Topics
Cybersecurity & Tech
Cybersecurity & Tech
Business TREND. One State law. Company Applies Standard Nationwide.
What company? Microsoft
Which law? California’s Consumer Privacy Act
What is Microsoft saying in support?
- strong supporters of California’s new law
- support the expansion of privacy protections in the United States
- privacy is a fundamental human right
- privacy laws should be further strengthened by placing more robust accountability requirements on companies
Microsoft | Microsoft will honor California’s new privacy rights throughout the United States
New Study.Procurement. More Requirements for Election Vendors.
WHO: Brennan Center for Justice
WHAT: A Framework for Election Vendor Oversight
WHY:
- 80% of voting systems controlled by 3 vendors
- little or no oversight of the security of these vendors
RECOMMENDATIONS:
- New federal certification program to issue standards
- Enforce vendors’ compliance with the standards
- Institute mandatory compliance audits
- Utilize a Technical Guidelines Development Committee that includes cyber security experts
NIH Wants Industry Feedback on Data Security + Health
Where do I see the proposal: Federal Register Request for Public Comments on a DRAFT NIH Policy for Data Management and Sharing and Supplemental DRAFT Guidance
The goals: improve the current data management and sharing policy for NIH funded or conducted research (Bonjour, to all your medical research and pharmaceutical research clients)
What best practices does NIH want to establish?
- responsible management and sharing of scientific data
- including exceptions or limits to data sharing
Comment deadline: January 10, 2020.
Health IT Security | NIH Seeks Input on Data Sharing Plan, Including Privacy, Security
New Kid on the Block. Corporate Partnership to Protect Infrastructure
WHO: The Chertoff Group + Dragos
WHAT: A policy intelligence & communication shop + a industrial control system shop
WHY: High Tech infrastructure is a data security target
WHAT ARE INFRASTRUCTURE OPERATORS SAYING?
- Texas Central Rail: “As we usher in 21st century transportation solutions represented by high-speed rail, we believe that the safety of our future passengers is paramount.”
Data Breach at Health Agency. By the Numbers.
$1.6 million cost of federal fine to the state health agency
6,617 people had their personal health information accessible
How did the data breach occur?
- “an internal application was moved from a private, secure server to a public server, where a software flaw allowed the private information to be viewed without access credentials.”
- no risk analysis conducted
- no access and audit controls
The state agency: Texas Department of Aging and Disability Services
Government Technology | Data Breach Costs Texas Health Agency $1.6 Million
3 Reasons for Standard Cyberattack Reporting
Who is calling for standard reporting? Harvard Business Review
Why? The nature of attacks are borderless, fast moving and difficult to predict or manage
What reasons support standard cyberattack reporting?
- Information Sharing. The wheel isn’t being recreated. Attackers will repeat methods.
- Certain Data will inform planning and defenses. this includes:
- dates relevant to the incident
- type of incident
- size of impact on financial results or ability to conduct business
- type of impact
- method used to access the network or data
- how the incident was resolved
- Enforcement. Regulators need this data too to enforce bad actors and educate constituencies
Harvard Business Review | We Need a Global Standard for Reporting Cyber Attacks
Regulatory TREND. Allowing Cyber Security Donations to Physicians
Which regulatory agency is considering this? United States’ Department of Health and Human Services
What type of donations would be permitted? non-monetary exception to the regulatory Anti-Kickback Statute
What do the rules look like? DHHS proposed cybersecurity donation rules
Why is this critical? Interoperability and data sharing in healthcare makes an entire health care system vulnerable to one office with a cybersecurity weakness
InfoSecurity | US Proposes Legalizing Cybersecurity Tech Donations to Doctors
Legislation to Shore Up City Cyber Security
Where: Congress
What is the legislation: Klobuchar, Peters, Johnson, Lankford Introduce Bipartisan Bill to Strengthen Cybersecurity for Local Governments
What will it do?
- Require the Department of Homeland Security to provide resources and assistance to cities
- Provide cities with .gov domains administered by the federal government
The Hill | Senators introduce bill to strengthen cybersecurity of local governments
State School Grants for Cyber Security. Procurement Opportunity.
Where: Massachusetts
How much cybersecurity funding will Massachusetts offer schools? $250,000 to 94 municipalities and public school districts
What will the grants fund? training 42,000 employees
How does the funding flow? From the Governor’s Office, Executive Office of Technology Services and Security.
Center for Digital Education | Massachusetts Announces School Grants for Cyber Training
State Privacy Legislation 2020 Forecast
States Considering bills like the California Consumer Privacy Act legislation:
- Massachusetts
- Minnesota
- Pennsylvania
- New Jersey
- New York
States where legislation fell apart because of stakeholder disagreements in 2019:
- New York
- Washington state
States where privacy legislation failed:
- Arizona
- Florida
- Kentucky
- Mississippi
- Montana
States studying how to proceed:
- Connecticut
- Hawaii
- Louisiana
Coalition Against Facial Recognition Tech Regulation
What private business entities are concerned by facial recognition regulation?
- Airports Council International – North America
- American Association of Airport Executives
- Consumer Technology Association
- Global Business Travel Association
- Identification Technology Association
- International Biometrics + Identity Association
- NetChoice
- Security Industry Association
- U.S. Chamber of Commerce
Why are these business interests concerned about facial recognition tech regulation?
- a moratorium is premature
- we need responsible use of this software
- we can’t stifle innovation in this sector, and a moratorium would be stifling
US Chamber of Commerce | Coalition Letter on Facial Recognition Technology
Wall Street Journal | Business Groups Push Back Against Proposed Facial-Recognition Bans
3 Study Points for Governments + Biometric Data
Who is raising these points about biometric data? Silicon Valley Congressman Khanna
What should Government be asking about the collection of biometric data?
- is the data collected for a discriminatory reason?
