
#cybersecurity | #hackerspace | The Washington State Privacy Act Could Be More Comprehensive Than the CCPA

Source: National Cyber Security – Produced By Gregory Evans

Washington state could be next in line to pass a state-wide consumer privacy law in the absence of a federal mandate. 

In January, a bipartisan group of legislators introduced the Washington Privacy Act (WPA) and Senator Reuven Carlyle, who sponsored the bill, discussed why the senators believe the bill is important: “It has never been more important for state governments to take bold and meaningful action in the arena of consumer data privacy. That’s what this legislation does.”

The WPA is, in some ways, similar to some of the most recognizable privacy acts, such as CCPA and GDPR. In fact, the bill borrows many practices from those same bills. However, it differs in some significant ways, and, if it passes, it will be the most comprehensive privacy law in the US.

What’s notable about the WPA is the ripple effects it could create down businesses’ supply chains: The WPA not only stipulates data protection responsibilities for organizations which determine the purposes and means of data processing (“controller”), it also requires these organizations to verify that their vendors (“data processor”) have sufficient data protection mechanisms in place to process personal data safely.

Regardless of whether or not this particular piece of legislation passes, it’s important for businesses to understand the WPA and what it represents: individual states are thinking about and passing legislation requiring businesses to address consumer privacy and data protection. As more states pass these kinds of laws, the burden on businesses to comply with them will continue to grow. 

What businesses would need to be WPA compliant?

As it is written currently, the WPA would apply to two categories of companies that conduct business in or target consumers in Washington:

  1. Businesses that control or process the personal data of 100,000 or more consumers.
  2. Businesses that derive more than 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Notably, this means that the WPA would apply to some of the biggest businesses in the country, such as Amazon and Microsoft. But it would also apply to little-known data brokers and retail stores.

The WPA focuses on two groups: The first is controllers — businesses or individuals who decide how and for what purposes personal data is processed. For example, a business that collects data and uses it to send targeted ads or email marketing would be a controller.

The other group is processors — businesses or individuals that do not make decisions about how data is used and only process it as directed by the controller. A credit card processing company is a good example of a processor; they don’t collect or make decisions about the data, they just process it for the controller.

What rights does the WPA give consumers? 

Under the WPA, consumers have certain rights when it comes to their personal data. These rights include:

Right of access: The right of a consumer to know if a controller is processing their personal data and to access that personal data.

Right to correction: The right of a consumer to correct their personal data.

Right to deletion: The right of a consumer to request that their data be deleted.

Right to data portability: The right of a consumer to obtain their personal data in a portable and, as much as technically feasible, readily usable format.

Right to opt out: The right of a consumer to opt out of having their personal data processed for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or significant effects on the consumer.

Individuals would not be able to bring lawsuits against companies for breaking the law, but the state Attorney General’s Office would be able to pursue violations under the state’s Consumer privacy Act. 


Controller requirements under the WPA

In short, the WPA requires controllers to be more transparent about their data use and to only use consumer data for the purposes they specified when collecting the data. There are a few other specific requirements, but many of them flow into those core purposes.

The WPA creates these specific controller responsibilities:

Transparency: This would require controllers to provide a privacy notice to consumers that includes what personal data is being processed, why it is being processed, how they can exercise their rights, what data is shared with third parties, and what categories of third parties controllers share their data with. Additionally, if the controller sells personal data, they have to “clearly and conspicuously” disclose this and explain how consumers can opt out.

Purpose Specification: Controllers are limited to collecting data that is reasonably necessary for the express purpose the data is being processed for. 

Data Minimization: Data collection must be adequate, relevant, and limited to what the controller actually needs to collect for the specified purpose.

Avoid Secondary Use: Processing personal data is prohibited for any purpose that isn’t necessary or compatible with the specified purpose of collecting or processing the data — unless the controller has the consumer’s consent.

Security: Controllers are required to put administrative, technical, and physical data security policies and processes in place to protect the confidentiality, integrity, and accessibility of the consumer data they are collecting or processing.

Nondiscrimination: Controllers are disallowed from processing personal data in a way that breaks anti-discrimination laws. The WPA also forbids them from using data to discriminate against consumers for exercising their rights by denying them — or providing a different quality of — goods and services.

Sensitive Data: Processing sensitive data without a consumer’s consent is forbidden.

Minors and Children: Processing personal data of a child without obtaining consent from their parent or legal guardian is prohibited.

Non-waiver of Consumer Rights: Any contract or agreement that waives or limits a consumer’s WPA rights is null and void.

