The State: California

The Legislation: Assembly Bill 83

What does AB 83 require?

• expand data security requirements for businesses that retain biometric & geolocating data
• protect data collected by mobile apps or fitness devices
• protects data collected in photo taggins such as social media and photo storage services for photo tagging purposes.
• requires businesses to use a “reasonably prudent” standard

How does AB 83 accomplish its goals? By expanding the definitions of “personal information” to include “geolocation information” and “biometric information”

National Law Review | California Legislature Nearing Final Debate of Biometric and Geolocation Data Security Bill

Bloomberg Law | California Bill Would Add Security Standards to Data Breach Law

What entity is proposing model data security laws for insurance?  the Cybersecurity Task Force (Task Force) of the National Association of Insurance Commissioners (NAIC)

Is it final? No, its a revised draft after taking into account stakeholder positions

What issues are covered in the model act draft?

• Require licensees to create a “comprehensive written information security program”
• Required Data Security programs will detail the:
  • administrative,
  • technical, &
  • physical safeguards for the protection of personal information
• Require licensees to contract only with 3rd service providers who are “capable of maintaining appropriate safeguards for personal information.”
• Creates standards for investigations of a data breach, including:
  •  When a data breach occurs
  • That  the licensee must properly investigate the breach
  • Assessing the nature and scope of the breach
  • Identifying the personal information that may have been involved
  • Determining if the personal information had been acquired without authorization
  • Taking reasonable measures to restore the security of the systems compromised in the breach.

To comment: Email Sara Robben at srobben@naic.org by close of business on Friday, September 16, 2016.

Lexology | Mayer Brown | NAIC Issues Revised Insurance Data Security Model Law

Which banks are invloved? The 8 largest banks are joining forces. This includes Bank of America, JP Morgan, and Goldman Sachs.

What will the 8 banks do to protect against cuber crime? Share intel and conduct war games to improve data security.

Why did they form? The large banks issues are similar unlike the data security efforts among all financial institutions and the large banks share information with the federal governmet but believe they get little information in return.

Wall Street Journal | Big Banks Team Up to Fight Cyber Crime

Which state included data regulation of marijuana? Colorado

What is the goal of data regulation of marijuana legalization? safely and securely control the flow of the drug across the state

What state agency houses this data center? Marijuana Enforcement Division (MED) in the state’s Department of Revenue

Governing | Managing Marijuana: the Role of Data-Driven Regulation

The state: Alabama

The legislation: A State agency to track student data from early education through entering the workforce

What‘s the background? In 2015, the Governor issued an executive order to create a  longitudinal data system to track studnt data. This executive order requires legislation to fund it.

The projected cost to track student data? $1.6 million

What did the Governor’s Executive Order do?

• Created an advisory board
• “Developed a state talent pipeline capable of ensuring that all Alabama students graduate from school being college and career ready, improving decision-making on educational programs, making decisions based upon validated and objective measures of student outcomes, and permitting qualified researchers to collaboratively evaluate the success of state programs.”

Times Daily | Collins will bring back student data bill

• Impact to Candidates. Leaks from Guccifer of hacked information tageted certain candidates running for Congress in Florida
• Impact to Move Voters in a Direction. The target: to swing moderate voters to vote Republican

Reuters | Democrats fear hackers targeted tight Florida races for latest data leaks

The Electronic Privacy Information Center (EPIC.org) wants states to pass bills that:

• No Targeted Ads. prohibit K-12 mobile and online service operators from using student information to target advertisements to students;
• No Profiling Students. prohibit online service providers from creating K-12 student profiles for commercial purposes; 
• No Selling Info. forbid companies from selling student information;
• All Students (K-16) extend protection to all students, including college and post-graduate students;
•  Enforcement. strong enforcement mechanisms, including a private right of action against private companies that abuse student data;
•  Limit Data Collection. limiting the type of data that companies and schools collect (e.g., Social Security numbers, biometric information, social media information);
• Transparency. publishing the types of information companies and schools collect, the purposes for which the information will be used, and the security practices in place;
•  Data Retention Policies. data retention limitations that require companies to delete student data after the data is no longer needed;
• Student and Parental Control over Info. permitting students to delete & correct certain student information;
• Notification. data breach notification; and
• Schools Can’t Disclose Students. prohibiting schools from disclosing “directory information,” including student name and home address.

EPIC.org | State Student Privacy Policy

EPIC.org | EPIC Urges Wisconsin Legislature to Safeguard Student Privacy

The growth of investment in cybersecurity firms since 2011: 235%

SC Magazine | Investment in cybersecurity strong as cyberthreats increase

The Democratic National Committee this week announced a new cybersecurity advisory board. 

The intel to keep you informed about the future of campaigns and data security:

• Created by new DNC Chair Donna Brazille
• Composed of security experts, including:
  • National Security. Rand Beers, former Department of Homeland Security acting secretary
  • Lawyer. Nicole Wong, former deputy chief technology officer of the U.S. and a former technology lawyer for Google and Twitter
  • Tech Expert. Aneesh Copra, co-founder of Hunch Analytics and former chief technology officer of the U.S.
  • Lawyer. Michael Sussmann, a partner in privacy and data security at the law firm Perkins Coie and a former Justice Department cybercrime prosecutor.
• The DNC is active in providing notification in those impacted by data breaches.

Politico | DNC creates cybersecurity advisory board following hack

The Hill | DNC creates cybersecurity board

What type of healthcare data? Medical records and wearable data from heart monitors to implanted devices to fitbits

What is crucial about protecting health care data? It must be protected as the information moves from device to cloud storage to medical records end point at a physician or hospital

What makes health records more valuable? 

• Unlike financial information, health data or changes to social security numbers are not quickly identifiable
• The release of health records includes social stigma that isn’t tied to financial records.
• Health records are personal and private, therefore the release is stigmatizing. 