- no profiling
- no systemic bias
- are there clear ethical guidelines?
- if there are complaints that show a disparate impact on race, religion, or gender
- the biometric data use should be halted until the disparate impact is corrected
NextGov | Silicon Valley Rep Calls For Task Force, Legislation on Government Use of Biometrics
+1 State Cyber Reserve
What is a Cyber Reserve? A special unit in the national guard but for cyber events
Where: Ohio
The legislation: SB 52 (2019 | OH)
The state funding to support the special unit: FY1 $100,000 & FY2 $550,000
Sandusky Register | DeWine signs cyber reserve law
Cincinnati Public Radio | DeWine Signs Bill Creating Ohio Cyber Reserve
What is this new term “zero data”?
What does zero data mean? Isn’t everything data and data is king, queen & court jester? companies that don’t store their own data
Where is the data being stored? 3rd party companies store the data for use by the company that originated the data
What’s the benefit to companies? The liability for the data goes to the 3rd party
Tech Crunch | Very Good Security raises $35M in Series B in ‘zero data’ push
3 Reasons For a National Crypto Currency
Who is calling for a national cryptocurrency? Congressmen French Hill & Bill Foster
Who are the Congressmen asking to authorize a national cryptocurrency? Chairman of the Federal Reserve System
Why a national crypto currency?
- to bolster the dollar’s strength
- other countries are doing it:
- Sweden has an electronic krona
- Uruguay an electric peso
- The Central Bank of China is unveiling an electronic currency in 2020
- Private Sector in the US is also creating digital currencies including JP Morgan & Wells Fargo
Cryptocurrency Post | US Congress calls on Fed to consider creating “national digital currency”
Data Privacy Legislation. Criminal Penalties for CEOs
Where: Congress
What: Senator Wyden’s Mind Your Own Business Act
How would the criminal penalties attach?
- “Consumers must be able to control their own private information
- Companies must provide vastly more transparency about how they use and share our data
- Corporate executives need to be held personally responsible when they lie about protecting our personal information.”
Is this about a specific tech company? “Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences,” the senator said this week. “A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government.”
NextGov | Privacy Bill Could Put Dishonest Tech Execs Behind Bars
3 Things Tim Cook Said about Crypto Currency
Who said this? Apple CEO Tim Cook
Who did he say it to? Les Echos newspaper
What did he say?
- Apple has no crypto currency plans
- Private Entities should not try to gain power by creating currencies ( we see you Facebook)
- Currency should “stay in the hands of countries”
Cryptocurrency News | Tim Cook Talks Cryptocurrencies: It’s a No for Tech Behemoth
3 Reasons Medical Data is the Most Valuable Data
What value is attributed to medical data? 50 times more valuable than a credit card number
Who is offering that valuation? ClearDATA Chief Privacy and Security Officer and Founder
Why is medical data valuable?
- Can build an entire identity
- The person can access drugs & medical treatment
- The life span of the data is longer than a credit card
Healthcare Dallas CEO | Why Medical Data is 50 Times More Valuable Than a Credit Card
How a State’s Public Education Privacy Council Tackles Student Data Privacy
Where: Maryland
How did we get action from the Maryland’s Privacy Council?
- 2019 audit of Maryland Education Department’s data-storage practices revealed 1.4 million students and 233,000 teachers personal data at risk
- 2015 state law, Student Data Privacy Act of 2015
- 2018 the Parent Coalition for Student Privacy gave Maryland a D+
Who serves on the privacy council?
- Deputy state superintendent for the Maryland Office of Teaching and Learning
- 2 state congressional representatives
- data-privacy experts
- state Education Department administrators
EdScoop | Maryland privacy council tackles substandard student data protections
Anatomy of Tech Local Campaign Contributions.
Who: Amazon
Where: Seattle
What does their local political contribution plan look like?
- 11 members of Amazon’s so-called “S Team” — senior leaders who report directly to CEO Jeff Bezos
- Many 1st time contributors
- record-setting $1 million contribution to a pro-business political-action committee
- 2017 was the first year Amazon began local contributions in Seattle
Seattle Times via Governing | Amazon Buys in Heavily to Seattle Council Races
+1 City Cyber Insurance. Anatomy of the $20M Policy Purchase.
Where: Baltimore
What happened to spark the $20M cyber insurance policy? The city experienced a ransomeware attack that cost the city $18M
How did the bidding process work?
- 17 different carriers bid
- 2 contracts issued
- combined total of $835,103
- Chubb will provide $10 million in coverage, with a price tag of $500,103
- AXA XL price tag of $335,000 for coverage of $10 million
Governing | Baltimore Authorizes Purchase of $20M Cyberinsurance Policy
International CryptoCurrency Laws & Regulations Forthcoming
Who is calling for international rules for cryptocurrency?
deputy governor of the Banque De France, the central bank of France
Where were the remarks made?
Forum of Monetary and Financial Institutions
Why now? Cryptocurrency isn’t that new? Facebook. Its proposed cryptocurrency “could become a threat to international stability due to its huge user base.”
IHODL | Deputy Governor of Bank of France: We Must Develop Standard Crypto Regulation
3 More Data Sets Covered by Data Breach Laws
Where: California
What: AB 1130 (2019 | CA)
Which new pieces of data are protected and trigger breach notifications?
- passport information
- taxpayer identification numbers
- military identification numbers
Bloomberg Law | California Extends Data Breach Law to Passports, Biometric Data
On Your RADAR: Facial Recognition Software Rules for Schools
What are the benefits of facial recognition software in schools?
- SAFETY. Ability to identify who is in a school with proper permissions
What are the harms of facial recognition software?
