Tag Archives: Cybersecurity

Massachusetts Adds New Requirements to Breach Notification Law

Massachusetts Governor Charlie Baker recently signed a new law that amends the state’s data breach notification law.

“The improvements made to Massachusetts laws in this legislation are necessary to protect consumers from the consequences of data breaches that could expose personal information and to give consumers more control over their data and how it is used,” Governor Baker tweeted.

Key New Provisions include:

A Data Breach Can Cost a Small Business $2.5 Million

SMBs are attractive targets to cybercriminals because they typically have smaller cybersecurity budgets and may lack an internal security team dedicated to timely discovering and responding to cyberattacks. Critically, these organizations may also lack resources to train their employees to identify preventable breaches like phishing campaigns.

The Cisco Report

Late last year, Cisco published a special cybersecurity report (Cisco’s SMB Cybersecurity Report) (Report) focused on how cyberattacks affect SMBs. The Report draws on 1,816 survey respondents from 26 countries.

When surveyed, respondents listed the following as the most concerning threats:

  • Targeted employee attacks (BEC and phishing)
  • Advanced persistent threats (new malware)
  • Ransomware


HHS Publishes Cybersecurity Best Practice Guide

The U.S. Department of Health and Human Services (HHS) recently published voluntary cybersecurity best practices entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (Best Practice Guide). These best practices were compiled over a two-year period by 150 cybersecurity and healthcare experts from both the public and private sector and are a cybersecurity roadmap for healthcare organizations of all types and sizes, from small local clinics to large regional hospital systems.

All entities, especially those in the healthcare field, can learn from this valuable resource.

The Four-Part Best Practice Guide

The Best Practice Guide has four sections: a main document (entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients); two technical volumes; and resources and templates. The Best Practice Guide’s goal is to increase awareness, provide sound practices, and consistently mitigate today’s most damaging cybersecurity threats in the healthcare industry.

NYDFS Cybersecurity Regulation Enters New Transitional Phase

Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by NYDFS are required to comply with several additional requirements of the NYDFS cybersecurity regulation.

After September 4th, companies will be required to:

  • report annually to the board concerning critical aspects of the cybersecurity program;
  • have an audit trail that reconstructs material financial transactions to support normal operations in the event of a breach;
  • implement policies and procedures to ensure the use of secure development practices for in-house developed applications;
  • implement encryption to protect nonpublic information;
  • develop policies and procedures to ensure secure disposal of information not necessary for business operations; and
  • implement a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or nonpublic information.


NIST Releases Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity

On April 17th, just over four years after the initial version was released, the National Institute of Standards and Technology (NIST) released an updated version (1.1) of the Framework for Improving Critical Infrastructure Cybersecurity. The framework, developed under the Obama administration, was intended to be a voluntary, risk-based guide for improving cybersecurity infrastructure in the United States.

Framework Updates & Goals

Then-President Obama’s executive order pushed for the development of standards and practices to assist organizations within the financial, health care and energy fields, among others, to protect their data from a cyber-attack.

The Cybersecurity Framework has three components:

Save the Date! Cybersecurity Awareness Month Topics and Tips

October is National Cybersecurity Awareness Month (NCSAM), a joint effort involving the U.S. Department of Homeland Security and its partners, including the National Cyber Security Alliance. The cybersecurity awareness campaign spans an entire month because real concerns require extensive attention.

The Mission: Raise awareness and promote good cyber hygiene (consistent habits will improve your personal cyber health).

Every week, a different theme will be explored. Whether you participate in one event or all of them, you’ll gain valuable insight and tips that you can apply immediately.

Here’s the schedule:

  • 10/2–10/6, Simple Steps to Online Safety: Learn more about the top consumer cybersecurity concerns, how to address them, and tips for helping public victims of cybercrimes.
  • 10/9–10/13, Cybersecurity in the Workplace Is Everyone’s Business: Discover how your organization can protect itself against cyber threats and how to empower employees to participate in safeguarding the company.
  • 10/16–10/20, Today’s Predictions for Tomorrow’s Internet: Learn how sensitive, personal information powers smart cities, connected devices, digitized records, smart cars, and homes, and what you can do to use these innovations securely.
  • 10/23–10/27, The Internet Wants You: Careers in Cybersecurity: By 2022, the cybersecurity sector will be short nearly 2 million information security workers. Learn how to encourage students and job seekers to explore cybersecurity careers.
  • 10/30–10/31, Protecting Critical Infrastructure from Cyber Threats: Our infrastructure (traffic lights, running water, phone service, etc.) depends on the Internet. Learn why building resilience in this infrastructure is crucial to our national security.

