All the State Budget Data Security Items. Procurement. Procurement. Procurement.

  • April 6, 2016

In Legislative Appropriation Request Trends:

  • 3rd party contracts to assess security at agencies
  • HB 2783 (2013) required a study to see if agency computer systems were legacy.
    • Hello, 3rd party contracts to replace or upgrade legacy systems
    • Legacy systems are a higher security risk
    • Over 1/2 agency computer systems are

In 2015’s State Budget:

  • Article IX, Section 9.10: DIR prioritization of state agencies’ cybersecurity projects
  • Article IX, Section 9.11, Cybersecurity Initiatives
    • 10 agency focus to improve data security by coordination & bulk purchasing:
      1. Department of Aging and Disability Services;
      2. Department of Assistive and Rehabilitative Services;
      3. Department of Family and Protective Services;
      4. Department of State Health Services;
      5. Health and Human Services Commission;
      6. Higher Education Coordinating Board;
      7. Office of Court Administration;
      8. Parks and Wildlife Department;
      9. Department of Insurance; and
      10. Department of Licensing and Regulation.
  • Strategy A.1.3, Statewide Security, for DIR funding for statewide security policy & procedures
  • Strategy C.2.2, Network and Telecommunications Security Services
  • Strategy B.3.1, Statewide Cyber Security Services, for DIR risk management & 3rd party security assessments

LBB | Overview of Cybersecurity Provisions in the 2016-17 General Appropriations Act

The #1 Reason Health Insurance Data is Valuable to Hackers.

  • April 4, 2016

Health insurance and health data sells for 60 to 70 times what social security numbers sell for on the black market.

IT Portal Pro  | Why your medical information is gold for hackers

 

 

INTERIM. 3 Reasons Why State Laws are Necessary for Health Care Data Security. Data Privacy.

  • April 1, 2016

  • State Attorneys General oppose federal control over health care data security and data privacy
  • States are better equipped to make fast changes in the data driven economy
  • Breaches that are small and localized are better handled by local authorities and not the federal government

Health IT Security | Are State Health Data Breach Notification Laws Needed?

INTERIM. Lege Trend: Data Security in Telemedicine. 3 Keys from 1 Western State. Read the Bill. Prep your Client.

  • April 1, 2016

What state recently enacted new telemedicine laws? Washington State

What data security elements were included in the Washington State legislation? 

  • Establishes best practices that comply with “generally accepted health care practices and standards.”
    • Boils down to HIPAA and the HITECH Act & existing state law
  • Establishes a technology standard of “the standards required by state and federal laws governing the privacy and security of protected health information.”
  • Allows Health Plans to deny coverage if these standards are not met

WA SB 6519

Davis Wright Tremaine LLP | M.D. Phone Home: New Legislation Expands Telemedicine in Washington

 

3 Points Informed Intel. Why Hackers Target Healthcare Over All Other Industries.

  • March 31, 2016

Hacking incidents by industry:

  • 23% of data breaches occurred in healthcare
  • 18% of data breaches occurred in financial services
  • 16% of data breaches occurred in education

34% of healthcare data breaches are caused by employee error

The average notification timeline after a breach:

  • 69 days to detect the incident
  • 7 days to contain it
  • 43 days to analyze what happened
  • 40 days to notify potentially affected individuals

Health IT Security | Healthcare Data Breaches Most Common in 2015 Incidents

INTERIM. 3 Ways 1 State Seeks to Tighten Education Contracts. Student Data Security. Read the Bill. Prepare an Offense. Prepare a Defense.

  • March 31, 2016

Which state is making a new move to protect student data? Colorado

What does it mean for education contractors? New Rules. New Data Security Requirements.

3 Key prohibitions in the bill:

  • prohibit education contractors from selling personally identifiable student information
  • prohibit use of student information for targeted advertising to students
  • Prohibitions follow to the subcontractors
  • Establishes data security protocols tied to education contractors

CO HB 16-1423

Chalkbeat Colorado | Colorado lawmakers try again to tighten protection of student data

Lege Trend: Shorten Notification Requirements for Business with Data Breaches.

  • March 30, 2016

Which state updated its data breach law in March to shorten the timeline for notification? Tennessee

How long do Tennessee businesses with data breaches have for notification? 14 days from discovery or notification of the breach

Is there an exception to the 14 days? Yes, a legitimate law enforcement need

Did Tennessee also expand what triggers a notification? Yes

What new event triggers a notification? When the breach is caused by your own employee

TN SB 2005

JD Supra | Alston & Bird | Tennessee Updates Data Breach Statute to Require Notice in 14 Days

Lege Trend: Reworking Agency Data Security. Procurement. Procurement. Procurement.

  • March 30, 2016

Which state passed new data security laws in 2016? Wyoming

Were the new laws the result of a breach or a legislative mandate? The result of a 2 year,  4-member Joint Task Force on Digital Information Privacy

What are agencies asked to do?  2 tasks

  • Agencies must review their data collection, handling, security and management.
  • Agencies must assess their stored data and explain why they collected it and whether it really still needs to be stored

Where does procurement come into play? To fix and protect the data in perpetuity as state and local governmental entities determine industry best practices. Any wagers on whether government currently implements best practices to protect data?

Wyoming SF 38 

Wyoming Tribune Eagle | Law requires state agencies take 2nd look at data security

Wyoming Business Report 

 

 

INTERIM. 2 Points Informed Intel. Regulatory Guidance for Data Security while Government Teleworking. Contracting Opportunities.

  • March 25, 2016

What entity released guidelines on teleworking and cyber security? The National Institute of Standards and Technology

What suggestions in the guidelines will direct procurement opportunities?

  • virtual mobile infrastructure technologies

    • that create temporary, secure environments, destroyed when the session is over, for teleworkers who need to access organizational data

  • mobile device management technology
    • technology to force devices to adhere to certain security standards before granting them access to sensitive data

Fed Scoop | NIST issues draft cybersecurity guidelines for teleworking

Another Healthcare Facility Hit with Ransomware. The Informed Intel in 3 Points.

  • March 25, 2016

  • Methodist Hospital in Kentucky was hit by ransomware
  • The ransomware, of the “Locky” strain, encrypted files, deleted the originals and is holding all the hospital’s data hostage for $1,600, or 4 bitcoins
  • Hospital paperwork is being processed by hand

Krebs on Security | Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection

Governing | Hackers Target Hospitals for Ransom

Lege Trend: Cyber-insurance Regulation. Intel from the Insurers.

  • March 24, 2016

  • Cyber security is a dynamic problem
  • Flexible solutions include cyber insurance
  • Cyber Insurance is in a nascent market stage 
  • Cyber Insurance can mitigate risk and help consumers see their cyber exposure

 

KOAM 7 | AIA Statement on House Homeland Security Committee Hearing on the Role of Cyber Insurance

New Technology Device Being Hacked. Informed Intel on the Hacking of Wireless Mice. Why Regulators Pay Attention.

  • March 24, 2016

Why are wireless mice vulnerable to hacking? Unencrypted communication with computers is what guides the mice.

What does that mean? For $20, someone a block away can trick your computer into using its mouse and steal your data.

Why would regulators care? Because regulators stress encryption in data security. 

Reuters | Wireless mice leave billions at risk of computer hack: cyber security firm

Health Care Data Security. Non-HIPAA Entities. Health & Wellness Apps Beware. Medical Billing Companies Hello. Bonjour Medical Transcribers.

