
FCC Proposes Stricter Regulations for Data Breach Disclosure 


The Federal Communications Commission (FCC) has proposed stricter requirements for companies to disclose data breaches.

According to the proposal, companies would be required to notify customers affected by inadvertent breaches, and the one-week waiting period before disclosure would be eliminated.

The updates would better align the FCC's rules with recent developments in federal and state data breach laws covering other sectors.

Lisa Plaggemier, interim executive director of the National Cyber Security Alliance, explained that the Biden administration—and government in general—have been making many positive attempts to build more modern and effective cybersecurity protocols in the wake of last year’s news cycle, which was dominated by several high-profile breaches.

“These new guidelines fall right in line with these overarching intentions, and similar measures will likely follow suit in the months and years to come,” she said. 

Unfortunately, last year’s hectic breach-centric news cycle laid bare just how fragmented the government’s oversight and reporting procedures are for the cybersecurity industry.

Moreover, Plaggemier said those constant reports highlighted how important it is for the public and private sectors to rethink the way we collectively approach cybersecurity and report cybersecurity incidents.

FCC Addresses Breach Notification Requirements

The proposal outlines several updates to current FCC rules addressing telecommunications carriers’ breach notification requirements, including requiring carriers to notify the commission of all reportable breaches in addition to the FBI and U.S. Secret Service.

The FCC proposal also seeks comment on whether the commission should require customer breach notices to include specific categories of information to help ensure they contain actionable information useful to the consumer, and proposes to make consistent revisions to the commission’s telecommunications relay services (TRS) data breach reporting rule.  

“Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information,” FCC chairwoman Jessica Rosenworcel said in a statement. “But these rules need…


Standoff with researchers may emerge as GitHub floats stricter policies


GitHub CEO Nat Friedman speaks at GitHub Universe 2020. (GitHub)

GitHub on Thursday solicited the comments of the security research community on its new, apparently stricter policies for posting malware and proof-of-concept exploits. But the response may have been more than it bargained for.

Some of the changes date back to a month ago, when GitHub, which is owned by Microsoft, removed a proof-of-concept exploit for the so-called ProxyLogon vulnerabilities in Microsoft Exchange that have led to more than 100,000 server infections. There were also other incidents, dating back more than a year, in which GitHub repositories were found to be infected with malware and capable of being exploited in a supply chain attack.

GitHub, which researchers use as a platform where they can test and experiment, said in a blog post that these updates also focus on removing ambiguity in how the platform will define terms such as “exploit,” “malware,” and “delivery” – the platform’s effort to clearly state its expectations and intentions.

Security researchers expressed skepticism. If or when software ever gets removed, GitHub would have to outline a very clear-cut and transparent reason; otherwise, users will likely rebel and flee to other platforms, said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows.

Nikkel said some researchers have raised good points about existing off-the-shelf, legitimate tools such as Metasploit or Mimikatz, or other similar software that adversaries frequently abuse.

“Are these now also illegitimate? While starting the public discussion is a significant step, transparency around the end goal and the future will need to be spelled out clearly to GitHub users,” Nikkel said. “Suppose GitHub does end up taking stronger steps towards locking down what’s acceptable on the platform. In that case, the conditions of what they understand as an actual attack or threat would also need to be spelled out fairly clearly, and in terms…


Financial Regulators Eye Stricter Cybersecurity Incident Reporting Standards


The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the Regulators) are considering a new rule that would require banks to notify their primary federal regulator within 36 hours of when they believe certain security incidents have occurred.

The Regulators are also proposing a new rule that would require bank service providers to notify at least two individuals at the affected bank immediately after the service provider experiences a computer security incident that could disrupt, degrade, or impair the provision of services for more than four hours.

The Regulators published a notice of proposed rulemaking (NPR) in the Federal Register on January 12, 2021, which allows for public comments for 90 days (until April 12, 2021).

Banks should consider the potential impact on procedures, operations, and vendor relations. If new rules are implemented, banks may need to update numerous documents, policies, and contracts that touch on these issues.

Renewed interest in the cyber health of the financial sector

The impetus behind the NPR is not the Regulators’ desire to start policing banks’ cybersecurity programs, or a desire to add a new regulatory burden on banks and their service providers. Rather, the Regulators want to make the rules governing notification consistent, and they want to gather more information about the types of cybersecurity incidents that could impact the stability of the financial sector.

Regardless, it has been quite some time since the Regulators have addressed cybersecurity rulemaking, so the NPR is indicative of a renewed interest in the cyber health of the financial sector.

According to the Regulators, receiving this type of information about cybersecurity incidents from banks early and often can help the Regulators gather intelligence about emerging threats to individual banks and the financial system at large.

Banks required to notify primary regulators of “notification incidents” within 36 hours

Although the NPR sets a new, somewhat strict 36-hour reporting timeline for banks experiencing a cybersecurity incident, the Regulators…


DoT working on stricter rules for tracking lost mobile phones – Livemint


The International Mobile Equipment Identity (IMEI) number helps security agencies track mobile phones as well as calls made from them. The DoT has barred telecom operators from providing service to any mobile phone with a fake IMEI number, but the …