- WATCHING. Actively monitoring and watching students raises eyebrows to Dan Levy heights
- UNRELIABLE. Facial recognition software is not reliable especially for people of color and women
What schools are in the spotlight for using facial recognition software? Texas City High School, Putnam City Schools in Oklahoma, West Platte, Missouri, Spring Hill Independent School District in East Texas
Are there schools prohibited from using facial recognition software? Yes, San Francisco, Oakland
Wired | The Delicate Ethics of Using Facial Recognition in Schools
3 Ways TX used disaster plan to counter ransomware
Who explained the situation? Texas CIO Todd Kimbriel
To whom was the situation explained? National Association of State Chief Information Officers annual conference in Nashville, Tennessee
How did the disaster plan work?
- 1st city to detect something was wrong called its managed service provider in the early morning of Aug. 16. By 8:46 a.m.
- Department of Information Resources had been alerted that several local governments around the state had been hit with ransomware
- By noon, the state operations center in Austin was up and running
- Coordinating several different agencies to begin responding to the attack
What agencies coordinated efforts?
- DIR
- Texas Department of Emergency Management
- National Guard
- Texas A&M University
What facilitated this coordination? 2017 legislation that expanded the Governor’s emergency declaration powers to cover cyber events
State Scoop | How Texas used its disaster playbook after a huge ransomware attack
RFRA Bills Meet Tech Companies
Where: Michigan
What’s RFRA? Religious Freedom Restoration Act
Why are new state bills being filed? To keep tech companies like Google and Facebook content neutral
What’s the actual issue? Whether tech companies should monitor fake news and hate speech
What’s the legislation in Michigan? HB 4801 (2019 | MI)
Governing | Michigan Bill Aims to Stop Facebook, Google From Blocking Speech
Data Sale Prohibition. First Responders.
Where: New York
The legislation: S4119 (2019 | NY) signed by Governor
Who can first responders sell patient information to under this bill?
- health providers
- the patient’s insurer
- parties with appropriate legal authority
Who cannot buy 1st responder patient data under this bill?
- advertisers
- marketers
- promoters
- to any activity used to influence sales
Health IT Security | New York Law Bans First Responders from Selling Patient Data
Legislative Future: Blockchain + Education Policy
What are 4 ways public education can use blockchain technology?
- smart boards
- student records
- control the dispersal of copyrighted materials
- innovative learning platforms
5 GDPR Enforcement Issues for Governments
How do you make companies report breaches?
How to do you make companies comply with reporting deadlines?
How do you make companies comply with data security assessment requirements?
How do you get companies to conduct privacy impact assessments to understand cyber vulnerabilities?
How do governments manage fine penalty revenue?
Data Security Rulemaking Unintended Consequence
What is the unintended consequence? Public comments submitted by political operatives without permission or comments from a dead person
How many fake public comments are we talking about? The NY Attorney General estimates 9.6 million stolen identities submitted comments
Where is the image problem? The stolen identities have allegedly been traced to a political organization backed by the largest telecommunications companies
Fiscal Impact of Data Breaches on Health Care Providers
Who gathered the data? American Medical Association, IBM, Ponemon Assoc., American Dental Assoc.
What does the data say?
- 3 Alabama hospitals operating under emergency procedures since a cyberattack on Oct. 1
- Healthcare has the highest cost per record hacked
- More than $400 per consumer record cost to healthcare providers
Reasons healthcare data is sought by hackers?
- sold for insurance-fraud purposes
- used for extortion purposes against affected health organizations
Wall Street Journal | Smaller Medical Providers Get Burned by Ransomware
Why a State Suspended its Bitcoin Tax Payment System.
Where: Ohio
What: Ohio created a system to permit taxes to be paid by cryptocurrency
When did they suspend the bitcoin payments? less than a year after it was created
What entity suspended the system? A vote by a state panel that oversees the state’s banking and financial methods
What are the next steps? The State Attorney General will investigate if the bitcoin tax payment system was legally created
Are there non-cryptocurrency reasons behind this? Yes, a change in State Treasurer, the office that created the bitcoin payment system + a non-competitively bid contract to operate the bitcoin tax payment portal
Cleveland.com | Ohio suspends bitcoin tax-payment program. And it’s not clear if it’s coming back.
3 Budget Line Items Veto due to cybersecurity concerns.
Which Governor said funding cyber security concerns supported line item vetos? Michigan’s Governor
What items were vetoed to protect the state’s cybersecurity?
- school aid spending focused on specific vendors
- increase per student funding for charter schools
- funding for a tourism campaign
Detroit News | Gov cuts GOP pet projects in bid to restart budget, road aid talks
New Ransomware Study. Number of Attacks. Cities. Healthcare. Schools.
Who authored the ransomware study? The security firm Emsisoft
What time period does the data cover? January 2019-September 2019
What is the impact of ransomware attacks?
- 621 US government entities, healthcare providers and school districts, colleges and universities were hit this year
- 68 state, county and municipal entities
- $5.3 million in total ransom demands
- 62 incidents involving school districts and other educational establishments
- impact to 1,051 individual schools, colleges and universities
- 491 ransomware attacks this year affected US health care providers
- $8 billion in global losses from ransomware, up 60% from 2018
Security Week | Ransomware Hits Hundreds of US Schools, Local Governments: Study
Business TREND. Retailers Accepting Crypto Currency.
Where: Sephora stores in France
What protocols will be used to accept bitcoin/cryptocurrency? Global POS’ Easy2Play payment platform and EasyWallet app
Global Cosmetic News | SEPHORA TO ACCEPT CRYPTO CURRENCY IN STORE
Policy Issues for Cyber Security in Autonomous Vehicles
Where is there pending legislation for cybersecurity of autonomous vehicles (AVs)? Congress
What is the legislation? S.1885 – AV START Act (115th Congress)
What are the policy issues for AVs?
- requiring autonomous vehicle manufacturers to develop and execute a plan for reducing cyber vulnerabilities
- should a manufacturer have a cybersecurity plan before it can sell vehicles?