  • March 24, 2016

What entities are the new targets for data security enforcement? HIPAA-adjacent health and wellness companies.

Why are HIPAA-adjacent health and wellness companies the focus of regulators? These companies collect and store personal health information. For example:

  • Fitbit & health apps. That data from your Fitbit gets stored somewhere, and if it were collected and stored by a health care provider, it would be protected information.
  • Medical billing companies
  • Medical Transcription Services.

What kind of enforcement actions are being considered for this health care app data? Regulators are looking for reasonable & appropriate data storage and data security protection. 

Health Data Management | FTC steps up protection of consumer health data

 

Data Security Arrests for Water Infrastructure Cyber Mayhem. Informed Intel:

  • March 24, 2016

The U.S. Justice Department arrested individuals who attempted to break into a small dam to disrupt operations. The informed intel:

  • 1st time someone has been charged with disrupting, or attempting to disrupt, critical U.S. infrastructure.
  • The charges are “cyber mayhem” to disrupt the water infrastructure.

Washington Post | U.S. charges Iran-linked hackers with targeting banks, N.Y. dam 

6 Ways Tech Has a Bigger Role in Elections. Campaign Contributions. Campaign Issues.

  • March 18, 2016

  • Gain legitimacy as mode of information providers & conduits
  • More than 1/2 of the debates have been co-sponsored by tech companies
  • Gaining traction as a barometer for public mood via:
    • YouTube debate questions
    • Google analytics use in debate questions
    • Twitter posts utilized in debate questions
  • They host spin rooms, debate lounges to discuss candidates
  • Develop campaign technology
  • Advertising mediums

The Hill | Tech’s Big Play in 2016

Legal Trend: Federal Appeals Court Affirms Dismissal of Health Care Data Breach Suit

  • March 18, 2016

What happened that led to a lawsuit? A health care network experienced a data breach and followed its internal protocols to handle the data breach.

What did the plaintiffs allege that the health care network didn’t do that caused them harm? That the health network had violated the HITECH Act in protecting personal health information

What did the courts say? “There is no case law that suggests that an isolated privacy breach or discrete series of related breaches constitute a violation of the HITECH Act,” states the district court opinion. “Moreover, the Relator fails to allege that KHN failed to implement policies and procedures to address various security risks.”

What’s the take away? When a health care provider follows data breach protocols to protect health records, following those steps shows protections for health records.

Health IT Security | US Appeals Court Affirms FCA Healthcare Data Breach Case

University Policy Reaction to Hackers Backfires. 5 Keys to Keep in Mind.

  • March 16, 2016

What happened on University of California campuses to cause a UC hacker policy? In 2015, hackers broke into the UCLA Medical Center.

In response to the hack, what policy did UC officials enact? UC installed data monitors that store internet traffic on campuses for 30 days

Do faculty like this idea? No, UC has a policy dating back to the 1930s that provides for collaborative policy making in conjunction with faculty input. It’s all very Californian.

Did UC create a greater data security risk? Some say yes, because capturing and storing 30 days of university internet traffic is a treasure trove of data for hackers

Which UC official decided to install data collection monitors? Janet Napolitano, the university president and a former secretary of homeland security in the Obama administration

NPR | All Things Considered | At Calif. Campuses, A Test For Free Speech, Privacy And Cybersecurity

 

Lege Trend from SXSW: CyberStalking Crime. Data Privacy.

  • March 16, 2016

Who is touting new legislative approach to cyberstalking? Rep. Katherine Clark (D-Mass.)

What does her bill do? 

  • make it easier for law enforcement to arrest cyberstalkers 
  • create a $20 million grant to aid local and state law enforcement
  • Create a national resource center for research & technical information for law enforcement officers and prosecutors.

SC Magazine | SXSW: Dem. lawmaker plans to introduce online harassment legislation

BuzzFeed | Congresswoman Unveils Plans To Prosecute Severe Online Threats Against Women

Trending: Data Security on the Roadways.

  • March 16, 2016

Data security of self-driving cars spurs calls for uniform data security standards for self-driving cars.

Has there been a push for self-driving car regulations or statutes in Texas? Yes, why yes, there has. 84R HB 933

Did those pushes include data security issues? No.

The Hill | Lawmakers worry about cyberattacks on self-driving cars

Trucks. Buses. Ambulances. Cyber Security Issues. 3 Key Points.

  • March 11, 2016

  • Spanish hackers discovered that devices that make logistics companies more efficient are subject to being controlled by hackers
  • Companies use “telematics gateway units” or TGUs, small radio-enabled devices attached to industrial vehicles’ networks to track their location, gas mileage and other data
  • The ability to locate large vehicles and ambulances creates public safety concerns

Wired | Thousands of Trucks, Buses, and Ambulances May Be Open to Hackers

Lege Trend: Governmental Sharing of Cybersecurity Issues.

  • March 11, 2016

What’s Congress’ new cybersecurity idea? To “increase information sharing among the Homeland Security Department and state and local governments about cyber threats and vulnerabilities”

Whose idea is this? Congressman Will Hurd filed a bill in December 2015 & Sens. Gary Peters and David Perdue are introducing a bill in March 2016
 

Politico | Warner, McCaul and Obama talk tech in Austin

 

What Tops County and City IT Director Concerns?

  • March 11, 2016

DATA SECURITY.

Emergency Management | Cybersecurity Tops County and City IT Director’s Concerns

Health Care Data Protection Changes from the Feds Will Filter to States

  • March 11, 2016

  • Improving Health Information Technology Act (S. 2511)
    • electronic health records interoperability
    • establishing a medical device postmarket surveillance system
    • loyal subscribers will recall the hacking of medical devices
  • Ranking Member Patty Murray’s amendment to S.1878
    • medical device data safety and effectiveness
    • how do we keep consumers aware of medical device data security issues?

Healthcare IT | How Recent Senate HELP Bills Affect Healthcare Data Security

$170 Billion CyberSecurity Market.

  • March 10, 2016

  • By 2020 the worldwide cybersecurity market will reach $170 billion
  • In 2015 the worldwide cybersecurity market is $75 billion
  • Cybersecurity related firms will spend $170 Billion 
  • By 2019, the cost of data breaches will be $2.1 trillion

researcher Markets and Markets | Cyber Security Market by Solution (IAM, Encryption, DLP, Risk and Compliance Management, IDS/IPS, UTM, Firewall, Antivirus/Antimalware, SIEM, Disaster Recovery, DDOS Mitigation, Web Filtering, and Security Services) – Global Forecast to 2020

Forbes | Worldwide Cybersecurity Spending Increasing To $170 Billion By 2020

INTERIM & TREND: Data Ransom. Newest Target: Local Governmental Entities & Private Sector. 5 Bits Informed Intel.

  • March 10, 2016

What local governmental entity department was the newest target to hackers holding data for ransom? Durham, N.H., Police Department

How did the hackers do it? Attached a file that appeared to be a fax file to an email on a relevant police investigation.

What did the police department do? Pay the ransom? Beat the ransom technology? The police department mitigated damage by recovering the locked files from a backup copy that hadn’t been infected. The department paid no ransom.

Is this an isolated example? No, these police departments have also been affected by ransomware:

  • 5 small police departments in Maine
  • Police departments in these states have been hit by ransomware:
    • Illinois
    • Massachusetts
    • Tennessee
  • These local governments have been hit by ransomware:
    • Detroit
    • Medfield, Massachusetts

How has ransomware grown in the private sector? FBI says in 2014 the number of incidents grew 114%

 

Governing | Hackers Hold Police Files Hostage for Ransom

New Agency Jumps into Data Security Regulations. Consumer Financial Entities. 3 Key Points.