Data Informed | Why Hackers Attack Healthcare Data, and How to Protect It

Why are businesses not securing all online information? Its profitable to not secure the data. The penalties for not securing data are not impactful.

What legislation or regulatory reform is crucial? Not government specifics on security but rather strong enforcement and meaningful fines from regulatory enforcement.

What’s the future in hacking? Its not buying and selling information, but rather modification of the data that is out there already.

Business insider | A security expert who in his spare time discovers data breaches affecting millions explains why he does it

The enforcing regulatory authority: U.S. Department of Health and Human Services

The data breach: 4 million patients personal data, financial information and electronic health information was exposed in 3 different incidents within 1 year. 

The Settlement amount: almost $6 million fine

Society for Human Resource Management | Health Care System to Pay Largest Data Breach Settlement Ever

What data security issues are being bandied about against Fantasy Sports?

• Communicating with consumers requesting personal information without the use of encryption
• Asking customers to send sensitive information, such as Social Security Numbers, and credit card images, via unencrypted email

Is ther an investigation? A complaint filed with the FTC 

Daily Dashboard | Daily fantasy sports sites face data security questions

A Tesla self driving car drove its owner to a hospital.

Tech Crunch | Autopilot in Tesla Model X helps driver get safely to a hospital

Why are voting machines an easy target for hackers? Most voting machines operate on Windows XP, which has not had a security patch from Microsoft since 2014

A hack isn’t the only way to cause voting chaos? Slowing the machines down can be enough to turn people away from the polls

Is this a real, existing problem? Yes, it is. “Virginia decertified thousands of insecure WinVote machines”

The best way to control for electronic voting machine intereference? Auditing the vote. 

Wired | America’s Electronic Voting Machines Are Scarily Easy Targets

• Cyber Insurance policies are still new and prone to litigation.
• Companies should vet all public statements through lawyers
• 2 federal Circuits have loosened up when a suit can continue. Its not as easy to get these cases kicked out of the courtroom.

Texas Lawyer | 3 Things GCs Should Know About Data Privacy Class Actions

California Legislature is pushing forward with a bill to prohibit the sharing of information from health trackers without express authorization.

The Recorder | Five Bills to Watch in the California Legislature

This week Apple joined other tech cmpanies in offering bounties to hackers who reveal security bugs.

The bounty: up to $200,000.

The Wall Street Journal | Apple Announces ‘Bug Bounty’ Program

“Albany Law School is launching the nation’s first online master’s program aimed at the legal studies of cybersecurity and data privacy.”

Albany Times Union | Albany Law launches online cybersecurity master’s program

Case Study: Target. Target’s Securities & Exchange Commission filings show:

• costs thus far of $290 Million
• estimated future costs will total $370 Million

Case Study: Anthem Insurance. Anthem’s SEC filings show it cannot estimate the cost of its data breach because:

• ongoing investigation
• early stage of legal proceedings progress
• unknown damages
• uncertain number of lawsuits that will be filed

In additional to actual costs, there are soft costs to a data breach such as:

• lost contract revenue
• lost customers
• brand damage

eweek | Researchers Struggle to Determine True Cost of Data Breaches

Which regulatory leader wants comprehensive data security laws? The FTC Chairwoman Edith Ramirez

Why the push for data security laws?

• Hacks aren’t going away
• Laws need to address how entities gather, save and disseminate personal information

Daily Dashboard | FTC’s Ramirez calls for comprehensive data security laws

Top business sector for data breach complaints: Finance

Have data security laws led to more enforcement actions?

What benefit of data security laws is highlighted? breach notification to impacted customers

Information Age | The financial data divide: regulations are not having the desired effect

The state: New York

The NY State Agency: New York Comptroller

The School District: Avon School District

The Avon School District’s data security failings:

• not adopting policies for managing passwords
• not backing up data
• not protecting its employees’ and students’ personal, private and sensitive information
• making the school district more vulnerable to data breach
• providing too many employees access to financial information of the school district
• for failing to implment the recommended data security policies under a 2009 review

Livingston County News | State faults Avon schools’ lack of data security policies

Which state added curriculum changes in its student data protection laws? Delaware

What changes ere made to public school curriculum? data security training

Why train teachers and students on data security? because human error is the largest driver of data breaches

Delaware Public Meda | First State working to incorporate data privacy training into ed prep programs

Bonjour to Canada’s Privacy Commission who oversees the data privacy of Canadians. 

The Privacy Commissioner recommended these changes to national data security laws for 2016:

Data security breach reporting should include:

• The company’s name;
• Contact information for someone who can answer questions on the company’s behalf;
• Description of the breach, including:
  • The estimated number of users affected;
  • The personal information leaked;
  • The date of the breach, if known, or an estimated date or date range if unknown;
• A list of other organizations involved in the breach, such as affiliates or third party processors;
• An assessment of the risk faced by individuals as a result of the breach;
• A description of any steps planned or taken to notify affected individuals, including:
  • A notification date;
  • Whether the party has been or will be notified, whether they will be notified directly or indirectly, and if indirectly notified, why (more on this below);
  • A copy of the notification;
• A list of third party organizations that were notified of the breach;
• A description of measures the company has taken or will be taking to contain the breach and reduce its risk to affected users;
• A description of the organization’s related safeguards, taking improvements against future breaches into account.

Which state passed student data protection bills in 2016? Colorado

What does the new legislation cover? 

• the gathering of student data
  • requires notice & consent
• the storage of student data
  • limits on the length of storage
• require all contractors to maintain comprehensive information security programs
  • limits contractors from sharing information unless there is express consent
• no target advertising 
• no building student profiles

JD Supra | Thompson Coburn LLP| Colorado jumps into student data privacy protection with new privacy law

Colorado joins 35 states that have passed student data protection laws in the last 2 years.

