How did Ohio switch from data centers to private cloud for data security?

  • September 24, 2019

Who led the switch to private data cloud in Ohio? Ohio Office of Information Technology 

How did the process start? Legislation? No, it was by Executive Order.

How much will Ohio save?

  • 2,459 to 1,896: Retirement and attrition of IT infrastructure staff
  • $40 million to $980,000: Reductions in annual agency server hardware spending
  • $28 million to $3 million: Hardware repairs and maintenance
  • $54 million to $35 million: Backbone network optimization
  • $34 million to $27 million: Software

State Tech | States Find Security and Savings in Private Clouds

4 Ways States Use Blockchain for Data Security

  • September 24, 2019

Where: Colorado

What are examples of state programs that lend themselves to blockchain?

  • transferable licenses
  • land rights
  • tracking complex grant programs
  • food safety

How has Colorado adapted to state use of blockchain/distributed ledger technology?

  • Colorado created the position of Blockchain Architect

State Tech | Data Security Emerges as Top Government Application for Blockchain

Anatomy of a State Cyber Risk Fund. Procurement Opportunity for Insurance Carriers.

  • September 23, 2019

Where: Arizona

What is the funding request for the Arizona State Cyber Risk Fund? $22.5 Million

What would it fund? statewide insurance & response for data breaches to state agencies 

AZ Mirror | Arizona agency wants $22 million for ‘cyber risk fund’

New Report. Government Incentives for Cyber Insurance Policies

  • September 18, 2019

Who is recommending incentives for cyber insurance? Foundation for Defense of Democracies

Where did the Foundation for Defense of Democracies make this recommendation? In its report The Role of Cyber Insurance in Securing the Private Sector

What types of government incentives were recommended?

  • tax credits for all government contractors who have cyber insurance

Why are government incentives necessary? Industry has failed to incentivize action

2 Reasons Schools & Libraries are the Preferred Target for Big Game Hackers

  • September 18, 2019

What commonalities do schools & libraries share that draws hackers to them?

  • lack of funding
  • lack of cyber security resources

2 most common hacks before ransomware:

  • malware
  • banking trojans

Politico Morning CyberSecurity | School Blues

Local TREND. Cities + Private Business = Cyberthreat Warning

  • September 17, 2019

Where: Los Angeles

What is this non-profit public private partnership that L.A. created? LA Cyber Lab

Who is involved in LA CyberLab?

  • IBM
  • Entertainment industry
  • Utility representatives
  • Local Universities
  • Health care industry
  • Telecom

What are the goals of the LA Cyber Lab?

  • provide businesses with threat intelligence
  • build better local level digital defense

Politico Morning Cyber Security | L.A. (CYBER)STORY

Election Cybersecurity. 1st State to Ban Bar Codes.

  • September 17, 2019

Where: Colorado

What: Colorado is the 1st state to ban bar codes (QR Codes) from paper ballots

How are QR Codes/bar Codes used on paper ballots? The bar codes/QR codes are a means to count paper ballots

What did the Colorado Secretary of State say? Voters had no way to verify the bar code or QR code and as such the codes did nothing to secure elections or instill voter confidence

Fox 31 | Colorado becomes first state to ban barcodes for counting votes over security concerns

Business TREND. Tracking Event Ticket Holder Locations.

  • September 14, 2019

What ticketing entity is tracking its ticket holders? University of Alabama, at football games

Why are student locations tracked when they attend football games? Incentives are given to students who stay through the 4th quarter

ESPN | Bama tracking students to check 4-quarter stays

+1 Legislature. Yes, cameras. No, Facial Recognition.

  • September 13, 2019

Where: California

What: AB 1215 (2019 | CA)

How did the Legislature split the difference to approve cameras and disapprove facial recognition?

  • Approving law enforcement body cameras
  • Excepting and prohibiting cameras with facial recognition
  • Prohibiting using footage from body cameras for later use by facial recognition software

What arguments support prohibiting facial recognition?

  • Privacy of California residents
  • Need to encourage trust in communities
  • Support of the transparency that cameras provide law enforcement
  • Avoiding the police being seen as a tool of surveillance

Other states did the same? Yes, Oregon

CNBC | California legislature bars facial recognition for police body cameras

51 Tech Execs Calling for Federal Data Privacy.

  • September 11, 2019

Where can I find the list of 51 tech companies:

Their September 10, 2019 letter is here.

Did the tech companies work with a business group?

Yes, Business Roundtable

What are the top 3 arguments the 51 tech CEOs make?

  • We support data privacy
  • The burden shouldn’t be on consumers to keep up
  • There can’t be 51 different sets of rules for data protection

What else do I need to think about? When Major US Auto Manufacturers asked for action on emissions and the federal government did not act, the major auto dealers negotiated a deal with California.

What states could the tech companies go to to negotiate a deal? States most active in data privacy: California, Washington State, New York

ZDNet | 51 tech CEOs send open letter to Congress asking for a federal data privacy law

Cybersecurity +Pensions.

  • September 11, 2019

Who was hacked?

A law enforcement pension in Oklahoma

How much was stolen?

$4.2 Million

What happened?

  • investment manager for the fund was hacked

What regulatory/legislative reaction is forthcoming?

  • Cybersecurity standards for outside and internal investment managers at pension systems

Other pensions hacked:

  •  2016 $100,000 hacked from a Pennsylvania borough’s police pension fund
  • 2017 hackers stole the identities of more than 100 retired Iowa public employees to claim pension payments

InfoSecurity | Hackers Steal $4.2m from State Troopers’ Pension Fund

+1 State new blockchain legislation

  • September 10, 2019

Where:

Illinois

What bill did the Illinois Governor sign?

Public Act 101-0514, also known as the Blockchain Technology Act

HB 3575 (2019 | IL)

How does the bill embrace blockchain technology?

  • legal recognition of smart contracts
  • legal recognition of blockchain-based records
  • legal recognition of blockchain-based signatures

Kane County Reporter | ILLINOIS STATE HOUSE DISTRICT 50: Governor signs Wheeler bill into law to make Illinois a leader in blockchain technology

3 Consumer Demands Post-Data Breach for your clients and companies.

  • September 9, 2019

WHO called for the study on consumer expectations and data breaches?