  • March 9, 2016

  • the Consumer Financial Protection Bureau levied a fine against an online payment system company for the company’s data security practices in violation of the Consumer Finance Protection Act
  • Consumer Financial Protection Bureau? Sounds Like Consumer Credit Commissioner?
  • The regulators say the encryption touted by the company did not live up to its hype

Bloomberg BNA | Consumer Finance Agency Levies First Data Security Fine

National Law Review | Dwolla Fined $100,000 by CFPB in First Data Security Enforcement Action

Consent Order Between the Consumer Financial Protection Bureau and Dwolla

INTERIM. More Data Security Warnings for Energy Infrastructure

  • March 4, 2016

Who is issuing the warning? The Obama Administration

What entities are being warned about data security threats?

  • power companies
  • water suppliers
  • transportation networks

What’s sparked the warning? The attack on Ukraine’s power grid 2 months ago. It was the first cyberattack that produced a widespread blackout

What was the target of the cyber attack? industrial control systems that act as the intermediary between computers and the switches

What could hackers do with control over industrial control systems?

  • distribution of electricity
  • guidance systems for trains
  • valves that control water supplies
  • machinery that mixes chemicals at factories.

New York Times | Utilities Cautioned About Potential for a Cyberattack After Ukraine’s

Data Security Procurement Opportunity

  • March 4, 2016

Which governmental entity is seeking contractors for data security? Department of Defense

What is the data security objective? $600 million in computer system for background checks

Can similar procurement opportunities present themselves in Texas? Absolutely, keep your eyes open and subscribed to informedintel.com

Reuters | Pentagon to tap private industry for background check IT system

 

Report: Businesses Reluctant to Report Data Breaches. 3 Bits of Intel.

  • March 4, 2016

What group issued this report? The Institute of Directors, with support from Barclays

What rate of businesses reporting data breaches did the report find? 1/3

What percentage of businesses maintained cybersecurity insurance? 20%

WSJ | Report Warns U.K. Businesses to ‘Get Real’ on Cyberattacks

What Major US Company is Advertising its Government CyberSecurity Services?

  • March 4, 2016

AT&T.

The ad:

Cyber Security for Government

Help keep your agency’s information protected. Our proactive network-based approach to managed security delivers some of today’s most powerful weapons to combat cyber security attacks — helping to safeguard the elements of your IP infrastructure. To learn more about security solutions for your agency, please visit www.att.com/govsecurity.

INTERIM. Lege TREND: National Commission on Security and Technology Challenges. 3 Bits Informed Intel.

  • March 1, 2016

Data security and new government agency leadership posts and new agencies go hand in hand. 

Pending federal legislation would create the National Commission on Security and Technology Challenges.

Here’s the info you need about the National Commission on Security and Technology Challenges:

  • it’s bipartisan: Senate Intelligence Committee member Sen. Mark R. Warner (D-Va.) & House Homeland Security Committee Chairman Michael McCaul (R-Tex.)
  • required new agency report detailing:
    • benefits of encryption in protecting privacy and civil liberties
    • costs of weakening encryption
    • versus
    • impact on criminal investigations and counterterrorism
  • 16 members chosen equally between House and Senate, majority and minority parties

Multichannel News | Encryption Commission Legislation Introduced

 

INTERIM. Lege Trend: State Cyber Security Czar

  • February 29, 2016

From where did this cyber security czar idea emanate? It was in the 2016 proposed federal budget from the White House. The feds had a gigantic data breach, so it’s time to fix it.

Are states picking up on a state cyber security czar position? Yes, including a proposal this week from California

What moves states to implement a state cyber security czar? Here’s what motivated California legislators:

  • 160 state departments hold personal information about residents including:
    • SSNs
    • home addresses
    • medical information
  • On a voluntary state audit, 73 of the 77 responding state agencies said their departments “are not in compliance with cyber security standards”
  • The State Department of Technology says it’s because agencies do not have enough funding for up-to-date technology

The Recorder | Lawmakers Seek Fix for State’s Cybersecurity Woes

 

 

Remember that 2015 IRS Taxpayer Data Breach? It's Back & Bigger. 2 Bits Informed Intel.

  • February 28, 2016

  • On Friday, February 26, 2016, the IRS said oops, there were more taxpayers affected by the data breach than we thought. Our bad.
  • How much worse? Oh, just a couple extra 100,000s.

The Hill | IRS: Taxpayer breach much larger than previously reported

New health care segment a focus of data security:

  • February 28, 2016

Drug Delivery Systems data is a new target and concern for data security.

Medical Device & Diagnostic Industry | The Data Revolution Comes to Drug Delivery

INTERIM. 98% of health care data breaches caused by…

  • February 28, 2016

…hackers. Yes, that’s right, 98% of the data breaches in 2015 that occurred in health care were initiated by hackers.

That’s an 80% increase over 2014.

What is the intent of the hackers that seek health care information? 

  •  identity theft
  •  leverage the health care data to access medical care
  •  conduct corporate extortion 

AJMC.com | Cyberattack on Hollywood Hospital Part of a Growing Trend

New Head of DIR beginning March 2016

  • February 26, 2016

Stacey Napier will lead the Department of Information Resources as its executive director beginning mid-March 2016.

Napier replaces Todd Kimbriel, the interim executive director of DIR. 

An overview of her background:

  • She arrives from Governor Abbott’s office.
  • She was with the Texas Attorney General’s Office for 10+ years
  • She was previously the Chief of Staff to former state Sen. Florence Shapiro

Austin Business Journal | Texas names Capitol veteran as technology agency director

3 lessons from a data breach lawsuit. Specs Liquor v. Insurance.

  • February 26, 2016

Spec’s experienced a data breach that resulted in legal fees. Spec’s was insured and has sued its insurer over the coverage of costs incurred from the data breach.

3 Take aways from a Texas Company with data breach insurance coverage:

  • Spec’s wants its insurance company to pay its legal fees for a legal fight between Spec’s and the credit card processor that experienced the data breach
  • Insurance companies have become good at covering the initial expenses (notifications, initial legal fees, computer forensics) of a data breach; it’s these longer term expenses, like litigation, where it gets murky
  • Insurance companies have been re-writing general commercial liability policies to expressly exclude coverage for data breaches and instead offering a separate policy

Houston Business Journal | Spec’s lawsuit raises questions on how insurance companies should handle data breaches

Data Security Trend: Health Data Held Hostage for Ransom. Is it a crime?

  • February 23, 2016

The question for Texas: does holding business data hostage constitute a crime?

Where did data get held hostage? In California

How was the data held hostage? A “malicious ‘ransomware’ application to encrypt data on the hospital’s computer system, demanding payment in exchange for a decryption key”

What type of business?  Hollywood Presbyterian Medical Center  patient input information 

What did the hackers want? $17,000 worth of bitcoin was paid to retrieve an encryption code.

Were patients harmed? No patient records or hospital care was impacted.

The Hill | Ransomed hospital pays $17K to hackers to restore computer access

5 Bits Informed Intel on License Plate Reader Data and Legislative Restrictions. Procurement Doors Closing.

  • February 19, 2016

How much data has been gathered by license plate readers in Texas? Estimated 10 million license plate pictures, with locations, collected per month.

