Every day, enterprises wrestle with cybersecurity compromises of all sizes and types, ranging from simple viruses to complex, targeted online attacks. To successfully defend their data, IT organizations are developing teams, tools, and processes to quickly respond to new cyber threats and compromises–but not all of them are succeeding. In this Dark Reading Report, “How Enterprises Respond to the Incident Response Challenge,” we find out how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
However, many security leaders appear to be overestimating their ability to detect and respond to security incidents. Many organizations lack dedicated staff for handling incident response functions. And despite the heightened awareness around cyber incident response, some organizations’ definition of a “security incident” may overlook significant events. Find out more by downloading this Dark Reading report today.
Washington state could be next in line to pass a state-wide consumer privacy law in the absence of a federal mandate.
In January, a bipartisan group of legislators introduced the Washington Privacy Act (WPA) and Senator Reuven Carlyle, who sponsored the bill, discussed why the senators believe the bill is important: “It has never been more important for state governments to take bold and meaningful action in the arena of consumer data privacy. That’s what this legislation does.”
The WPA is, in some ways, similar to some of the most recognizable privacy acts, such as CCPA and GDPR. In fact, the bill borrows many practices from those same bills. However, it differs in some significant ways, and, if it passes, it will be the most comprehensive privacy law in the US.
What’s notable about the WPA is the ripple effects it could create down businesses’ supply chains: The WPA not only stipulates data protection responsibilities for organizations which determine the purposes and means of data processing (“controller”), it also requires these organizations to verify that their vendors (“data processor”) have sufficient data protection mechanisms in place to process personal data safely.
Regardless of whether or not this particular piece of legislation passes, it’s important for businesses to understand the WPA and what it represents: individual states are thinking about and passing legislation requiring businesses to address consumer privacy and data protection. As more states pass these kinds of laws, the burden on businesses to comply with them will continue to grow.
What businesses would need to be WPA compliant?
As it is written currently, the WPA would apply to two categories of companies that conduct business in or target consumers in Washington:
Businesses that control or process personal data of 100,000 or more consumers.
Businesses that derive greater than 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Notably, this means that the WPA would apply to some of the biggest businesses in the country, such as Amazon and Microsoft. But it would also apply to little-known data brokers and retail stores.
The WPA focuses on two groups: The first is controllers — businesses or individuals who decide how and for what purposes personal data is processed. For example, a business that collects data and uses it to send targeted ads or email marketing would be a controller.
The other group is processors — businesses or individuals that do not make decisions about how data is used and only process it as directed by the controller. A credit card processing company is a good example of a processor; they don’t collect or make decisions about the data, they just process it for the controller.
What rights does the WPA give consumers?
Under the WPA, consumers have certain rights when it comes to their personal data. These rights include:
Right of access: The right of a consumer to know if a controller is processing their personal data and to access that personal data.
Right to correction: The right of a consumer to correct their personal data.
Right to deletion: The right of a consumer to request that their data be deleted.
Right to data portability: The right of a consumer to obtain their personal data in a portable and, as much as technically feasible, readily usable format.
Right to opt out: The right of a consumer to opt out of having their personal data processed for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or significant effects on the consumer.
Individuals would not be able to bring lawsuits against companies for breaking the law, but the state Attorney General’s Office would be able to pursue violations under the state’s Consumer Privacy Act.
Controller requirements under the WPA
In short, the WPA requires controllers to be more transparent about their data use and to only use consumer data for the purposes they specified when collecting the data. There are a few other specific requirements, but many of them flow into those core purposes.
The WPA creates these specific controller responsibilities:
Transparency: This would require controllers to provide a privacy notice to consumers that includes what personal data is being processed, why it is being processed, how they can exercise their rights, what data is shared with third parties, and what categories of third parties controllers share their data with. Additionally, if the controller sells personal data, they have to “clearly and conspicuously” disclose this and explain how consumers can opt out.
Purpose Specification: Controllers are limited to collecting data that is reasonably necessary for the express purpose the data is being processed for.
Data Minimization: Data collection must be adequate, relevant, and limited to what the controller actually needs to collect for the specified purpose.
Avoid Secondary Use: Processing personal data is prohibited for any purpose that isn’t necessary or compatible with the specified purpose of collecting or processing the data — unless the controller has the consumer’s consent.
Security: Controllers are required to put administrative, technical, and physical data security policies and processes in place to protect the confidentiality, integrity, and accessibility of the consumer data they are collecting or processing.
Nondiscrimination: Controllers are disallowed from processing personal data in a way that breaks anti-discrimination laws. It also forbids them from using data to discriminate against consumers for exercising their rights by denying them — or providing a different quality of — goods and services.
Sensitive Data: Processing sensitive data without a consumer’s consent is forbidden.
Minors and Children: Processing personal data of a child without obtaining consent from their parent or legal guardian is prohibited.
Non-waiver of Consumer Rights: Any contract or agreement that waives or limits a consumer’s WPA rights is null and void.
