
    • Especially the use of commercial ‘off-the-shelf’ software, which is cheaper but with greater access for hackers.
    • Lack of proper protection from internet access.
  2. lack of nuclear facility personnel training
    • Many plants were built before cyber threats were an issue
    • A gap emerges between plant personnel and cyber security personnel
  3. No proactive solutions for potential threats
    • Reacting to potential threats is not enough cyber security

A London-based think tank produced a report, Cyber Security at Civil Nuclear Facilities: Understanding the Risks, after studying cyber risks to nuclear plants for 18 months, giving rise to these 3 identifiable problems at nuclear power plants.

SC Magazine for IT Professionals | Cyber danger to nuclear power plants growing

700 Data Breach Articles in NYTimes in 2014

  • October 1, 2015

In 2014 the New York Times “devoted more than 700 articles to data breaches.”

State Tech Magazine: Data Point 700

Trend: Pilot Project for Local Governments to Use Data Sharing for Code Enforcement

  • October 1, 2015

Who is fighting blight with data sharing? New York cities of Amsterdam, Gloversville, Schenectady and Troy and the University of Albany’s Center for Technology in Government

What data are these cities sharing? Code enforcement–related data, and they will develop best practices for tackling the problem

Why are they sharing data? Blight costs the cities.  Direct blight costs include:

  • code enforcement
  • administration
  • engineering
  • property maintenance

Indirect blight fighting costs for cities are: 

  • uncollected taxes
  • devaluation of adjacent properties
  • impact on city services such as police and fire calls.

This new pilot project, with its regional view, is “groundbreaking.”

State Tech Magazine | Blight Busters

24 States Provide Economic Incentives for Data Centers

  • October 1, 2015

  • Alabama: 
    • 30 years of tax breaks
    • for data centers investing $400 million
    • that create at least 20 jobs
    • with an average annual compensation of $40,000
  • Alaska NONE
  • Arkansas None specific to data centers, have used other tax incentives for data centers
  • California NONE
  • Colorado NONE
    • in 2015 Colorado tried to pass a sales tax refund on equipment for data centers
  • Connecticut
    • A state economic development office granted $6 million to a data center
  • Delaware NONE
  • Florida, none specific to data centers, have used other tax incentives for data centers
  • Georgia
    • sales tax exemption for equipment in data centers investing at least $15 million annually
  • Hawaii, none specific to data centers, have used other job creation incentives for data centers
  • Idaho NONE
  • Illinois NONE
  • Indiana
    • data centers investing at least $10 million can receive local personal property tax exemptions on their equipment
    • Other tax incentives have also been awarded
  • Iowa
    • sales tax breaks to data centers investing as little as $1 million
    • larger incentives for projects topping $200 million
    • Iowa has no property tax on equipment
  • Kansas, none specific to data centers, but
    • Kansas imposes no property tax on new equipment
  • Kentucky
    • sales tax refund for computer system equipment for data centers investing at least $100 million
  • Louisiana NONE
  • Maine, None specific to data centers, have used general economic-development programs for data centers
  • Maryland, none specific to data centers, but did authorize a conditional loan for $300,000 to a data center
  • Massachusetts, None specific to data centers, but have awarded a $25 million grant and $14.5 million in tax credits to data centers
  • Michigan, none specific to data centers, but does use other economic development programs for data centers to the tune of $7 million
  • Minnesota
    • data centers with 25,000 square feet
    • costing at least $30 million
    • qualify for 20-year sales tax exemption on equipment and energy
    • + a permanent property tax exemption on equipment
  • Mississippi
    • sales tax exemption on computer equipment for data centers
    • that invest at least $50 million
    • that create at least 50 jobs
    • these jobs must pay 150% of the average state wage
  • Missouri
    • New data centers can qualify for $25 million if
      • they employ at least 10 people in well-paying jobs.
    • Older data centers can qualify by:
      • investing at least $5 million and adding five well-paying jobs
  • Montana NONE
    • And, no state sales tax
  • Nebraska
    • Has a tiered system that allows $3 million if the data center:
      • Employs at least 30 people, or
      • It invests at least $37 million while holding employment steady
  • Nevada
    • Expanded sales and property tax exemptions for data centers
      • amounted to $229 million of tax breaks for Switch
  • New Hampshire “No incentives for businesses”
  • New Jersey
    • “authorized a projected $134 million in incentives to about a dozen businesses for data-center projects since 2000”
  • New Mexico NONE
  • New York 
    • sales tax exemption for equipment used by Internet data centers
  • North Carolina
    • sales tax exemption for equipment and electricity used by data centers that invest at least $150 million in poorer counties or $225 million in other counties.
  • North Dakota
    • sales tax exemption on computer equipment for data centers of at least 16,000 square feet.
  • Ohio
    • sales tax break for data centers that invest at least $100 million &
    • have a required payroll threshold of $1.5 million
  • Oklahoma
    • sales tax exemption for equipment bought by businesses engaged in computer services or data processing, as long as most of the revenue comes from out-of-state sales
  • Oregon None Specific to data centers, but
    • no sales tax & 
    • property tax exemptions through local enterprise zones
  • Pennsylvania None
    • Bills calling for a sales tax exemption for data centers are pending in the current legislative session
  • Rhode Island  NONE
  • South Carolina 
    • sales tax exemption on computer equipment and electricity used in data centers
    • that invest at least $50 million
    • employ at least 25 people in well-paying jobs.
  • South Dakota None, but have used general economic development programs
  • Tennessee
    • sales tax breaks on computer equipment and electricity for data centers that invest at least $250 million
  • Texas
    • sales tax exemption on equipment and electricity for data centers 
    • that contain at least 100,000 square feet
    • invest at least $200 million
    • employ at least 20 people at above-average wage
  • Utah None, but have used general economic development programs
  • Vermont  NONE
  • Virginia
    • sales tax exemptions for data centers
    • it is estimated Virginia authorized $48 million in incentives for data centers
  • Washington
    •  sales tax exemption
  • West Virginia 
    • sales tax exemption and a property tax break on equipment
  • Wisconsin  None, but have used general economic development programs
  • Wyoming 
    • Data centers that invest at least $5 million, receive  a sales tax exemption on computer equipment. 
    • Data centers that invest at least $50 million also can get a sales tax break on power supplies and cooling equipment.

