More stories

  • OCR Labs granted accreditation as first private 'trusted' government ID operator

    Australian-based OCR Labs has become the first accredited non-government operator that provides digital identity services to the private sector under the federal government’s Trusted Digital Identity Framework (TDIF).

    By becoming an accredited provider, OCR Labs now ensures its private sector customers, such as those in banking, finance, and telecommunications that are using its identity services, can “trust that their identity information can be verified, and is protected”, Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said.

    “We want Australians to have confidence that their information is private and secure, regardless of who holds it. It has become increasingly important in this digital age to be able to establish trust, particularly online,” he said.

    OCR Labs applied for accreditation in February and was required to undergo a series of evaluations to ensure it met the TDIF standards, rules, and guidelines that set out best practices for digital identity services.

    OCR Labs satisfied 262 TDIF requirements, including protective security, privacy assurance, risk management, usability, and accessibility, and demonstrated it met the applicable requirements of the fourth iteration of the TDIF, which was published in May 2020. The company will be required to continually demonstrate it meets the TDIF obligations by undertaking annual assessments. OCR Labs intends to further enhance its TDIF accreditation to Identity Proofing Level 2 Plus before the end of 2021.

    “Digital Identity underpins the government’s Digital Economy Strategy that will allow Australian businesses like OCR Labs, and in particular small business, to capitalise on the opportunities that digital technologies are creating, enabling them to grow and create jobs as part of Australia’s economic recovery,” Robert said.

    The federal government’s myGovID was the first to be granted a TDIF accreditation, followed by Australia Post’s Digital ID. Eftpos said it has also applied for its ConnectID to become TDIF accredited.

    Elsewhere, the federal government announced it has transitioned to the Australian Immunisation Register (AIR) to source all information related to the nation’s COVID-19 vaccine rollout.

    Previously, the data was a mix of self-reported information about the number of doses administered by each jurisdiction and by the aged care and disability sector, and AIR data for primary care. The transition to AIR will now include information about doses administered by the Australian Defence Force, the Department of Foreign Affairs and Trade, and the Australian Institute of Sport (AIS), which vaccinated the Australian Olympic Team as part of primary care, as well as the total number of doses for each jurisdiction from all channels and data derived from AIR, plus metrics on people with at least one dose and people who are fully vaccinated.

    The Department of Health touted the move as one that would provide access to more “comprehensive and consistent data”. “Transitioning to AIR reporting ensures data is consistent and aligned across all reporting,” it said. “Jurisdictions have access to AIR so all governments in Australia have the same information base. The update of vaccination information into AIR is generally within 24 hours of the vaccination taking place.”

    Collating COVID-19 vaccination data comes off the back of Australia’s Data and Digital ministers agreeing on Friday to a national data sharing work program, following the signing of the Intergovernmental Agreement on Data Sharing by all Australian governments at the National Cabinet in early July. The agreement to work on a data-sharing work program was first raised during a meeting between the ministers back in April.

    According to the communique from the latest meeting, the ministers have agreed to take action to address national priority data sharing areas. These initial areas will include natural hazards and emergency management, waste management, and road safety, with plans that future priority data sharing areas will include family, domestic, and sexual violence, closing the gap, and veterans’ health.

    Further, the ministers agreed to reform the federal, state and territory data sharing system under the work program by developing an Australia Data Network, standardising operating procedures for data sharing activities, improving data discoverability through machine-readable metadata for data sharing priorities, and adopting a share-once, use-often model for aggregate de-identified administrative data.

    “The intergovernmental agreement on data sharing recognises data is a shared national asset and aims to maximise the value of data to deliver outstanding policies and services for citizens. The agreement commits all jurisdictions to share data as a default position, where it can be done securely, safely, lawfully, and ethically,” the communique said.

    The communique also detailed that the ministers discussed opportunities to explore how digital birth certificates could be used for “future interoperability to support citizens’ engagement with governments”. In April, the New South Wales government announced it was working on the development of a national digital birth certificate. The NSW government said it is looking into how to incorporate it with the federal government’s myGov.

  • Brazilian National Treasury hit with ransomware attack

    The Brazilian government has released a note stating the National Treasury was hit with a ransomware attack on Friday (13). According to a statement from the Ministry of Economy, initial measures to contain the impact of the cyberattack were taken immediately. The first assessments so far have found there was no damage to the structuring systems of the National Treasury, such as the platforms relating to public debt administration.

    The effects of the ransomware attack are being analyzed by security specialists from the National Treasury and the Digital Government Secretariat (DGS). The Federal Police has also been notified. The Ministry noted new information on the incident “will be disclosed in a timely manner and with due transparency”.

    A further statement released jointly with the Brazilian Stock Exchange today (16) noted that the attack did not affect “in any way” the operations of Tesouro Direto, a program that enables the purchase of Brazilian government bonds by individuals.

    The incident at the National Treasury follows a major cyberattack that emerged in November 2020 against the Brazilian Superior Electoral Court. The attack brought the Court’s systems to a standstill for over two weeks. At the time, the event was considered the most comprehensive attack ever orchestrated against a Brazilian public sector institution, in terms of its complexity and the extent of the damage caused.

    In July, the Brazilian government announced the creation of a cyberattack response network aimed at promoting faster response to cyber threats and vulnerabilities through coordination between federal government bodies.

    The DGS, which operates under the Special Secretariat for Management and Digital Government of the Ministry of Economy, will have a strategic role in the formation of the network. The DGS is the central body of SISP, a system used for planning, coordinating, organizing, operating, controlling and supervising the federal government’s information technology resources across more than 200 bodies. In the private sector, major ransomware attacks that emerged in 2021 in Brazil involved large companies such as healthcare firm Fleury and aerospace conglomerate Embraer.

  • Colonial Pipeline sends breach letters to more than 5,000 after ransomware group accessed SSNs, more

    Colonial Pipeline is sending out breach notification letters to 5,810 current and former employees whose personal information was accessed by the DarkSide ransomware group during an attack in May. The company admitted in an August 13 letter that on May 6, the ransomware group “acquired certain records” stored in its systems.

    “The affected records contained certain personal information, such as name, contact information, date of birth, government-issued ID (such as Social Security, military ID, tax ID and driver’s license numbers) and health-related information (including health insurance information). Not all of this information was affected for each impacted individual,” the letter said.

    Bloomberg reported in May that before locking down the pipeline’s business systems, the group stole almost 100 GB of data. Colonial Pipeline said it was offering victims of the hack two free years of “identity restoration” and credit monitoring services from Experian. It urged those affected to check their credit reports for any unauthorized activity. The letter was first reported by Bleeping Computer, and a company official confirmed to CNN Business that personal information was lost during the ransomware attack.

    The attack on Colonial Pipeline, which left significant parts of the East Coast without gas for several days, kicked off a swift change in the government’s response to ransomware incidents. Since the attack, multiple new regulations have been released for critical industries in general as well as the oil and gas industry specifically.

    Colonial ended up paying a ransom of $4.4 million to the DarkSide group due to the urgency of the gas crisis, but US law enforcement managed to get a portion of it back. Due to increased law enforcement interest globally, the people behind DarkSide shuttered their operation and some members reformed under a new name: BlackMatter. The Record spoke with the operators behind BlackMatter, who specifically cited the Colonial Pipeline attack as “a key factor for the closure of REvil and DarkSide,” adding that the group has now “forbidden that type of targeting and we see no sense in attacking them.”

  • Identity platform Clear Secure sees revenue fall in Q2

    Clear Secure, the tech company that operates the Clear identity platform used at airports and other venues, published its second quarter financial results on Monday, its first quarterly report as a publicly traded company. Revenue declined year-over-year, though total bookings grew 102 percent year-over-year thanks to a strong rebound in travel during the second quarter. Shares fell in after-hours trading.

    The company reported basic and diluted net loss per share of 3 cents. However, that does not reflect a full quarter of results, since Clear Secure’s initial public offering occurred on June 30. Revenue for the quarter was $55.2 million, down 8 percent year-over-year. Analysts had been expecting a net loss of 31 cents per share on revenue of $54.21 million.

    “We entered the year bullish on travel and the recovery has been faster and stronger than we expected,” CEO Caryn Seidman-Becker and CFO Kenneth Cornick, co-founders of the company, wrote in a shareholder letter. “Aligned with the convenience economy, travelers are craving CLEAR’s touchless, frictionless, predictable travel journey. We are gaining share in existing airports, opening new airports and launching new products.”

    The rebound in travel led to strong Total Bookings growth. However, the strength in Total Bookings was not reflected in revenues, since revenues lag behind Total Bookings: Clear Secure bills members upfront and recognizes that revenue over the life of a membership, usually 12 months. Meanwhile, Clear Secure’s non-aviation platform, particularly Health Pass, gained significant momentum in the quarter with new partners and existing and new members.

    “In just over a year since its launch, Health Pass has scaled and become a trusted product. Our partners are looking for an easy, secure, and privacy-centric solution for testing and vaccination attestation,” Seidman-Becker and Cornick wrote. “Health Pass gives consumers access to and control of their health data.”

    Clear Secure partnered with the state of Hawaii in the quarter to bring Health Pass to travelers to meet entry requirements without quarantine. Health Pass integrates with hundreds of providers and partners like Walmart, Atlantic Health, California and New York State.

    Clear Secure’s Total Cumulative Enrollments grew 26 percent year-over-year to 6.3 million, reaching 7 million on August 15. The growth was driven by both CLEAR Plus enrollments and platform enrollments. Incremental enrollments in the quarter were 760,000, more than double the first quarter of 2021. The company experienced overall strength in new member growth, though many of its markets remained below 2019 levels.

    Second quarter Total Cumulative Platform Uses grew 19 percent year-over-year to 65.5 million, driven by airport verifications as well as Health Pass uses. For Q3 2021, Clear Secure expects revenue of $65.5 million to $66 million. Analysts are expecting revenue of $65.32 million.

  • Linux glibc security fix created a nastier Linux bug

    The GNU C Library (glibc) is essential to Linux. So, when something goes wrong with it, it’s a big deal. When a fix was made in early June for a relatively minor problem, CVE-2021-33574, which could result in application crashes, this was a good thing. Unfortunately, it turned out the fix introduced a new and nastier problem, CVE-2021-38604. It’s always something!

    The first problem wasn’t that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer, wrote, “In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug.” Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug.

    While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault is triggered within the library. This can lead to any application using the library crashing, which, of course, is a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, is much easier to trigger. Whoops.

    Red Hat gives the problem a Common Vulnerability Scoring System (CVSS) score of 7.5, which is “high.” An attack using it would be easy to build and requires no privileges. In short, it’s bad news. Popov himself thinks “every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It’s the second important thing after the kernel itself, so the impact is quite high.”

    Popov found the problem while doing “his usual routine of porting CVE-2021-33574 fix to our supported distros.” He found that null pointers could be passed in certain situations. Technically, the problem lay in the ‘mq_’ function family. These provide POSIX-compliant message queue application programming interface (API) functionality and are typically used for inter-process communication (IPC).

    Popov found “two situations where the Linux Kernel would use the message NOTIFY_REMOVED while passing copied thread attributes along the way in the data.attr field. Unfortunately, a host application is able to pass a NULL value there if it wants glibc to spawn a thread with default attributes. In this case, glibc would dereference a NULL pointer in pthread_attr_destroy, leading to a crash of the entire process.”

    The C programmers among you are already closing their eyes and shaking their heads ruefully. One of the common rules of C programming is to never, ever dereference a null pointer. The question isn’t “Will it crash the program?” It’s “How badly will it crash the program?”

    The good news is both the vulnerability and the code fix have been submitted to the glibc development team, and the fix has already been incorporated into upstream glibc. In addition, a new test has been submitted to glibc’s automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is that changes in unrelated code paths can sometimes change behavior elsewhere without the programmer realizing what’s going on. This test will catch this situation.

    The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful, and I think you should be, you should upgrade to the newest stable version of glibc, 2.34 or higher.

  • T-Mobile says hackers accessed user data but won't confirm SSN breach of 100 million customers

    T-Mobile is looking into allegations that a hacker stole 106GB of data containing the social security numbers, names, addresses and driver’s license information of more than 100 million people.

    In a statement to ZDNet, T-Mobile said it is “aware of claims made in an underground forum and have been actively investigating their validity.” Teams at T-Mobile have been “working around the clock” to investigate the situation, a spokesperson told ZDNet, adding that they have hired digital forensic experts and contacted law enforcement.

    “We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the spokesperson said. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others. We understand that customers will have questions and concerns, and resolving those is critically important to us.”

    A reporter at Motherboard spoke to the hacker, who said they had stolen the data from T-Mobile servers and that the batch also included unique International Mobile Equipment Identity (IMEI) numbers. Motherboard confirmed that the data was from real T-Mobile customers. The hacker told Motherboard that T-Mobile has already kicked them out of the breached servers but noted that copies of the data had already been made. On an underground forum, the hacker is selling a sample of the data with 30 million social security numbers and driver’s licenses for 6 Bitcoin, according to Motherboard and Bleeping Computer. Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, also spoke to the hacker and wrote on Twitter that he was told about other motives for the attack.

    “The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019,” the hacker allegedly told Gal. “We did it to harm US infrastructure.”

    Binns filed a lawsuit against the FBI, CIA and Justice Department in November in which he said he was being investigated for various cybercrimes, including participation in the Satori botnet conspiracy. He is a US citizen but lived in Izmir, Turkey, and claimed he had been tortured and spied on for being an alleged member of the Islamic State militant group. He denied being a member of the group in his lawsuit.

    The unnamed hacker later spoke to Bleeping Computer to say that they gained access to T-Mobile’s systems through “production, staging, and development servers two weeks ago.” They also hacked into an Oracle database server that had customer data inside. To prove it was real, the attackers shared a screenshot of their SSH connection to a production server running Oracle with reporters from Bleeping Computer. They did not try to ransom T-Mobile because they already had buyers online, according to their interview with the news outlet.

    T-Mobile has been hacked multiple times over the last few years. In January it announced its fourth data breach in three years, after incidents in August 2018, November 2019, and March 2020.

  • Data privacy laws by state

    [This article was first published in September 2020.]

    The more connected we become, the more data we will continue to share. Think about how often you access the internet and input or view sensitive information. From accessing health care information to paying bills online to even tagging your location on social media, you’re sharing information that can be collected.

    According to a recent study, 47% of Americans were not sure they understood what was done with their personal information and 59% were confused by the privacy policy presented by companies. In a time when our lives are so heavily entwined with the internet, knowing what’s done with the data you share is critical.

    Why it matters

    Landmark security breaches remind us how vulnerable our data really is. Equifax, one of the top three credit reporting agencies, disclosed a data breach in September 2017. Information like social security numbers, names, addresses, and driver’s license numbers was compromised for 147 million people, along with 209,000 customer credit card numbers. Given the severity and importance of the information leaked, the Equifax breach is regarded as unprecedented in impact. The settlement reached with the Federal Trade Commission amounted to $425 million to be paid out to help people who were affected.

    Facebook has experienced a series of security breaches, which have resulted in federal investigation. In 2019, the user data of 540 million Facebook users was exposed on Amazon’s cloud computing services. It was revealed that Facebook partnered with more than 150 companies to share personal information of the hundreds of millions of people who use the social media platform. Users were not aware of this exchange. In a focus group conducted by the Pew Research Center, people spoke negatively about the consequences of sharing data and said that companies could have an ulterior motive for collecting their data.

    Federal Laws

    U.S. Privacy Act of 1974: This act established regulations on the collection, maintenance, use, and sharing of information. It requires that agencies obtain written consent from the individual before disclosing any of their information, unless it is part of the 12 statutory exceptions. Under this act, individuals are also able to request amendments to their records.

    Federal Trade Commission Act: This act gives the Federal Trade Commission the power to protect consumers from unfair or deceptive practices taken by companies and to seek monetary compensation. The FTC also has the right to enforce federal data and privacy protections.

    Children’s Online Privacy Protection Act (COPPA): COPPA prohibits the collection of data from anyone under the age of 13 without obtaining verifiable parental consent.

    Video Privacy Protection Act (VPPA): VPPA bans the disclosure of personal information or data unless the customer is aware and consents. This act includes streaming services.

    There is no single catch-all data privacy law. Instead, there is a mixture of federal and state laws that try to address the different aspects of data protection. The lack of federal laws pertaining to consumer privacy led individual states to pass their own laws protecting citizens. Even still, all-encompassing laws are not widely held. There is still a lot of ground that needs to be covered to ensure that American consumers are completely protected.

    Types of Data Privacy Laws

    Consumer privacy

    Do you ever wonder why things like Facebook or Instagram are free? You pay in privacy. These types of online services are free of monetary charge because they collect your data in exchange for their hosted services. However, 38% of surveyed Americans said that they were confused by the information presented in a privacy policy.

    As of January 2020, the California Consumer Privacy Act addresses that exact issue. This law puts pressure on companies to be transparent about their practices and gives residents the right to know what personal information has been collected, shared, or sold. Additionally, consumers have the right to delete personal information that’s already been collected and the right to opt out of the sale of personal information. The idea of trading your personal information for a free service is better accepted when the consumer has control.

    Children’s online privacy

    One of the only inclusive data privacy laws is concerned with children’s online privacy. The Children’s Online Privacy Protection Act (COPPA) is a federal law that prohibits the collection of data from children who are under 13 years old. This means that parents have control over the information companies can hold and can request that any collected data be deleted.

    In February 2019, TikTok paid $5.7 million to the FTC over concerns that the video app was in violation of COPPA. In the largest children’s privacy civil penalty to date, TikTok was accused of illegally collecting personal information from children without parental consent. In addition to the substantial settlement, TikTok was required to update its practices and remove all videos made by children under the age of 13. TikTok is only one example; Google and YouTube have also been investigated by the FTC.

    E-reader

    Only a handful of states have laws governing consumer privacy when it comes to e-readers. These laws prohibit entities from collecting or sharing information regarding the type of material being rented or bought using the e-reader. Within the states that have laws pertaining to e-readers, most have focused on information that can be gathered by public entities like libraries. However, efforts are being made to protect the privacy of the content people choose to read on their electronic devices. The Electronic Frontier Foundation took the time to comb through the popular e-book platforms’ privacy policies to give you the answers you’ve been searching for.

    Online services

    Consumers are seeing changes when it comes to online services and privacy data. Companies are now more transparent about their efforts to collect information about your browsing habits, whether in a good-faith effort to keep their consumers’ trust or because of the laws that require it. Additionally, approximately 86% of internet users have taken steps to maintain their online privacy. Clearing cookies, using a virtual private network and encrypting their email are some of the actions taken. Still, 61% say that they would like to do more to protect themselves.

    Information sharing by business

    While businesses collecting and sharing your information is nothing new, recent changes require that companies clearly inform you of their intentions when collecting that information. The reason why a company collects your data will vary, though generally companies use it to improve customer experience, assess their marketing strategy, or make money. The relationship around data privacy is a give and take between consumers and data collectors. Businesses must be held accountable for the data privacy methods they have in place and be transparent about how they use the data they harvest. It’s also imperative that consumers know their rights and their ability to affect how companies collect and use their information.

    Notice when recording phone calls

    Generally, the biggest concern when recording phone calls is consent. Many states are one-party consent states, meaning that phone calls can be recorded as long as one person consents. But what is considered consent? Think about when you call a customer service line and hear the ever-identifiable “this call may be monitored or recorded…” message. When a caller continues with the call, many states take that as implied consent. There are 11 states that require both parties to consent to the recording: California, Delaware, Florida, Illinois, Maryland, Montana, Nevada, New Hampshire, Pennsylvania and Washington. Regardless of which rule a state follows, there are exceptions, which include police recordings, court orders, and emergency services.

    Breach notification laws

    Every single state has a data breach notification law in place, although some states were slower than others to adopt one. Still, many states are actively amending their laws and expanding the definitions they hold. States like New Jersey, New York, and Oregon have broadened the scope of what is protected and established what regulations they impose on companies. Breach notification laws require that companies notify consumers of any data breaches involving personal or otherwise identifying information. Each law has a specified time frame in which action needs to be taken.

    Data disposal

    Data disposal laws are concerned with what happens to your information when the company no longer wants to store it. To prevent unauthorized access, both government and private agencies are required to destroy or make indecipherable the information in consumer reports. The Federal Trade Commission has issued a disposal rule that outlines what the rule applies to and what constitutes proper disposal. Proper disposal of consumer records should be a part of every company’s security program.

    Understandably, the mashup of federal and state laws can be hard to navigate. This table can help you break it down.

    | State | Title | Type of Law |
    |---|---|---|
    | Alabama | SB318 | Data breach notification |
    | Alaska | Alaska Stat. § 45.48.010 | Data breach notification |
    | Alaska | Alaska Stat. § 45.48.500 | Data disposal |
    | Arizona | Ariz. Rev. Stat. § 41-151.22 | E-reader |
    | Arizona | A.R.S. §§ 18-55 | Data breach notification |
    | Arizona | Ariz. Rev. Stat. § 44-7601 | Data disposal |
    | Arkansas | Ark. Code §§ 4-110-105 | Data breach notification |
    | Arkansas | Ark. Code §§ 4-110-104(b) | Consumer data |
    | Arkansas | Ark. Code §§ 4-110-104(a) | Data disposal |
    | California | Cal. Civ. Code §§ 1798.100 et seq. | Consumer data |
    | California | Cal. Bus. & Prof. Code § 22948.20 | Consumer data |
    | California | Cal. Civ. Code §§ 1798.81 | Data disposal |
    | California | Calif. Bus. & Prof. Code §§ 22580-22582 | Children’s online privacy |
    | California | Cal. Ed. Code § 99122 | Online services and websites |
    | California | Cal. Civ. Code §§ 1798.130(5), 1798.135(a)(2)(A) | Online services and websites |
    | California | Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA) | Online services and websites |
    | California | Calif. Bus. & Prof. Code § 22575 | Online services and websites |
    | California | Cal. Civ. Code §§ 1798.83 to .84 | Information sharing |
    | Colorado | Colo. Rev. Stat. § 6-1-716 | Data breach notification |
    | Colorado | Colo. Rev. Stat. § 6-1-713 | Data disposal |
    | Connecticut | Conn. Gen. Stat. § 42-471 | Data disposal |
    | Connecticut | Conn. Gen Stat. § 36a-701b | Data breach notification |
    | Delaware | Del. Code § 1204C | Children’s online privacy |
    | Delaware | Del. Code tit. 6, § 1206C | E-reader |
    | Delaware | Del. Code Tit. 6 § 205C | Information sharing |
    | Delaware | Del. Code tit. 6 § 5002C | Data disposal |
    | Florida | Fla. Stat. §§ 501.171(3)-(6) | Data breach notification |
    | Florida | Fla. Stat. §§ 501.171(2) | Consumer data |
    | Florida | Fla. Stat. §§ 501.171(8) | Data disposal |
    | Georgia | Ga. Code §§ 10-1-910 et seq. | Data breach notification |
    | Georgia | Ga. Code §§ 10-15-2(b) | Data disposal |
    | Hawaii | Haw. Rev. Stat. § 487N-2 | Data breach notification |
    | Hawaii | Haw. Rev. Stat. §§ 487R-2 | Consumer data and data disposal |
    | Idaho | Idaho Code § 67-831 through § 67-833 | Data breach notification |
    | Illinois | 20 ILCS § 450 | Consumer data |
    | Illinois | 815 ILCS § 530/45 | Consumer data |
    | Illinois | 815 ILCS §§ 530/1 to 530/25 | Data breach notification |
    | Illinois | 815 ILCS § 530/30 | Data disposal |
    | Indiana | Ind. Code §§ 4-1-11 et seq. | Data breach notification |
    | Indiana | Ind. Code §§ 24-4-14-8 | Data disposal |
    | Iowa | Iowa Code §§ 71.C.1 – 715C.2 | Data breach notification |
    | Kansas | Kan. Stat. § 50-7a01 et seq. | Data breach notification |
    | Kentucky | KRS § 365.732 and KRS § 61.931 to 61.934 | Data breach notification |
    | Kentucky | KRS § 365.725 | Data disposal |
    | Louisiana | La. Rev. Stat. §§ 51:3071 et seq. | Data breach notification |
    | Maine | 35-A MRSA § 9301 (active 7/1/20) | Online services and websites |
    | Maine | Me. Rev. Stat. tit. 10 § 1346 et seq. | Data breach notification |
    | Maryland | Md. State Govt. Code § 10-624 (4) | Information sharing |
    | Maryland | Md. State Govt. Code §§ 10-1303 | Data disposal |
    | Maryland | Md. Code Com. Law §§ 14-3504 | Data breach notification |
    | Massachusetts | Mass. Gen. Laws § 93H-3 | Data breach notification |
    | Massachusetts | Mass. Gen. Laws § 93H-2 | Consumer data |
    | Massachusetts | Mass. Gen. Laws § 93I-2 | Data disposal |
    | Michigan | Mich. Comp. Laws §§ 445.72 | Data breach notification |
    | Michigan | Mich. Comp. Laws §§ 445.72a | Data disposal |
    | Minnesota | Minn. Stat. §§ 325M.01 to .09 | Online services and websites |
    | Minnesota | Minn. Stat. §§ 325E.64 | Data breach notification |
    | Mississippi | Miss. Code § 75-24-29 | Data breach notification |
    | Missouri | Mo. Rev. Stat. §§ 182.815, 182.817 | E-reader |
    | Missouri | Mo. Rev. Stat. § 407.1500 | Data breach notification |
    | Montana | Mont. Code §§ 30-14-1701 et seq. | Data breach notification |
    | Montana | Mont. Code §§ 30-14-1703 | Data disposal |
    | Nebraska | Neb. Rev. Stat. §§ 87-801 et seq. | Data breach notification |
    | Nebraska | Neb. Stat. § 87-302(15) | Inaccuracies in privacy policies |
    | Nevada | NRS § 603A.300 | Consumer data |
    | Nevada | NRS § 603A.340 | Information sharing |
    | Nevada | SB 220 | Online services and websites |
    | Nevada | NRS § 205.498 | Online services and websites |
    | New Hampshire | N.H. Rev. Stat. §§ 359-C | Consumer data, information sharing, data breach notification, data disposal |
    | New Jersey | N.J. Rev. Stat. §§ 56:8-163 | Data breach notification |
    | New Jersey | N.J. Rev. Stat. §§ 56:8-162 | Data disposal |
    | New Mexico | 2017 H.B. 15, Chap. 36, Section 6 | Data breach notification |
    | New Mexico | 2017 H.B. 15, Chap. 36, Section 3 | Data disposal |
    | New Mexico | 2017 H.B. 15, Chap. 36, Section 4 | Consumer data |
    | New York | S5575B | Consumer data |
    | New York | N.Y. Gen. Bus. Law § 399-H | Data disposal |
    | New York | 23 NYCRR 500 | Data breach notification |
    | Oregon | ORS § 646.607 | Information sharing |
    | Oregon | SB684 | Data breach notification |
    | North Carolina | N.C. Gen. Stat. § 75-65 | Data breach notification |
    | North Carolina | N.C. Gen. Stat. § 75-65 | Data disposal |
    | North Dakota | N.D. Cent. Code §§ 51-30-01 et seq. | Data breach notification |
    | Ohio | Ohio Rev. Code §§ 1347.12 and Ohio Rev. Code §§ 1349.19 et seq. | Data breach notification |
    | Oklahoma | 24 OK Stat § 24-163 (2016) | Data breach notification |
    | Oregon | Oregon Rev. Stat. § 646A.604 | Data breach notification |
    | Oregon | Oregon Rev. Stat. § 646A.622 | Data disposal |
    | Pennsylvania | 18 Pa. C.S.A. § 4107(a)(10) | Inaccuracies in privacy policies |
    | Pennsylvania | 73 P.S. §§ 201-1 – 201-9.2 | Consumer data |
    | Rhode Island | R. I. Gen. Laws §§ 11-49.3-1 to .3-6 | Data breach notification |
    | Rhode Island | R. I. Gen. Laws § 6-52-2 | Data disposal |
    | South Carolina | S.C. Code Ann. § 30-2-40 and S.C. Code Section 30-2-20 | Consumer data |
    | South Carolina | S.C. Code Section 39-1-90 | Data breach notification |
    | South Carolina | S.C. Code Section 37-2-190 | Data disposal |
    | South Dakota | SD SB62 | Data breach notification |
    | Tennessee | Tenn. Code §§ 47-18-2107 | Consumer data |
    | Tennessee | Tenn. Code §§ 8-4-119 | Data breach notification |
    | Tennessee | Tenn. Code § 39-14-150(g) | Data disposal |
    | Texas | Tex. Bus. & Com. Code § 521.053 | Data breach notification |
    | Texas | Tex. Bus. & Com. Code § 521.052(a) | Consumer data |
    | Texas | Tex. Bus. & Com. Code § 521.052(b) | Data disposal |
    | Utah | Utah Code §§ 13-37-201 to -203 | Information sharing |
    | Utah | Utah Code § 13-44-201(1)(a) | Consumer data |
    | Utah | Utah Code § 13-44-202 | Data breach notification |
    | Utah | Utah Code § 13-44-201(1)(b) | Data disposal |
    | Vermont | NRS § 603A.300 | Consumer data |
    | Virginia | Va. Code §§ 18.2-186.6 | Data breach notification |
    | Virginia | Va. Code § 59.1-442 | Information sharing |
    | Washington | Wash. Rev. Code §§ 19.255.010 | Data breach notification |
    | Washington | Wash. Rev. Code §§ 19.215.030 | Data disposal |
    | West Virginia | W.V. Code §§ 46A-2A-101 | Data breach notification |
    | Wisconsin | Wis. Stat. § 134.98 | Data breach notification |
    | Wisconsin | Wis. Stat. § 134.97 | Data disposal |
    | Wyoming | Wyo. Stat. §§ 40-12-501 et seq. | Data breach notification |
    | District of Columbia | D.C. Code §§ 28-3851 et seq. | Data breach notification |
    | Puerto Rico | 10 L.P.R.A. § 4051 | Consumer data and data breach notification |

    Quick Tips to Protect Data at Home

    Possible security breaches and companies collecting your information are only one facet of data safety. Your data is also susceptible to being stolen or compromised by hackers. Thankfully, there are a number of things you can do at home to combat them. You don’t need advanced tech skills or world-class equipment; these are things you can do on your home computer.

    Security software

    Installing security software on your computer is one of the first steps you should take. Security software keeps your computer healthy and your information safe from attacks or computer viruses. Make sure you stay up to date with any and all updates of your software. It’s easy to close the persistent pop-up box that reminds you to update, but don’t ignore it! Security software is especially important if you are regularly connected to public WiFi networks. While most in-home routers are encrypted, there is no way to know if the network you are connecting to is safe.

    Use a password manager

    Using the same password for everything leaves you vulnerable to potentially giving someone access to all of your information. But remembering a gaggle of passwords is no easy feat. Using a password manager is an easy way to ease the burden. Password managers are designed to generate long and complicated passwords that are less likely to be compromised. Your passwords are encrypted and can only be accessed through the master password you create. Depending on the password manager, it may offer an automatic fill feature that kicks in when you go to a page you have a saved password for.

    Back up your data

    In the event that your information is lost, compromised or stolen, backing up your data is a way to make sure all of your hard work and cherished memories are not lost.
When you back up your data, you’re making a copy that is not stored on your computer. Whether you use a local storage option or the cloud, the point is to keep a copy of your files that only you can access.

Data encryption

Data encryption is an essential way to keep your personal information safe. It works by taking readable text from an email or document and scrambling it into unreadable ciphertext. Encrypting your data secures it not only on your computer but also when it is transmitted over the internet. For the information to be returned to its original form, both the sender and recipient have to have the encryption key.

What to do After a Data Breach

So you’ve heard on the news or received an email that there has been a breach and your data may have been affected. A security breach does not automatically mean someone is going to steal your identity. Before you panic, use these steps to help you through the process.

1. Confirm whether you were affected by the security breach

Beware of scammers attempting to coax more information out of you with fake emails. If you receive an email saying that a breach has occurred, contact the company directly to confirm. Do not reply to the email.

2. Find out what information was compromised

What you do after a security breach may vary slightly depending on the type of company that was breached. Tailor your response to the circumstances and to what information was stolen. If you find that you are a victim of the breach, don’t pass up the company’s offer to help.

3. Change your passwords

The next important step is to address your personal security. Update your login information and security questions for all of your sensitive accounts, not just the ones affected by the breach. Take this opportunity to enable two-factor authentication on your accounts to add another layer of security.

4. Contact a credit reporting bureau

To make sure you aren’t the victim of identity theft, call any of the major credit reporting bureaus and have them place a fraud alert on your name. This alert makes it harder for someone to open new accounts under your name and lasts for one year. Additionally, you may also consider putting a credit freeze on your report, which will restrict access to your credit report. Bear in mind that a freeze requires you to manually lock and unlock your credit report when applying for new lines of credit, like a rewards card or a home loan.

5. Monitor all accounts closely

Finally, after you’ve changed your passwords and placed a fraud alert in your name, closely monitor your accounts for any suspicious activity. A fraud alert and credit freeze will make it harder for thieves to open new accounts, but they do not protect the accounts thieves may already have access to.
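The data encryption tip above says that readable text is scrambled into ciphertext and that only someone holding the key can turn it back. The Go program below is an added example, not code from the original article, that shows this concretely with AES-256-GCM from Go’s standard library on a constructed sample message: the same key recovers the text, a different key is rejected outright, and so is any modification of the ciphertext, because GCM authenticates the data as well as encrypting it. The key generation, message text and function names are the example’s own choices, not anything the article specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 32-byte key (AES-256). Both parties must
// hold this same key; in practice it is exchanged out of band or derived
// from a password with a proper key derivation function.
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return key
}

// Encrypt seals plaintext with AES-GCM. The returned slice is
// nonce || ciphertext || authentication tag, so the recipient needs
// nothing but the key to open it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message keeps two identical messages from
	// producing identical ciphertexts.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. The tag check fails both for a wrong key and
// for any change to the sealed bytes, so the caller gets an error rather
// than silently receiving garbage.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key := NewKey()
	msg := []byte("Constructed sample: tax file number 000-000-000") // not real data

	sealed, err := Encrypt(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (%d bytes): %x\n", len(sealed), sealed)

	out, err := Decrypt(key, sealed)
	fmt.Printf("same key      -> %q (err=%v)\n", out, err)

	_, err = Decrypt(NewKey(), sealed)
	fmt.Printf("different key -> rejected (err=%v)\n", err)

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the stored copy
	_, err = Decrypt(key, sealed)
	fmt.Printf("tampered copy -> rejected (err=%v)\n", err)
}
```

The point for the reader is the last two cases: with an authenticated cipher such as GCM, a wrong key or a corrupted file produces a clear failure rather than plausible-looking but wrong output, which is the behaviour you want from disk and transport encryption alike.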


    The StackSkills and Infosec4TC cyber security bundle is on sale for $80

    StackCommerce
    Don’t wait for New Year’s Day to start making major changes to your life when you can train at your own pace for an exciting, well-paid career of your choice. StackSkills Unlimited + Infosec4TC Platinum Cyber Security Lifetime Bundle offers two modules filled with over 1,000 courses, so you are sure to find at least one that clicks. But remember, there’s no law saying you can only do one thing; multiple revenue streams are a plus.

    The StackSkills Unlimited Online Courses will teach you skills from blockchain technology to marketing, design, business, finance, and much, much more. The courses cover all levels, from beginning to advanced. And not only do you get access to the pre-selected library of over 1,000 courses, but more than 50 new classes are also added every month.

    Best of all, they are taught by over 350 of the top instructors online. They are highly rated elite experts in their fields, so they can tell you what led them to success and warn you about the factors that caused their failures. You can get certifications to pump up your resume and premium customer support.

    StackSkills Unlimited Online Courses delivers engaging content you can use for changing careers or making extra cash. Their impressive rating of 4.5 out of 5 stars says it all.

    The second part of the bundle is for anyone interested in cybersecurity. In a survey less than a year ago, “…cybersecurity skills cited as the most in-demand skill by more than a third (35%) of the 4,200 IT professionals surveyed.” With phishing, ransomware, and other threats becoming stronger and more frequent every day, that situation isn’t likely to change any time soon. So training at your own pace for a cybersecurity career will probably be a good use of your time.

    That’s why the Infosec4TC Cyber Security Training: Platinum Membership is such a great deal. If you need certifications to turbocharge your resume, Infosec4TC has the highest rate of students passing the exams. But if you’re looking to change careers or move up in your current job, you will get mentoring until you achieve your goal. With this Platinum Membership, you get lifetime access to over 90 existing courses and all future ones, the latest exam questions, extra materials and so much more.

    Don’t miss this chance to grab the StackSkills Unlimited + Infosec4TC Platinum Cyber Security Lifetime Bundle while it’s on sale for just $79.99.
