January 11, 2017
Three States Join Others to Expand Personal Information Definition to Include Usernames or Email Addresses
Mark Krotoski and W. Scott Tester, JDSupra.com, January 4, 2017
Businesses should take steps to protect usernames, email addresses, passwords, and security questions and answers.
A key issue in determining whether notification is required following a data breach is whether “personal information” (PI) was acquired by an unauthorized person. US states vary significantly in defining what information qualifies as PI. As part of a recent trend, some data breach notification statutes have been expanding the definition of PI, including by adding usernames and email addresses.
Evan Bloom, Continuitycentral.com, January 3, 2017
Data breaches continue to make headlines around the world. Many companies think they are fully prepared to communicate in the wake of a breach. But are they? Is having a basic crisis communications plan enough? Granted, something is better than nothing, but being ready to communicate during a data breach crisis requires much more preparation than a basic crisis plan and some generic messaging.
Lucian Constantin, Computerworld.com, January 6, 2017
A malicious program called KillDisk, which has been used in the past to wipe data from computers during cyberespionage attacks, is now encrypting files and asking for an unusually large ransom.
Ben Zilberman, Radware.com, January 10, 2017
IT professionals report securing sensitive data as the #1 challenge, ahead of avoiding revenue loss or protecting reputation.
In the 19th century, money was the key to power. During the 20th century, it was technology. Today, information and data are the key to power. That is why organizations are keen to safeguard their data and hackers are intent on stealing it. In 2016, this fact was underscored numerous times: Wikileaks, ransom attacks that hijacked an organization’s digital assets, and the doxing and dumping of information about officials and decision makers.
Brian Hengesbaugh, Amy de La Lama and Harry Valetk, Bakerinform.com, January 5, 2017
In a surprising turn of events, the New York State Department of Financial Services (“DFS”) announced on December 28 significant changes to its cybersecurity regulation in response to industry concerns that the agency’s original proposal was too prescriptive, and did not allow enough time for compliance.
Marianne Kolbasuk McGee, Healthcareinfosecurity.com, January 9, 2017
In a reminder of HIPAA’s tough requirements for breach notification, federal regulators have issued a $475,000 financial settlement and corrective action plan for Chicago-based Presence Health tied to its tardy notification for a 2013 paper records breach affecting only about 800 individuals.
Charlie Osborne, Zdnet.com, January 10, 2017
Reports that St. Jude Medical devices contained severe security flaws which led to a complicated legal battle between the healthcare equipment provider and MedSec have been vindicated, with the FDA supporting the security firm’s findings and St. Jude finally releasing a patch to fix the flaws.
Michael Kan, Computerworld.com, January 10, 2017
For better or worse, a security firm’s attempt to cash in on software bugs by shorting a company’s stock and then publicizing the flaws might have pioneered a new approach to vulnerability disclosure.