NY Times | via AP | State-By-State Look at Incentives for Computer Data Centers

3 Federal Regulatory Data Security Acts Point to State Legislation on the Horizon

  • September 30, 2015

What have the feds done for us lately to protect our data security?

1. Weeks ago the FDA stopped the use of a pump for infusion therapy because it could be hacked

2. July’s recall of 1.4 million Chryslers, Dodges & Jeeps because of hacking the auto software

3. The SEC following through on enforcement for insider trading due to a computer hack

Let’s not forget it has also been the year of:

  • student data breaches
  • insurance companies data breaches
  • a fear of data security breaches at utilities, including power grids
  • increase in the number of data security insurance policies

That is a total of 7 reasons data security will move toward the top of legislative agendas.

Inside Counsel | Cybersecurity litigation: The tip of the iceberg, part two: Regulation and legislation

 

TX Chair of the Subcommittee on Information Technology on Data Security

  • September 29, 2015

Texas Congressman Hurd, the chairman of the new House Oversight Subcommittee on Information Technology, in an interview with Passcode says:

  • “One of the things that was so egregious to me is that OPM never said, ‘I’m sorry,’”
  • He also “criticized the agency for its failure to be transparent about notifying victims of the breach.”

Key words for business and policy people: transparency & notification.

The Hill: IT lawmaker: ‘Outrageous’ that OPM hasn’t apologized

Trend: Cyber Insurance $20 Billion in insurance premiums.

  • September 29, 2015

Insurer Allianz Global Corporate & Specialty offers calculated predictions about cyber security and insurance policies:

  • Cyber security costs the US $108 billion/year
  • By 2025, cyber security insurance will be $20 billion in annual premiums globally
    • In 2015, annual cyber insurance premiums are $2 Billion globally
  • 70% of breaches occur in restaurants
  • To recoup losses after a hack, companies should count on $200 per record that gets compromised.

North Bay Business Journal | As data breaches grow, so does cyber liability insurance

Regulatory Trend: Agency Fines for Failing Policies before Data Breach

  • September 24, 2015

Which agency is issuing fines for lacking data security policies? The Securities and Exchange Commission. 

Why is the SEC fining a company? Two reasons:

  1. It failed to have an adequate data security policy in place before it experienced a data breach that exposed financial records of 100,000.
    1. Let’s repeat, the company never adopted written policies and procedures
    2. The company did not conduct periodic risk assessments
    3. The company did not implement a firewall
    4. The company did not encrypt its personally-identifiable information
    5. The company did not maintain a response plan for any incidents either. 
  2. The financial information was stored on a third party-hosted web server.

What was the data breach that triggered the $75,000 fine? In July 2013, the 3rd party web server was breached by an unknown hacker from China after which the financial company contacted all parties offering free identity theft monitoring

Investment News: SEC nails advisory firm for cybersecurity failure before data breach

Federal Government Biometric Data Breach. 5.6 Million Fingerprints Revealed

  • September 24, 2015

The federal government data breach not only compromised personal data of 21.5 Million former and current federal employees but also compromised 5.6 Million fingerprints.

That’s 4.5 million more than initially reported. 

Reuters | Duluth News Tribune | Hackers steal 5.6 million fingerprint records in government data breach

The Consumerist: Federal Data Breach Included 5.6M Compromised Fingerprints, Five Times The Original Estimate 

Health Care Data Breaches top 100 Million in 2015 + 3 more health care data breach stats

  • September 24, 2015

  1. A study funded by data security firm ID Experts found that, since 2010, health care data breaches are up 125%
  2. In 2015, 100 million health care files stolen (Think: Anthem, Premera, Carefirst breaches)
  3. In 2014, the medical/healthcare sector accounted for the highest percentage of breaches at 42.5% according to the data security firm, IDT911
  4. This year’s largest health care data breach so far is the Premera medical data compromise, which may have exposed 11 million medical records

ABC News: The Medical Identity Theft Apocalypse? Fear the Walking Files

Lege Trend: State Data Security Laws Apply to Insurers. 8 states and counting.

  • September 23, 2015

8 states have specifically applied their data breach notification requirements to insurers.

  • California
  • Connecticut
  • Maine
  • New Hampshire
  • Ohio
  • Rhode Island
  • Vermont
  • Washington
  • Wisconsin

The laws vary on these points, but all specifically apply to insurers:

  • who has to be notified
  • when notification has to be given
  • what information triggers a notification
  • what powers an Attorney General has
  • which entities have to provide the notification

JD Supra | Baker Hostetler | State Data Breach Notification Requirements Specifically Applicable to Insurers

Data Security Coming to Presidential Campaigns Near You

  • September 22, 2015

A security and privacy group of tech savvy types reviewed presidential candidate websites, and the results are not good if you like security and privacy.

17 of 23 candidates failed according to the Online Trust Alliance, a nonprofit backed by businesses in the tech industry.