JD Supra | Thompson Coburn LLP| Colorado jumps into student data privacy protection with new privacy law

Connecticut passed student data privacy legislation in 2016.

A group of mothers who started the push for student data privacy reform are touting its benefits:

• Restricting student information use by contractors providing educational software and electronic storage of student records and by operators of websites, online services, or mobile applications (i.e., apps).
• Clarifying ownership student data collected for school purposes is not owned by any of these third-party contractors.
• Parental Notification. Requiring local boards of education to notify parents when they execute a new contract with a software, data storage, or internet service provider.
• Procurement Contract Requirements. Stipulating data security and privacy provisions that must figure in all contracts between local school districts and software, data storage, and internet service providers.
• Local Control. Requiring school districts to withhold the release of student directory information if the local or regional board of education determines that a request for such information is not related to school purposes.

Easton Courier | Legislation will protect student data privacy

What groups are concerned by model student data privacy laws? 24+ civil liberties and advocacy organizations

What’s the model act called? Employee and Student Online Privacy Protection Act

The privacy concerns about the model act:

• broad and vague

• does not prevent school administrators & employers from coercing or requiring students and employees to turn over highly sensitive social media account information

• violates the Fourth or Fifth Amendment

Electronic Fronteir Foundation | EFF and ACLU-led Coalition Opposes Dangerous “Model” Employee and Student “Privacy” Legislation

Why do health and services entities need to pay more attention to ransomware?

• Ransomware is different from a regular data breach
• Ransomware impacts patient safety by siezing a health care provider’s computer systems
• Ransomware directly impacts health care operations

Gov Info Security | Congressmen: Ransomware Requires New Guidance​

Concerns related to maintaining  data collection: Make certain the state collects enough data necessary  to improve schools

Concerns to protect student data from voucher schools: Student data must be protected from “voucher schools” that would use the data to advertise to public school students

Milwaukee Star Tribune | Legislators to study how to protect student data

The state: Minnesota

The approach to student data protection: Recommendations for the 2017-2018 Minnesoata Legislature

The focus: 3 Points of focus:

• The information collected by its state department of education
• Whether it is necessary for the state to collect the student data
• The use of student data by vendors

Milwaukee Star Tribune | Legislators to study how to protect student data

The State: North Carolina

The cybersecurity apprenticeship qualifications:

• 10% disability rating from the Department of Veterans Affairs
• $600,000 per year
• Allows the Department of Information Technology to hire and train five veterans for cybersecurity-focused positions

State coop | North Carolina moves closer to creating cyber apprenticeship program for disabled vets

• toys and apps gather personally identifiable information
• access to names, birthdates, and gender
• Hackers could exploit cybersecurity weaknesses within these devices as an entrance point to a family’s wireless networks

Augusta Free Press | Warner calls on FTC to protect children’s data security

What type of schalarly research is hitting against anti-hacking laws?

• Michigan & Illinois researchers are looking at real estate websites to track discriminatory practices
• Northeastern University researchers are looking at discriminatory practices in job posting websites

How do they run afoul with anti-hacking laws? The researchers generate faux profiles on the websites they are researching

WallStreet Journal | First Amendment Suit Claims Anti-Hacking Law Criminalizes Scholarly Research

The key tort issue in data breaches: whether the consumer has been injured

What’s the argument if hackers have your information isn’t that a harm to a consumer? Some courts say yes, other courts say no.

Where are cases proceeding where the harm of the data breach is only having your personal information hacked? Judges in California, Illinois and other states

Wallstreet Journal | For Consumers, Injury Is Hard to Prove in Data-Breach Cases

How? Via laptop theives can open doors, and start an ignition to steal late model cars prompting new laws against auto manufacturers to secure vehicle data

Is this in Texas? Yes. Houston has recorded theft of a 2010 Jeep

Which manufacturers are targeted? Known hacks of autombilies are of Fiat Chrysler, GM and Tesla vehicles

WallStreet Journal | Thieves Go High-Tech to Steal Cars

• Retaining too much data
• Employee unintentional or intentional error
• Customer data security when customers access accounts
• 3rd party vendors
• Being consumed by 1 threat, makes a bank vulnerable to other data security threats

American Banker | What’s the Biggest Threat to Data Security?

Citizens in the UK dislike both the European Union and Businesses that have data breaches. 

An overwhelming majority supporting fining businesses & the recommendation has made it to Parliament.

Computer Weekly | UK consumers support fines for firms that lose personal data

UK Parliament | Cyber Security: Protection of Personal Data Online

Out with PINS in with biometric identifiers to access banking information. 

Why switch from PIN numbers to biometrics at financial institutions? 

• traditional passwords are too cumbersome
• traditional passwords are no longer secure

New York Times | DealB%k | Goodbye, Password. Banks Opt to Scan Fingers and Faces Instead.

• Major data breaches occured via a 3rd party contractor (Target, Home Depot, etc…)
• The cost of a major data breach increases annually, and it hits the company that hired the 3rd party contrator
• FICO is rolling out a data security score called an Enterprise Security Score

Pymnts.com | Procurement Is Ground Zero For Cybersecurity Protection

Which school district was affected by an internal hack? Abingdon-Avon School District, IL

Who is thought to have  hacked the school district internally? The Head of its IT

The purported purpose? Changing grades

The state law charges? 3 felony counts of Eavesdropping

KWQC | Abingdon-Avon employee arrested in relation to data breach

What campaign related voter information was hacked?   Voter files compiled by  L2, a political data brokerage, but hacked from a client (campaign) that left the voter information unprotected on a cloud

What type of voter information was exposed?   names, addresses, political preferences and opinions on social issues

Where were the hackers? Serbia or routed through Serbia

The Hill | US voter database accessed from Serbian server

The Federal Trade Commission publishes “Start with Security: A Guide for Business” & offers these recommendations for business:

• Don’t collect personal information you don’t need.

