Cybersecurity This Month:

FTC to Start Blogging About Data Security

The Federal Trade Commission will publish a blog every Friday for several months on lessons learned from data security investigations that were closed without formal enforcement action, the FTC announced July 21.

Although the FTC publicizes its formal data security enforcement actions, the results of investigations that are closed without an enforcement action are largely opaque. In its first blog post, the FTC noted that companies have avoided enforcement action when they can show common-sense security safeguards were in place: staff training; technical security protections; quickly addressing vulnerabilities and threats.

Doing Business in Canada? Prepare for a New Data Breach Notice Requirement

Companies doing business in Canada should prepare now for a new data breach notice requirement, even though rules won't be implemented for months and may include a transition period.

Companies should “use the intervening time to develop or fine-tune their breach response protocols.” Once a breach happens, it's “too late” to put protocols in place. Companies seeking to prepare in advance of the data breach notice mandate should refer to the Office of the Privacy Commissioner of Canada’s existing guidance on how to prevent breaches and how to respond if they do occur—Ten Tips for Reducing the Likelihood of a Privacy Breach and Key Steps for Organizations in Responding to Privacy Breaches.

Small and Medium Businesses Victimized by Ransomware Attacks

The massive cyberattacks that impact major corporations around the world may grab all the headlines, but a recent Malwarebytes survey of small and medium businesses found that these companies are being hit just as hard, if not harder, by cybercriminals.

The survey, conducted in June, looked at 1,054 organizations with 1,000 or fewer employees and found that 81 percent had been hit with a cyberattack, with 66 percent having suffered a data breach of some type.

Hackers Targeting U.S. Nuclear Power Plant Operators and Leaking Secret Windows 10 Code

The Wolf Creek Nuclear Operating Corp., which runs a nuclear power plant in Kansas, was one company hit by cyberintruders, both the New York Times and Bloomberg News reported. A government report could not tell if the intrusions were an attempt at industrial espionage or sabotage, but concluded the hackers appeared to be mapping out networks for possible future attacks. A spokesman for the Nuclear Energy Institute told the Times that no nuclear-plant operator had reported operational security breaches in the recent wave of attacks.

Hackers also leaked secret Windows 10 code. The leak contains more than 32 terabytes of data and includes both the Windows 10 source code and other code intended only for internal use at Microsoft, the Register reported. In a statement, Microsoft confirmed the leaks are legitimate and said that they appear to come from the Shared Source Initiative, a program that Microsoft runs to share the Windows source code with top PC manufacturers and other partners.

Buchanan Breach Coach

Visit Buchanan BreachCoach®, your one-stop portal for cybersecurity information and updates.

Top News

FTC to Provide Weekly Insight on Reasonable Data Security

The Federal Trade Commission will publish a blog every Friday for several months on lessons learned from data security investigations that were closed without formal enforcement action, as well as enforcement actions, and questions received from businesses, the FTC announced July 21.

Although the FTC makes public the results of formal data security enforcement actions, some investigations—including some highly publicized ones—do not result in enforcement action because the company could demonstrate to the FTC that it had implemented reasonable security safeguards. Sharing information on the nonpublic resolutions process may help companies, and their legal counsel, better understand what the FTC expects from companies held to a “reasonable data security” standard.


Bloomberg Law on July 31, 2017 (subscription required)

Canada Breach Notice Mandate on Horizon 

Companies doing business in Canada should prepare now for a new data breach notice requirement, even though rules won't be implemented for months and may include a transition period, privacy attorneys told Bloomberg BNA.

Draft regulations to implement the data breach reporting requirements set forth in amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) are expected to be published “in the coming months,” according to Hans Parmar, a spokesman for Innovation, Science, and Economic Development Canada (ISED), which is responsible for developing the regulations. He also said that no deadline for issuing final rules has been set, and that a transition period may be added to address company concerns that they need more time to adapt.

Bloomberg Law on July 31, 2017 (subscription required)

SMBs Finally Getting Wise to Ransomware Attacks 

The massive cyberattacks that impact major corporations around the world may grab all the headlines, but a recent Malwarebytes survey of small and medium businesses (SMB) found that these companies are being hit just as hard, if not harder, by cybercriminals.

The survey, conducted in June, looked at 1,054 organizations with 1,000 or fewer employees and found that 81 percent had been hit with a cyberattack, with 66 percent having suffered a data breach of some type. In many cases, the impact was significant, as cyberattacks forced 22 percent of those hit to cease operations for at least a day, while 90 percent who were hit said they were knocked offline for at least one hour.

SC Media on July 27, 2017

Hackers targeting U.S. nuclear power plant operators: reports 

Hackers have been targeting companies that operate nuclear power plants in the U.S. in recent months, according to a pair of reports Thursday.

The Wolf Creek Nuclear Operating Corp., which runs a nuclear power plant in Kansas, was one company hit by cyberintruders, both the New York Times and Bloomberg News reported. Other energy facilities and manufacturing plants have also been targeted since May, the reports said, citing a joint report by the Department of Homeland Security and the FBI. Bloomberg reported Russia is the chief suspect in the hacks.

Financial Times - US News on Jul 7, 2017

Hackers reportedly leaked 32 terabytes of secret Windows 10 code (MSFT)

A huge compilation of Microsoft's proprietary Windows 10 software code has been leaked online, according to the Register. The leak contains more than 32 terabytes of data and includes both the Windows 10 source code and other code intended only for internal use at Microsoft, the Register reported. 

Venture Capital from AllTop on Jun 23, 2017