Why such a poor showing for data security this campaign season?

  • nonexistent or inadequate privacy policy disclosures
  • they reserve the right to liberally share or sell their donors and site visitors’ personally identifiable information

Some positive moves on data security by campaigns:

  • 70 percent are using encrypted websites

Which candidates fared the best?

  • Jeb Bush
  • Chris Christie
  • Rick Santorum
  • Scott Walker
  • Martin O’Malley
  • Lincoln Chafee

The Hill | Most 2016 campaign websites receive failing privacy grades

Fortune: Here’s why Donald Trump and Hillary Clinton’s campaign websites failed a security test

7 Cyber Security Polls

  • September 17, 2015

  • 64% of registered U.S. voters believe it is likely that a 2016 presidential campaign will be hacked
  • Who is most qualified to protect the US against a cyber attack?
    • 42%  of registered voters surveyed think Hillary Clinton
    • Donald Trump 24%
    • Scott Walker 18%
    • Jeb Bush 15%
  • Which party is better at protecting personal information? 38% say Democrats. 36% say Republicans. But, Millennials give Democrats 56%.
  • 56% of registered voters would allow the government to search their personal information if it meant protecting against terrorism
  • Which country has the best hackers? 51% say China; 30% say the U.S.; 13% Russia; 7% North Korea
  • 34% say Improved defense against hackers is the top cyber security issue
  • 47% of voters say they use encryption
  • 56% say their social security number is the personal data they worry most about

CSO Online

3 Recommendations for Health Care Data Security Legislation

  • September 17, 2015

The American Society of Clinical Oncology recently told Congress that coordination of care is key to fight cancer.

To support the coordination of care, they recommend the following when considering health care data security legislation:

  • Congress should pass legislation to remove barriers to interoperability, especially information blocking.
  • Policymakers should ensure that cancer patients, oncologists and other oncology providers do not bear the costs of achieving interoperable electronic health records and of companies refraining from information blocking.
  • Federal officials should work with ASCO and other stakeholders to ensure that healthcare providers have the information necessary to be prudent purchasers and users of health information technology systems.

Health IT Security: Will Information Blocking Ban Affect Health Data Security?

 

The #1 Reason Hackers Want Health Data MORE THAN ALL OTHER DATA

  • September 17, 2015

Health care data is richer in personal information than banking records, which, along with its longer informational shelf life, makes it an ideal target for identity theft.

InfoWorld: Why Hackers Want Your Healthcare Data Most of All

Legal Trend: Business Class Action Lawsuits. For the Love of Litigating.

  • September 17, 2015

This week a judge certified a group of banks/credit unions/financial institutions as a class so that their lawsuits against Target can proceed in unison. 

This business class action against Target also improves settlement odds.

Reuters: U.S. judge certifies class action over Target Corp data breach

StreetInsider

8 Reasons WHY the Software & Information Industry Association Opposes Student Data Security Reforms

  • September 17, 2015

The Software & Information Industry Association, writing to U.S. Senators, supports protecting student data but opposes proposed reforms. Here’s why:

  • Software & Information Industry Association members are “engaged in a continuous process to enhance student privacy and data security.”
  • They developed the Student Privacy Pledge 
  • We have strong protection framework of federal and state law
  • We have enforceable privacy policies
  • Binding contracts keep us honest
  •  S.1788 would “unnecessarily add requirements and restrictions that create conflicting definitions and obligations”
  • S 1788 would create “a regulatory environment impossible for school service providers to navigate” 
  • There should be parental choice

SIIA Letter to Senators Blumenthal and Daines on S 1788

6 Trends in State Data Breach Laws

  • September 10, 2015

  • Greater Enforcement Powers for State Attorneys General
  • Protecting More types of data = more reasons to notify consumers
  • Expanded liability for private companies that store state data
  • Requiring companies that have a data breach to offer, at their cost, mitigation services that protect data (think LifeLock, etc.)
  • Protecting Student Data
  • Requiring encryption for stored data
    • As an example, see: 
      • “The new Washington law goes even further as it identifies a minimum standard for encryption, and grants safe harbor only when the breach does not also provide access to the encryption key, or other capacity to decrypt the data.”

State AG Monitor: States Seek Strengthened Data Breach Laws

Lege Trend: Incentives for Companies Reporting Data Breaches

  • September 10, 2015

South Korea is incentivizing reporting data breaches by the private sector. Voluntarily reporting data breaches will save a company up to 30% on fines.

Lexology: Addleshaw Goddard LLP: South Korea introduces incentive for data breach reporting

81% Major Hospitals & Health Insurers Had a Data Breach Since 2013. 50% Prepared for Data Security Threats.

  • September 10, 2015

KPMG reports on data security in health care, and here’s what they found:

  • 81% of major hospitals and insurers have had a data breach in the past 2 years
  • 50% of hospitals and insurers are prepared to stop data breaches.
  • 66% of execs at health plans said they were prepared for a data security attack
  • 13% say they are targeted by external hack attempts about once a day
  • 12% see 2+ attacks per week
  • 16% of healthcare organizations cannot detect in real-time if their systems are compromised

 

“The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise and health care executives are struggling to safeguard patient records,”  said Michael Ebert, leader in KPMG’s Healthcare & Life Sciences Cyber Practice.

 

3 Ways Data Security = Risk Management for Local Governments.

  • September 10, 2015

The good folks at Governing have offered a white paper on local governments and data security.

