Hacked Firms Face ‘Frankenstein’ of State-Based Cyber Notification Laws
Last summer, Katherine “Kitty” Green received some disturbing news about the computer network at Florida Gulf Coast University, where she oversees a foundation for private donors. An outside data provider warned it had detected that hackers sneaked into the university’s systems and might have made off with sensitive personal information of its benefactors.

Six months later, FGCU sent out notices to 5,498 financial supporters, offering free credit monitoring and a hotline to call for more information. One reason it took so long is that, after consulting with technical and legal experts, the university concluded that under local laws it would have to file different notifications in 16 different states.

“Every state has different questions, which makes it much more complicated to know what to do,” Green said. “It was definitely more time consuming than we’d imagined.”

Each of the 50 states has its own breach notification requirements, as does the District of Columbia, Puerto Rico and Guam.

With more businesses, governments and organizations succumbing to cyber-attacks, the lack of a clear and effective reporting standard for threats and breaches has taken on new urgency. Over the weekend, another massive hack of businesses came to light, this time of Microsoft Corp.’s widely used email software and affecting at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the matter.

That announcement comes hard on the heels of the SolarWinds hack, so called because suspected Russian hackers targeted popular software from Texas-based SolarWinds Corp. As many as 18,000 of its customers received infected updates, though far fewer were targeted with secondary attacks — about 100 private-sector companies and nine U.S. agencies, according to the White House.

Notification Headache

Amid all these attacks, notifying the public has itself become a major headache. That’s because, as data breaches have proliferated, so too has the patchwork of notification requirements.

On the federal level, there are special rules for personal health records and a Securities and Exchange Commission directive that public companies inform…


SolarWinds hack has lawmakers pushing for national breach notification law
Lawmakers will push to pass a mandatory data breach notification law following the high-profile attack last year on SolarWinds, the network management and IT security company.

The compromise of the SolarWinds Orion IT monitoring and management software package, suspected to be the work of hackers affiliated with the Russian government, has affected about 100 companies and nine U.S. agencies, including the departments of Homeland Security, State, and Justice. Up to 17,000 SolarWinds customers downloaded the malware.

Microsoft President Brad Smith called the SolarWinds hack “the largest and most sophisticated attack the world has ever seen” during a Feb. 26 hearing before two House committees.

During the hearing, several lawmakers promised to push a national data breach notification law this year. An upcoming bill would require companies to share information about breaches with the U.S. Cybersecurity and Infrastructure Security Agency but allow them to keep their names anonymous to the general public, said Rep. Michael McCaul.

The bill McCaul plans to introduce with Rep. Jim Langevin would presumably include penalties for failing to disclose breaches. All 50 states have their own data breach notification laws, some with significant fines for failure to disclose.

Lawmakers have for years tried to pass a federal breach notification law but have so far failed. Advocates of a national law say it would create a consistent breach notification standard with consistent penalties. However, some critics question whether federal law would water down tougher state laws.

In addition to a handful of lawmakers calling for a national breach notification law during the hearing, Smith also said it’s time for federal rules. Sharing threat information is “something that doesn’t happen broadly enough across the industry,” he said during the hearing.

Currently, reporting data breaches can open up companies to scrutiny from Congress and the public, Smith said. “A lot of companies choose to say as little as possible, and often, that’s nothing,” he added. “But silence is not going to make this country…


SolarWinds hack may lead to breach notification law and stronger cyber agency
One of the lesser-known aspects of the SolarWinds hack that lawmakers and top U.S. cybersecurity officials are grappling with is figuring out how many American companies and federal agencies have been affected. 

[Photo: From left, FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft CEO Brad Smith testify during a Senate Intelligence Committee hearing on Feb. 23, 2021. Provided by Roll Call.]

At present, no one knows.

This blind spot stems from the absence of a federal breach notification law that requires companies and federal agencies to notify the U.S. government if they have been hacked. That, however, may be about to change as congressional committees learn more about the SolarWinds hack and lawmakers in both chambers have signaled a bipartisan willingness to consider the idea. 

Last week, lawmakers summoned top tech company executives and the CEO of SolarWinds, the company whose software became the conduit for Russian intelligence agencies to access thousands of American companies and federal agencies. 

SolarWinds was hacked by Russian operatives who injected malware into routine software updates that went out to as many as 18,000 government entities and Fortune 500 companies that were clients of SolarWinds. Top U.S. government officials have said Russian intelligence services were behind the attack and that, as of now, nine federal agencies and about 100 companies were exposed but more victims are likely to be found as the probe continues.

Executives from FireEye, the cybersecurity company that found the Russian attack and made it public in December, Microsoft and SolarWinds told members of Congress that while they had come forward to share details of the attack, they were not obligated to do so and wanted Congress to address that gap. 

Without a law and clear guidance, companies don’t know whom to alert when they’re hacked, Brad Smith, president of Microsoft, said at a joint hearing of the House Oversight and Reform and House Homeland Security committees. 

Companies also face a legal barrier because contracts with federal agencies “restrict a company like Microsoft from sharing with others in the federal…


Federal Banking Agencies Propose Computer-Security Incident Notification Requirements | Weiner Brodsky Kider PC
The FDIC, Board of Governors of the Federal Reserve System, and OCC (the Agencies) recently issued a joint notice of proposed rulemaking that would require a banking organization to notify its primary federal regulator of any computer-security incident that the banking organization believes in good faith rises to the level of a notification incident.  Comments must be received by April 12, 2021.

The proposal would require a banking organization to notify its primary federal regulator as soon as possible and no later than 36 hours after determining that a notification incident has occurred.  The proposal explains that a computer-security incident includes occurrences that: (i) result in actual or potential harm to the confidentiality, integrity, or availability of an information system; or (ii) violate or immediately threaten to violate security policies, procedures, or acceptable use policies.  The proposal explains that a notification incident includes a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair various banking operations.

Additionally, the proposal would require a bank service provider that provides services described in the Bank Service Company Act to notify at least two individuals at affected banking organization customers immediately after a computer-security incident that it believes in good faith could disrupt, degrade, or impair services for four or more hours.  The Agencies explain that a bank service provider is not expected to determine if the computer-security incident rises to the level of a notification incident because it may not know if the service is critical to the banking organization’s operations.

The Agencies explain that the notification requirement is intended to serve as an early alert to the banking organization’s primary federal regulator.  No specific information is required in the notice, and it can be provided through any form of written or oral communication.