Who are stakeholders in the legislation?
- a coalition of consumer rights
- public health and first responder groups
- vehicle manufacturers
- ride share companies
The Hill | Cyber rules for self-driving cars stall in Congress
Crypto Currency + Human Trafficking Legislation + Utilities
Who is calling for Human Trafficking legislation to include a cryptocurrency angle? former director of the Office of Illicit Finance at the U.S. Department of Treasury
What is the link between human trafficking and cryptocurrency? human traffickers use anonymous, decentralized financial systems (bitcoin etc…) to shield payments of unlawful activities from police and regulators
How can this be regulated?
- Better oversight over cryptocurrency miners by tracking excessive electricity usage
- Create a new form of regulated financial institution, a “virtual asset transaction validators,” , crypto miners
- the financial transaction validators would be gatekeepers to watch for bad actors
National Law Review | Former Director of Office of Illicit Finance Calls on U.S. Congress to Regulate Crypto Miners in Effort to Combat Human Trafficking
State Procurement. Consolidating Data Centers. Welcoming Private Cloud Computing.
What are 3 ways Nebraska reduced spending by consolidating data centers?
- Closed a statewide data recovery center
- Co-located the data center with a county data center
- State runs a private data cloud that local governments use to store data
How long did the process take? 18 months to consolidate 22 state agencies
State Tech | States Find Security and Savings in Private Clouds
How did Ohio switch from data centers to private cloud for data security?
Who led the switch to private data cloud in Ohio? Ohio Office of Information Technology
How did the process start? legislation? No, it was by Executive Order.
How much will Ohio save?
- 2,459 to 1,896: Retirement and attrition of IT infrastructure staff
- $40 million to $980,000: Reductions in annual agency server hardware spending
- $28 million to $3 Million: Hardware repairs and maintenance
- $54 million to $35 Million: Backbone network optimization
- $34 million to $27 million: Software
State Tech | States Find Security and Savings in Private Clouds
4 Ways States Use Blockchain for Data Security
Where: Colorado
What are examples of state programs that lend themselves to blockchain?
- transferable licenses
- land rights
- tracking complex grant programs
- food safety
How has Colorado adapted to state use of blockchain/distributed ledger technology?
- Colorado created the position of Blockchain Architect
State Tech | Data Security Emerges as Top Government Application for Blockchain
Anatomy of a State Cyber Risk Fund. Procurement Opportunity for Insurance Carriers.
Where: Arizona
What is the funding request for the Arizona State Cyber Risk Fund? $22.5 Million
What would it fund? statewide insurance & response for data breaches to state agencies
AZ Mirror | Arizona agency wants $22 million for ‘cyber risk fund’
New Report. Government Incentives for Cyber Insurance Policies
Who is recommending incentives for cyber insurance? Foundation for Defense of Democracies
Where did the Foundation for Defense of Democracies make this recommendation? In its report The Role of Cyber Insurance in Securing the Private Sector
What types of government incentives were recommended?
- tax credits for all government contractors who have cyber insurance
Why are government incentives necessary? Industry has failed to incentivize action
2 Reasons Schools & Libraries are the Preferred Target for Big Game Hackers
What commonalities do schools & libraries share that draws hackers to them?
- lack of funding
- lack of cyber security resources
2 most common hacks before ransomeware:
- malware
- banking trojans
Local TREND. Cities + Private Business = Cyberthreat Warning
Where: Los Angeles
What is this non-profit public private partnership that L.A. created? LA Cyber Lab
Who is involved in LA CyberLab?
- IBM
- Entertainment industry
- Utility representatives
- Local Universities
- Health care industry
- Telecom
What are the goal os the LA Cyber Lab?
- provide businesses with threat intelligence
- build better local level digital defense
Election Cybersecurity. 1st State to Ban Bar Codes.
Where: Colorado
What: Colorado is the 1st state to ban bar codes (QR Codes) from paper ballots
How are QR Codes/bar Codes used on paper ballots? The bar codes/QR codes are a means to count paper ballots
What did the Colorado Secretary of State say? Voters had no way to verify the bar code or QR code and as such the codes did nothing to secure elections or instill voter confidence
Fox 31 | Colorado becomes first state to ban barcodes for counting votes over security concerns
Business TREND. Tracking Event Ticket Holder Locations.
What ticketing entity is tracking its ticket holders? University Alabama at football games
Why are student location tracked when they attend football games? Incentives are given to students who stay through the 4th quarter
+1 Legislature. Yes, cameras. No, Facial Recognition.
Where: California
What: AB 1215 (2019 | CA)
How did the Legislature split the difference to approve cameras and disapprove facial recognition?
- Approving law enforcement body cameras
- Excepting and prohibiting cameras with facial recognition
- Prohibiting using footage from body cameras for later use by facial recognition software
What arguments support prohibiting facial recognition?
- Privacy of California residents
- Need to encourage trust in communities
- Support of the transparency that cameras provide law enforcement
- Avoiding the police being seen as a tool of surveillance
Other states did the same? Yes, Oregon
CNBC | California legislature bars facial recognition for police body cameras
51 Tech Execs Calling for Federal Data Privacy.
Where can I find the list of 51 tech companies:
Their September 10, 2019 letter is here.
Did the tech companies work with a business group?
Yes, Business Roundtable
What are the top 3 arguments the 51 tech CEOS make:
- We support data privacy
- The burden shouldn’t be on consumers to keep up
- There can’t be 51 different sets of rules for data protection
What else do I need to think about? When Major US Auto Manufacturers asked for action on emissions and the federal government did not act, the major auto dealers negotiated a deal with California.
What states could the tech companies go to to negotiate a deal? States most active in data privacy: California, Washington State, New York
ZD NEt | 51 tech CEOs send open letter to Congress asking for a federal data privacy law
Cybersecurity +Pensions.