3 Suggestions:

  • Transparency: Tell Your Constituencies. Spelling out cybersecurity risks and providing information to help public officials fulfill their responsibilities and safeguard their communities
  • Clear Local Gov. Policies. Put it in Writing, People. CYA. Suggesting strategies for integrating cybersecurity into an organization’s risk management framework, and developing and adapting cybersecurity and cyber disruption response policies and plans
  • Work with Private Sector. Discussing the private sector’s role in government cybersecurity efforts; although governments are often leery of collaborating and sharing with third parties, when it comes to cybersecurity, the private sector’s involvement is imperative

Uber Data privacy move in the Sharing Economy

  • September 2, 2015

Uber is taking steps to protect customer data by:

  • hiring Hogan Lovells US LLP to check out how the company collected and used customer data
  • The law firm issued a report which led to Uber releasing a new privacy policy that more clearly notified customers that it can pretty much track everything they do while using the Uber application
    • This then led to a complaint at the FCC about the Uber App tracking customers when they were not actively using Uber
  • “Uber hired former cybercrime prosecutor and Facebook Inc. security leader Joe Sullivan as chief security officer, & is reportedly looking to expand its in-house security team from 25 to 100 members by the end of 2015.”

Bloomberg | Privacy & Data Security Blog

87% of Parents Concerned about Student Data Security

  • September 2, 2015

The Future of Privacy Forum released a poll showing that 87% of parents of K-12 students are concerned about data privacy for their students.

The entire survey will be released Monday, September 21, 2015, at the National Student Privacy Symposium according to The Journal Transforming Education through Technology.

Texas New Data Leaders at Agencies near you

  • September 2, 2015

2 big data security steps from the 2015 Legislature:

  • SB1844 creates the Interagency Data Coordination and Transparency Commission.
    • staff from 10 legislative agencies
    • will evaluate how data is reported, shared, classified and used in the state.
  •  HB1912 created the statewide data coordinator position at DIR to oversee data at all agencies.

State Tech Magazine

Regulatory Trend: Health Care Data Breach

  • September 2, 2015

A health care company experiences a data breach. What’s the regulatory and legal landscape?

  • Civil lawsuits that lead to Class Action lawsuits, check.
  • Penalties imposed by a regulatory agency, check.
    • Health and Human Services reached a $750,000 settlement with Cancer Care Group over a data breach involving HIPAA records.

What can we learn from this incident?

  • health care companies should conduct a risk analysis of information security policies
  • health care companies should have a written policy for taking hardware and disks containing protected health information out of the office

Modern Healthcare

Lege Trend: Legislative Data Task Force. Protect the Data.

  • September 1, 2015

California Governor Jerry Brown announced a new Cybersecurity Task Force today. Its goals are to:

  • “reinforce online security”
  • “protect critical state information from data breaches”

The task force is in response to an audit that faulted California for:

  • lax security measures
  • finding 73 of 77 state entities comply with information security standards.
  • “The 75-page audit criticized the California Department of Technology for failing to identify failing state agencies, and found the state vulnerable to hackers.”

Governor Brown Executive Order | Courthouse News Service

Lege trend: Keystone State Considering Student Data Protection Legislation. Education Vendor Data Sought.

  • August 27, 2015

Pennsylvania State Rep. Dan Miller, a former teacher, is crafting student data security legislation that will:

  • Require ed-tech vendors to delete their data on former students & alert victims of any data breaches.

Like other states, Pennsylvania is looking to California’s landmark student data protection legislation for guidance.

Post Gazette

Lege Trend: Peach Blossom State Passes Package of Data Security Bills: Internet Providers. Education. Employers. Healthcare.

  • August 27, 2015

Delaware this year enacted a package of data security bills, including:

JD Supra

Tech Joins Fight Against Federal Student Data Protection. 3 Reasons Tech Opposes Student Data Security Changes.

  • August 27, 2015

The Family Educational Rights and Privacy Act is undergoing an overhaul. Part of that overhaul is to strengthen privacy protections for student data.

The Internet Association opposes the current proposal  because:

  •  it is too broad/vague
  • it has unprecedented notification requirements
  • it does not preempt state law

The Hill | The Internet Association Opposition Letter

Lege Trend: Governor Vetoes Data Security Bill

  • August 27, 2015

Illinois Governor Rauner vetoed a data security bill this week. 

The bill would have extended notification requirements to data breaches involving medical, health insurance, biometric, consumer marketing, and geolocation information.

The Governor stated that the bill established “duplicative and burdensome requirements.”

Health IT Security | Law360 | LexisNexis

Legal trend: FTC Enforcement Upheld. Retailers Take Note.

  • August 27, 2015

This week, the 3rd Court of Appeals upheld an enforcement action against Wyndham for a series of data breaches that exposed the credit card data of 600,000 customers.  

The ruling solidifies the FTC’s enforcement actions. This year alone there have been more than 90 reported data security incidents.

CRM | The Center for Democracy & Technology | The Recorder | National Law Review

Regulatory trend: Data Security Rules for Contractors. Procurement Beware. Tech Savvy Required.

  • August 27, 2015

Add the Department of Defense to the long list of state, local and federal agencies increasing data security requirements for contractors. Procurement beware, it’s time to get tech savvy.

Talk Radio News Service

Cybersecurity & Infrastructure. Cities Collect Data. Hackers Want Data.

  • August 27, 2015

Local governments collect volumes of data from infrastructure such as:

  • fiber optics and wireless broadband data
  • data from sensors embedded in buildings
  • data sensors  in roadways 
  • data from water, waste and energy use

The data security risks:

  • hackers get into stop light and traffic management systems, security systems, electric grids or water systems
  • internal unintentional or intentional leaks
  • sensors being intentionally fed bad data

The National Institute of Standards and Technology released a recommendation for local government computer frameworks to minimize risk. It’s a tech-heavy identification of risks and solutions based on computer system architecture.