• Hold on to information only as long as you have a legitimate business need.

• Don’t use personal information when it’s not necessary.

• Restrict access to sensitive data.

• Limit administrative access.

• Insist on complex and unique passwords.

• Store passwords securely.

• Guard against brute force attacks.

• Protect against authentication bypass.

• Keep sensitive information secure throughout its lifecycle.

• Use industry-tested and accepted methods.

• Ensure proper configuration.

• Segment your network.

• Monitor activity on your network.

• Ensure endpoint security.

• Put sensible access limits in place.

• Train your engineers in secure coding.

• Follow platform guidelines for security.

• Verify that privacy and security features work.

• Test for common vulnerabilities.

• Put it in writing.

• Verify compliance.

• Update and patch third-party software.

• Heed credible security warnings and move quickly to fix them.

• Securely store sensitive files.

• Protect devices that process personal information.

• Keep safety standards in place when data is en route.

• Dispose of sensitive data securely.

Are all data breaches electronic? No, hard copies of personal information are still sources of data breaches.

Are there examples of major data breaches that were based on hard paper copies? Yes. For example:

• The NFL medical record data breach of 2016
• A 2014 State of California investigation of Safeway for improperly disposing of customer records
• A 2011 find of NYPD records found in a trash bin

Do data breach laws discuss paper records?  No, not all. The Federal laws and these 8 states have added paper records to their data breach statutes:

•  Alaska
• Hawaii
• Indiana
• Iowa
• Massachusetts
• North Carolina
• Washington
• Wisconsin

Lexology | Patterson Bellknapp Webb & Tyler | The Paper Trail: The Potential Data-Breach Sitting in your Printer

Why Illinois updated its data security laws? To make the laws more consistent with technology

What additional personal information is covered by data breach law?

• health insurance
• medical information
• biometric information
• username and password or security questions

How will businesses be able to notify consumers of a breach? By email

Cook County Record | New IL legislation updates data breach law to cover more tech, speed required consumer notifications

According to the author of The Car Hacker’s Handbook, the data your car collects is more valuable to hackers than taking over control of your vehicle. 

Tech Crunch | The Car Hacker’s Handbook digs into automotive data security

Ponemon Institute released its annual data breach informatics. The cost of an average daa breach has risen to $7 million.

Law 360 | Data Breach Costs Rise To $7M Per Incident, Study Says

Which financial entity is facing an SEC fine for a data breach? Morgan Stanley

How much is the SEC fine? $1,000,000

What was the data breach? Security measures failed to prevent an employee from transfering account information to a private server that was hacked

What do federal rules require of financial entities? policies and procedures that are reasonably designed to protect customer data

The Hill | Morgan Stanley to pay $1M SEC fine for data breach

What government is requiring authorization from the governing body before a purchase of surveillance equipment can be made? Santa Clara County deep on Silicon Valley

Which police purchases will require approval?  Any law enforcement purchase of new surveillance technologies. e.g.:

• license plate scanners
• products that spoof cellphone towers
• closed-circuit cameras

What entities can approve the police technology?  County board and district attorney approval are required

Why require approval before law enforcement buys technology?

• too little oversight in the current system
• too many intrusive technologies are in use with the data retained

Are there other requirements for surveillance equipment? Yes, law enforcement is required to:

• publish annual surveillance reports detailing:
  • usage
  • how successful different technologies have been
  • complaints
  • internal audits not subject to privilege

The Hill | California county becomes first to restrict surveillance technology

Data Security is the 1 key element missing from the 7 states that have passed self driving car laws.

Cars can be hacked. Cars contain data. The data your car’s computers contain can be used for:

• direct & targeted marketing
• cam be accessed by hackers

California is addressing vehicle data via regulation by requiring:

• notice and consent
• before information can be collected from operators
• this excludes information that is needed to operate the vehicle

The Guardian | Self-driving cars: overlooking data privacy is a car crash waiting to happen

• passwords are valuable because we don’t change them and use them on multiple account
• its data mining material to engineer more information about your identity
• a hacker can use 4 year old LinkedIn data for their own illegal purposes, and 4 years later sell it openly on the black market. 

IT Pro Portal | Why four-year-old data is more valuable than you think

What cyber security threat could be helped by old school methods? Electric Grid Security

Who is proposing old school solutions? 4 U.S. Senators: King, Heinrich, Risch, Collins

What does the legislation call for? 

• 2 year study
• examinging technology that makes the grid vulnerable
• how the automated systems can be hacked remotely
• “reengineer the last mile of the energy grid  to isolate its most important systems”

The Hill | Senate bill would encourage ‘retro’ grid security approach 

What is civic hacking? hackers doing good to solve governmental problems

How does it work? The feds listed 16 issues that it needs helps with and called for a National Day of Civic Hacking. Examples include:

• application process for food stamps, business licenses, criminal record copies, business licenses, affordable housing, 
• developing a community platform for California’s Health and Human Services Commission

Code for America | 4th Annual National Day of Civic Hacking 

Which school district experienced a data breach of its W-2 data, and all data retlated to persons who have received payment from the school district? Concord, N.H.

When did the breach occur? April

How did the breach occur? Social engineering, a targeted approach in which the hacker masquerades as the superintendent soliciting information

Did the data breach result in the information being used? Yes, false tax returns were filed based on the hacked information

When did the school district discover the data breach? June 1st

When did the school district notify persons that their personal information was compromised? June 3rd

What 3 things did the notification suggest people do to protect their information?

•  Contact your personal banking institution(s) to make them aware of this breach; 
•  Register for a fraud alert; 
•  Contact institutions that hold any personal assets to make them aware of this breach.