Data Protection Assessments: Companies would also be required under the WPA to conduct confidential Data Protection Assessments for all processing activities involving personal data, and repeat the assessments any time there are processing changes that materially increase risks to consumers.

Data controllers must weigh the benefits of data processing against the risks. If the potential risks for privacy harm to consumers are substantial and outweigh the interests, then the controller would only be able to engage in processing with the explicit consent of the consumer. 


Processor requirements under the WPA

Processors’ responsibilities differ from the controllers’ responsibilities, and while the bulk of the WPA currently falls on the controller, it does require that processors have the following items in place:

  • Technical and organizational processes for fulfilling controllers’ obligations to respond to consumer rights requests
  • Breach notification requirements
  • Reasonable processes and policies for protecting consumers’ personal data
  • Confidentiality
  • Controller ability to object to subcontractors
  • The ability for controllers to conduct audits

Additionally, processors and controllers must have contracts in place with provisions regarding personal data processing. The required provisions are similar to the GDPR’s data processing requirements.

How does the WPA differ from the CCPA?

While the WPA borrowed heavily from the CCPA in some areas, there are some key differences that make the WPA more comprehensive.

For example, the WPA requires businesses to weigh the risks and benefits posed to the consumer before they process their data. Specifically, covered businesses must conduct data protection assessments for all processing activities involving personal data. 

The WPA also prohibits businesses from exclusively relying on automated data processing to make decisions that could have a significant impact on consumers, which is not included in the CCPA.

Another significant difference is how the WPA addresses facial recognition software. The CCPA treats facial recognition and other biometric data the same as all other personal data, while the WPA has more specific requirements for how controllers and processors must treat facial recognition data. 

Namely, the WPA specifies that, among other things, facial recognition technology must be tested for accuracy and potential bias, controllers must obtain consent for adding a consumer’s face to a database, consumers must be notified in public places where it is happening, and results must be verified by humans when making critical decisions utilizing facial recognition technology.

What are the consequences of non-compliance?

The cost of non-compliance with the WPA

While the CCPA allows individuals to bring action against companies that are noncompliant, the WPA doesn’t have this provision. However, it does give the Washington Attorney General authority to take legal action and enforce penalties of up to $7,500 per violation. This will add up quickly for businesses that have data breaches or are found to be out of compliance with the WPA.

Preparing for the WPA and beyond

Many businesses are already thinking about WPA compliance, and the most forward-thinking businesses are also considering what this means for the future of privacy laws. The WPA is receiving praise from advocate groups such as Consumer Reports as well as tech giants like Microsoft, and many are even calling for further improvements to the bill. 

Even if the WPA does not come to pass, other states are likely to pass similar legislation on consumer data privacy. Either way, your organization needs to be prepared to operate in a world where data privacy issues will continue to be legislated and litigated.

Companies with already mature infosec and privacy practices will have a big head start when implementing WPA-compliant practices.

To prepare for the WPA and future privacy laws, start by understanding what’s required by the existing industry-agnostic data privacy regulations (e.g., CCPA, GDPR). You’ll need to ensure that your privacy policy, data handling practices, security protocols and vendor contracts are compliant with these regulations. Doing so will help your organization be well prepared when new legislation like the WPA goes into effect. 

To learn more about what your organization can do to readily meet common data privacy legislations, check out this article Understanding Data Privacy and Why It Needs to Be a Priority for Your Business.  

Additionally, to help organizations strengthen their security posture and meet regulatory requirements, Hyperproof has published a suite of articles on cybersecurity controls, best practices and standards. Here are a few of the most popular resources on our website: 

Hyperproof’s compliance operations software comes with pre-built frameworks to help you implement common cybersecurity and data privacy standards (e.g., GDPR, CCPA, SOC 2, ISO 27001) — so you can improve your data protection mechanisms and business processes to readily meet data privacy and data security regulations. Hyperproof not only provides guidance when you implement these compliance standards, it also automates many compliance activities to save you time when adhering to multiple regulations and industry standards.

If you’d like to learn more about how Hyperproof can help you prepare to meet the WPA as well as existing data privacy laws, please contact us for a personalized demo.

Banner photo by Felipe Galvan on Unsplash

The post The Washington State Privacy Act Could Be More Comprehensive Than the CCPA appeared first on Hyperproof.