Governing

North Texas Congressman Front & Center on Cyber Security Legislation

  • August 20, 2015

In the political hot spot that is Denton County, Congressman Burgess noted the importance of bringing all stakeholders together on data security legislation by saying,

“I wanted to take an opportunity to hear from people who are working in the research area and the private sector and pull everyone together in a room for the morning and hear what the state of the industry is, and where they thought we might do things to improve it,” said Burgess, R-Lewisville.

Denton Record Chronicle

Trend: Activist Hackers.

  • August 20, 2015

The last few weeks have cemented a growing trend of activist hackers. Examples from the last year:

Expect to see more moves into the realm of politics, social issues, and corporate interests.

Tech Crunch: Hacking for a Cause: Today’s Growing Cyber Security Trend

 

Trend: Student Data Protection. Hello, Education Contractors, It’s You They Are After. States Moving Fast to Protect Students.

  • August 20, 2015

Only a few States prohibit kids’ personal information from being shared by schools with third party vendors, like marketers.

  • California
  • Oregon
  • Delaware

States working to protect student data through legislation or regulation:

  • Maine
  • Maryland
  • Florida
  • Mississippi
  • Georgia
  • Hawaii
  • Iowa
  • North Carolina
  •  Illinois

CBS This Morning: How Safe is Your Kid’s Digital Data at School?

LegalTrend: How Secure Are Your Biometrics on Facebook?

  • August 20, 2015

Privacy class action lawsuits in Illinois assert that Facebook, with its facial recognition tagging software, violates a 2008 Illinois law protecting a person’s biometric information.

The nuts and bolts of the Illinois law:

  • The Biometric Information Privacy Act makes it illegal for a company to collect or access customers’ biometric identifiers without first informing them in writing about:
    • what’s being collected,
    • how the biometrics are being used, and
    • how long biometrics are being stored
  • requires companies to get a written release from those whose data is being collected
  • statutory damages of $1,000 for negligent violations, and $5,000 for those that are “intentional and reckless.”

The Recorder

The Cost of a Retail Data Breach: + $67Million and counting…

  • August 19, 2015

Target has reached another tentative $67 million settlement with VISA over its 2013 data breach & is in ongoing negotiations with Mastercard.

Community banks and credit unions estimate they spent $350 million to re-issue cards after the data breach.

Target still faces a class action lawsuit from consumers.

Wall Street Journal

Data Security Requirements Invade Federal Contracts.

  • August 13, 2015

The Office of Management and Budget is setting forth data breach standards for federal contractors. The requirements include:

  • Required improved data security controls
  • Timely contractor reporting of all cyber incidents
  • Contractors will be required to undergo Security assessments
  • Contractors may face continuous monitoring by the government agency
  • Increased business due diligence before entering into a contract

Details about the OMB workgroup and proposals for contract reform are available at the Improving Cybersecurity Protections in Federal Acquisitions website.

Neiman Marcus Ruling Makes it Easier to Sue a Company for a Data Breach

  • August 13, 2015

Neiman Marcus experienced a data breach in 2013 that exposed credit card information for 350,000. And, as it is with every data breach, lawsuits ensued.

The 7th Court of Appeals answered a lingering legal and legislative issue: whether any actual injury has to occur before suit may be filed. “Chief Judge Diane Wood, who said that fear of hackers in the future is not too “speculative” for a day in court.”

The ruling is expected to apply to both pending lawsuits related to Sony & Target data breaches.

Fortune | Bloomberg

 

Data Security Warning from Largest Educational Supply Company in the World

  • August 13, 2015

Pearson’s SEC Form 20-F report warns investors about:

  • the data breaches it has experienced
  • its need to mine data for its products
  • its concern over regulations and legislation that pose a threat to its ability to mine data for product development and to its financial success

Missouri Education Watch Dog

 

Regulating Data: License Plate Readers. 3 Concerns. 7 States take action.

  • August 12, 2015

In 2007, 17% of police departments were using license plate readers. That number increased rapidly. By 2012, 71% of police departments used license plate readers.

What’s the concern if these help lower crime? The data. Regulations seek to address:

  • How long the data is kept. Minnesota keeps it for 48 hours. New Jersey keeps it for 5 years.
  • How safe is the data
  • How much data is collected about law abiding citizens

6 states have limited the use of license plate readers or prohibited the use outright.

  • Arkansas, Maine, Maryland, New Hampshire, Utah and Vermont
  • In June 2015, Gov. Jindal vetoed a bill that would have clarified that Louisiana law enforcement may use license readers. His veto was based on:
    • fundamental risk to personal privacy
    • that it creates large pools of information belonging to law-abiding citizens
      • “that unfortunately can be extremely vulnerable to theft or misuse.”

Governing

 

Which University Health System is Sued over a Data Breach? Hello class action.

  • August 12, 2015

UCLA finds itself facing a class action lawsuit over a data breach at hospitals in the UCLA hospital system.

So how does a state university system get sued?

  • UCLA is accused of not encrypting patient data including:
    • names, dates of birth, Social Security numbers, health plan identification numbers, and medical information including patient procedures and diagnoses
  • UCLA allegedly did not notify patients in a timely manner
  • UCLA’s lack of action allegedly violated multiple consumer and privacy protection laws

LATimes

 

 

Policies Two Ways: ME Cities Adopt Data Security Policies & Buy Data Security Insurance Policies.

  • August 6, 2015

Maine Municipal Association has added cyber-liability coverage to its insurance plan for municipalities.