Who was hacked?
A law enforcement pension in Oklahoma
How much was stolen?
$4.2 Million
What happened?
- investment manager for the fund was hacked
What regulatory/legislative reaction is forthcoming?
- Cybersecurity standards for outside and internal investment managers at pension systems
Other pensions hacked:
- 2016 $100,000 hacked from a Pennsylvania borough’s police pension fund
- 2017 hackers stole the identities of more than 100 retired Iowa public employees to claim pension payments
InfoSecurity | Hackers Steal $4.2m from State Troopers’ Pension Fund
+1 State new blockchain legislation
Where:
Illinois
What bill did the Illinois Governor sign?
Public Act 101-0514, also known as the Blockchain Technology Act
How does the bill embrace blockchain technology?
- legal recognition of smart contracts
- legal recognition of blockchain-based records
- legal recognition of blockchain-based signatures
3 Consumer Demands Post-Data Breach for your clients and companies.
WHO called for the study on consumer expectations and data breaches?
Experian
WHAT did consumers say?
- 90% more forgiving of a company that responded to a breach in a prompt & transparent manner
- 66% would stop doing business with a company that dillydallied in the face of a data breach
- 6 weeks the number of weeks it took Experian to tell consumer
3 Jurisdictions. Blockchain Voting.
WHERE is blockchain voting happening?
- Most recent: Utah County
- 2018 West Virginia tested it in federal elections
- May 2019 Denver tested blockchain voting for a municipal election
HOW did Utah County test blockchain voting?
On military ballots
WHAT are 4 benefits of blockchain technology for elections?
- ease of voting
- transparency of the process
- high security standards
- higher percentage of oversees voters will vote
Governing | Utah County Puts Blockchain Voting to Test in Live Audit
Hackermoon | Utah Becomes The Third U.S. Jurisdiction To Offer Blockchain-Based Mobile Voting
New Kid on the Block: Companies Data Gathering Properties that are AirBnB or VRBO
What triggered this new enterprise? enforcement of short term rental legislation
Where is their business? Local government contracts
3 Calls for Transparency in Health Care Due to Data Breaches
Where: Massachusetts
What 3 Calls for Transparency:
- Prohibit removal of hard copy documents from office
- Disclosure of how long it took to locate a breach
- Engage in risk analysis and have a clear plan to mitigate risks
Health IT Security | Healthcare Most Impacted by Data Breaches, Insiders Root Cause
Health IT | In light of MGH healthcare data breach, experts call for transparency
New way to address facial recognition policies.
Where: E.U.
How are facial recognition software the GDPR interacting?
- Citizens would be given explicit rights over their facial recognition data
- Citizens would have a right to know when it’s used
- It would apply to facial recognition by business, governments, law enforcement and security forces
What is the policy stance of the EU’s incoming President? “a co-ordinated European approach on the human and ethical implications of artificial intelligence,”
Engadget | The EU may give citizens more control of their facial recognition data
Legal & legislative TREND. When can a person sue for a data breach
Where: Georgia Supreme Court
What is the issue? Is actual financial harm required before a person can sue over a data breach?
Is this issue limited to Georgia? No
Decipher | GEORGIA SUPREME COURT CONSIDERS WHEN DATA BREACH VICTIMS CAN SUE
+1 State Insurance License Data Security Law
Where: Delaware
What legislation? HB 174 (2019 | DE)
What does HB 174 do?
- requires insurance licensees to implement information security programs
- report instances of data breaches
- Permits enforcement by the Department of Insurance to investigate violations & levy penalties
Delaware Business Now | Insurance Data Security Act signed into law after wave of data breaches
Election Security. Electronic Registration Information Center. 29 States.
Which state is the latest member of the Electronic Registration Information Center? Florida
What does the Electronic Registration Information Center provide states?
- ability to crosscheck voter registration data
- against the data in 29 other member states
- identify duplicates & outdated records from voters who have moved or died
Government Technology | Florida Joins Electronic Registration Information Center
Industry TREND. Confidential Computing Consortium.
Who announced the Confidential Computing Consortium? Linux Foundation
What other tech companies are involved?
- Alibaba
- Arm
- Baidu
- Google Cloud
- IBM
- Intel
- Microsoft
- Red Hat
- Swisscom
- Tencent
The goals of the consortium:
- defining and accelerating the adoption of confidential computing
- accelerate the confidential computing market
- influence technical and regulatory standards
- build open source tools
Partnership Opportunities: Schools and CyberBullying
Where is a school district engaging in a partnership on cyberbullying? Harlingen CISD
Who is Harlingen CISD partnering with on cyberbullying? Department of Homeland Security
What are the goals of the partnership?
- educate the community on cyberbullying: the signs, how it occurs, who is involved, where it occurs (apps, email, the web)
- crack down on cyberbullying
4Valley Central | Cyber bullying on the rise, local school partners with Homeland Security
+1 Governor Executive Order on Ransomware Training
Where: Georgia
What action did the Georgia Governor take by Executive Order?
- reconstituted the State Government Systems Cybersecurity Review Board
- require all state workers to undergo training to prevent ransomware attacks
Georgia Governor Executive Order 08.13.19.01
Anatomy of a State Allocation of Cybersecurity Funding
Where: North Carolina
How is North Carolina proposing to allocate cybersecurity training funds?
- skip over state institutions of higher education
- allocate funds to a small private college
What is the higher education cybersecurity landscape in North Carolina?
- UNC cybersecurity program is well regarded, long standing for 20+ years
- National Security Agency and Department of Homeland Security have recognized five UNC system universities, two community colleges and Montreat as National Centers of Academic Excellence in Cyber Defense
Carolina Public Press | NC cybersecurity funds could bypass state schools, go to small college
Landscape of Data Security laws in 2019. Retreat. Retreat.
