January 11, 2017

Three States Join Others to Expand Personal Information Definition to Include Usernames or Email Addresses

Mark Krotoski and W. Scott Tester, January 4, 2017

Businesses should take steps to protect usernames, email addresses, passwords, and security questions and answers.
A key issue in determining whether notification is required following a data breach is whether “personal information” (PI) was acquired by an unauthorized person. US states vary significantly in defining what information qualifies as PI.[1] As part of a recent trend, some data breach notification statutes have been expanding the definition of PI, including by adding usernames and email addresses.

Read More

The Top Ten Data Breach Communication Errors

Evan Bloom, January 3, 2017

Data breaches continue to make headlines around the world. Many companies think they are fully prepared to communicate in the wake of a breach. But are they? Is having a basic crisis communications plan enough? Granted, something is better than nothing, but being ready to communicate during a data breach crisis requires much more preparation than a basic crisis plan and some generic messaging.

Read More

KillDisk Evolves into Ransomware

Lucian Constantin, January 6, 2017

A malicious program called KillDisk, which has been used in the past to wipe data from computers during cyberespionage attacks, is now encrypting files and asking for an unusually large ransom.

Read More

How Lucrative Is Confidential Data? Prime Bounty for Hackers, Top Concern for Businesses

Ben Zilberman, January 10, 2017

IT Professionals report securing sensitive data as the #1 challenge, even more than avoiding revenue loss or protecting reputation.
In the 19th century, money was the key to power. During the 20th century, it was technology. Today, information and data are the key to power. It’s why organizations are keen to safeguard their data and hackers are intent on stealing it. In 2016, this fact was underscored numerous times: Wikileaks, ransom attacks that hijacked an organization’s digital assets, or the doxing and dumping of information about officials and decision makers

Read More

New York Regulator Eases Requirements for Its Proposed Cybersecurity Regulation

Brian Hengesbaugh, Amy de La Lama and Harry Valetk, January 5, 2017

In a surprising turn of events, the New York State Department of Financial Services (“DFS”) announced on December 28 significant changes to its cybersecurity regulation in response to industry concerns that the agency’s original proposal was too prescriptive, and did not allow enough time for compliance.

Read More

$475,000 HIPAA Penalty for Tardy Breach Notification

Marianne Kolbasuk McGee, January 9, 2017

In a reminder of HIPAA’s tough requirements for breach notification, federal regulators have issued a $475,000 financial settlement and corrective action plan for Chicago-based Presence Health tied to its tardy notification for a 2013 paper records breach affecting only about 800 individuals.

Read More

St. Jude Medical Releases Security Patches for Vulnerable Cardiac Devices

Charlie Osborne, January 10, 2017

Reports that St. Jude Medical devices contained severe security flaws which led to a complicated legal battle between the healthcare equipment provider and MedSec have been vindicated, with the FDA supporting the security firm’s findings and St. Jude finally releasing a patch to fix the flaws.

Read More

Stock-Tanking in St. Jude Medical Security Disclosure Might Have Legs

Michael Kan, January 10, 2017

For better or worse, a security firm’s attempt to cash in on software bugs by shorting a company’s stock and then publicizing the flaws might have pioneered a new approach to vulnerability disclosure.

Read More

Infosecurity Newsletter Archive