Experian

WHAT did consumers say?

  • 90% more forgiving of a company that responded to a breach in a prompt & transparent manner
  • 66% would stop doing business with a company that dillydallied in the face of a data breach
  • 6 weeks: the time it took Experian to tell consumers

LA Times | Newsletter: Consumers would be more forgiving of data breaches if companies just came clean

3 Jurisdictions. Blockchain Voting.

  • September 9, 2019

WHERE is blockchain voting happening?

  • Most recent: Utah County
  • 2018 West Virginia tested it in federal elections
  • May 2019 Denver tested blockchain voting for a municipal election

HOW did Utah County test blockchain voting?

On military ballots

WHAT are 4 benefits of blockchain technology for elections?

  • ease of voting
  • transparency of the process
  • high security standards
  • higher percentage of overseas voters will vote

Governing | Utah County Puts Blockchain Voting to Test in Live Audit

Hacker Noon | Utah Becomes The Third U.S. Jurisdiction To Offer Blockchain-Based Mobile Voting

New Kid on the Block: Companies Data Gathering Properties that are AirBnB or VRBO

  • September 4, 2019

What triggered this new enterprise? enforcement of short term rental legislation

Where is their business? Local government contracts

Motherboard | The People Paid to Dox Airbnb Addresses

3 Calls for Transparency in Health Care Due to Data Breaches

  • September 4, 2019

Where: Massachusetts

What 3 Calls for Transparency:

  • Prohibit removal of hard copy documents from office
  • Disclosure of how long it took to locate a breach
  • Engage in risk analysis and have a clear plan to mitigate risks

Health IT Security | Healthcare Most Impacted by Data Breaches, Insiders Root Cause

Health IT | In light of MGH healthcare data breach, experts call for transparency

New way to address facial recognition policies.

  • September 4, 2019

Where: E.U.

How are facial recognition software and the GDPR interacting?

  • Citizens would be given explicit rights over their facial recognition data
  • Citizens would have a right to know when it’s used
  • It would apply to facial recognition by business, governments, law enforcement and security forces

What is the policy stance of the EU’s incoming President? “a co-ordinated European approach on the human and ethical implications of artificial intelligence,” 

Engadget | The EU may give citizens more control of their facial recognition data

Legal & legislative TREND. When can a person sue for a data breach

  • September 3, 2019

Where: Georgia Supreme Court

What is the issue? Is actual financial harm required before a person can sue over a data breach?

Is this issue limited to Georgia? No

Decipher | GEORGIA SUPREME COURT CONSIDERS WHEN DATA BREACH VICTIMS CAN SUE

+1 State Insurance License Data Security Law

  • September 3, 2019

Where: Delaware

What legislation? HB 174 (2019 | DE)

What does HB 174 do?

  • requires insurance licensees to implement information security programs
  • report instances of data breaches
  • Permits enforcement by the Department of Insurance to investigate violations & levy penalties

Delaware Business Now | Insurance Data Security Act signed into law after wave of data breaches

Election Security. Electronic Registration Information Center. 29 States.

  • August 22, 2019

Which state is the latest member of the Electronic Registration Information Center? Florida

What does the Electronic Registration Information Center provide states?

  • ability to crosscheck voter registration data
  • against the data in 29 other member states
  • identify duplicates & outdated records from voters who have moved or died

Government Technology | Florida Joins Electronic Registration Information Center

Industry TREND. Confidential Computing Consortium.

  • August 22, 2019

Who announced the Confidential Computing Consortium? Linux Foundation

What other tech companies are involved?

  • Alibaba
  • Arm
  • Baidu
  • Google Cloud
  • IBM
  • Intel
  • Microsoft
  • Red Hat
  • Swisscom
  • Tencent

The goals of the consortium:

  • defining and accelerating the adoption of confidential computing
  • accelerate the confidential computing market
  • influence technical and regulatory standards
  • build open source tools

Linux Foundation | New Cross-Industry Effort to Advance Computational Trust and Security for Next-Generation Cloud and Edge Computing

Partnership Opportunities: Schools and CyberBullying

  • August 21, 2019

Where is a school district engaging in a partnership on cyberbullying? Harlingen CISD

Who is Harlingen CISD partnering with on cyberbullying? Department of Homeland Security

What are the goals of the partnership?

  • educate the community on cyberbullying: the signs, how it occurs, who is involved, where it occurs (apps, email, the web)
  • crack down on cyberbullying

4Valley Central | Cyber bullying on the rise, local school partners with Homeland Security

+1 Governor Executive Order on Ransomware Training

  • August 20, 2019

Where: Georgia

What action did the Georgia Governor take by Executive Order?

  • reconstituted the State Government Systems Cybersecurity Review Board
  • require all state workers to undergo training to prevent ransomware attacks

Georgia Governor Executive Order 08.13.19.01 

Atlanta Journal Constitution | Georgia governor orders new cybersecurity training after crippling attacks

Anatomy of a State Allocation of Cybersecurity Funding

  • August 20, 2019

Where: North Carolina

How is North Carolina proposing to allocate cybersecurity training funds?

  • skip over state institutions of higher education
  • allocate funds to a small private college

What is the higher education cybersecurity landscape in North Carolina?

  • UNC cybersecurity program is well regarded, long standing for 20+ years
  • National Security Agency and Department of Homeland Security have recognized five UNC system universities, two community colleges and Montreat as National Centers of Academic Excellence in Cyber Defense

Carolina Public Press | NC cybersecurity funds could bypass state schools, go to small college

Landscape of Data Security laws in 2019. Retreat. Retreat.

  • August 16, 2019

How many states considered legislation? 24

How many states enacted legislation? 3: Nevada, Illinois, and Maine

How many states created a task force instead? 5: Texas, Hawaii, Louisiana, North Dakota and Connecticut

How many states enacted legislation in 2018? 1: California

How many states pushed cybersecurity legislation to 2020? 7: Massachusetts, Minnesota, New Hampshire, New Jersey, New York, Pennsylvania, and Washington

How many states saw cybersecurity legislation fail? 7: Arizona, Florida, Kentucky, Maryland, Mississippi, Montana, and New Mexico

Stateline | States battle big tech over data privacy

Key to Cyber Security Laws: Liability Protection

  • August 16, 2019

Who is touting liability protection as integral to cybersecurity legislation? National Security Institute at George Mason University Antonin Scalia School of Law

Why is liability protection crucial?