Mount Desert, Maine developed a data breach response policy in consultation with the Town Manager, the Police Chief, and a consultant. The data security policy:

  • Defines a data breach as “any occurrence where personal identifying information (such as Social Security numbers or payroll information) is accessed by someone other than an authorized user for anything other than an authorized purpose.”
  • If a breach is suspected, a response team consisting of the police chief, town clerk and contracted information technology (IT) coordinator will immediately investigate.
  • “The source of a breach shall be completely disconnected from the town network” and shall be “left powered on and idle until an investigation is completed,”
  • Notification will be provided to everyone whose personal information might have been compromised 

Legal Trend: Patients Sue Medical Software Company

  • August 6, 2015

Data breach lawsuits are dominating courts. Judges are finding that no specific monetary harm is necessary for these suits to progress.

In the latest health care data breach suit, patients have filed a lawsuit against a medical software company for a data breach.

WNDU Indiana

GM Cars Secure After Onstar Bug Fixed. Tesla Also Secure After Breach Identified.

  • August 6, 2015

Onstar–the savior for people who lock their keys in the car.  Onstar–the way for hackers to take over your car.

Until this week, hackers were able to take control of opening cars, turning on the ignition, and locating the vehicle. The hack took $100 of equipment but was an otherwise easy path to taking over Onstar.

Findlaw

Researchers testing the Tesla system also identified a potential vulnerability and sent out a wireless update to Tesla systems.

TechCrunch

Techies Tell Us- DropBox and the like are Open Doors for Hackers

  • August 6, 2015

Computer Weekly’s Security Editor has a more succinct explanation replete with tech jargon: 

 “common file synchronisation services such as GoogleDrive and Dropbox for command and control, data exfiltration and remote access, security firm Imperva has revealed.”

At the 2015 Black Hat security conference, businesses were urged to begin utilizing “perimeter security to data monitoring and data security.” For more advice, including their recommended security protocols for cloud computing, see Computer Weekly

Hacking Medical Devices. Federal Regulators Issue Warning.

  • August 6, 2015

Medical devices are interconnected. It creates better health care delivery and creates access points for hackers.

Federal regulators issued a warning that a pump used to deliver medicine to patients, the Symbiq Infusion System from medical device-maker Hospira, can be hacked if access is gained to a hospital’s computer network.

Not the first time medical devices and hacking have ended up in the same sentence:

  • In 2011 it was shown that insulin pumps can be hacked.
  • In May, a security firm warned that hospital x-ray scanners can be used by hackers to gain access to patient information.

Washington Post

Data Security. Your Watch or Tablet or Phone. Your Health Care Records- heart rate. pedometer…Draft Guidelines Seek Comments.

  • July 29, 2015

The National Cybersecurity Center of Excellence is soliciting comment on its guide to secure electronic health records on mobile devices. 

NCCOE Draft Guide | Comments are accepted until 9.25.15

27 School Districts. Pilot Program. New National Student Data Security Standards.

  • July 29, 2015

“The Consortium for School Networking, will work toward establishing a nationwide set of standards around student privacy. The end result will be known as the Trusted Learning Environment Seal that public schools can adopt to assure the community that their student’s data is protected.” 

Chalkbeat Colorado

5 Biggest Data Breaches of the Week: Retailers, Health Care, State Government

  • July 29, 2015

  • Georgia Department of Human Services Division of Aging Services |  Atlanta Business Chronicle 
  • Planned Parenthood  |  The Hill
  • Online Photo Printing for a variety of retailers |   WBOY 12
  • Kansas Hospitals and Clinics that Use NOMoreClipboard software  |  KCUR
  • US Census Bureau | Softpedia 

Experian's Top 6 Data Security Trends- Credit Cards, Clouds, Health Care…

  • July 28, 2015

  1. Credit card breaches will rise over the next few months as hackers try to beat the October deadline set by Visa and MasterCard for merchants to accept only the new generation of credit cards that are embedded with computer chips.
  2. Hackers increasingly will target data stored in the cloud. “Hackers are eager to capitalize on the value of consumer online credentials,” according to the report.
  3. Expect more breaches of health care data. One reason: the growing number of access points to protected health info. Another: the growing popularity of wearable technology, which can transmit data to doctors but provide an entry point to hackers.
  4. In light of all the recent high-profile hacks of major companies, legal and regulatory pressure will increase on CEOs and boards. “It is clear that security can no longer be viewed as just an IT issue,” the report said.
  5. Despite all the headlines involving breaches by hackers and foreign countries, disgruntled or negligent employees will be companies’ biggest security threats.
  6. The Internet of Things will become a buzzword in insurance circles. The term refers to the growing cloud-based connectivity of people and their devices, which may provide an easy entry point to all your devices and data.

Crain’s Detroit Business 

Trend: State Adds Data Security Requirements for State Contractors

  • July 28, 2015

Connecticut’s enacted Senate Bill 949 contains significant data security requirements for entities contracting with state agencies and entities in the health insurance and administration business. 

Contracting entities must provide:

  • Comprehensive data-security program, including:
    • the use of security policies,
    • annual reviews of such policies,
    • access restrictions, and
    • mandatory security awareness training for employees beginning July 1, 2015.
  • Restrict access to Confidential Information only to authorized contractor employees,
  • Maintain the Confidential Information in secure servers with firewall protections
  • Implement security and breach investigation procedures.
  • Undergo annual reviews
  • Include ongoing employee security awareness program.

National Law Review

New Student Data Security Bill. 4 Pts. Adds Cloud Computing to Student Data Controls.

  • July 23, 2015

A bipartisan duo of Congressmen and women (Congresspersons?) has a new student data security bill.

