A PubKGroup Product
PubKCyber is the go-to source for the most critical regulatory, policy, and oversight developments related to federal cybersecurity. Our coverage includes federal cyber regulations and policy, local and state activity, international law and agreements, federal regulatory body activity, congressional and agency oversight, and industry standards, as well as legal actions and court decisions related to cybersecurity, privacy, and fallout from security breaches.
The Department of Health and Human Services has revealed that a recent breach of the Healthcare.gov site – which it announced with little detail in October – exposed the data of 75,000 individuals, including partial Social Security numbers, immigration status, and other personal information.
The site includes a tool for licensed insurance agents and brokers to search for consumers who have an application stored on the system. HHS discovered in mid-October that some of these agent and broker accounts were performing an unusually high volume of searches, apparently because an unauthorized party was using them. HHS immediately disabled those accounts and the search feature itself.
However, the data exposed includes much of the personal information that the site stores: applicants’ identification data, income and tax filing information, reported pregnancy status, citizen/immigrant status, employment information, eligibility for health plans, and any plan they are enrolled in.
The information accessed did not include full Social Security numbers, or information the site does not collect, such as financial account details or general health information.
HHS will provide those whose data was exposed with free identity theft protection services.
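The indicator HHS acted on above is a volume anomaly: a privileged search feature being used far more often than a legitimate broker would. The following is an added example, not code from HHS or from the original item, of the kind of per-account rate check that would surface such accounts. The log format, the account names, the one-hour window and the threshold of 50 searches are all assumptions; the sample log is constructed inline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Assumed log format (Healthcare.gov's real logs are not public):
#   <ISO 8601 UTC timestamp> account=<agent id> action=<event name>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"account=(?P<acct>\S+) action=(?P<act>\S+)$"
)


def parse_line(line):
    """Parse one log line; return (timestamp, account, action) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["acct"], m["act"]


def peak_search_rate(lines, window=timedelta(hours=1), action="consumer_search"):
    """Return {account: highest number of `action` events inside any `window`}.

    Each account's timestamps are sorted and walked with a deque as a sliding
    window, so the input does not need to be in order. Malformed lines and
    non-search events are ignored.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, acct, act = parsed
        if act == action:
            events[acct].append(ts)

    peaks = {}
    for acct, stamps in events.items():
        stamps.sort()
        q = deque()
        best = 0
        for ts in stamps:
            q.append(ts)
            while ts - q[0] >= window:  # drop events that fell out of the window
                q.popleft()
            best = max(best, len(q))
        peaks[acct] = best
    return peaks


def flag_excessive(lines, threshold=50, **kw):
    """Accounts whose peak search rate exceeds `threshold` (assumed cutoff)."""
    return sorted(acct for acct, n in peak_search_rate(lines, **kw).items() if n > threshold)


def build_sample_log():
    """Constructed sample data, not real records: one broker doing a handful of
    lookups across a workday, and one account hammering the search endpoint."""
    base = datetime(2018, 10, 13, 8, 0, tzinfo=timezone.utc)
    lines = []
    # Legitimate broker: 12 searches, one every 40 minutes.
    for i in range(12):
        t = base + timedelta(minutes=40 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} account=broker-0142 action=consumer_search")
    # Abusive account: 120 searches in 30 minutes, 15 seconds apart.
    for i in range(120):
        t = base + timedelta(hours=3, seconds=15 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} account=broker-0917 action=consumer_search")
    # Noise: a login event and a malformed line, both of which must be skipped.
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} account=broker-0917 action=login")
    lines.append("malformed line that should be skipped")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print(peak_search_rate(log))   # peak searches per account in any one-hour window
    print(flag_excessive(log))     # accounts to disable and investigate
```

A fixed threshold is the simplest version of this check; in production the cutoff would be set from each account's own history or the population of similar brokers, and the alert would trigger the account-disable step the item describes rather than only printing a list.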
The Department of Defense has expanded an event in Orlando, Florida, intended to help it augment its workforce for cybersecurity testing-and-evaluation activities.
The National Cyber Range Complex will add an additional industry day to its NCRC Event Planning, Operations, and Support event, which will now take place Nov. 27-28, followed by one-on-one informational sessions with attendees.
The event will provide the private sector with an overview of a contract for staffing the NCRC.
The contract will call for subject matter experts that can assist in cybersecurity testing, evaluation, training, and mission rehearsal exercises at multiple government installations housed under the NCRC.
A breach law that just went into effect in Ohio provides covered entities with a legal safe harbor for certain data breach-related claims under Ohio law. It is the first law in the U.S. to offer an incentive to businesses that take steps to ensure that there are policies and procedures in place to protect against data breaches.
To qualify, at the time of the breach the entity must comply with a cybersecurity program that:
- contains administrative, technical, and physical safeguards for the protection of personal information; and
- reasonably conforms to one of several “industry-recognized” cybersecurity frameworks.
In addition, the program must be designed to:
- protect the security and confidentiality of the information;
- protect against any anticipated threats or hazards to the security or integrity of the information; and
- protect against unauthorized access to information that is likely to result in a material risk of identity theft or other fraud.
The ABA’s Standing Committee on Ethics and Professional Responsibility has released an opinion that its Model Rules of Professional Conduct require lawyers to monitor for and prevent data breaches, determine what occurred, restore systems, and inform clients if their sensitive data is breached.
However, it clarified that an ethical violation doesn’t necessarily occur if a hacker successfully hides its activities, “despite reasonable or even extraordinary efforts by the lawyer.”
The ABA uses “reasonable efforts” throughout the opinion when discussing how to ethically deal with current and potential data breaches. It defines the nature and scope of those efforts by reference to “The ABA Cybersecurity Handbook,” which addresses how to respond to incidents rather than which specific software to use.
The National Institute of Standards and Technology has issued a Final Draft of Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. The draft features several updates aimed at supply chain risk, the NIST Cybersecurity Framework, and the pending update to NIST SP 800-53, Revision 5, which is focused on information security for federal information systems but now with an added emphasis on privacy-by-design.
One of the key changes is the introduction of a new step in the process: “Prepare.” The purpose of this step is to achieve more cost-effective and efficient security and privacy risk management processes. The revised RMF reflects the increasing trend toward approaching risk assessment and risk management as a comprehensive, enterprise-wide responsibility rather than as a series of discrete activities divided into subject matter silos.