  • incentivizes beneficial action by industry
  • corrects negative incentives created by liability for technical missteps that do not harm consumers
  • promotes sharing of security issues and solutions

National Security Institute at George Mason University Antonin Scalia School of Law | Privacy regulation and Unintended Consequences

3 Ways HIPAA Does Not Address Modern Data

  • August 16, 2019

Who is making the argument about HIPAA needing to adjust to modern data? Apixio Chief Technology Officer

What 3 reasons were given for HIPAA's inability to address modern data?

  • healthcare providers cannot keep up with the threat on their own
  • HIPAA created an unequal level of protection of data as data flows
  • this is a system wide need to protect data and health agencies could benefit from insights from law enforcement and transportation agencies

Health IT Security | Healthcare Needs More than HIPAA, Legislation to Improve Security

Another Data Broker Registration Bill.

  • August 16, 2019

Where: Congress

What bill will require data broker registration? S2342 (116th Congress)

Which agency will oversee the registration? the FTC

How many requirements did the FTC want to place on data brokers? 3

  • give consumers unlimited access to their data, including any sensitive data
  • give consumers a reasonable level of detail to their data
  • require opt-out tools for consumers to suppress the use of their data

Are states requiring registration of data brokers? Yes, Vermont already has

National Law Review | Bill Introduced to Require Data Brokers to Register With FTC

Tech Company Opposition Arguments to Arizona’s New Data Security Law for Car Dealers

  • August 16, 2019

Where: Arizona

What legislation: HB 2418 (2019 | AZ) a bill about data security and motor vehicles

What arguments are tech companies making in opposition?

  • federal Constitutional preemption
  • violation of Digital Millennium Copyright Act, Copyright Act, Defend Trade Secrets Act, Computer Fraud and Abuse Act, Gramm-Leach-Bliley Act, Federal Contracts Clause and Dormant Commerce Clause

The policy tech companies do not like: Allowing 3rd parties to have access to private consumer information in the  supply dealer management 

Legal Newsline | Tech companies challenge Arizona’s new cybersecurity law

Election Security. State with least paper ballot numbers: TX

  • August 9, 2019

Want to track election data on paper ballots and new machinery? Look no further than here from Politico

 69 of 254 Texas counties will remain paperless for the 2020 election

Politico | TRACKING THE PUSH TO PAPER

Does your State Legislature have Cyber Security Caucus? Health Care Record Hacker Briefings are a must

  • August 9, 2019

The U.S. Senate does.

The Senate Cybersecurity Caucus this week learned:

  • January through June 2019 285 breaches of 31.6 million health records
  • 28% are insider threats looking at records that they should not

Politico | UNHEALTHY BREACH FIGURES 

1st Presidential Campaign to Hire Information Security Officer

  • August 9, 2019

Mayor Pete Buttigieg's campaign is the first to hire a Chief Information Security Officer to cover every internal strategic meeting and plan.

Politico | Scoop: Buttigieg gets a CISO

Anatomy of a Hack of a City’s Water Department

  • August 9, 2019

Where: City of Murfreesboro, TN

What did the hack look like? The city’s water department page was replaced with a photo of Guy Fawkes

The hack target: a payment portal

AP | Tennessee city website compromised by ‘Iranian Hackers’

Bifurcated Data Security Laws. Who.What.Where.

  • August 9, 2019

Who & Where: Western Australian government

What: Data Security law that will create 2 parallel government oversights

What is the bifurcated approach?

  • Privacy Commissioner
    • “promote privacy measures and ensure accountability, as well as receive and resolve complaints”.
  • Chief data officer
    • “responsibility for supporting the public sector in the correct use and reuse of information, as well as management of data”.

Western Australia Privacy and Responsible Information Sharing

IT News | WA offers first glimpse at future data sharing laws

Research Fund Supports Cyber Security

  • August 1, 2019

What: Professional Services Council Foundation created the  Mark L. Cohn Research Fund

Why? “promote innovation through research primarily focused on cybersecurity and other emerging technologies.”

Corporate Partner:  Unisys

PSC Foundation | PSC FOUNDATION LAUNCHES MARK L. COHN RESEARCH FUND TO HONOR VETERAN UNISYS FEDERAL CHIEF TECHNOLOGY OFFICER

Cyber Security Insurance. More Policies Purchased. Fewer Providers.

  • August 1, 2019

Why are providers concerned about writing cyber security insurance policies?

  • From a business perspective: hard to ascertain the right information necessary to build the mathematical models to assign risk
  • From a state policy perspective: the more cyber security laws that pass, the more attractive cyber insurance is

How much have policies increased since 2015? Total $2 billion last year, up 26% according to Moody’s Investors Service

3 Industries buying the most cyber policies: education, hospitality and retail industries

CyberScoop | Demand for cyber insurance grows as volatility scares off some providers

US Conference of Mayors + Data Protection at the Edge Resolution

  • August 1, 2019

What is Data Protection at the Edge Resolution?

  • Security measures for
  • Physical intrusion and infiltration of edge sensors
  • Deployed with smart city technologies

What lingo do I need to know?

  • “fault-tolerant technology solutions
  • critically necessary for resilience, redundancy, and reliability of data systems”

Smart Cities World | US mayors approve resiliency resolution

4 Local Governments Ban Facial Recognition Software

  • August 1, 2019

San Francisco, CA, Somerville, MA, Oakland, CA & Berkeley, CA have all formally banned the use of facial recognition software

3 Reasons Cities are banning facial recognition software:

  • it is often wrong
  • often wrong identifying women
  • often wrong identifying people of color

28 Congresspersons were misidentified as criminals in one case study use of facial recognition software

Governing | Cities Ban Government Use of Facial Recognition

States v. Tech Companies. What you need to know about policy of data protection

  • August 1, 2019

How many states tried to pass data security legislation in 2019? 24

How many succeeded? 3. Illinois, Maine, & Nevada

Why? Opposition from Tech Companies, The Internet Association, and Business Groups

Will there be more data security legislation? Yes, with record fines against Facebook and Equifax’s record breaking settlement in 2019

5 Opposition Arguments:

  • unworkable for businesses
  • wait for federal laws
  • too vague for businesses to comply
  • “further fragmentation of consumer privacy laws.”
  • too hard to enforce because of “complex national industry”

Governing | When It Comes to Data Privacy, States Are Battling Big Tech

Procurement Openings. Blockchain Voting.