What can be done with this stored license plate information?  It can track the location of a vehicle by plotting its sightings by day and time

What’s happening on this legislatively?

  • In 2015, Texas bills preventing license plate recording & collection died
  • Arkansas & Utah prohibit private companies from amassing license plate data collection
  • California permits the collection of license plate data for 60 days, longer if the information is being used in an active felony investigation
  • Colorado allows for data retention for 3 years, then the data must be destroyed
  • Maine allows license plate readers for limited law enforcement purposes and data can only be retained for 21 days
  • Maryland prohibits license plate readers
  • New Hampshire allows license plate readers for limited law enforcement purposes
  • Tennessee limits license plate data retention to 90 days

Lege Trend: Curtail Release of Any and All Student Data to 3rd parties. Bonjour, education vendors.

  • February 19, 2016

What happened to spark stronger student data privacy protections? A court allowed for the release of student data to a group of parents who are fighting a court battle over the quality of education for disabled students.

What data do legislators want to prevent schools from releasing?

  • student social security numbers
  • medical histories
  • mental health assessments
  • student disciplinary records

What is the noble purpose of the legislative action? Schools collect data that is neither required by law nor required for public education purposes

The Recorder | Lawsuit Spurs New Student Privacy Proposal

California Assembly Bill 2097 

Legal Trend: Lawsuits Over Smart TVs gathering & selling your data. the machines are alive. 2 Bits Informed Intel.

  • February 19, 2016

What data is being collected and sold by electronic devices? Smart televisions gather information about viewing habits and that data is sold to third parties.

Do owners of smart TVs know or have they consented to the data collection? According to a series of lawsuits, no, owners neither know of the data collection nor consent to it.

WFAA | Vizio’s smart TVs are snitches, lawsuit alleges

 

Legal Trend: Court Says Data Breach Is a Recognizable Injury for Lawsuit. The Case, a Health Care Lawsuit. 3 Bits Informed Intel.

  • February 17, 2016

What class action is progressing?  The suit involving the Anthem Inc. health breach that affected 97 million.

What did the judge do that allowed the class action to move forward? Rejected Anthem’s argument that a data breach is not a recognizable injury

What does this mean? Courts have split on whether a data breach, with no proof that the stolen data has been used to cause a harm, is enough of an injury to satisfy a lawsuit. The California Judge’s order says it is enough of an injury for a lawsuit under New York’s General Business Law, similar to California’s Unfair Competition Law. 

The Recorder | Judge Rejects Key Defense in Anthem Data-Breach Suits

 

INTERIM State Attorney General Releases Data Security Recommendations. 3 Bits Informed Intel.

  • February 17, 2016

Which Attorney General office analyzed state data security breaches? California

What is the most popular data to breach?

  • social security numbers
  • credit card information
  • medical information

What recommendations to policymakers emerged?

  • Follow all the 20 controls in the Center for Internet Security’s Critical Security Controls, otherwise your company isn’t offering reasonable data security
  • multi-factor authentication must be available
  • encryption must be standard business practice
  • All states should harmonize their data breach laws to make them effective

Lake County News | State attorney general releases Data Breach Report; more than 49 million records compromised

California Attorney General Data Breach Report

Business Trend & Lege Trend: Data Security Regulation Impact to Car Manufacturing & Dealers. 3 Keys.

  • February 14, 2016

  • Auto Manufacturers are facing data security issues related to connected cars
  • Car Dealers are facing data security issues related to customer data, and that customer data ties to car data
  • This combination, which ties customer data privacy to hackable connected cars, requires “robust cyber security infrastructure [that] could give his firm competitive advantages against their competitors.”

Computer Business Review | Cyber security showroom – How Lookers put data security into car dealership

Lege Trend: Data Security in Probate

  • February 14, 2016

Providing mechanisms to address a decedent’s online presence is a growing trend. 

This sounds rather nerdy, why is it important to a corporate client? Because the state may tell your client what it can and cannot do with customer data.

So, what state is now wading into this territory? Wyoming

What could happen with data at death?

  • A user would be able to direct a service, like Facebook,  to turn their accounts over to a fiduciary at death
  • Or, if a will isn’t so set up, then a data custodian  may turn the user’s account information over to a fiduciary or representative of the estate through a court direction

Government Technology | Data Protection, Privacy Bills Make their Way Through Wyoming State House

Data Security and Motor Vehicles. Who Proposes What.

  • February 11, 2016

What regulation proposals are floating around related to connected cars and data security?

Data Security Monitor | Automotive IT News | Legal Developments in Connected Car Arena Provide Glimpse of Privacy and Data Security Regulation in Internet of Things

Trending: Create an Executive Branch Position to Coordinate Cyber Security

  • February 11, 2016

Which executive is proposing a new cabinet level position to coordinate cybersecurity? President Obama’s proposed budget includes the creation of “new high-level federal official to coordinate cybersecurity across civilian agencies and to work with military and intelligence counterparts”

Is there a new cyber security plan? Yes, the “Cybersecurity National Action Plan”

What’s the goal?  build a cohesive, broad federal cybersecurity response that will:

  • “drive cybersecurity policy, planning, and implementation for IT systems across” the federal government
  • set and monitor performance goals for agencies

What will the new position do?

  • Offer more training for the private sector, including:
    • password and pin authentication to sign onto tax data
    • 2 step authentication for government benefits
    • Reduce the use of Social Security numbers for identification

Top Tech News | Obama Administration Plans New High-Level Cyber Official

Wall Street Journal | White House Proposes New Cybersecurity Plan

 

Lege Trend: Congressman wants to Preempt State Laws Barring Encrypted Devices

  • February 11, 2016

What do the feds want to stop the state legislatures from doing? barring the manufacture and sale of unbreakably encrypted smartphones

Why does this matter? California and New York have pending legislation to bar the manufacturing and sale of unbreakably encrypted smartphones.

Why would the state want to prevent unbreakably encrypted smartphones? Law enforcement wants access to smartphone data.

What groups are involved in this policy fight? tech companies v. law enforcement

The Recorder | Bill Would Bar Encryption Measures at State Level
 

 

INTERIM Lege Trend: State Data Collection Bills. 5 Bits of Informed Intel.

  • February 5, 2016

The Virginia legislature is considering the Government Data Collection and Dissemination Practices Act which would:

  • prohibit the state from secretly collecting data
  • prohibit data collection “without a clear need for its collection”
  • prohibit data collection by “fraudulent or unfair means”
  •  targets of data collection would be notified about the purpose of the information gathering and would be given the opportunity to amend, correct and erase “inaccurate, obsolete or irrelevant information,”
  • require agencies that store data to use secure methods for holding the data

Governing | 7 Tech Policy Issues to Watch in 2016

Cyber Security Reforms Found More Deep Pocket Donors

  • February 5, 2016

The Hewlett Foundation has a $65 million initiative in cyber security.

Robert and Renee Belfer just added $15 million for the Belfer Center for Science and International Affairs at Harvard’s Kennedy School to establish the Cyber Security Project. 

Inside Philanthropy | Meet a Wealthy Family That Cares About Cybersecurity

INTERIM Lege Trend: Protect Student Data Leading the Pack in the North. 3 Bits of Informed Intel.