What is ransomware? A data security attack that freezes computer data, but leaves the business, such as a hospital, otherwise functioning so that services are not disrupted. A ransom is  asked for and in exchange the data is liberated.

What statutes are states amending? Computer crimes to apply extortion to computer violations

What specific statutory tweaks is California considering after ransomware attacks at California hospitals?

• defines ransomware
• makes it a crime to use ransomware
• the criminal offense is punishable by 2-4 years in jail and a $10,000 fine

California Senate Bill 1137

Health IT Security | How Ransomware Affects Hospital Data Security

3 pieces of ransomware intel critical to hospital data security:

• Institute for Critical Infrastructure Technology calls 2016 the year of ransomware
• Targets for ransomware are mobile devices and connected medical devices that offer access points for unauthorized users
• States are passing anti-ransomware legislation
  • College of Healthcare Information Management Executives support stronger hospital specific ransomwate legislation

Health IT Security | How Ransomware Affects Hospital Data Security

The equation for a data breach of NFL records:

• Store the health records on an athelic trainer’s laptop
• Print off some hard copies of medical records
• Leave the laptop and paper records in a car
• + one car burgular = NFL medical records stolen

The Hill | Report: Thousands of NFL medical records stolen

• Data breaches are costly
  • ​internal costs related to security improvements, mitigation & notification
  • regulatory costs
  • costs arising from 3rd party claims
• Identify risks, which for construction include:
  • ​file sharing with subcontractors
  • espcially for projects critical to infrastructure- hospitals, roads, energy facilities, governmetn facilities
• Cyber Insurance to help your business cover costs

Miami Herald | Cyberattacks can cripple the construction industry

What White House Proposal on data security affecting health care? On May 25, 2016 the White House released its final Data Security Policy Principles and Framework (Security Framework) for President Obama’s Precision Medicine Initiative (PMI).

What are the goals of the White House data security proposal?

• Build patient trust
• Adapatable security protocols
• Dependable data preservation
• Identify risks
• Transparency with patients
• Responsibility
• Sharing. Collaboration

What requirements do the goals translate into?

• Have comprehensive security plans
• Utilize risk maangement approaches to data security
• Utilize periodic 3rd party reviews of data security
• Establish access controls for data
• Train your staff
• Employ encryption
• Audit for Threats &  Share threats

White House | Precision Medicine Initiative and Data Security

White House | PMI Security Principles 

Who:     Federal Trade Commission

What:    Amendments to how companies disclose privacy policies & information to consumers

When:     Begins this fall

Standard of Review: The FTC favors corporate disclosures to consumers that are:

• shorter
• clearer
• easier-to-use

The Hill | Consumer protection agency to look at disclosure issues

• 21 Governors are presiding over State Cyber Security Commission.
• The 2 most recent states:
  • Colorado
  • Indiana

Who sits on State Cyber Security Commissions?

• Top IT leader in state government
• public safety agency heads
• executives from cyber companies
• federal officials

What are the goals of State Cyber Security Commissions?

• asses the security of state networks
• develop cyber security legislation

4 Point Checklist for State Cyber Security Commissions:

• Who should sit on the commission?
• What’s the commission’s deadline?
• What is required of the commission? an assessment? legislative recommendations?
• How should the group be structured?

State Scoop | As more governors convene cyber commissions, questions arise over effectiveness

• Financial Services support national data security standards & require nationwide data breach notification requirements for business
• Retailers oppose federal legislation for the detrimental effect on retailers
• The detrimental effect on retailers: applying banking rules on non-banks 

The Hill | Financial industry spars with retailers over data breach bill

The Hill | Retailers battle financial sector over data breach legislation

“Learning to be Watched: Surveillance Culture at School” report published  by the National Center for Education Policy at the University of Colorado at Boulder finds:

• schools are soft targets for comapnies gathering data
• free technology to school leads to data collection by the company
• anonymized student data does not mean  students’ personally identifiable information (PII) is fully or permanently protected

Washington Post | Schools are now ‘soft targets’ for companies to collect data and market to kids — report

• In 2016, 31 states introduced student data security bills
• in 2016, a total of 94 student data security bills were introduced
• The 4 fastest states to act in 2016 were:
  • New Hampshire: a study to make recommendations
  • Utah: data governance standards
  • Virginia: contracting limitations, data limitations for student & teacher data
  • West Virginia: State Board level data governance standards

District Administration | CIO News | 31 states introduce student data privacy bills

4 Key Pieces of Intel from how strong data security laws protect businesses:

• Global market. EU contracts require strong data protections clauses
• U.S. weak data security laws create uncertainty in the global market
• Cost Opportunities. What might cost small companies to comply in the short run, the harm to innovation of not having high data standards cost U.S. businesses more. 
• U.S. should be a leader in data security standards.

TechCrunch | Startups to Congress: Strong data security keeps us competitive

Who are the targets of Connecticut’s student data privacy bill?

• contractors with local boards of education, the State Board of Education and the State Department of Education
• operators of websites, online services and mobile apps

What will be required of education vendors?

• outline and maintain security practices
• prohibited from using personally identifiable student information for :
  • advertising purposes
  • any purpose apart from what their contract stipulates
• vendors cannot retain student records after the contract services have been fulfilled
• vendors must have procedures to alert school boards and parents of any suspected breach of data in no more than 48 hours.

Additional requirements specific to online vendors and contractors:

• no targeted advertising using student information
• prohbition from using student information for purposes unrelated to school
• required deletion of student information upon:
  •  request of a student, parent or school board
  • failure to do so results  in a civil penalty 

Connecticut HB 5469

Wilton’s HamletHub | Student Privacy Bill Heads to Governor’s Desk: Parents Get High Praise for Advancing this Groundbreaking Legislation!