Data Protection Assessments: Companies would also be required under the WPA to conduct confidential Data Protection Assessments for all processing activities involving personal data, and repeat the assessments any time there are processing changes that materially increase risks to consumers.
Data controllers must weigh the benefits of data processing against the risks. If the potential risks for privacy harm to consumers are substantial and outweigh the interests, then the controller would only be able to engage in processing with the explicit consent of the consumer.
Processor requirements under the WPA
Processors’ responsibilities are different from the controllers’ responsibilities, and while the bulk of the WPA’s obligations currently fall on the controller, it does require that processors have the following items in place:
Technical and organizational processes for fulfilling controllers’ obligations to respond to consumer rights requests
Breach notification requirements
Reasonable processes and policies for protecting consumers’ personal data
Controller ability to object to subcontractors
The ability for controllers to conduct audits
Additionally, processors and controllers must have contracts in place with provisions regarding personal data processing. The required provisions are similar to the GDPR’s data processing requirements.
How does the WPA differ from the CCPA?
While the WPA borrowed heavily from the CCPA in some areas, there are some key differences that make the WPA more comprehensive.
For example, the WPA requires businesses to weigh the risks and benefits posed to the consumer before they process their data. Specifically, covered businesses must conduct data protection assessments for all processing activities involving personal data.
The WPA also prohibits businesses from exclusively relying on automated data processing to make decisions that could have a significant impact on consumers, which is not included in the CCPA.
Another significant difference is how the WPA addresses facial recognition software. The CCPA treats facial recognition and other biometric data the same as all other personal data, while the WPA has more specific requirements for how controllers and processors must treat facial recognition data.
Namely, the WPA specifies that, among other things, facial recognition technology must be tested for accuracy and potential bias, controllers must obtain consent for adding a consumer’s face to a database, consumers must be notified in public places where it is happening, and results must be verified by humans when making critical decisions utilizing facial recognition technology.
What are the consequences of non-compliance?
The cost of non-compliance with the WPA
While the CCPA allows individuals to bring action against companies that are noncompliant, the WPA doesn’t have this provision. However, it does give the Washington Attorney General authority to take legal action and enforce penalties of up to $7,500 per violation. This will add up quickly for businesses that have data breaches or are found to be out of compliance with the WPA.
Preparing for the WPA and beyond
Many businesses are already thinking about WPA compliance, and the most forward-thinking businesses are also considering what this means for the future of privacy laws. The WPA is receiving praise from advocate groups such as Consumer Reports as well as tech giants like Microsoft, and many are even calling for further improvements to the bill.
Even if the WPA does not come to pass, other states are likely to pass similar legislation around consumer data privacy. Either way, your organization needs to be prepared to operate in a world where data privacy issues will continue to be legislated and litigated.
Companies with already mature infosec and privacy practices will have a big head start when implementing WPA-compliant practices.
To learn more about what your organization can do to readily meet common data privacy legislation, check out the article Understanding Data Privacy and Why It Needs to Be a Priority for Your Business.
Additionally, to help organizations strengthen their security posture and meet regulatory requirements, Hyperproof has published a suite of articles on cybersecurity controls, best practices and standards. Here are a few of the most popular resources on our website:
Hyperproof’s compliance operations software comes with pre-built frameworks to help you implement common cybersecurity and data privacy standards (e.g., GDPR, CCPA, SOC 2, ISO 27001) — so you can improve your data protection mechanisms and business processes to readily meet data privacy and data security regulations. Hyperproof not only provides guidance when you implement these compliance standards, it also automates many compliance activities to save you time when adhering to multiple regulations and industry standards.
If you’d like to learn more about how Hyperproof can help you prepare to meet the WPA as well as existing data privacy laws, please contact us for a personalized demo.
The post The Washington State Privacy Act Could Be More Comprehensive Than the CCPA appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/washington-state-privacy-act/
U.S. Assistant Secretary of State Roberto Destro has blasted Islamic Republic officials for threatening and persecuting Iranian journalists living abroad.
“The U.S. condemns the harassment and threats that Persian-language reporters are receiving from Iranian regime officials while working abroad,” Destro tweeted on Thursday, February 6.
The Assistant Secretary of State in the Bureau of Democracy, Human Rights and Labor at the U.S. Department of State also asserted in his tweet, “We stand with the Iranian people in their right to freedom of information and with independent journalists fighting to inform the public.”
Reports on threats and harassment of Iranian journalists living and working outside the country have been rife in the past few months, leading to widespread international condemnation. The same kind of pressures were also intense prior to the start of nuclear negotiations in 2013.
Iran-linked hackers pose as journalists in email scams to obtain passwords and break into the email accounts of journalists, Reuters said in an exclusive report on Wednesday, February 5.
In a report published Wednesday, the London-based cybersecurity company Certfa named a hacking group nicknamed Charming Kitten, which has long been associated with Iran.