Reasons to Engage Every Week

Cybersecurity should always be a priority, and NCSAM reminds us that it’s a shared responsibility. Businesses, governments, and individuals must make cybersecurity awareness part of their culture, and ePlace Solutions’ training and awareness materials can help you and your organization decide the best ways to remain secure.

Stay tuned for our updates next month on NCSAM’s themes!

FINRA Highlights Common Cybersecurity Issues for Broker-Dealers

The Financial Industry Regulatory Authority (FINRA) published a series of three videos to highlight and provide guidance on common cybersecurity issues facing broker-dealers and investment advisors.

FINRA compiled the video series in response to cybersecurity deficiencies noted during examinations of member firms. The videos also offer several mitigation measures to help address these cybersecurity issues.

FINRA Cybersecurity Videos

Cybersecurity – Part I: In the first part of a three-part series, the speakers discuss common deficiencies seen during examinations of firms’ cybersecurity programs.

Cybersecurity – Part II: In the second part, the speakers discuss formalizing the oversight of cyber programs and strengthening controls around access to data and systems.

Cybersecurity – Part III: In the final part, the speakers discuss vendor management, branch controls and data protection.

Firms regulated by FINRA should review the videos and recommended security measures to know what to expect when the examiners come knocking at the door.

CFPB Inks First Cybersecurity Enforcement Action

The Consumer Financial Protection Bureau (CFPB) put on its gloves and stepped into the cybersecurity ring with a consent order with payment processor Dwolla. At first glance, the thought was, “Oh great, another agency with another enforcement action. Nothing new here.” But a closer look shows a few interesting things starting to appear.

Dwolla Consent Order

Let’s start with a look at the consent order. It gives some facts about Dwolla:

  • The company offers a payment processing platform.
  • Customers make payments via the web browser or mobile app.
  • The company has about 650,000 customers.
  • They transfer up to $5 million a day.

Setting up an account and using the service requires customers to provide Dwolla with several pieces of information, some of which customers probably want to be kept confidential. The information includes:

  • Name
  • Address
  • Date of Birth
  • Social Security Number
  • Phone Number
  • Bank Account Number
  • Routing Number
  • Username
  • Password
  • 4-Digit PIN

Sensitive information, to say the least. But Dwolla understands this, and it reassures customers that their information is safe. Specifically, Dwolla boasts that its data security “exceeds industry standards” and “sets a new precedent for the industry for safety and security.” On top of that, Dwolla says it encrypts data “utilizing the same standards required by the federal government.” Page 6 of the consent order has more quotes from Dwolla about its top-notch data security measures.

To a normal customer, that kind of protection sounds pretty good, right? Those are solid reasons to become a Dwolla user. However, the CFPB found these claims to be false and deceptive. Specifically, the CFPB alleges that Dwolla failed to:

  • Adopt and implement reasonable data security policies and procedures,
  • Reasonably identify potential security risks,
  • Provide adequate training to employees handling customer information,
  • Use encryption to protect customer information, and
  • Deploy secure software for customer-facing applications.

Key Takeaway

A few issues became apparent after the Dwolla enforcement action:

More Cybersecurity Enforcement: Ok, this one is easy. Again, the first thought was, “Here we go again. Yet another regulatory agency is joining the mix in cybersecurity.” If your company is regulated by the CFPB, you have another watchdog to worry about.

Pre-Breach Enforcement: The next thought on reading this story was, “Where is the breach?” There is no news of Dwolla suffering a security breach. Are we seeing a change of focus from post-breach to pre-breach enforcement? It feels like a trend might be starting. The FTC brought an enforcement action against ASUS for its poor cybersecurity practices rather than for a breach that actually occurred. The takeaway here may be that big, headline-grabbing breaches are no longer the prerequisite for enforcement actions.

Enforcement Targets: So, if there was no breach, how did Dwolla become a target for investigation and enforcement? Did the CFPB receive an insider tip? Did they get a customer complaint? Was it a simple review of Dwolla’s privacy claims? With no clarity here, companies under CFPB regulation should review their privacy and data security practices.

The biggest takeaway is that cybersecurity enforcement can come from anywhere and at any time. It would behoove all companies to proactively address their privacy and data security practices by implementing reasonable data security policies, training their employees, and adopting best practices for protecting customer data (e.g., encrypting sensitive customer information).

How to Participate in Cybersecurity Information Sharing

At the end of 2015, the Cybersecurity Information Sharing Act of 2015 (CISA) was passed – as we reported here.

As mandated by the CISA, the Department of Homeland Security (DHS) released guidance to assist private sector and federal entities in sharing cyber threat indicators with the Federal Government. DHS also released interim policies and procedures relating to the receipt and use of cyber threat indicators by federal entities, interim guidelines relating to privacy and civil liberties in connection with the exchange of those indicators, and guidance to federal agencies on sharing information in the government’s possession.