  • August 1, 2019

Where: Cities will be using blockchain voting systems for citizens voting abroad

The cities: Denver, multiple cities in Utah, & the state of West Virginia

Policy goals:

  • increased return of foreign ballots
  • improved election integrity

How will ballots be verified? facial recognition has been selected as the default verification method

Route Fifty | Ready or Not, Blockchain-Based Mobile Voting Is Getting Closer

State TREND. Digital Currency Task Force.

  • July 26, 2019

Where: New York

Who sits on New York’s Digital Currency Task Force?

  • ConsenSys founder Joseph Lubin
  • Global Blockchain Business Council CEO Sandra Ro
  • adjunct fellow at the foundation for Defense of Democracies Yaya Fanusie
  • co-founder of Blockchain @ Microsoft York Rhodes
  • director of regulatory relations at Ripple Ryan Zagone
  • professor of law at Cardozo School of Law Aaron Wright

What are the Task Force goals?

  •  “regulate, define and use” cryptocurrencies
  • report on the state of the crypto industry by December 15, 2020

How did the Task Force come about? AB 8783 (2017 | NY)

Coin Desk | New York Legislature Names Initial Members to Crypto Task Force

NY Assemblyman Vanel | NY to Have First Crypto Task Force

Anatomy of a State Cybersecurity Audit

  • July 26, 2019

Where: California

How many agencies had data security flaws? “high risk deficiencies” at 21 state agencies

What regulatory action was called for?

  •  comprehensive information security assessment at least every 3 years
  • prompt resolution by agencies of security issues

KCRA | Report finds California government IT security flaws

Regulatory TREND. Requiring Data Security in Ride Share

  • July 26, 2019

Where: Colombia (the country)

What happened? A data breach impacted 267,000 Colombians at a ride share company

How did regulators exercise enforcement powers?

  • The government will suspend driver's licenses of ride share drivers for 25 years
  • actively protect the affected Colombians
  • develop a protocol for handling future data security breaches
  • train staff
  • adopt permanent monitoring system to determine whether the new data security measures are adequate

Reuters | Colombia orders Uber to improve data security after 2016 breach

2 Statewide Regulatory Implications. School Cyberattack

  • July 26, 2019

Where: Louisiana

What happened in Louisiana? Several school systems experienced cyberattacks

How did government respond?

  • Governor declares statewide emergency
  • The declared emergency allows local governments to access cybersecurity experts from the Louisiana National Guard, Louisiana State Police, & the Office of Technology Services

CNN | Louisiana’s governor declares an emergency after cyberattacks on several school systems

3 Reasons Education Data Hacks are Rising

  • July 19, 2019

  • Valuable Data. Education data is valuable for its quantity and youth
  • Unreported Hacking. Education hacks are often unreported when data is viewed but not seized or removed
  • Little Data Security. School networks are more open than corporate networks
    • Small schools and small school districts often don’t have resources for a technology watchdog

AP | Cyberattacks inflict deep harm at technology-rich schools

Legal TREND. Suing Telecommunications Companies that sell Location Data to Bounty Hunters.

  • July 19, 2019

What is happening? Electronic Frontier Foundation filed a class action lawsuit against AT&T + 2 data brokers over the sale of AT&T customers’ real-time location data

Is this common? Tech types say all the telecoms sell real-time location data to location aggregators to bounty hunters and bail bondsmen

What state laws are we talking about? A state’s deceptive trade practices act + data protection and privacy laws

Motherboard | EFF Hits AT&T With Class Action Lawsuit for Selling Customers’ Location to Bounty Hunters

Does your state have a law against hacking medical equipment?

  • July 19, 2019

Let’s look at how insulin machines can be hacked.

When a medical device manufacturer would not correct known flaws, researchers built a system that would kill people by hacking the devices.

Were regulators involved? Yes, but they were slow to act, which is why researchers built an app that would kill people if it were deployed to the insulin device

Wired | THESE HACKERS MADE AN APP THAT KILLS TO PROVE A POINT

Business TREND. Employees Calling for Corporate Social Responsibility.

  • July 18, 2019

WHAT? Amazon protests

WHY? Protestors do not support the use of Amazon technology by ICE

WHERE does this business trend get interesting? In the company’s response (emphasis added):

An Amazon representative said in an emailed statement: “There is clearly a need for more clarity from governments on what is acceptable use of [artificial intelligence] and ramifications for its misuse, and we’ve provided a proposed legislative framework for this. We remain eager for the government to provide this additional clarity and legislation.”

Wall Street Journal | Protesters Disrupt Amazon Event Over Its Ties With ICE

Data Security . Corporate Social Responsibility. The Consumer Numbers. New Study.

  • July 17, 2019

The study: Authenticity Gap report by FleishmanHillard Fishburn

What did consumers say for this 7th annual Authenticity Gap report?

  • 66% consumers want companies to show greater purpose & societal impact
  • 73% consumers say companies must show their data security policies & go beyond required regulations
  • 62% say companies take too long to disclose & provide solutions to data breaches

What did it say about how this message should be conveyed?

  • 76% expect CEOs to first and foremost communicate issues that impact customers
  • 71% expect CEOs to first and foremost communicate issues that impact employees
  • 55% believe companies should act on issues with a large societal impact, even if there is no significant effect on the company
  • 48% consumers think companies must take a stand on controversial issues that influenced government policy changes
  • 43% consumers think corporations should take stands on issues concerning the CEO's own personal views and beliefs

The Holmes Report | Study: Consumer Expect Brands To Take A Stand On Climate Change & Data Security

Sliding Insurance Data Security Requirements into a State Budget. 3 Steps.