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/washington-state-privacy-act/


#nationalcybersecuritymonth | U.S. and China Strike Phase One Trade Agreement; Washington Steps up Efforts to Block Chinese Tech Amidst Mounting Opposition


U.S. and China Announce Agreement on Phase One Trade Deal

On Dec. 13, President Trump announced that the U.S. and China had agreed to a “Phase One” trade deal. Under the agreement, the U.S. will roll back tariffs on Chinese goods in exchange for more U.S. goods purchases and structural reforms from the Chinese side. According to Trump, he will sign the deal on Jan. 15 with Chinese representatives at the White House. If the signing goes as planned, it will represent the U.S. and China’s first agreement to reduce import duties since the two countries began implementing bilateral tariffs in July 2018.

So far, most details of the agreement have not been made public. But as for U.S. commitments, Trump on Dec. 13 already canceled new 15 percent duties scheduled to hit $160 billion of Chinese exports on Dec. 15. Additionally, the Office of the U.S. Trade Representative (USTR) has confirmed that the U.S. will reduce tariffs on $120 billion of China’s exports from 15 percent to 7.5 percent. According to Chinese Vice Commerce Minister Wang Shouwen, the Trump administration will make these cuts in phases, though neither side has specified a timeline. Tariffs of 25 percent will remain, meanwhile, on $250 billion of Chinese goods.

As for China’s commitments, China has already cut tariffs on a slew of agricultural products and commodities. The USTR also reports that China will raise its imports of U.S. goods to $200 billion above 2017 levels—though China has yet to commit to import quantities for specific goods, like agricultural products. China has further pledged to heighten intellectual-property protections, end forced technology transfers and liberalize its financial services; however, the deal does not touch Chinese government subsidies to domestic firms. The deal also includes a process by which the U.S. may impose punitive tariffs if China does not adhere to its promises.

The Phase One deal has handed outsize benefits to U.S. and Chinese tech companies. Technology products (along with other consumer-retail goods) were disproportionately represented among the imports originally scheduled for new tariffs on Dec. 15. U.S. tech companies like Apple that produce in China will no longer see foreign-manufactured goods like phones and computers slapped with tariffs. And as analysts at Morgan Stanley have noted, following the deal, technology companies in China will likely experience the largest valuation increases among Chinese firms. Foreign financial firms may also be winners from the deal. Both sides have represented that, as part of the trade agreement, China will for the first time allow foreign companies to enter its financial sector without a joint venture. (China had already announced in July 2019 that it planned to abolish this joint-venture requirement.) This forthcoming change may also expand financing opportunities for firms raising funds in China.

Business groups in the U.S. have widely praised the deal as a positive step, and U.S. stocks rallied on news of the deal. Some commentators have argued that the Phase One agreement—which had remained in doubt for months—signifies a thaw in U.S.-China tensions and sanguine prospects for future agreements. Chinese negotiators are, reportedly, already attempting to work with the Trump administration in hammering out the next phase of the deal.

Still, reactions in the U.S. to the substance of Trump’s deal have been mixed. Although U.S. officials have touted the deal’s impact on the American economy, commentators have criticized it for resulting in few tangible concessions—particularly on structural reforms—that China had not previously been willing to make. And many remain skeptical that, even with this deal, the two sides will reach further trade agreements before November’s presidential election. Reports also suggest that Chinese leaders consider the deal a huge victory—and one that justifies a hardline approach to future U.S. trade talks.

State Department Steps up Efforts to Block Chinese Tech Imports, But Faces Mounting Opposition

Reporting broke in December that the State Department has, in recent months, attempted to stop American companies from purchasing Chinese technology components. The State Department’s Under Secretary for Economic Growth, Energy, and the Environment Keith Krach has led the initiative, which asks firms to sign a set of principles titled the Global Digital Trust Standard (GDTS). The GDTS would, in effect, commit firms not to buy products from Huawei and possibly other Chinese companies. Krach has reportedly approached thirteen business entities—including telecom carriers AT&T and Verizon, as well as chip manufacturers—about signing the GDTS. None appear to have signed.

The GDTS—by covering U.S. purchases, not sales—represents a more expansive attempt to influence U.S. supply chains than many past government actions against Huawei. But it also builds on recent steps in this direction by the Trump administration. On Nov. 26, the Commerce Department proposed a process for reviewing, and possibly prohibiting, information-technology acquisitions from “foreign adversar[ies].” These measures are widely considered to target Chinese companies like Huawei (although they have yet to take effect). Last month, the Federal Communications Commission (FCC) also labeled Huawei and ZTE national-security threats. This categorization bars purchases of their products through an FCC fund subsidizing rural telecom services.