  • February 5, 2016

Minnesota wants to do a better job protecting student data privacy. Here’s what the land of 10,000 lakes is proposing in its House Bill 2386:

  • prohibit schools from forcing students to supply their access information to personal social media accounts
  • prohibit school employees from forcing students to alter the settings of their accounts to make information visible to the public
  • opens violating schools up for legal action on the part of the affected student

Governing | 7 Tech Policy Issues to Watch in 2016

INTERIM Lege Trend: State Data Security Commission from the East Coast. Public Private Partnerships. 4 Bits of Informed Intel.

  • February 5, 2016

New Jersey Legislature is considering SB 808 that would:

  • Create a 6 member Cybersecurity Commission under the Department of Law and Public Safety
  • tasked with evaluating New Jersey’s “informational infrastructure”
  • private and public collaboration on cybersecurity
  • Issue recommendations on:
    • securing state networks
    • offering strategies to bolster the cybersecurity industry in the state
    • providing cyberhygiene and awareness

Governing | 7 Tech Policy Issues to Watch in 2016

INTERIM 2016 Data Security Poll Numbers. Fear of Regulation & Legislation.

  • February 2, 2016

  • 31%  worry about internal controls over financial reporting;
  • 26% are sleepless over data infiltration and IT security;
  • 20% aren’t cozy over tax compliance;
  • 17% fear the madness of future regulatory mandates.

Bloomberg BNA | DATA SECURITY SEES POLL NUMBERS RISE

January 28th: Data Privacy Day. 10 Data Security Trends for 2016.

  • January 28, 2016

  • Fitbits will get hacked.
  • The E.U. and U.S. fight on data security will continue
  • Businesses should have data security policy & do risk assessments
  • Data Security will be guided by industry specific standards 
  • Telephone Consumer Protection Act will be a new source of data security lawsuits
  • Company issued electronic devices vs. personal electronic devices means more now that we’re in the age of data security
  • Curate and protect your social media like you do your health data from your fitbit
  • FTC and FCC will go stronger to protect data
  • HIPAA and data security will see a renaissance
  • Develop a breach notification plan (regulators are rewarding those that do)

National Law Review | Top 10 for 2016 – Happy Data Privacy Day

Lege Trend: Data Encryption Bans. 4 Bits of Informed Intel.

  • January 28, 2016

  • Which states have pending legislation to penalize fully encrypted cell phones? California & New York
  • What fine is being imposed under these bills? $2500
  • What’s the goal of these encryption bans?
    • help law enforcement better combat human trafficking and other serious criminal activities that are being conducted over hidden encrypted networks and locked devices.
  • What groups oppose these encryption penalties?  The tech and privacy community

The Hill | Calif. bill would ban fully encrypted smartphones

Business Trend: No Taxes on Data Breach Protection Services. 2 Bits of Informed Intel.

  • January 26, 2016

The IRS has ruled that businesses can go tax free for credit monitoring & identity theft protection services that:

  • are provided by employers to employees following a data breach
  • are provided before a data breach

National Law Review | Tax Benefit for Early Cybersecurity Protections

 

 

Trending: Libertarians, Civil Libertarians & Privacy Advocates Want to Repeal 2015 Federal Data Security Laws

  • January 26, 2016

4 Key points to know now:

  • Incentives for corporations to share data are a ruse for law enforcement to access data without a warrant
  • Libertarians are calling the 2015 law, “the worst anti-privacy law since the USA Patriot Act”
  • Undermine government accountability
  • Erode American privacy protections

The Hill | Critics urge lawmakers to repeal recently passed cyber law

INTERIM Lege Trend: Creating a Privacy and Consumer Protection Committee

  • January 26, 2016

California Assembly has a new committee to handle privacy and technology issues. What’s the committee jurisdiction?

  • drones
  • data security & breaches including in health care
  • Smart cities that use technologies to communicate with residents
  • security of networks
  • oversight of state computer data security

The Recorder | Calif. Lawmaker Forecasts Busy Year in Privacy

INTERIM. Home of the Ducks is now Home of Data Security. 5 Bits of Informed Intel from a new Data Security State Law.

  • January 24, 2016

  • data breach defined in new Oregon law as:
    • “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.”
  • personal information that triggers the notification statute
    • Social Security number;
    • Driver license number or state identification card number issued by the Department of Transportation;
    • Passport number or other United States issued identification number; or
    • Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account
  • Statute only applies to unencrypted information
  • law enforcement can delay notification if it would impede an investigation
  • Statute does not apply to medical or health insurance information

Health Security | Oregon Data Breach Notification Law Goes Into Effect

Teacher Data Hacked. 3 Keys from the ISD Response.

  • January 24, 2016

What did hackers breach? Lawrence, MA Public Schools’ online database

How did the hackers breach the school database? A phishing attack 

What did hackers take? Teachers’ personal information:

  • names
  • phone numbers
  • addresses
  • Social Security numbers
  • calendar year 2015 gross earnings

How did the school district respond?

  • email to teachers informing them of the breach
  • explained that the district would:
    • mitigate the breach
      • directing teachers to sign up for 90 days of free credit monitoring
    •  prevent future breaches
    • work with Massachusetts State Police, State Attorney General, & the state Office of Consumer Affairs and Business Regulations
  • The day after emailing the teachers, the district issued a press release

Eagle Tribune | Teachers’ personal data hacked

Trend: Police Officer Body Cameras Data Storage and Data Safety. Top 3 Concerns for 1 State.

  • January 21, 2016

Maryland’s concerns over data storage and security for police body cameras include:

  • Price tag to store the data is prohibitively expensive
  • The data costs have stopped police departments from using body cameras
  • The storage retention policies differ for the recordings.
    • General 90 day retention
    • If there is an ongoing investigation data retention is for the length of the investigation
    • any video considered evidence must be maintained for 4 years

Record Journal | Legislature expected to revisit body camera law after worry about data storage cost

INTERIM. Lege Trend: Data Security Proposal. 3 Points to Know Now.

  • January 21, 2016

What kind of data breach triggered data breach law changes in Maine?  A health care data breach affecting 120,000.

What requirements does the legislator want? Extended credit monitoring & fraud protection services requirement to total 2 years.

Are these legislative changes from a chairman? Yes, the Maine legislator behind this push is the House chairman of the Insurance and Financial Services Committee.

Kennebec Journal| Waterville legislator seeks more protection for victims of Augusta hospital data breach

INTERIM. 8 Elements of Data Security Laws & Regulations.

  • January 21, 2016

  • Data Breach Definition.
    • What data was breached?
    • The level of knowledge the data holder must have of the breach before notification is triggered. Did they know? Is it reasonable that this data was breached?
  • How to treat good faith access to data by an unauthorized employee
  • How to treat the breach of account credential information.
    • user name, passwords, and security questions
  • Timing.
    • When must notification be given?
  • How to treat data processors, people who hold the data but are not the owners of the data.
    • Must data processors notify data controllers immediately?
    • An example would be a contractor who has a data breach of state employment records.
  • Whether identity theft protection must be offered and for how long.
  • Can companies waive their liability?
    • California law prohibits this waiver.
  • Statutory risk mitigation requirements.

The Recorder | Know the Basics of Data Breach Notification Laws

 

Model Health Care Data Security legislation. 3 Key Elements.

  • January 17, 2016

  • A limited time healthcare industry cybersecurity task force
  • The taskforce includes cybersecurity experts and healthcare stakeholders
  • The charge to the task force:
    • analyse the cybersecurity risks facing health care
    • recommend ‘actionable cyber threat indicators & defensive measures

The legislation people are looking to: Congress cyber security legislation.