  • July 17, 2019

Where: Connecticut

How: CT’s state budget contains a provision requiring:

  • All insurance licensees
  • implement an information security program
  • by October 1, 2020
  • Covering administrative, technical & physical safeguards to protect non-public information

What does this mean? Employee training, Record retention program, Risk assessment process, Incident response process, and annual assessments

National Law Review | Connecticut’s Insurance Data Security Law

Business TREND meeting Regulatory & Legislative TREND. Data stored in clothing

  • July 12, 2019

Why is clothing storing data? smart fabrics

What data is gathered and stored? Biometrics

Does HIPAA apply? NO

How are legislatures handling it? An Amendment to California’s Consumer Privacy Act is leading the way

Retail Dive | Wear it out: How smart tech and data collection will impact retail

Automotive Data. The Auto Dealers and the 5 States Tackling this

  • July 12, 2019

  • Montana, Arizona and Oregon enacted dealer protections for control over data stored in a DMS & preventing the software providers from charging a fee to third parties
  • Similar protections passed in Hawaii and North Carolina

When does the issue arise legislatively? When states implement new titling software

Do dealers want to leave it up to the courts? NO

Autonews | Dealers to states: Let us control data

Regulatory TREND. Blockchain as a solution to a State Agency Data Breach

  • July 12, 2019

Where are the data breaches? Maryland Department of Labor  & Oregon’s Department of Human Services

How does blockchain help prevent this?

  • It eliminates a centralized server or a non-auditable database
  • It limits human error
  • It is efficient
  • It can eliminate the need for 3rd party databases

Would this really work? Support in this paper from NASA

CCN | Cybersecurity Breach at Maryland Agency Spotlights Need for Blockchain

Business TREND. Businesses Calling for More Data Security. Rules, Laws, Actions

  • July 12, 2019

Which businesses? 

  • Toyota
  • IBM
  • NEC
  • Nippon Telegraph & Telephone
  • Thomson Reuters
  • Cisco Systems
  • Mastercard
  • Airbnb

What do they want protected? software source codes, algorithms and encryption keys

Why do they want this protected? Critical corporate information

What regulations/laws do they fear? Anything that requires the disclosure thereof

What these businesses are asking for is part of Japanese Prime Minister Shinzo Abe’s initiative for “data free flow with trust”

Nikkei Asian Review | Toyota, IBM and more push for global data security ahead of G-20

+1 Local Gov. Bans Facial Recognition Software = Legislative Pressure

  • July 12, 2019

Where: Somerville, Mass.

What: City Council unanimously banned the use of facial recognition software

Why is this a legislative issue?

  • Somerville is the 2nd city after San Francisco to ban the technology
  • Calls are on full-time legislatures to pass statewide bans on the software

How is the issue being messaged?

  • “…dystopian technology further outpaces our civil liberties protections”
  • Need for “transparent” and “just” regulations

What concerns do researchers find?

  • 20% of women are misidentified
  • 35% of women of color are misidentified

Boston Herald | Somerville ban puts pressure on Legislature to slow unregulated facial recognition tech

Lege TREND. Internet Service Provider Privacy Requirements. +1 State.

  • May 29, 2019

State: Maine

The legislation: LD 946 (2019 | ME)

What does Maine’s LD 946 do?

  • applies only to internet service providers
  • requires ISPs to get express consent from customers before the customer’s data or information can be sold, disclosed or accessed

What do opponents say? The bill does not go far enough because many other companies like Google and Facebook collect mountains of data that should also be protected.

Central Maine | Maine Compass: Privacy bill doesn’t go far enough

+1 Texas City Cyber Attack

  • May 28, 2019

Laredo Texas suffered a cyber attack.

KGNS | City of Laredo still recovering from cyber-attack

TREND. Hacking License Plate Reading Software

  • May 27, 2019

Where is the hacked license plate reading software used? it is being used by US government near the border with Mexico

What data was hacked?

  • databases
  • company documents
  • financial information

Motherboard | Hackers Breach Company That Makes License Plate Readers for U.S. Government

Lege TREND. Disclosure of Election Hacks. Disclosure, Good for the Goose & the Gander?

  • May 27, 2019

The legislation: Congress’ Achieving Lasting Electoral Reforms on Transparency and Security Act (ALERTS Act)

The government disclosure requirement: 

  • Disclosure to state and local officials and Members of Congress
  • Disclose credible evidence of an unauthorized intrusion into an election system
  • If they have a reasonable basis to believe that such intrusion could have resulted in voter information being altered or otherwise affected.
  • Requires state & local officials to alert potentially affected voters

How quickly does notice need to occur?

  • promptly alert

Congresswoman Stephanie Murphy | Murphy, Waltz Announce Legislation Requiring Public Alerts After Elections Infiltration

State Scoop | U.S. House bill would require feds to notify public of election hacking

Lege TREND. Prohibiting Loot Boxes. Wait, What's a Loot Box?

  • May 24, 2019

A loot box is an incentive for gamers that “give users a nominal advantage for a fee or loot boxes which allow users to essentially play a slot machine for gaining rare or important items”

What’s wrong with this? Gateway drug for gambling

Who is first out of the gate with legislation? US Senator Hawley (MO)

Senator Hawley | Frequently Asked Questions Regarding Legislation on Pay-to-Win and Loot Boxes

TechCrunch  | The US Senate is coming after loot boxes 

Anatomy of an "Aggressive" Cybersecurity Measure by the Razorbacks

  • May 21, 2019

Where: Arkansas

The legislation: Senate Bill 632 (2019 | AR)

What does SB632 do?

  • Creates the Cyber Initiative
  • Housed within the Economic Development Commission
  • mitigate the cyber-risks to Arkansas
  • increase education relative to threats and defense
  • provide the public and private sectors with threat assessments and other intelligence
  • foster growth and development around tech, IT and defense
  • create a “cyber alliance” made up of partnerships with a variety of institutions like “universities, colleges, government agencies and the private business sector”

Partners include:

  • the Forge Institute
  • Department of Homeland Security, the Arkansas National Guard, Walmart and the University of Arkansas Little Rock via Forge’s American Cyber Alliance

Government Technology | Aggressive Initiative to Shore Up Cybersecurity in Arkansas 

Regulatory TREND. What do I need to know about Active Cyber Defense?