The State Department’s requests, however, have met significant resistance from U.S. companies. Corporate leaders worry that signing the GDTS will commit them to anticompetitive behavior, exposing them to antitrust lawsuits. Concerned about higher costs and supply-chain disruption, businesses are also increasingly rebuffing Washington’s broader efforts to regulate tech imports, with many pushing back against the Commerce Department’s Nov. 26 purchase-review proposal. Unease about that rule change—and the review process’s complexity—led many trade associations on Dec. 6 to request a two-month extension to the rule’s comment period.

Chinese opposition to U.S. restrictions on Huawei has likewise grown more forceful, which may portend rising tensions on tech issues between the two countries. On Dec. 18, the Chinese state-owned paper China Daily published an editorial condemning U.S. efforts “to put Huawei out of business” as “dangerous” and “nothing but protectionism.” Huawei, meanwhile, has lately tried to market itself to American allies as more faithful than the U.S. to shared western values. And Huawei announced plans in December to sue the FCC for deeming it a national-security threat without due process. This legal challenge may compound U.S. firms’ fears about antitrust lawsuits should they cease importing Huawei goods.

It is not yet clear how the pushback will affect the Trump administration’s import-regulation efforts. Trump has continually ramped up restrictions against Huawei since May 2019, when he placed Huawei on a blacklist—still just partially implemented—that precludes it from purchasing U.S. components. However, there are some signs that regulators are open to tweaking such policies in response to feedback. Throughout November and December, the Commerce Department has issued export licenses to certain companies applying for exceptions from the ban against selling to Huawei.

In Other News

Reports emerged on Dec. 15 that the U.S. expelled two Chinese diplomats last September for suspected espionage after the two officials drove onto a military base in Virginia. At least one of the diplomats, U.S. officials suspect, was an undercover Chinese intelligence officer. The decision represents the first espionage-related expulsion of Chinese diplomats in over thirty years. After reports of the event broke, China denied that the embassy officials engaged in any wrongdoing and urged the U.S. “to correct its mistake.” The expulsions come amidst growing concerns among intelligence agencies worldwide that China is conducting espionage on a “mass scale.” Shortly after reports of the expulsions emerged, separate reporting indicated that a Chinese student had stolen research materials from a lab in Boston as an act of suspected biotechnology espionage.

Beijing last month reprimanded tech giants Tencent and Xiaomi for violating users’ data privacy with certain applications—including Tencent’s instant-messaging app QQ. Specifically, the government alleged that these apps violated national laws against collecting and selling personal data, such as through the use of designs that make it hard for users to delete accounts. In response to the transgressions, China’s Ministry of Industry and Information Technology (MIIT) on Dec. 19 published the names of dozens of problematic apps; it also threatened “punishment” if their problems were not addressed by end-2019. The crackdown gives force to an MIIT campaign announced last November to rein in mobile-app privacy violations, particularly among apps with high user volumes. Still, this campaign contrasts with Beijing’s recent efforts to scale up the government’s own data collection, which includes a Dec. 2 law requiring anyone registering a mobile number to undergo facial-recognition scans. Following the government’s announcement, Tencent issued a public pledge to amend its privacy statements.

On Dec. 8, the Financial Times obtained information that the Chinese government has ordered that all foreign-made hardware and software be removed from state institutions within three years. The substitutions will occur steadily through 2022—30 percent in 2020, 50 percent the next year and 20 percent the final year—and they complement similar moves by the U.S. to restrict Chinese tech imports. Analysts suspect executing the replacement will be difficult, because Chinese substitutes for some foreign products fall well below those foreign products’ levels of sophistication and developer support. China has wanted to remove foreign tech from key government operations since at least 2014, and doing so fits in with its objective of technological self-reliance under its “Made in China 2025” program. Still, the announced three-year timeframe is faster than expected, and the shift may harm some U.S. tech companies, which generate an estimated $150 billion in annual revenue from total sales to China. Some analysts expect, however, that major tech firms have anticipated and prepared for a move such as this.


Paul Krugman argues in the New York Times that the “Phase One” trade deal achieves few of Trump’s objectives, while Max Boot contends in the Washington Post the benefits it will bring the U.S. are speculative. Writing for Foreign Policy, Peter E. Harrell predicts that the next phase of U.S.-China trade disputes will center on export and investment controls rather than tariffs. Michael Ivanovitch argues in CNBC that a Phase One deal will do little to end the U.S.-China trade deficit and forestall future trade spats.