Which entity promulgated the new federal contracting rule? Federal Acquisition Regulations (“FAR”) Council

Which data security rule for contractors are we talking about? Basic Safeguarding of Contractor Information Systems

Which contracts will be hit by the new rule?

• all acquisitions by any federal executive agency
• beginning June 15, 2016
• If a contractor’s information system may contain “Federal contract information,” 
• Applies to all subcontractors too

All contractors, and affected subcontractors will be required to meet 15 safeguards:

• Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems);
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
• Verify and control/limit connections to and use of external information systems;
• Control information posted or processed on publicly accessible information systems;
• Identify information system users, processes acting on behalf of users, or devices;
• Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
• Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse;
• Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
• Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices; 
• Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; 
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
• Identify, report, and correct information and information system flaws in a timely manner; 
• Provide protection from malicious code at appropriate locations within organizational information systems;
• Update malicious code protection mechanisms when new releases are available; and
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed

Lexology | Wilmer Cutler Pickering Hale and Dorr LLP | Final Government Contractor Basic Data Security Rule Issued

• Performing due diligence on all data and security protocols when selecting and monitoring vendors;

• Developing privacy provisions for contracts with TPAs and other service providers over and above standard confidentiality agreements;

• Limiting access to sensitive information to necessary personnel;

• Training personnel on the law and the fiduciary responsibilities;

• Developing written policies and procedures detailing for personnel the applicable state and federal laws;

• Continuing to monitor and watch over service providers with access to sensitive data.

National Law Review | Jackson Lewis P.C. | Employee Benefit Plans and Data Security Issues

The FDIC announced on May 9th, 2 new data security initiatives:

• improved software to force encryption of portable devices
• hiring of a third party to assess FDIC information technology security and privacy programs

Bloomberg BNA | FDIC Takes New Initiative on Data Security Following Breaches

Executive GOV | FDIC Plans New Security Measures After Retroactive Data Breach Report

Will this be a legislative trend? Yes, because sextorition is not a crime. Individuals are charged under usual hacking crimes.

How does sextortion differ from ransomware?

• Ransomware is about money
• Sextorition is about power
• Ransomware holds your computer hostage
• Sextorition threatens to expose “secrets” unless certain nude images are transmitted

Who are the victims?

• 71% are under 18
• 91% are targeted by social media manipulation
• 7.3 years is the average state criminal sentence
• 29 years is the average federal criminal sentence

Sextortion | Brookings Institute 

Georgia Attorney General at the  National Association of Attorneys General said:

“I frankly think it’s absurd that there are 30 or 40 different state laws on cybersecurity and breach.”

Reed Smith LLP | Georgia Attorney General Supports Federal Data Breach Standard

In 2015, ​New Jersey expanded its data breach laws to apply to include these health care information holders that service New Jersey patients:

•  health insurance companies
• health service corporations
• hospital service corporations
• medical service corporations
• health maintenance organizations 

New Jersey also adopted new encryption standards that:

• Encrypt confidential patient information or secure personal information
• Utilize any method of technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person

What personal information must be protected by encryption?

A first name, or first initial and last name linked with at least one of the following:

(1) Social Security number

(2) driver’s license number or other state identification card number

(3) address, or

(4) identifiable health information

New Jersey law Examiner | Consumer protection for healthcare data breaches in New Jersey

The FBI advice for ransomeware attacks, which hold a businesses data hostage for a ransom:

DO NOT PAY THE RANSOM.

Refresh my memory, what are some of these ransomeware attacks? Several hospitals in California have had their systems frozen by ransomeware, forcing a move to manual paper hospital administration. The ransoms have been as small as $8,000.

WallStreet Journal | CIO Journal | FBI Cyber Division Chief Advises Companies Not to Pay Ransom for Release of Data

Which appellate court are we talking about? 7th Circuit

What did they do to keep a data breech law suit alive? held that the threat of impending future harm from a data breach was enough to keep a data breach lawsuit alive

Lexology | Seventh Circuit Reinstates Data Breach Suit Against P.F. Chang’s

Which state is considering new health care data breach laws? California

What health companies are the targets of new data security laws? wearable devices and consumer-facing apps  that track health data like steps taken, heart rate, etc…

Read the bill: California Assembly Bill 2688

The bill’s highlights:

• require customers’ permission—via an “opt-in” request
• Without an opt-in,  personally identifiable information cannot be shared with advertisers, health plans, data resellers
• Prohibit an employer from discriminating against a worker based on findings from that employee’s health-tracker

Business’ concerns: Support privacy, concerned about overreach by government

Privacy Advocate concerns: Seek to require the devices to comply with California’s Confidentiality of Medical Information Act.

The Recorder | Lawmakers Sweat Details of Consumer Health Privacy

Which Attorney General announced a 40% increase in data breach notifications? New York Attorney General Eric T. Schneiderman

Why does the state A.G. track data breach notifications? In NY, businesses must notify the A.G. of a data breach and the A.G. assists in reaching consumers

Has the state improved efficiency for businesses reporting data breaches? Yes, the state moved to an electronic, web-based reporting system

Hudson Valley News Network | A.G. Announces Record Data Breach Notifications

Wall Street Journal | Data Breaches Rise While Companies Struggle With Detection

Michigan is proposing life in prison for someone who is convicted of either:

• hacking a vehicle to gain control over it; or
• stealing a vehicle’s data by hacking.

Tech.Mic | Get Caught Hacking a Car and You Could Get Life in Prison, Thanks to Proposed Bill

Michigan Senate Bill 928 

Michigan Senate Bill 927

Your informed intel:

Which state is making a move to cloud computing that is triggering data security issues and new procurement opportunities? Arizona

What procurement opportunities does the move trigger? 