How many states considered legislation? 24
How many states enacted legislation? 3: Nevada, Illinois, and Maine
How many states created a task force instead? 5: Texas, Hawaii, Louisiana, North Dakota and Connecticut
How many states enacted legislation in 2018? 1: california
How many states pushed cybersecurity legislation to 2020? 7: Massachusetts, Minnesota, New Hampshire, New Jersey, New York, Pennsylvania, and Washington
How many states saw cybersecurity legislation fail? 7: Arizona, Florida, Kentucky, Maryland, Mississippi, Montana, and New Mexico
Key to Cyber Security Laws: Liability Protection
Who is touting liability protection as integral to cybersecurity legislation? National Security Institute at George Mason Univeristy Antonin Scalia School of Law
Why is liability protection crucial?
- incentivizes beneficial action by industry
- corrects negative incentives created by liability for technical missteps that do not harm consumers
- promotes sharing of security issues and solutions
3 Ways HIPPA Does not Address Modern Data
Who is making the argument about HIPPA needing to adjust to modern data? Apixio Chief Technology Officer
What 3 reasons were given as HIPPA inability to meet modern data?
- healthcare providers cannot keep up with the threat on their own
- HIPPA created an unequal level of protection of data as data flows
- this is a system wide need to protect data and health agencies could benefit from insights from law enforcement and transportation agencies
Health IT Security | Healthcare Needs More than HIPAA, Legislation to Improve Security
Another Data Broker Registration Bill.
Where: Congress
What bill will require data broker registration? S2342 (116th Congress)
Which agency will oversee the registration? the FTC
How many requirements did the FTC want to place on data brokers? 3
- consumers unlimited access to their data, including any sensitive data
- give consumers a reasonable level of detail to their data
- require opt-out tools for consumers to suppress the use of their data
Are states requiring registration of data brokers? Yes, Vermont already has
National Law Review | Bill Introduced to Require Data Brokers to Register With FTC
Tech Company Opposition Arguments to Arizona’s New Data Security Law for Car Dealers
Where: Arizona
What legislation: HB 2418 (2019 | AZ) a bill about data security and motor vehicles
What arguments are tech companies making in opposition?
- federal Constitutional preemption
- violation of Digital Millennium Copyright Act, Copyright Act, Defend Trade Secrets Act, Computer Fraud and Abuse Act, Gramm-Leach-Bliley Act, Federal Contracts Clause and Dormant Commerce Clause
The policy tech companies do not like: Allowing 3rd parties to have access to private consumer information in the supply dealer management
Legal Newsline | Tech companies challenge Arizona’s new cybersecurity law
Election Security. State with least paper ballot numbers: TX
Want to track election data on paper ballots and new machinery? Look no further than here from Politico
69 of 254 Texas counties will remain paperless for the 2020 election
Does your State Legislature have Cyber Security Caucus? Health Care Record Hacker Briefings are a must
The U.S. Senate does.
The Senate Cybersecurity Caucus this week learned:
- January through June 2019 285 breaches of 31.6 million health records
- 28 % are insider threats looking at records that they should not
1st Presidential Campaign to Hire Information Security Officer
Mayor Pete Buttigieg campaign is the first to hire a Chief Information Security Officer to cover every internal strategic meeting and plan.
Anatomy of a Hack of a City’s Water Department
Where: City of Murfreesboro, TN
What did the hack look like? The city’s water department page was replaced with a photo of Guy Fawkes
The hack target: a payment portal
AP | Tennessee city website compromised by ‘Iranian Hackers’
Bifurcated Data Security Laws. Who.What.Where.
Who & Where: Western Australian government
What: Data Security law that will create 2 parallel government oversights
What is the bifurcated approach?
- Privacy Commissioner
- “promote privacy measures and ensure accountability, as well as receive and resolve complaints”.
- Chief data officer
- “responsibility for supporting the public sector in the correct use and reuse of information, as well as management of data”.
Western Australia Privacy and Responsible Information Sharing
IT News | WA offers first glimpse at future data sharing laws
Research Fund Supports Cyber Security
What: Professional Services Council Foundation created the Mark L. Cohn Research Fund
Why? ” promote innovation through research primarily focused on cybersecurity and other emerging technologies.”
Corporate Partner: Unisys
Cyber Security Insurance. More Policies Purchased. Fewer Providers.
Why are providers concerned about writing cyber security insurance policies?
- From a business perspective: hard to ascertain the right information necessary to build the mathematical models to assign risk
- From a state policy perspective: the more cyber security laws that pass, the more attractive cyber insurance is
How much have policies increased since 2015? Total $2 billion last year, up 26% according to Moody’s Investors Service
3 Industries buying the most cyber policies: education, hospitality and retail industries
CyberScoop | Demand for cyber insurance grows as volatility scares off some providers
US Conference of Mayors + Data Protection at the Edge Resolution
What is Data Protection at the Edge Resolution?
- Security measures for
- Physical intrusion and infiltration of edge sensors
- Deployed with smart city technologies
What lingo do I need to know?
- “fault-tolerant technology solutions
- critically necessary for resilience, redundancy, and reliability of data systems”
Smart Cities World | US mayors approve resiliency resolution
4 Local Governments Ban Facial Recognition Software
San Francisco, CA , Somerville, MA, Oakland, CA & Berkeley, CA have all formally banned the use of facial recognition software
3 Reasons Cities are banning facial recognition software:
- it is often wrong
- often wrong identifying women
- often wrong identifying people of color
28 Congresspersons were misidentified as criminals in one case study use of facial recognition software
States v. Tech Companies. What you need to know about policy of data protection
How many states tried to pass data security legislation in 2019? 24
How many succeeded? 3. Illinois, Maine, & Nevada
Why? Opposition from Tech Companies, The Internet Association, and Business Groups
Will there be more data security legislation? Yes, with record fines against Facebook and Equifax’s record breaking settlement in 2019
5 Opposition Arguments:
- unworkable for businesses
- wait for federal laws
- too vague for businesses to comply
- “further fragmentation of consumer privacy laws.”