  • May 21, 2019

Active Cyber Defense uses private sector cyber bounty hunters and hackers to protect critical infrastructure.

Who is behind this concept?

  • An Atlantic Council report,
  • by, Frank Kramer, Assistant Secretary for International Security Affairs for the Clinton administration
  • and by, Bob Butler, Deputy Assistant Secretary for Space and Cyber in the Obama administration

How would this private sector system work? The private sector hackers would be deputized as “certified active defenders” to assist with the creation of an active cyber defense strategy

CPO Magazine | Active Cyber Defense Strategy Could Use Private Sector Bounty Hunters to Protect Critical Infrastructure

Regulatory TREND. Anatomy of the Cybersecurity Solarium Commission

  • May 21, 2019

The U.S. Cybersecurity Solarium Commission is taking inspiration from the 1950s-era commission that studied nuclear strategy.

The 14 member Cybersecurity Solarium Commission will be comprised of:

  • 4 current lawmakers
  • director or deputy director of National Intelligence
  • director or deputy director of Defense
  • director or deputy director of the FBI
  • director or deputy director of Homeland Security
  • academics
  • industry representatives

Strategies to develop:

  • persistent engagement
  • deterrence (which will include increasing resiliency)
  • development of diplomatic norms — global rules of the road for cyber operations

AXIOS | New cybersecurity task force draws inspiration from ’50s

Data Security Workforce by the Number of Women.

  • May 21, 2019

  • 20% of Fortune 500 CISOs will be women by 2020
  • 13% were women in 2017
  • Capitol Hill hearings hear testimony from women 20% of the time on information security

Tech Target | Women in cybersecurity work to grow voice in US lawmaking

Anatomy of a Data Breach law in New Jersey

  • May 17, 2019

What additional information is protected:

  • user name
  • email address
  • any other account holder identifying information
  • + in combination with any password or security question and answer that would permit access to an online account

Can notice be given to a consumer electronically? Yes, unless it was the account that was breached

The bill: A-3245 (2019 | NJ)

National Law Review | New Jersey’s Data Breach Notification Amendment Signed into Law 

Inside NJ | Caputo & Murphy Bill Requiring Disclosure of Online Security Breaches Signed into Law

Anatomy of a Data Security Bill in North Carolina

  • May 17, 2019

The legislation: HB 904 (2019 | NC)

How does it impact businesses: Creates a duty on businesses to maintain reasonable security procedures and practices

Notification time frame: 15 days

Free credit freezes, thaws and monitoring? yes, yes and yes

Consent: Requires consent to access a consumer’s credit report

NC Attorney General Talking Points on HB 904 

Local TREND. It's Official. City Bans Facial Recognition

  • May 15, 2019

Where: San Francisco

What else does the ban on facial recognition tech by municipal entities and local law enforcement do?

  • requires disclosure of surveillance technology they currently use
  • requires approval from the Board of Supervisors on any new technology that either collects or stores someone’s data

What are supporters saying?

  • “This is really about saying we can have security without being a security state.”
  • “We can have good policing without being a police state.”

2 More cities set to consider the ban:

  • Oakland, CA
  • Somerville, Mass

Governing | San Francisco the First U.S. City to Ban Facial Recognition Technology

KQED | San Francisco Bans Police, Municipal Use of Facial Recognition Technology

Business TREND. 3 Ways Tech Business Spin Data Privacy/Data Security

  • May 14, 2019

  • Facebook
    • The future is private
    • We will make your information private
  • Google
    • What you get in return is more valuable
    • We make it easier for you to navigate the world, so it’s all ok
  • Microsoft
    • We can make your elections safer
    • “privacy is a human right”

What do they say to legislators? Trust US

What do they say to consumers? We won’t misuse your data, AKA trust us

What are they saying to investors? There won’t be any regulations, trust us, returns will be great still

Fast Company | 3 Big Tech CEOs, 3 ways of spinning privacy

Election Security. +1 State Secretary of State Candidate to Clean Voter Rolls

  • May 13, 2019

Bonjour to Kentucky Secretary of State Candidate Stephen Knipper. It’s an elected office in Kentucky.

Knipper wants to improve data security and clean voter rolls of persons not eligible to vote.

Courier Journal | Stephen Knipper: As secretary of state, I would clean up voter rolls

Lege TREND. Tax Data Use by Entities that Retain, Hold and Track Your Data

  • May 9, 2019

Where is this proposal progressing? California

What is the proposed fee/tax? Data Dividend to be paid by businesses that hold, sell and track data

The messaging: “We trade it away for so much of our experience on the internet. Money from a data tax could begin to counter this trade imbalance.”

Governing | Should Big Tech Be Taxed for Using Our Data?

Lege TREND. 3 Ways Tech Companies Are Lobbying Against Data Privacy Laws

  • May 8, 2019

  • Carving out exceptions to the California Consumer Privacy Act
    • The message: “addressing workability issues from a business compliance standpoint, to strengthening the law from a consumer and privacy protection standpoint”
  • Coalition of business entities including:
    • Internet Association
    • TechNet
    • Consumer Technology Association
    • Chamber of Commerce
    • Large Tech Companies
    • Wireless Association
  • Plausible Deniability
    • Tech Companies and associations are not attending technical negotiations

Wired | TECH LOBBYISTS PUSH TO DEFANG CALIFORNIA’S LANDMARK PRIVACY LAW

LegeTREND. Public Education Data. Student Data. Notification Standard for Small and Rural Schools.

  • May 8, 2019

Texas HB 2689 (2019 | TX) would set a standard that all public schools should have a liaison that can communicate data security/cyber security issues with their local communities.

Lege TREND. Facial Recognition Software & Public Education.

  • May 7, 2019

State: New York

Legislation: AB 6787 (2019 | NY)

What does this bill do? 

  • Prohibit schools from using biometric software for 1 year
  • Study the use and safety of biometric identifying software
  • Make recommendations for the use of biometric software to further school safety

Lockport Union Sun Journal | Bill calls for study of facial recognition systems in schools 

Regulatory TREND. Anatomy of an Attorney General Investigation into a Healthcare Data Breach.