Israeli firm ClearSky Cyber Security provided Reuters with documentation of impersonations of two media figures at CNN and Deutsche Welle, a German public broadcaster. ClearSky also linked the hacking attempts to Charming Kitten, describing the individuals targeted as Israeli academics or researchers who study Iran. ClearSky declined to give the specific number of people targeted or to name them, citing client confidentiality, Reuters reported.
With a week to go before final exams, ITI Technical College, a private Baton Rouge vocational college, is going back to paper, at least partially until its computer system is fully restored after being the latest Louisiana institution victimized by ransomware.
ITI Vice President Mark Worthy said Tuesday the college’s computer personnel were working to get all the servers in the system back up and are making progress. But in the meantime, since many on staff began before automation, they’re starting to go through the documents that back up the databases to ensure that grades are recorded and financial aid gets to the right people.
“Full functionality? Not sure when because of the complexity,” Worthy said. Some of the critical systems are coming back online. Classes for the 605 students are continuing. Communications, however, have been crippled, so administrators are visiting classrooms to convey information.
What’s taking time is that the technicians are reconnecting each server for computers used by students and administrators on the six-acre campus only after checking to ensure the code is clean.
Technicians traced the ransomware attack back to the Czech Republic. The attackers replicated an employee’s contact list and sent out emails to faculty and staff that looked like the real thing. The messages asked the reader to click on an expected report, which one of the employees did on Monday, Jan. 27. In the dark hours of the following Wednesday morning, the school’s IT administrator was checking the network, as she usually does, and found suspicious activity. She disconnected all the servers from the internet, then started looking for the impacted systems, Worthy said.
But the ransomware was able to encrypt some of the databases and keep the school from accessing its files. Eventually, the techs found a message to contact the attackers for instructions on how and how much to pay to regain access to the databases. “We won’t pay and we won’t contact these criminals,” he said.
Initially, Worthy offered to hire specialists to work on the problem. But his IT staff argued that they would be more familiar with the architecture of the system. Besides, the school teaches information technology and has faculty and staff able to handle the problem.
Unlike the City of New Orleans or state government, both of which were hit by ransomware attackers, ITI is a privately owned college. State government’s teams and experts are not available to the school.
Gov. John Bel Edwards is expected to discuss cybersecurity Wednesday in a speech before the Louisiana Municipal Association, whose members include several localities hit with crippling cyber-attacks.
“We’re running this rodeo on our own,” Worthy said. “Fortunately, we teach IT, so we have a lot of really, really sharp people already on staff.”
Worthy said ITI would be contacting police and the FBI after the system is back up and the incriminating evidence is collected.
Similar ransomware attacks have previously crippled Louisiana state agencies, city governments, and school systems.
Two days before commencement ceremonies, Baton Rouge Community College leaders learned that its computers were cyberattacked by ransomware.
In November roughly 1,500 of the state’s 30,000 computers were infected by cyber attackers. The hackers blocked access to the state’s data until a ransom was paid. The state refused to pay but had to shut down systems that disrupted state services, such as slowing delivery of food stamps, as well as closing the Office of Motor Vehicles for several weeks.
In December, the City of New Orleans shut down its computer systems while technicians cleaned the ransomware out of code and reloaded the information onto city computers.
The USA is considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state.
Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack.
Under the legislation, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency would be tasked with appointing an employee of the agency in each state to serve as cybersecurity state coordinator.
Money to create these positions would come from the federal government, which would be required to ring-fence the necessary funding.
The role of each state coordinator would be multifaceted, combining elements of training, advisory work, and program development.
Each leader would serve as a principal federal cybersecurity risk advisor, coordinating efforts to prepare for, respond to, and remediate cyber-attacks. Another core responsibility would be to raise awareness of the financial, technical, and operational resources available to nonfederal entities from the federal government.
Coordinators would be expected to support training, exercises, and planning for continuity of operations to expedite as swift a recovery as possible from cybersecurity incidents. Furthermore, they would be called on to assist nonfederal entities in developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.
“State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors,” reads the bill. “There is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses.”
The bill, which has attracted bipartisan support, was introduced by Senators Maggie Hassan and Gary Peters and is co-sponsored by Senators John Cornyn of Texas and Rob Portman of Ohio.
Portman said: “This bipartisan bill, which creates a cybersecurity state coordinator position, would help bolster state and local governments’ cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs.”
An ongoing and “serious cyberattack” at Austria’s foreign ministry could be the work of nation-state actors, the country’s government said.
The ministry has set up a “coordination committee” to respond to the attack, which started as the country’s Greens party okayed an alliance with conservatives.
While the foreign ministry discovered the attack and responded quickly, the incident is ongoing.
“Due to the gravity and nature of the attack, it cannot be excluded that it is a targeted attack by a state actor,” the foreign and interior ministries said in a joint statement cited in a report by the
It is similar in nature to a pair of attacks against Germany in 2015 and 2018 believed to be the work of Russia’s Fancy Bear APT group.