The Global Legal Post | Healthcare sector suffers chronic data breaches

 

New Legal Trend. Suing the Company Hired to Stop the breach. 2 Take Aways for Government Procurement for Data Security Services.

  • January 17, 2016

What’s happening? Affinity Gaming, owners of 11 casinos, is suing the company it hired to contain a data breach.

How is this relevant to Texas government? Pay close attention to the enforcement actions and lawsuits that emerge from the federal government OPM data breach in which the company hired for remediation.

Why is this important? The laws related to data security are changing at lightning-fast speed. Faster than a lobbyist can walk, and on a very complex, technical topic which does make for smooth lobbying.

iapp | Daily Dashboard | Is this case a new avenue for data breach liability?

Trend: Financial Regulators Target Security. 3 Trends.

  • January 17, 2016

The SEC is getting tough on data security. State financial agencies likely to follow suit. Here’s what’s happening:

  • Enforcement actions against companies with weak security protocols
  • The SEC expects financial firms to have security planning in place before a hack
  • Periodic risk assessments and encryption are key

Financial Times | Securities and Exchange Commission gets tough on cyber security

INTERIM. Auto Manufacturers. Hackers. United Front. The Impact to Lege Trends and Regulatory Trends.

  • January 17, 2016

Why is GM embracing white hat hackers? To help identify and notify of security risks.

What’s the industry response? Just announced: Detroit’s first public security vulnerability disclosure program, bringing together GM and HackerOne

What’s the benefit to white hat hackers? As long as the hackers follow basic published protocols, the hackers can challenge security without legal repercussions.

So, it’s creating charitable immunity for white hat hackers? In contract form, yes. It allows hacker alliance to continue its bounty hunting without legal ramifications.

ARS Technica |  GM embraces white-hat hackers with public vulnerability disclosure program

 

 

INTERIM. 2 Elements of a Data Breach Response That Trigger new State Causes of Action.

  • January 17, 2016

What dam got hacked? Iranian hackers targeted a dam in New York. Shortly thereafter Ukrainian hackers got into a power grid.

What type of hack triggers a state response or the creation of a new state penalty?

  • Look to whether the hackers took control of the system or just “looked around”
  • Look to whether any person was injured as a result

Just Security | Was the Cyber Attack on a Dam in New York an Armed Attack?

Lege Trend: Tech Caucus. 3 Priorities.

  • January 14, 2016

California Legislature has a newly formed Tech Caucus. Its full name is the Legislative Technology and Innovation Caucus.

One would think if any state had a tech caucus, it’d be California. Such is not the case. It was founded by the legislator pushing ride share legislation in California. 

The priorities of the fledgling tech caucus are:

  • Touting the sharing economy. 
    •  ride share, fly share, move share, house share
  • workforce training and workplace diversity
  • bring together tech industries and associations

The Recorder | Tech Caucus Forms, But Hasn’t Taken Shape

Library Data. Do Cities Protect it? Do Universities? 3 Points from the Pro-Delete User Records Side.

  • January 14, 2016

  • The City University of New York began purging data because it believes libraries should only keep information users want
  • American Library Association doesn’t believe you are what you read and opposes law enforcement use of library records.
  • The Library Freedom Project supports protecting web searches on public computers, encouraging libraries to operate exit nodes and Tor, a difficult to trace web browser

The Guardian | You are not what you read: librarians purge user data to protect privacy

INTERIM. Lege Trend. State Suffers Major Breach. Responds with 2 Step legislation.

  • January 10, 2016

What was the state government data breach? In 2012, South Carolina suffered a data breach that exposed records for 6 million taxpayers.

What legislative fixes have emerged from South Carolina in wake of this data breach?

  • Support agencies’ preventive measures
    •  dual-password programs
    • laptop encryption
  • Centralize cybersecurity in an office under the governor.
    •  Allows an information security director to oversee and enforce statewide standards.

Governing | 2016’s Top Legislative Issues to Watch

Hacking Mother Lode at the U.S. Department of Education. 5 Points to Know First. Education Contractors Be Aware.

  • January 8, 2016

  • Treasure Trove of Data. House Oversight Committee Chairman Jason Chaffetz (R-Utah) is warning that a hack on the Department of Education would make the OPM data breach look like child’s play
  • 1/2 of all U.S. government records are at the U.S. Department of Education
  • Bad Inspector General Report. Deficiencies in security at Department of Education were called out by a November Inspector General report
  •  An F In Security. The agency also got an F in implementing security requirements under the Federal Information Technology Acquisition Reform Act
  •  Contractors have hands in 184 data cookie jars. Congress is laser focused on the 184 different programs that are used or maintained by 3rd party contractors.

The Hill | Oversight head: Hackers would hit mother lode at Education Department

Data Security Meets Sharing Economy Meets Regulatory Enforcement Powers

  • January 7, 2016

Which state has an agency enforcement action against the sharing economy? New York’s Attorney General

Which part of the sharing economy is the NY Attorney General looking into? Ride Share

What’s the issue? Buzzfeed reported that company executives had access to rider locations through the ride share app

Let’s get to know what could happen in Texas, and look at what enforcement deal was worked out in NY. The settlement included:

  • a 20K fine
  • requiring ride share entity to adopt a data security plan
    •  encryption of  rider geo-location information
    • adopting “multi-factor authentication”
    • establish corporate data security safeguards like:
      • annual privacy and security training for employees
      • designation of a person to supervise a privacy and security program
      • maintain reasonable security practices

 

NY Daily News | Uber agrees to pay $20K fine, adopt data security provisions to settle probe by AG Schneiderman’s office

The Hill | Uber settles with New York AG over privacy

INTERIM. State Creates Office of Data Privacy and Protection

  • January 7, 2016

What State created an Office of Data Privacy and Protection? Washington

Did it do it by legislative action? No. It was created by Executive Action.

2 Reasons Why Washington State Created this new Data Office:

  • Washington is the “world’s center for digital commerce.”
    • That’s sure to make Texans happy.
  • “good cybersecurity is essential to the continuity of global commerce and to a thriving economy”

3 Powers the new Office of Data will have:

  • Train state agencies on best privacy practices
  • Assist Washington residents through consumer outreach and education programs
  • Conduct annual reviews of the state’s privacy policies and practices

Governing | Washington State Creates Office of Privacy and Data Protection

INTERIM. 4 Points from the EU to Guide Texas Data Security Legislation

  • January 7, 2016

The EU is revamping its data security statutes, why should Texas care? Because E.U. courts have taken a very libertarian and conservative view to protect personal information.

Did the EU take any actions that might translate to Texas? Yes, 4 Points to consider:

  • Stronger requirements for obtaining consent to collect/store data
  • Memorializing the “right to be forgotten”. Sounds an awful lot like the Texas Do Not Call List.
  • 72 hour notification requirement for companies to notify the EU of a breach
  • Fines up to 4% of a company’s global revenue for its non-compliance 

National Law Review | EU Finalizes Text of New General Data Protection Regulation 

Looking for Clients in a booming business? Look to data security insurers.

  • January 5, 2016

 Data security insurance is a hot commodity. Here’s why:

  • Gross income from premiums will rise by 300+%  in the next 5 years
  • More income is on the horizon, even with factoring in new regulatory and legislative changes for this burgeoning market

Why the boom? High profile data security breaches lead to more data security policies being written.

Bloomberg | Cybersecurity Insurance Explosion Poses Challenges

Power Grid Vulnerable to Hacking. 3 Reasons Why.