Reps. Todd Rokita (R-Ind.) and Marcia Fudge (D-Ohio) rolled out the Student Privacy Protection Act this week. It will:

  • bar schools or private technology companies from selling or using student data for targeted ads.
  • set minimum data security standards for companies handling sensitive student information
  • update the Family Educational Rights and Privacy Act (FERPA) for mobile apps and cloud computing
  • give parents the right to access, alter or delete certain information about their child

The Rokita-Fudge bill would be a companion to an effort from Sens. Orrin Hatch (R-Utah) and Ed Markey (D-Mass.), as both measures revise FERPA.

The Hill

 

Procurement Process. Federal Data Breach.

  • July 23, 2015

The emergency contract for $20M was the tip of the iceberg. By August 14th, the federal government will award a 5-year contract for data security protection for the 21.5M federal employees whose data was hacked. Washington Post

Oh, and that pesky, initial contract of $20M isn’t going so well.  The Austin, TX based vendor cannot keep up with demand. Washington Post

2/3 Health Care Organizations Had Significant Data Breach in Last Year

  • July 22, 2015

Health care organizations are experiencing high levels of data breaches. A poll of health care data security experts lists 2 challenges:

  1. shortages of cyber security experts in health care
  2. financial shortages for cyber security

Health IT Outcomes

Legal Trend: Cost of Monitoring is Damages for a Data Breach lawsuit

  • July 22, 2015

The Neiman Marcus data breach lawsuit can continue according to the 7th Circuit. 

Courts have wrangled with whether a person who had her information stolen in a data breach must have had that information used in a manner to cause harm before a lawsuit can continue.

The 7th Circuit said no to that specific standard and is allowing more damages like the cost of credit monitoring.

Law360

Hacking a Car. Brakes Controlled by Hacker.

  • July 22, 2015

A reporter for Wired details what parts of a car hackers can control while you’re driving. 

Hackers are able to control a vehicle’s:

  • A/C system, changing the temperature in the car
  • The radio, changing channels and volume control
  • Windshield wipers
  • Windshield washer fluid blurring the windows
  • dashboard functions
  • steering
  • brakes
  • transmission

All of the car functions above can be controlled from a laptop by a nefarious hacker. Wired. Congress is trying to stop it with the Spy Car Act.

FTC: the Data Security Protector Failed.

  • July 22, 2015

Lifelock, the company advertising its ability to protect your financial data, violated its 2010 $12 million settlement with 35 state attorneys general according to the FTC.  

“LifeLock vigorously opposed the FTC’s allegations.” The case is heading to the courts.

 

The Hill   Forbes (Lifelock value tumbles)

Financial Institutions Hacked by Americans.

  • July 22, 2015

A JP Morgan hack led to the arrest of 4 in Florida. Federal officials are linking the data hack and stock manipulation.

The financial data breach had previously been thought to be the work of Russian gangs.

The Hill  Bloomberg

 

Retail Data Breach Lawsuit Feeds Shareholder Inquiry into Corporate Records

  • July 16, 2015

Home Depot shareholders are taking action against Home Depot. They have filed suit to request corporate documents, potentially for the purpose of investigating wrongdoing by corporate officers or directors.

Above The Law

Data Breaches Fuel Cyber Security Start Ups

  • July 16, 2015

“In the 2015 first half, venture firms invested $1.2 billion in cybersecurity startups, according to researcher CB Insights.”

Data breaches are taking this nerdy issue, cyber and data security, and turning it into big business, well funded, with a lot of government regulation, oversight, and contracting opportunities.

Wall Street Journal

Representation Opportunity: Insurance in Data Breaches

  • July 16, 2015

For the first time ever, Zurich Surety registers as a lobbyist in Canada amid interest in data security legislation.

Folks, data security insurance is a business that is growing exponentially. The well read will remember that just last week, Information Intelligence brought you news of the first lawsuit concerning insurance coverage in a data breach. 

Rapidly growing industry. Not Yet in Texas. Hello opportunities. 

Canadian Underwriter

Federal Data Breach Sparks Call for Trade Sanctions

  • July 16, 2015

This week, Rep. Mo Brooks (R-Ala.)  introduced the “Protect US Act,” which would:

  • Give the president and Congress the power to add foreign powers accused of harboring or conducting hacking to a “State Sponsors of Cyberattacks” list.
  • The president would be granted power to impose a wide range of trade sanctions on those countries.

China/Chinese hackers were allegedly behind the massive federal government data breach.

The Hill

Data Security and Electric Grids

  • July 16, 2015

Sen. Debbie Stabenow (D-Mich.) and Sen. Martin Heinrich (D-N.M.) say the Energy and Water Development funding bill shortchanges the protection of our electric grid from a cyber attack.

They call for funding the following data security protections:

  • “virtual forensics platform,” intended to detect malicious actors sitting on the network
  • Replace the $11M removed from the Cybersecurity for Energy Delivery Systems

The Hill

Trend: States Strengthening Health Data Privacy

  • July 9, 2015

Connecticut and Oregon both strengthened laws protecting health care data this year. Specifically, the states strengthened protections of personally identifiable information (“PII”).