  • May 7, 2019

What type of healthcare data breach? electronic health information was exposed online 

How did it happen? a misconfigured web setting

What went wrong with notification that caught the Michigan Attorney General’s attention? Patients were receiving notifications addressed to other patients and contacted the Attorney General

Health IT Security | Michigan Attorney General Looking into Inmediata Breach, Mailing Error 

Lege TREND. Require Internet Service Providers to Ask Customer Permission to Sell Data

  • May 3, 2019

Where: Maine

The legislation: LD 946 (2019 | ME) 

What would this bill do? Require Internet Service Providers to get customers to OPT IN to sell customer data

Government Technology | Maine Bill Would Force ISPs to Ask to Sell Customer Data

Lege TREND. Tech Rich State. Yes to Data Breach Bill. No to Data Privacy Bill.

  • May 3, 2019

State: Washington

The bills that succeeded: HB 1071 (2019 | WA)

What does the data breach bill do?

  • 30 days to notify the state Attorney General and consumers (down from the current 45 days)
  • What information triggers a breach notification?
    • Social Security numbers
    • driver’s license numbers
    • state ID numbers
    • financial account information
    • full birth dates
    • health insurance ID numbers
    • medical histories
    • student ID numbers
    • military ID numbers
    • passport ID numbers
    • username-password combinations
    • biometric data

SC Magazine | Washington state legislature passes data breach law, but punts on privacy law

Lege TREND. Anatomy of a Failed Data Privacy Bill in a Tech State

  • May 1, 2019

Washington State Legislature did not enact SB 5376, a GDPR-like data privacy bill. Here are some reasons why:

  • Supporters, privacy advocates, started calling for a stronger bill
  • Critics harped on the bill still permitting facial recognition software
  • Negotiations did not include more than 1 Republican and no consumer advocates

SC Magazine | Washington state legislature passes data breach law, but punts on privacy law

2 reasons OHIO's state cybersecurity law is popular

  • April 26, 2019

  • Ohio’s law doesn’t require action by businesses
  • Ohio’s law incentivizes actions by businesses, by providing for liability protection

Tech Target | State data privacy laws, regulations changing CISO priorities

Business TREND. Nonprofit for Campaign CyberSecurity

  • April 26, 2019

Who: Defending Digital Campaigns, the nonprofit spinoff of a Harvard cybersecurity project

What: The FEC is considering allowing campaigns to get free cybersecurity help

Why? Elizabeth Warren, Kamala Harris are disclosing funds spent on cybersecurity and the retention of cybersecurity experts

The catch: the nonprofit is founded by Hillary Clinton’s campaign manager

Slate | This Nonprofit Wants to Offer Political Campaigns Free Help With Cybersecurity

Lege TREND. Revisiting How one State Responded to Equifax Breach

  • April 25, 2019

State: Massachusetts

Legislation: H 4806 (2018 | MA)

What did Massachusetts enact?

  • consumer consent before any third party can obtain the consumer’s credit report
  • free credit freezes and thaws
  • entities that have suffered a data breach have enhanced reporting requirements
  • free credit monitoring to affected consumers

Leominster Champion | Governor Signs Bill to Enhance Credit Data Security

Lege TREND. Bill lets Texas Sue Social Media.

  • April 25, 2019

What? SB 2373 (2019 | TX) 

What legal challenges would be allowed? Deceptive Trade Practices Act challenges

What does this mean? Know those press releases from the Attorney General’s Office about how much it’s collected in fines (hint: it is A LOT)? Yes, it means business fines.

Texas Tribune | Texas bill would allow state to sue social media companies like Facebook and Twitter over free speech

Lege TREND. Anatomy of an election security bill

  • April 24, 2019

Where: Georgia

The legislation: HB 392 (2019 | GA) 

What would this bill require:

  • the state Secretary of State
  • required to create security protocols for voter registration information
  • follow and be consistent with standards set by national cybersecurity and election organizations

Atlanta Journal Constitution | New safeguards for Georgia election security await Kemp’s signature

Local TREND. City Seeks to Ban Facial Recognition Software.

  • April 19, 2019

The city: San Francisco

The proposal: 

  • new regulations on the city’s process for acquiring surveillance equipment
  • total ban on municipal use of facial recognition software

How many other cities have done this? none

Opponents: law enforcement

The policy goal: “The propensity for facial recognition technology to endanger civil rights and civil liberties substantially outweighs its purported benefits.”

Government Technology | Will San Francisco Ban Facial Recognition Technology?

Lege TREND. Death of a Bitcoin Bill in a Gaming State.

  • April 19, 2019

State: Nevada

The legislation: SB 195 (2019 | NV)

Why did SB 195 die a legislative death?

  • opponents say the bill was not beneficial to the crypto markets
  • the bill would have implemented the ULC’s Uniform Regulation for Virtual Currency Business Act
  • opponents say it doesn’t protect investors and traders enough

Read an opposition letter from the cryptocurrency industry.

CoinGeek | Nevada lawmakers scrap controversial Bitcoin bill

+1 IOT Bill. Lege Trend. Individual passwords for your Fridge and your Porch lightbulb.

  • April 17, 2019

State: Oregon

The legislation: House Bill 2395 (2019 | OR)

What would HB 2395 require?

  • require manufacturers to implement a process giving each device a unique password

Why? So that a hacker could access only 1 device in 1 hack.

Oregonian | Oregon House passes bill requiring security for online devices

Lege TREND. Data Minimization in Cybersecurity bill drafts

  • April 16, 2019

What do I need to know about data minimization? It means that companies shouldn’t collect personal data “beyond what is adequate, relevant and necessary” for the product or service.

What’s an example? Your takeaway driver doesn’t need access to your photo library to scan your credit card

NextGov | Inside One Lawmaker’s Proposal for a Privacy Bill of Rights

3 State Variations in the Model Insurance Data Security Legislation

  • April 13, 2019

North Carolina: the 1st State to pass the model legislation imposed the 72-hour notice requirement in the model.