  • January 2, 2016

  • A cyber security researcher in California discovered that cyberattackers had opened a pathway into the networks running the United States power grid.
    • Digital clues show hackers tied to Iran have possession of passwords and engineering drawings of dozens of power plants
    • In 2012 and 2013 Russian hackers sent encrypted commands to points on the US power grid
  • Why is the power grid so vulnerable? An aging, outdated power system
  • Just like other hacks, vulnerabilities occur in 3rd party providers
    • Hundreds of contractors sell software and equipment to energy companies

Sacramento Bee | AP Investigation: US power grid vulnerable to foreign hacks

 

INTERIM Lege Trend: Education Contractors Contracting Changes for Data Security

  • January 2, 2016

California revamped its data security statutes for education last year. California Education Code Section 49073.1 requires contracts with education contractors to include:

• a statement that pupil records continue to be the property of and under the control of the local educational agency;

• a description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account;

• a prohibition against the service provider using any information in the pupil record for any purpose other than those required or specifically permitted by the contract;

• a description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records and correct erroneous information;

• a description of the actions the service provider will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records;

• a description of the procedures for notifying the affected parent, legal guardian, or eligible pupil in the event of an unauthorized disclosure of the pupil’s records;

• a certification that a pupil’s records shall not be retained or available to the service provider upon completion of the terms of the contract and a description of how that certification will be enforced;

• a description of how the local educational agency and the service provider will jointly ensure compliance with the Family Educational Rights and Privacy Act (“FERPA”); and

• a prohibition against the service provider using personally identifiable information in pupil records to engage in targeted advertising.

California Education Code Privacy Chapter 

The Recorder | Keep Up with Data Security 

INTERIM 2015 Health Care Data Breaches Leaked 112 Million Health Records. 3 Points to Know.

  • January 2, 2016

  • Health care companies are required by HIPAA to report breaches
  • The federal government publishes breach information. Check out: Office of Civil Rights (OCR) under Health and Human Services
  • 90% of health care breaches in 2015 were the result of a Hacking/IT Incident

Remember when Texas passed laws to go above and beyond HIPAA? Look for it in health care data protection too.

Forbes | Data Breaches In Healthcare Totaled Over 112 Million Records In 2015

3 New Rules from Cyber Insurance Coming to a Regulator Near You

  • January 2, 2016

  • Lots of cyber insurance policy litigation.
    • You know what lawyers mean- lawsuits and legislation.
  • 2015 saw once-in-a-lifetime growth in the cyber insurance market
    • Hyper growth leads to regulation and legislation as the unintended consequences emerge
  • health care cyber insurance renewal rates are seeing 150% premium increases
    • Big premium cases mean, big regulatory and legislative changes are afoot

 

Property Casualty 360 | Cyber insurance 2015: Inside a robust and rapidly changing market

5 Most Costly Data Breaches of 2015. Taxpayer Costs. Procurement Opportunities.

  • December 30, 2015

  • IRS breach. 100,000 taxpayers exposed. Estimated cost $50 Million.
  • Anthem health insurance breach. 80 million health insurance records leaked. Cost estimate $100 Million.
  • Office of Personnel Management.  21 million federal employee and contact records breached. Minimum cost is the $133 million contract to a credit monitoring and mitigation services provider.
  • Ashley Madison Breach. 37 million customer information hacked. A class action lawsuit seeks $578 million.
  • Two Year 100 banks in 30 countries.  $1 billion over the course of two years.

Secure Speak | The Most Costly Data Breaches of 2015

Lege Trend | Tuck Data Security Bill into Spending Bill

  • December 18, 2015

Change general law in a spending bill? No, say it isn’t so. Yes, it is so. 

Congress is adding data security language to its spending authorization bill. Here are the highlights that have privacy advocates on the right and left up in arms:

  • The government already spies on its citizens too much
  • Going light on businesses that share more information about data breaches with the government and other businesses isn’t helping privacy
  • Protecting from disclosure under the Freedom of Information Act all this collected data breach information isn’t open government

 

Post Recorder | Major cyber security legislation tucked into US spending bill 

$45 Million in Cyber Security Research Grants to Universities. Any Universities in Texas?

  • December 18, 2015

Who is funding cybersecurity grants? The Hewlett Foundation Cybersecurity Initiative

How much in grant funding is available? Started at $20 Million. It’s at $45 Million now.

The lucky recipients are? University of California at Berkeley, Stanford & MIT

Any Texas recipients? No. As Hewlett chief alludes, more private interests need to support research about how cyber security should look in the future. Specifically:

  • develop a comprehensive conceptual framework for cybersecurity.
  • think broadly or systematically about a larger framework
  • think about what cybersecurity should look like in the future
  • how to balance new technology and privacy

Inside Philanthropy| Building a Field: Here’s a Case of a Foundation Creating New Knowledge and Expertise

Trending: New Data Breach Front for Local Government. Parking Permits & Meters

  • December 18, 2015

What type of information could be valuable from parking?

  • Name
  • Credit Card Information
  • Address
  • Vehicle Information- make, model, VIN

Kent Online | Maidstone Borough Council refers parking permit data breach to Information Commissioner’s Office

 

Texas Home to New Cyber Squad of National Guard

  • December 17, 2015

U.S. Army National Guard announced “13 new cyber units that will be spread throughout 23 states by the end of fiscal year 2019.”

The U.S. Air Guard will be operating a new cyber squadron in Texas.

SC Magazine  | Army National Guard announces 13 new cyber units across 23 states

 

INTERIM: 5 Concerns Your Clients Have about Data Breaches

  • December 16, 2015

  • More concerned about data breaches than lawsuits
  • Worried about corporate image damage from data breaches
  • Board Chairs and CEOs are more involved in data security than ever before
  • Odds are high most companies have a data response plan
  • Data breaches are increasing in severity and frequency

 

Credit Union National Association | Study: Companies losing confidence in data breach protections

Data Center Economic Development in South Texas

  • December 13, 2015

What data center project? Microsoft bought 158 acres in the Texas Research Park real estate controlled by the Texas Research & Technology Foundation

How big of a project is this? It will be one of the largest data centers in the U.S.

Where’s the economic development angle? The Texas Research and Technology Foundation uses proceeds from the sale of the land to fund biotech companies

Puget Sound Business Journal | EXCLUSIVE: Microsoft buys nearly 160 acres in San Antonio for data center development

INTERIM #1 Reason Security Experts Oppose Data Security Regulation

  • December 13, 2015

Data security landscape constantly changes and regulation will not keep up that pace.

The Hill | Retailers pan cyber bills as holiday assault looms

INTERIM Retailers Oppose Data Security Bill. 3 Reasons Why.

  • December 13, 2015

  • Holiday shopping spikes make tracking anomalous shopping transactions very difficult
  • Overburdensome to small retailers
  • Ignores the data security responsibility of 3rd party vendors and financial institutions

The Hill | Retailers pan cyber bills as holiday assault looms

How 1 Western State Classifies Info as Public, Confidential, Secret, or Top Secret.

  • December 12, 2015

The Montana Information Technology Managers Council this fall promulgated policy to require Montana state agencies to classify information in 4 categories:

  • public
  • confidential
  • secret
  • top secret

Open government? The category names depict a conflict between category names IT professionals regularly utilize & the categories that political types would prefer.

The policy is hitting the Montana Legislature with a roar.

Montana Standard | State mulls policy on public, secret, top secret info

INTERIM DATA SECURITY: The National Standard for Data Security Legislation is Not Texas. It is 1 of the 10 States with new Data Security Laws in 2015.

