At a glance.
- Update on US state breach laws.
- CISA's new vulnerability reporting platform.
- US Policymakers look at cryptocurrency and ransomware.
US state breach laws.
An Act Concerning Data Privacy Breaches, passed unanimously by the Connecticut legislature last week with the support of industry, will expand the definition of “personal information” and direct companies to disclose breaches to victims and the state within sixty days instead of ninety, according to Hartford Business Journal. Once the Governor signs the bill into law, the personal information designation will be extended to cover health, passport, military, and Internet account information.
JD Supra describes Texas’ “Wall of Shame” breach bill, also approved last week by the state’s legislature. House Bill 3746 would update the state’s breach notification regime to require a public record on the attorney general’s website of breaches impacting two-hundred-fifty or more residents. Organizations’ names would be deleted after one year of good behavior.
CISA establishes a vulnerability reporting platform.
In partnership with cyber firms Bugcrowd and Endyna, the Cybersecurity and Infrastructure Security Agency (CISA) has rolled out a vulnerability disclosure platform to assist Federal agencies in complying with Binding Operational Directive (BOD) 20-01, SecurityWeek reports. BOD 20-01 requires civilian departments to develop vulnerability disclosure policies. CISA says the new platform “aims to promote good faith security research, ultimately resulting in improved security and coordinated disclosure across the federal civilian enterprise.” The service will enable cross-agency information-sharing in addition to management and support functions, and leave room for offices to establish individual bounty programs with the help of Bugcrowd and Endyna.
Disclosure programs are popular in the private sector and the Pentagon, TechCrunch says, and clarify the “rules of engagement” for ethical hackers, but civilian agencies have dragged their feet. Bugcrowd Founder Casey Ellis called CISA’s initiative a “watershed moment for the role that hackers play as the Internet’s Immune System.”
Cryptocurrency: regulate it or report it?
Reuters reports that the head of the US Internal Revenue Service recommended that Congress give the IRS statutory authority to collect information on cryptocurrency transactions that exceed the ten-thousand-dollar threshold. Commissioner Charles Rettig told the Senate Finance Committee yesterday that clarity in the matter is important, and that such large transactions, in the view of the IRS, frequently go unreported. "I think we need congressional authority," Rettig said. "We get challenged frequently, and to have a clear dictate from Congress on the authority for us to collect that information is critical."
Rettig asked essentially for a requirement that transactions be reported, not necessarily that they be limited. He also believes that unreported profits from rising cryptocurrency valuations make a significant contribution to a “tax gap” he estimates to run at a trillion dollars a year. (A tax gap is the difference between taxes owed and taxes collected.)
We received some cautionary, skeptical comment from Cyware's Neal Dennis on the impulse to blame alt-coin for the continuing ransomware pestilence.
“Cryptocurrency is not to blame for the ransomware surge. Burning time and money on investigating a currency's role in an attack is akin to investigating the role a car plays in a physical bank robbery. It is just one of the hundreds of vehicles a robber can choose from.
“Attempting to regulate bitcoin will do nothing more than hinder the coin overall. We’ve seen this with Ripple and the SEC: Ripple was delisted from all US-accessible exchanges, like Coinbase, after the start of their legal battle. Threat actors will simply find new digital currencies.
“At the end of the day, ransomware is not new. Mitigation strategies are not new. Even methods of targeting are not new. We have best practices for mitigating ransomware attacks, yet companies are not implementing them. For example, with the recent JBS attack, the company stated backup servers were not affected, and it was actively working with an Incident Response firm to restore its systems as soon as possible, demonstrating they had secure backups and were ready to pivot.”