Michigan: opted for a 10-day notice requirement

Ohio: allows licensees that have certain cybersecurity programs to use an affirmative defense against tort claims

Bloomberg | States Imposing New Cybersecurity Requirements on Insurers

Local TREND. Addressing Crypto Currency with Local Ordinances

  • April 12, 2019

Where: Missoula County, Montana

The County adopted rules for crypto miners that:

  • health & safety. County is “protecting the health, safety, morality and general welfare of the people in the district” by ensuring electricity for local residents
  • use limitation. crypto mining activities only in areas of light and heavy industry
  • waste limitations. provide evidence that all e-waste generated will be processed by a licensed waste management company

The Cryptoo Currency Post | Montana County issued a decree obliging crypto miners to use renewable energy

Lege TREND. Blockchain and Bitcoin Bills.

  • April 11, 2019

Michigan’s HB 4103 (2019 | MI) would:

  • add bitcoin and blockchain into existing legal & financial statutes
  • prohibit racketeering related to blockchain and bitcoin
  • apply existing financial crimes to crimes utilizing blockchain, distributed ledger technology and bitcoin

The definition of cryptocurrency used in Michigan: “digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, and that operates independently of a central bank.”

Detroit News | Bitcoin, blockchain crime bills clear Michigan House

Regulatory TREND. Biometric Security Oversight Commissions. Forward Thinking Procurement Opportunities.

  • April 9, 2019

Where: Australia

What group is recommending a Biometric Security Oversight Commission? The Parliamentary Joint Committee on Law Enforcement

In its report, the joint committee recommended:

  • need to protect biometric data collected and shared among law enforcement agencies
  • increase IoT security awareness
  • review of biometric and personal information security legislation to keep it up to date
  • consider hybrid storage facilities
  • consider advanced techniques like artificial intelligence for handling and analyzing large volumes of data

Biometric Update | Committee recommends Australia set up biometric data security oversight body

IOT Lege TREND. +1 IOT hackable Item

  • April 6, 2019

IOT legislation is the hot topic for 2019. Also known as how to keep your thermostat from being the way hackers hack your personal information.

So, what is the next hacker target? Indoor Garden sellers that offer a light source and temperature control gardening.

Tech Crunch | AeroGarden maker says hackers stole months of credit card data

Business TREND. Industry Calls for First Amendment Rules with Data Privacy Rules.

  • April 6, 2019

Who: Facebook

What does Facebook want? It wants to know the rules of the game for political speech and the Constitution

Why? The government, rather than a private company like Facebook, should determine constitutional limitations

Variety | Facebook’s Mark Zuckerberg Says ‘We Need New Rules’ Regulating Political Speech

Regulatory TREND. Anatomy of a State Cyber Office. How to hold agencies accountable to the Executive Branch?

  • April 4, 2019

West Virginia HB 2452 (2019 | WV) created a new Cybersecurity Office within the Office of Technology.

Goals of the new Cybersecurity Office:

  • risk assessment across state agencies
  • establish unifying security standards among state agencies
  • will leverage a risk management approach
  • provide for “apples-to-apples comparison of cyber-risk assessments across all agencies within the Executive Branch.”

Stems from WV’s 2018 participation in the National Governors Association (NGA) cybersecurity policy academy.

Government Technology | W.Va. to Open Cybersecurity Office, Launch Unification Plan

Regulatory TREND Medical Equipment and Data Breaches

  • April 3, 2019

The latest medical equipment susceptible to hackers is CT scans: hackers could gain access to alter images, raising regulatory concerns about the data security of medical equipment.

Washington Post | Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists

Data Security new Threats to Water and Wastewater. Regulatory & Legislative Fixes on the Horizon.

  • April 2, 2019

In March 2019, hackers got into a small Colorado water utility.

Are there regulatory parallels that can be made to secure the water and wastewater systems? Yes, water utilities & power distributors share similar industrial control systems

Which states have taken water security measures forward? NJ, NY

E&E News | Hackers force water utilities to sink or swim

Lege TREND. Cybersecurity legislation for state 911 systems.

  • April 2, 2019

Maryland HB 397 (2019 | MD) would increase telecom fees to harden the state 911 system.

Why the legislation? The Maryland 911 system has overloaded and resulted in the death of injured residents

Why is data security an issue with 911?

  • to connect to cell phones and via text message, it exposes 911 systems to the internet
  • 337 successful attacks (on public safety networks) across 49 states and DC in the past 24 months
    • 186% increase over the previous 24 months

Baltimore Sun | Modern 9-1-1 system will increase state and local fees

Business TREND. State adoption of GDPR standards.

  • April 2, 2019

Facebook CEO is the latest tech CEO calling for adoption of GDPR standards.

CNBC | Mark Zuckerberg says he wants stricter European-style privacy laws — but some experts are questioning his motives

Lege TREND. State Contracting. Coalition Opposes Contracts with Software Requirements. 3 Key Points.

  • March 29, 2019

The Coalition: Organizations representing accountants, TechNet, AGC, engineers and technology professionals, + ALEC. Separate opposition stems from National Association of Chief Information Officers

The coalition opposes: state legislative efforts to require contractors to install monitoring software

What sparked this? 30 states have a legislative push by TransparentBusiness, which claims to have software that stops contractors from over-billing their clients

State Scoop | Industry groups urge state legislators to oppose tracking software bills 

Lege TREND. Legislating Blockchain and Bitcoin in Western Independent States

  • March 28, 2019

Nevada’s Uniform Regulation of Virtual-Currency Businesses Act SB 195 (2019 | NV) would require:

  • crypto currency to register with the state Department of Business and Industry
  • blockchain groups oppose the legislation since the industry is nascent and the legislation could inhibit growth

Are other states considering uniform bitcoin legislation? Yes, CA, HI and OK

Bitcoin Exchange Guide | Nevada Bill Regarding Multiple Uniform Standards Sees Pushback from Blockchain and Crypto Proponents 

Lege TREND. + 1 Expansion of what triggers notification on a data breach

  • March 26, 2019

The D.C. Attorney General’s new proposal would add the following to the list of information that would trigger notification in a data breach:

  • passport numbers
  • military IDs
  • biometric data
  • health information
  • taxpayer identification numbers
  • health insurance info
  • genetic information
  • DNA profiles

Security Week | D.C. Attorney General Introduces New Data Security Bill