  • December 12, 2015

…California.

The Hill reports that Congressional inaction is by default allowing California’s data breach laws to take precedence as a national standard.

California data security laws tackle business notification requirements; education data breaches; and health care data breaches.

10 States that strengthened data security laws in 2015:

  • Connecticut
  • Montana
  • Nevada
  • New Hampshire
  • North Dakota
  • Oregon
  • Rhode Island
  • Washington
  • Wyoming
  • California 

The Hill | Has Congress allowed California to set a national standard for data breach notification?

Agency Slapped for Mismanaging Data Security Contract

  • December 11, 2015

Which agency is causing an uproar? The federal Office of Personnel Management. AKA “The OPM Breach of 2015”

How did the agency mishandle the data breach? A report this week from OPM’s Inspector General found 5 contracting irregularities when OPM awarded a $21M contract to clean up the data breach.

The 5 Government Contracting Problems:

  • OPM did not offer a complete scope of the work
  • Conducted inadequate market research
  • had an incomplete acquisition plan
  • exceeded dollar limits on blanket agreements
  • Unreliable contract file

CNN | OPM hit for mishandling data breach cleanup

Lege Meet Legal Trend: Hacking Laws. Define Data Ownership Like This.

  • December 11, 2015

The 9th Circuit Court of Appeals is wrangling over wording in an anti-hacking statute.

What legislative craft became legal fodder? Whether a law that prevents hacking can be applied against a business.

Why does this matter to your clients? Businesses want to protect the data they retain and the data their customers have on their websites and computers. But, who owns that data?

Why does this matter in Texas? Data storage facilities in Texas, like the large Facebook data storage, open the Texas legal system to the issue. And state laws on the issue matter too. Are there tech companies in Texas? Yes. Are your clients storing data there? Yes, probably so.

This is confusing, give me an example. Hypothetically, there’s a website where people post every detail about their life. If the postings are targeted by a marketing company and the data accessed, does this hypothetical site with its walls of information have the right to stop it, or do the people posting the info have privacy rights in their data?

What have courts done? In California, lower courts have sided with the business that stores the data, and not recognized personal privacy of the individual.

The Recorder | Hacking Law Gets Workout in Facebook Case

Lege Trend: Exempt Government and Telecoms from Data Security Legislation

  • December 4, 2015

Australia is re-writing its data security laws. A draft proposal includes exemptions from notification requirements for governmental entities and telecommunications companies. 

Australia’s Draft Data Security Legislation 

The Guardian | Telcos and security agencies exempted from data breach rules in draft bill

Lege Trend: State Budget to Boost Data Security

  • December 4, 2015

Where? Virginia

What budget provisions are boosting data security? Governor McAuliffe says the state’s budget will include education investments for cybersecurity, including:

  • scholarships for students who agree to serve two years of public service in the cybersecurity workforce after graduation
  • increased cybersecurity training in high school including:
    • new virtual, secure platform to enhance student cyber skills
    • providing training on cyberattack detection and defense
    • developing cyber certifications
    • encouraging student collaboration within the industry, to conduct research
    • offering training for active duty military and veterans.
  • higher education funding for institutions that meet national standards for cybersecurity training

Why the state focus on cybersecurity? “Cybersecurity education is a key component to building the new Virginia economy.”

NBC 29 WVIR | Gov. McAuliffe Says Budget Would Boost Cybersecurity Industry

INTERIM Lege Trend: State Proposes 6 Data Security Standards for Businesses.

  • December 4, 2015

The New York Legislature, at the behest of its Attorney General, is strengthening its data security laws.

Assembly Bill 6866 adds new types of data to the protection requirements and increases penalties.

This bill creates these standards that establish compliance with the law for businesses:

  • a business that protects data more than the law requires
  • a business that complies with Gramm-Leach-Bliley Act
  • a business that meets international standards for information security
  • a business that complies with HIPAA
  • a business that complies with current National Institute of Standards and Technology Standards Special Publication 800-53
  • a business that:
    • has a designated security employee
    • identifies reasonably foreseeable security risks
    • assesses safeguards and risks
    • selects providers that have appropriate safeguards
    • regularly tests and monitors its business systems
    • maintains a Security Program Practices & Procedures
    • disposes of information in a manner that does not allow the information to be read or reconstructed

New York A06866

INTERIM Lege Trend: State Data Security Laws. Upstate Ups the Ante on Health Care & Biometric Data. More fines for More companies.

  • December 3, 2015

The New York Legislature is considering stronger data security laws which would:

  • increase penalties against companies from $150,000 to $1,000,000
  • in addition to current required protected information of Social Security, driver’s license and credit card numbers, this bill would require protection of biometrics like fingerprints
  • user names, email addresses, security questions and answers
  • health information protected under HIPAA
  • establishes reasonable safeguards for business
  • establishes government data security standards in New York

Times Union | Santabarbara promotes data security bill on Cyber Monday

A06866 Data Security Act in New York Legislature

Data Security Meets Bond Ratings. See How it will impact Texas.

  • December 3, 2015

Moody’s is warning that its ratings analysis will include cybersecurity.

Moody’s big-picture cybersecurity:

  • cyber defense
  • cyber detection
  • cyber prevention and response

Moody’s specific analysis will include:

  • Nature of the affected assets or businesses 
  • Duration of service disruption and expected time to restore
  • Scope of the affected assets or businesses 

Why does this matter to Texas? Every state entity and local governmental entity that issues bonds will be impacted.

Think Advisor | Threat of Cyberattacks Could Now Affect Moody’s Ratings

Legal Tech News | Threat of Cyberattacks Could Now Affect Moody’s Ratings

INTERIM: Data Breach. Kid data and pictures hacked.

  • December 1, 2015

VTech, a manufacturer of electronic educational gadgets for kids, has been hacked.

Hackers took:

  • headshots of kids & parents
  • chat logs
  • audio files of kids
  • names of kids & parents
  • email addresses
  • home addresses
  • birthdays

Remedies:

  • A hacker contacted a tech company to expose VTech’s unsecured data storage.
  • VTech took down their portals that allowed for data storage until a resolution can be reached.

Motherboard | Hacker Obtained Children’s Headshots and Chatlogs From Toymaker VTech

The Hill | Toy maker hack exposes data on 200K children

Mashable | The VTech data breach shows kids are just as vulnerable to hacking

 

Lege Trend: Power Grid + Data Security. 5 Rationales. 4 Solutions.

  • November 29, 2015

Congress is working to secure the nation’s power grid, which is facing a major cyberattack because:

  • the power “industry’s digital defenses are dangerously lagging and underfunded”
  • energy companies are “scrambling to play catch-up”
  • energy companies are “leaving the all-important power grid exposed to hackers”
  • “the industry isn’t fully prepared to stymie sophisticated hackers.”
  • “In 2014, the energy sector was the most targeted of the nation’s critical infrastructure industry sectors,”

4 Solutions bandied about in D.C.:

  • New presidential team to coordinate cyber threat assessment & response efforts 
  • More funding for cybersecurity in energy and utilities
  • More funding for the Energy Department program, Cybersecurity for Energy Delivery Systems, to research & develop tools to protect the grid
  • Create “The Terrorism Prevention and Critical Infrastructure Protection Act” to direct DHS to work with critical infrastructure companies, like power grid operators and utilities, to boost their cyber defenses

The Hill | Congress struggles to secure nation’s power grid