• Opportunities for cloud based computing storage
• Opportunities for data security firms

Which data security standards will be required? All new procurement contracts and state data centers will have to meet standards contained in:

•  Health Insurance Portability and Accountability Act standards

• the Family Educational Rights and Privacy Act guidelines

• the FBI’s Criminal Justice Information Services strictures

State Scoop: Arizona lawmakers advance bill to spur statewide cloud migration

Why is there a data security issue with 3rd party tax collectors? 3rd party tax collectors receive taxpayer information from taxing jurisdictions

Why is does this raise data security risks? data theft is on the rise & businesses aren’t keeping up with data security protocols to protect taxpayer information

Accounting Today | Saying No to Outside Agencies in Tax Collections

An Office of Inspector General, Security Concerns, and health care contractors– Sound like a familiar mix?

Which health care contractors is the HHS OIG looking into? Medicare administrative contractors

What is the data security concern that is raised? the number of health care data gaps is INCREASING

Healthcare Dive | OIG report: More data security gaps at Medicare administrative contractors

Let’s peak into the Electronic Payments Coalition:

Electronic Payments Coalition- who are they?

• payments industry stakeholders
•  credit unions
• community banks
• trade associations
• payment card networks
• banks

What’s the point of the EPC? 

• EPC protects the value, innovation, convenience, security and competition that exists in the modern electronic payments system

What’s the EPC saying about the federal Data Security Act of 2015 (H.R. 2205)​?

• Retailers are wrong about their position. These reforms are common sense consumer protections.
• This bill would have stopped data breaches. 
• This bill is flexible for all retailers.  H.R. 2205 is scalable and flexible to the size and risk profile of the covered entity

EPC | EPC SUPPORTS COMMONSENSE MEASURES TO PROTECT CONSUMER DATA

What 4 Ways does the Health & Human Services Data Protection Act protect health care data?

• Creates the  Office of the Chief Information Security Officer (CISO) within HHS
• Creates a data protection arrangement between the new CISO, the HHS General Counsel, & the HHS CIO
• Keeps information technology & information security separate to ensure the highest level of security
• Incentivizes better security to protect health care data

Health IT Security | Healthcare Cybersecurity Bill Introduced for HHS Operations

What is the question answered by Attorney General Opinion KP-0076? Whether Bowie County can engage a private company to use a license plate reader data looking for vehicles that don’t have liability insurance?

Is there a fee splitting arangement in this scenario? Yes, the vehcile owner will get a letter from the District Attorney office, and fees will be split 50-50 between the County and the company.

Can this fee splitting arrangement with automatic license plate readers work? No.

What is the statutory solution to make automatic license plate readers ok for counties? Counties need specific authority for the “use of automated photographic or similar technology to enforce the state’s vehicle financial responsibility laws. “

What does the Attorney General analysis look like? Its a laundry list of all the uses for photo enforcement in Texas. The highlights:

• statutes  limit what local government it applies to
• statutes limit specifically what can be captured by the photgraphic enforcement
• statutes limit the kind of penalty that is permitted. (i.e. civil or criminal penalties)

Retailers and Financial Institutions are like the Hatfields & the McCoys when it comes to federal data security legislation.  

Here’s what you need to know when this fight comes to your state legislature:

• Fairness.  Retailers think it unfair to hold retialers to the financial institution standards for customer notification upon a data breach.
• Impact Beyond Small Businesses. The impact of imposing financial institution standards on businesses will impact businesses large and small that operate in the retail sector and all other ecnomc sectors.
• Agreement: Federal Laws are better than state laws. They agree that uniform federal laws that preempt state laws would be preferred for data security.
• Consumer Protections v. Overzealous Regulators. Priority of Democrats is  strong consumner protections, while Republicans are concerned about overzealous federal regulators.

The Hill | Retailers battle financial sector over data breach legislation

What group is calling for improved state data security systems? National Association of State Chief Information Officers

What sparked the call to arms? the cost of cyber crime world wide is $375 billion to $575 billion, which is labled a threat to democracy

What do the NASCIO propose states do? Create statewide cybersecurity ecosystem 

What would a statewide cybersecurity ecosystem link? 

NASCIO |  Advanced Cyber Analytics | April 2016

Politico | Morning CyberSecurity | STATES PUSHED TO UPGRADE CYBER ANALYTICS

WHO WAS CONVICTED: A woman in Pennsylvania reported her rape to the police

WHAT EVIDENCE LED TO CONVICTION: When police came to the scene, they collected as evidence the woman’s fitbit found laying in a hallway

WHY DID THE EVIDENCE INDICATE GUILT: The woman claimed she had gone to sleep and was later attacked, but the data downloaded from the Fitbit indicated the woman was walking about at the time and logged her heart rate

Wall Street Journal | Prosecutors Say Fitbit Device Exposed Fibbing in Rape Case

No. Nien. Nyett. Nej. A federal judge ruled that people caught in the data breach at Ashley Madison cannot remain anonymous. 

Why did these plaintiffs want to be anonymous? Fear of the impact to the professional and personal lives.

Why did the court deny the request? Because the data breach is not equal to instances when a person can remain anonymous. Those instances are reserved for minors, rape, or other highly sensitive matters.

Washington Post | People suing Ashley Madison for last year’s hack can’t be anonymous, judge rules

A poll commissioned by The App Association reveals a distrust of government on data security issues.