  • Connecticut did this:
    • Effective October 1, 2015, S.B. 941 
      • Requires notice of a breach of personal information within 90 days of discovery
      • If a breach involves social security numbers, must offer a year of complimentary identity theft prevention and mitigation services, and the notifications must include information on signing up for these services, as well as information on placing a credit freeze. 
      •  Health insurance companies must implement, maintain, and update annually a “comprehensive information security program” to protect personal information (including protected health information, government-issued ID numbers, biometric data, and financial information).
  • Oregon did this:
    • Senate Bill 601 (SB 601) is effective January 1, 2016, and will:
      •  Expand the definition of “personal information” triggering a required notification to include:
        • 1) biometrics
        • 2) health insurance policy number or subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the individual; or
        • 3) any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the individual.
      •  The Attorney General must be notified for breaches of personal information involving 250 residents of the state or more & may bring Deceptive Trade Practices Act violations.
      • The threshold for notification is altered to an “unlikely to suffer harm” standard in place of the previous standard of “no reasonable likelihood of harm” and requires this determination be made in writing by the affected entity and maintained for at least five years.

The Beat @ CooleyHealth

Secure Data by Collecting More Data. Credit Card Companies Look to Biometrics.

  • July 8, 2015

In an effort to protect data, large financial entities, like credit card companies, are looking to facial recognition software to further protect their and your financial data.

Storing biometric information alongside financial information at one company seems like that company is putting up a neon sign that reads, “Hacker Dreams Come True Here.”

Coin Telegraph: Future of Money

47 Attorneys General Oppose National Data Breach laws. Support States Rights.

  • July 8, 2015

47 Attorneys General signed a letter supporting state authority over data breach enforcement and strongly opposing any attempts at federal preemption.

Gen. Paxton is notably absent from the list. Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska were also joined by the following states and territories, according to the news release: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.

Las Cruces Sun News   Montana Department of Justice

Data Breach at the Zoo

  • July 8, 2015

A company that controls concession stands at 9 zoos across the country announced a data breach just in time for summer tourism. 

 

Washington Times

Legal Trend: Stand Alone Cybersecurity Insurance Coverage Denied for Breach Claim. First Legal Case on the issue.

  • July 8, 2015

Say you’re a health care provider. You buy a data breach insurance policy to cover any potential hacks or breaches. You think you’re doing the right thing to protect your business.

Then, your data gets hacked. You file a claim with your insurance company. You’re denied. You go to court.

The insurance company says the health care provider failed to provide the required minimum security standards. 

It’s a case of first impression. It’ll make history and make legislation far and wide, as the claims are state law and federal (HIPAA).

Crowell Moring Data Law

More Data Centers in Texas. More Data Security.

  • July 7, 2015

Ft. Worth is home to a new $500 Million Facebook data center, powered by renewable energy.  

The facility broke ground this week and will be up and running by 2016 with 40 full-time employees.

TechCrunch   Governor Abbott

No Child Left Un-Mined; 79% of Parents Concerned.

  • July 2, 2015

Learning Curve conducted a poll about technology in education, and student data is in its scope:

  •  71% believe technology has improved their child’s education
  • 79% concerned about the privacy and security of their child’s data
  • 75% worried about advertiser access to that data

First Look | The Intercept

National Association of Professional (Insurance) Agents Ramps Up Data Breach Insurance

  • July 2, 2015

NAPA has new data breach compliance and certification. Data breaches are big business, people.  

Data breaches and protecting against data breaches generate:

  • Big legislative pushes
  • New regulations
  • Procurement Opportunities (hello, $21M emergency contract that the federal data breach sparked)

Data breaches impact:

  • bankers, credit unions, financial institutions
  • retailers
  • corporations
  • new lawsuit filings
  • health data
  • student data
  • +more

NAPA

All Data Breaches Lead to Court. 4 Lessons to Learn for Legislation & Corporate Governance.

  • July 2, 2015

Federal employees this week filed suit over the June 4th federal data breach. The breach is said to be the largest in government history, and allegedly the result of Chinese hackers seeking super secret spy information.

The crux of the lawsuit is something all corporations should pay heed to, as it’s the same argument made by plaintiffs in the Target and Home Depot breaches too: how much knowledge did the government have about potential breaches, and did the government fail to act? As for the feds, the lawsuit alleges:

  • The federal government was on notice because:
  • “10 million confirmed intrusion attempts targeting its network in an average month”
  • OPM Breach potentially affects 18 million federal applicants
  • OIG found that in many areas the OPM’s performance actually got worse: in a 2014 OIG report, the “drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.”

Courthouse News Service

The Federal Government Is Here to Help with Data Security. Never mind that massive federal government data breach…

  • July 1, 2015

The Federal Trade Commission has released new guidelines for corporate data security. FTC has the power to fine companies for data breaches, so take heed. 

Recommendations include:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

FTC Start with Security coming to UT law November 5th

FTC Guide for Businesses

67% of Healthcare Companies Had Data Security Issues Last Year

  • July 1, 2015

Healthcare Management Information Systems Society released a new survey about data security and healthcare. The results:

  • 2/3 of healthcare companies responding experienced a data security issue within the last year
  • 87% say data security is an increasingly higher business concern for healthcare
  • 69% say their concern about data security is motivated by phishing
  • 46% say the highest data security concern is internal negligence
  • 57% have at least 1 full time staff person dedicated to data security

MedCity News

Data Breach Cause and Effect: Heads Roll. Not the Hackers.

  • July 1, 2015

An imminent departure by the director of the Office of Personnel Management, Katherine Archuleta, appears likely.

She leads the federal agency at the center of the largest government data breach ever.

What we know: Alleged Chinese hackers. Forthcoming federal agency resignations.

The Hill

EU Data Protection Legislation = Generate Business of €415 billion per year

  • June 25, 2015

Data security, from student data to retail data to contracts to clean up data breaches, is big business. The EU, often seen as taking a stronger approach to data protection, predicts it will be big business to the tune of 415 billion euros a year.

Psst: a Euro is more valuable than a US Dollar.

Computer Weekly