- too hard to enforce because of “complex national industry”
Governing | When It Comes to Data Privacy, States Are Battling Big Tech
Procurement Openings. Blockchain Voting.
Where: Cities will being using blockchain voting systems for citizens voting abroad
The cities: Denver, multiple cities in Utah, & the state of West Virginia
Policy goals:
- increased return of foreign ballots
- improved election integrity
How will ballots be verified? facial recognition has been selected as the default verification method
Route Fifty | Ready or Not, Blockchain-Based Mobile Voting Is Getting Closer
State TREND. Digital Currency Task Force.
Where: New York
Who sits on New York’s Digital Currency Task Force?
- ConsenSys founder Joseph Lubin
- Global Blockchain Business Council CEO Sandra Ro
- adjunct fellow at the foundation for Defense of Democracies Yaya Fanusie
- co-founder of Blockchain @ Microsoft York Rhodes
- director of regulatory relations a Ripple Ryan Zagone
- professor of law at Cardozo School of Law Aaron Wright
What are the Task Force goals?
- “regulate, define and use” cryptocurrencies
- report on the state of the crypto industry by December 15, 2020
How did the Task Force come about? AB 8783 (2017 | NY)
Coin Desk | New York Legislature Names Initial Members to Crypto Task Force
Anatomy of a State Cybersecurity Audit
Where: California
How many agencies had data security flaws? “high risk deficiencies” at 21 state agencies
What regulatory action was called for?
- comprehensive information security assessment at least every 3 years
- prompt resolution by agencies of security issues
Regulatory TREND. Requiring Data Security in Ride Share
Where: Columbia (the country)
What happened? a data breach impacted 267,000 Columbians at a ride share company
How did regulators exercise enforcement powers?
- The government will suspend drivers licenses of ride share drivers for 25 years
- actively protect the affected Columbians
- develop a protocol for handling future data security breaches
- train staff
- adopt permanent monitoring system to determine whether the new data security measures are adequate
Reuters | Colombia orders Uber to improve data security after 2016 breach
2 Statewide Regulatory Implications. School Cyberattack
Where: Louisiana
What happened in Louisiana? Several school systems experienced cyberattacks
How did government respond?
- Governor declares statewide emergency
- The declared emergency allows local governments to access cybersecurity experts from the Louisiana National Guard, Louisiana State Police, & the Office of Technology Services
CNN | Louisiana’s governor declares an emergency after cyberattacks on several school systems
3 Reasons Education Data Hacks are Rising
- Valuable Data. Education data is valuable for its quantity and youth
- Unreported Hacking. Education hacks are often unreported when data is viewed but not sized or removed
- Little Data Security. School networks are more open than corporate networks
- Small schools and small school districts often don’t have resources for a technology watchdog
AP | Cyberattacks inflict deep harm at technology-rich schools
Legal TREND. Suing Telecommunications Companies that sell Location Data to Bounty Hunters.
What is happening? Electronic Frontier Foundation filed a class action lawsuit against AT&T + 2 data brokers over the sale of AT&T customers’ real-time location data
Is this common? Tech types say all the telecoms sell real time location data to location aggregators to bounty hunters and bail bondsman
What state laws are we talking about? A state’s deceptive trade practices act + data protection and privacy laws
Does your state have a law against hacking medical equipment?
Let’s look at how insulin machines can be hacked.
When a medical devices manufacturer would correct known flaws, researchers built the system that would kill people by hacking the devices.
Were regulators involved? yes, but slow to act, hence why researchers built an app that would kill people if it were deployed to the insulin device
Wired | THESE HACKERS MADE AN APP THAT KILLS TO PROVE A POINT
Business TREND. Employees Calling for Corporate Social Repsonsibility.
WHAT? Amazon protests
WHY? Protestors do not support the use of Amazon technology by ICE
WHERE does this business trend get interesting? In the company’s response (emphasis added):
An Amazon representative said in an emailed statement: “There is clearly a need for more clarity from governments on what is acceptable use of [artificial intelligence] and ramifications for its misuse, and we’ve provided a proposed legislative framework for this. We remain eager for the government to provide this additional clarity and legislation.”
Wall Street Journal | Protesters Disrupt Amazon Event Over Its Ties With ICE
Data Security . Corporate Social Responsibility. The Consumer Numbers. New Study.
The study: Authenticity Gap report by FleishmanHillard Fishburn
What did consumers say for this 7th annual Authenticity Gap report?
- 66% consumers want companies to show greater purpose & societal impact
- 73% consumers say companies must show its data security policies & go beyond required regulations
- 62% say companies take too long to disclose & provide solutions to data breaches
What did it say about how this message should be conveyed?
- 76% expect CEOs to first and foremost communicate issues that impact customers
- 71% expect CEOS to first and foremost communicate issues that impact employees
- 55% believe Companies should act on issues with a large societal impact, even if there is no significant affect to the company
- 48% consumers think companies must take a stand on controversial issues that influenced government policy changes
- 43% consumers think corporations should take stands on issues concerning the CEOs own personal views and beliefs
The Holmes Report | Study: Consumer Expect Brands To Take A Stand On Climate Change & Data Security
Sliding Insurance Data Security Requirements into a State Budget. 3 Steps.