The informed intel:

• 54% trust tech companies to secure their personal information
• 21% trust the government to secure their personal information
• 7 in 10 believe hacking is increasing

The Hill | Poll: Voters trust tech companies ahead of FBI on data security

The Credit Union National Association proposed the following changes to credit card processing in Texas to improve data security:

• Data Security at Merchant Level. Require merchants receiving payment by credit or debit cards to protect the sensitive personal financial information they receive;
•  Require Consumers to Notify Card Processors of Breaches. Require card recipients to notify their card processor immediately upon detecting a breach, and require the information be provided to the issuing financial institutions by the card processors;
• Card Issues Should Cover Costs. Allow card issuers to recover costs and losses resulting from a business’s failure to protect or destroy the data; and
• Prohibit Merchants from Storing Card Data Beyond Transactions. Require anyone taking credit or debit cards to remove card data once the transaction is completed.

Credit Union National Association | Texas House committee hears CU’s data breach concerns

Which state jumped on the enanced data breach notification law bandwagon? Nebraska

What 3 changes did Nebraska make to its data breach laws?

• Expand the Data Triggering Notification to incude:
  • user name or email address along with
  • a password or security question and answer
  • that would permit access to an online account
• Expands who Receives notice of a breach. Companies also have to notify the State Attorney General.
• Encryption standard changed so that if the hackers got a hold of the encryption key, the data is no longer considered encrypted.

Nebraska’s LB 835

AdLaw Access | Nebraska Amends Data Breach Notification Law

Where did the ride share data report originate? UBER produced its first ever transparency report

The numbers of data requests from July 2015 to December 2015:

• 33 requests from government agencies
• 11,644,000 riders affected
• 583,000 drivers affected
• California, NYC, and Chicago governmental entities requested the most data
• 517,000 riders & 14,000 drivers impacted by a Houston, TX data request
• 370 riders & 370 drivers impacted by a San Antonio, TX data request

Uber | Transparency Report 

• Liability. did the data security standards create a lawsuit free for all because of the security standard minimum?
• Security Standards required for businesses.
  • the laws calls for reasonable standards
  • the Attorney General reported that Critical Security Controls created by the  Center for Internet Security should be the minimum

WallStreet Journal | Are California’s New Data Security Standards a Recipe for Liability?

Which legislative body is considering data security from the angle of improving existing computer infrastructure in government? Congress

What’s the cost associated with modernizing government computers? $ 3.1 Billion.

Bonjour procurement opportunities.

What’s the argument supporting infrastructure investment? “If we do not invest in our technology and cybersecurity now, we will have no one to blame for the next data breach but ourselves,” Rep. Ted Lieu (D-Calif.)

How will the funding operate? 

• The $3.1 billion will go into the Information Technology Modernization Fund
• Self-sustaining investment fund
• Allows for innovative & rapid upgrades to outdated & vulnerable IT systems
• Creates support for future federal technology infrastructure 

The Hill | House Dem stumps for Obama’s tech modernization push

What have state courts been saying across the country about data breach insurance? General Liability policies don’t cover data breaches

What happened this week to alter this legal trend? The U.S. Fourth Circuit Court of Appeals in Virginia found that a ageneral liability policy covered a data breach

What does the insurance company say? The 4th Circuit Court of Appeals got it wrong. General liability policy that covered “electronic publication of material” with “unreasonable publicity” is not a data breach policy

SC Magazine | Federal court bucks trend, rules general liability insurance covers data breach

What state legislature considered a bill to fine companies that do not decrypt after receiving a court order? California

What happened to this bill to fine companies? Died in committee without a vote

What did opponents to the bill say?

• forced decryption weakens security and personal privacy
• “Do we have a world where there’s no privacy whatsoever for the average citizen?
• Assuming that this body is OK with every agency in the U.S. having access to everything, every application, every phone … are we OK then with the government of Russia having it? China? Iran?
• Because once a backdoor is created, a backdoor exists.”

Who supports the bill? law enforcement

Who opposes the bill? Civil libertarians and tech companies
California Assembly Bill 1681

The Recorder | State Lawmakers Reject Decryption Bill

When did Dallas County have a data breach? In December 2015, it came to light that Dallas County had left personally identifiable information from 10s of 1000s accessible online for more than a decade.

How much does an average data breech cost to remediate? $80 per record. If it exposed 50,000 records that is a $4 million remediation minimum.

How does the remediation cost cover for Dallas County?

• information technology experts to investigate, repair, and secure data (Procurement Opportunity)
• expenses to provide legally required notifications to the citizens (Procurement Opportunity)
• costs to offer identity theft monitoring services (Procurement Opportunity)
• attorney fees (Procurement Opportunity)

  Legal Intelligencer | Cybersecurity Threats Pose Big Risks for Local Governments
   

• Tech & Privacy Interests don’t like provisions forcing technical assistance to government investigations
• Why the hestiancy over forced assistance? It will lead to greater data insecurity
• Ties the hand of businesses that want to provide their customers greater security

The Hill | Encryption bill draft worries tech community

CNET | Encryption bill would force companies to surrender user data

• The Bill creating the Washington State’s new Office of Privacy and Data Protection: Washington State House Bill 2875
• What will be the purpose of the new Office of Privacy & Data Protection?
  • ​Determine what information state agencies are collecting
    • Do we know in Texas? No
  • Work with agencies to reduce the amount of consumer data being collected
  • Monitor & assist wit citizen complaints
  • Annual privacy review of state data collection
  • Educate Washington State residents about consumers about privacy protection

University of Washington Today | UW law students lay groundwork for new state privacy office

CloudPassage has a new report on cybersecurity and high education institutions. Here’s the big picutre:

• None, Zero, Zilch, Nien of the Top 10 Computer Science programs in the country require security courses to graduate
• Of the Top 26 computer science programs, only #12 Michigan requires cyber security
• In 2015, there were 200,000 OPEN computer security positions in the U.S.

Why the lack of focus on cyber or data security among undergrads?

• Its been pushed as a niche area for graduate programs
• not enough graduate students are pursuing cyber security
• there is more of deamnd for “flashy” computer science programmers who can build apps

SC Magazine | Cybersecurity being overlooked by American universities: Report