Henry Paulson writes in the Washington Post that the U.S. needs to catch up with China on developing 5G technologies. For Project Syndicate, Ngaire Woods questions whether Huawei really poses a greater security threat to the U.S. than companies like Facebook. Yukon Huang and Jeremy Smith discuss for the Carnegie Endowment for International Peace why the U.S. and China should resolve their technology disputes in multilateral forums.

For the New York Times, Ian Johnson examines how the Chinese Communist Party is incorporating traditional Chinese values into its governing strategy, and Roger Cohen explores the origins of political unrest in Hong Kong. In the Diplomat, Remco Zwetsloot and Dahlia Peterson argue that China’s immigration practices hold it back from competing with the U.S. in tech.

For Lawfare, Christopher C. Krebs discusses how the Cybersecurity and Infrastructure Security Agency can tackle U.S. cybersecurity vulnerabilities. Richard Altieri and Benjamin Della Rocca explore potential U.S. executive and legislative responses to Xinjiang internment camps. Tom Wheeler explains how Trump administration policies have set the U.S. back in its competition with China on 5G technologies.


University of Washington students can hack smart devices, track body movement


Computer science students at the University of Washington have found a way to remotely hack into people’s personal devices, such as cell phones and smart TV’s, to track individual movement, raising serious security questions, the university announced Wednesday. The hacking method uses CovertBand, a software program the student team created,…


Black members of Congress put pressure on FBI to investigate the missing black girls in Washington, DC that inspired a celebrity-driven social media campaign

Black members of Congress are demanding the FBI get involved in the search for a series of missing black girls in Washington DC, in a case that inspired a high-profile celebrity campaign.

Congressional Black Caucus chairman Cedric Richmond (D-LA), and Del. Eleanor Holmes Norton, who represents the District in Congress, wrote a letter Tuesday asking Attorney General Jeff Sessions and FBI Director James Comey to get involved.

Their letter’s existence emerged after #missingdcgirls was tweeted by LL Cool J, Sean ‘Diddy’ Combs and Selma director Ava DuVernay, among others.

The letter, which was obtained by the Associated Press on Thursday, called on Sessions and Comey to put money behind the search for the missing kids.


Groups sue to block new Washington charter schools law – Education Week


Washington County Board of Education adopts new child-abuse policy

The Washington County Board of Education on Tuesday unanimously adopted three policies that will immediately impact the school system’s child-abuse reporting methods, superintendent evaluations and diversity initiatives.

The child-abuse reporting policy requires all employees of Washington County Public Schools to report any incidents of suspected abuse or neglect “as soon as possible, but without compromising student safety.”

Previously, training focused on instructional and administrative staff at schools. But, under the new policy, training will be extended to all school employees, including bus drivers, custodians and cafeteria workers.

“We felt there was an opportunity for other employees,” board President Donna Brightman said. “Whether that be a custodian, food service or a bus driver, anyone who comes in contact with a child who might have the trust or be able to see if something is fairly obviously wrong and try to be that point of contact for that situation.


Washington Twp. Target a target for credit card fraud


WASHINGTON TWP. Three more New York City residents were charged with credit card fraud at Target after using several fraudulent cards to purchase thousands of dollars’ worth of gift cards at the store, bringing the week’s total to six, police said. At about 5:08 p.m. Thursday, Officer Derek Heymer responded to the Target located on Route 46 for a report of several people attempting to use fraudulent credit cards to purchase items, Lt. Douglas Compton said. Heymer arrived and located three individuals, Tavell Miller, 22, Amir Alcindor, 20, and Jacquies Maurice, 26, all of Brooklyn, NY. “During a field investigation, it was determined the group had dozens of fictitious credit cards in their possession,” Compton said, “And had used them to purchase thousands of dollars in gift cards from Target.” Heymer also located a small amount of marijuana on Miller, Alcindor, and Maurice, Compton said. All three were arrested, taken to police headquarters, and charged with conspiracy to commit credit card fraud, fraudulent use of a credit card, theft of a credit card, and possession of under 50 grams of marijuana. Miller, Alcindor, and Maurice were taken to the Morris County Correctional Facility in lieu of $25,000 bail. Earlier last week […]


CBP: Possessing marijuana when crossing into Washington, other states, still illegal

U.S. Customs and Border Protection (CBP) is reminding travelers crossing the border that possession of any amount of marijuana remains a violation under federal law. In enacting the Controlled Subs…