Where: Connecticut
How: CT’s state budget contains a provision requiring:
- All insurance licensees
- implement an information security program
- by October 1, 2020
- Covering administrative, technical & physical safeguards to protect non-public information
What does this mean? Employee training, Record retention program, Risk assessment process, Incident response process, and annual assessments
National Law Review | Connecticut’s Insurance Data Security Law
Business TREND meeting Regulatory & Legislative TREND. Data stored in clothing
Why is clothing storing data? smart fabrics
What data is gathered and stored? Biometrics
Does HIPPA apply? NO
How are legislatures handling it? An Amendment to California’s Consumer Privacy Act is leading the way
Retail Dive | Wear it out: How smart tech and data collection will impact retail
Automotive Data. The Auto Dealers and the 5 States Tackling this
- Montana, Arizona and Oregon enacted dealer protections for control over data stored in a DMS & preventing the software providers from charging a fee to third parties
- Similar protections passed in Hawaii and North Carolina
When does the issue arise legislatively? When states implement new titling software
Do dealers want to leave it up to the courts? NO
Regulatory TREND. Blockchain as a solution to a State Agency Data Breach
Where are the data breaches? Maryland Department of Labor & Oregon’s Department of Human Services
How does blockchain help prevent this?
- It eliminates a centralized server or a non-auditable database
- It limits human error
- It is efficient
- It can eliminate the need for 3rd party data bases
Would this really work? Support inthis paper from NASA
CCN | Cybersecurity Breach at Maryland Agency Spotlights Need for Blockchain
Business TREND. Businesses Calling for More Data Security. Rules, Laws, Actions
Which businesses?
- Toyota
- IBM
- NEC
- Nippon Telegraph & Telephone
- Thomson Reuters
- Cisco Systems
- Mastercard
- Airbnb
What do they want protected? software source codes, algorithms and encryption keys
Why do they want this protected? Critical corporate information
What regulations/laws do they fear? Anything that requires the disclosure thereof
What these businesses are asking for is part of Japanese Prime Minister Shinzo Abe’s initiative for “data free flow with trust”
Nikkei Asian Review | Toyota, IBM and more push for global data security ahead of G-20
+1 Local Gov. Bans Facial Recognition Software = Legislative Pressure
Where: Sommerville, Mass.
What: City Council unanimously banned the use of facial recognition software
Why is this a legislative issue?
- Sommerville is the 2nd city after San Francisco to ban the technology
- Calls are on full-time legislatures to pass statewide bans on the software
How is the issue being messaged?
- “…dystopian technology further outpaces our civil liberties protections”
- Need for “transparent” and “just” regulations
What concerns do researchers find?
- 20% of women are misidentified
- 35% of women of color are misidentified
Lege TREND. Internet Service Provider Privacy Requirements. +1 State.
State: Maine
The legislation: LD 946 (2019 | ME)
What does Maine’s LD 946 do?
- applies only to internet service providers
- requires ISPS to get express consent from customers before the customer’s data or information can be sold, disclosed or accessed
What do opponents say? The bill does not go far enough because many other companies like Google and Facebook collect mountains of data that should also be protected.
Central Maine | Maine Compass: Privacy bill doesn’t go far enough
+1 Texas City Cyber Attack
Laredo Texas suffered a cyber attack.
TREND. Hacking License Plate Reading Software
Where is the hacked license plate reading software used? it is being used by US government near the border with Mexico
What data was hacked?
- databases
- company documents
- financial information
Motherboard | Hackers Breach Company That Makes License Plate Readers for U.S. Government
Lege TREND. Disclosure of Election Hacks. Disclosure, Good for the Goose & the Gander?
The legislation: Congress’ Achieving Lasting Electoral Reforms on Transparency and Security Act (ALERTS Act)
The government disclosure requirement:
- Disclosue to state and local officials and Members of Congress i
- Disclose credible evidence of an unauthorized intrusion into an election system
- If they have a reasonable basis to believe that such intrusion could have resulted in voter information being altered or otherwise affected.
- Rquires state & local officials to alert potentially affected voters
How quickly does notice need to occur?
- promptly alert
State Scoop | U.S. House bill would require feds to notify public of election hacking
Lege TREND. Prohibiting Loot Boxes. Wait, What's a Loot Box?
A loot box is an incentive for gamers that “give users a nominal advantage for a fee or loot boxes which allow users to essentially play a slot machine for gaining rare or important items
What’s wrong with this? Gateway drug for gambling
Who is first out of the gate with legislation? US Senator Hawley (MO)
Senator Hawley | Frequently Asked Questions Regarding Legislation on Pay-to-Win and Loot Boxes
Anatomy of an "Aggressive" Cybersecurity Measure by the Razorbacks
Where: Arkansas
The legislation: Senate Bill 632 (2019 | AR)
What does SB632 do?
- Creates the Cyber Initiative
- Housed within the Economic Development Commission
- mitigate the cyber-risks to Arkansas
- increase education relative to threats and defense
- provide the public and private sectors with threat assessments and other intelligence
- foster growth and development around tech, IT and defense
- create a “cyber alliance” made up of partnerships with a variety of insitutitions like “universities, colleges, government agencies and the private business sector
Partners include:
- the Forge Institute
- Department of Homeland Security, the Arkansas National Guard, Walmart and the University of Arkansas Little Rock via Forge’s American Cyber Alliance
Government Technology | Aggressive Initiative to Shore Up Cybersecurity in Arkansas
Regulatory TREND. What do I need to know about Active Cyber Defense?
Active Cyber Defense uses private sector cyber bounty hunters and hackers to protect critical infrastructure.
Who is behind this concept?
- An Atlantic Council report,
- by, Frank Kramer, Assistant Secretary for International Security Affairs for the Clinton administration
- and by, Bob Butler, Deputy Assistant Secretary for Space and Cyber in the Obama administration
How would this private sector system work? the private sector hackser would be deputized “certified active defenders” to assist with the creation of an active cyber defense strategy
Thank you for subscribing to our newsletter.
Great things are just around the corner!