The Australian Federal Government has recently passed the Notifiable Data Breaches Bill 2016. This will introduce laws over the next twelve months which apply to businesses and nonprofits of $3M revenue, and also to Australian government agencies. Small businesses with less than $3M annual turnover but providing health services are also required to participate. Some of those small businesses affected include weight loss clinics, child care centers, chiropractors, gyms, hospitals, and pharmacists.
The penalties for noncompliance in promptly reporting suspected breaches to the Australian Privacy and Information Commissioner plus customers may result in penalties up to $350,000 for individuals and $1.8M for corporations.
Starting April 4, 2017, Tennessee has passed an amendment to its state data breach notification statute which states that businesses that experience a breach of encrypted data do not need to notify affected residents unless the encryption key was also compromised.
Then, on June 6, 2017, New Mexico's new Data Breach Notification Act signed by Governor Susana Martinez will go into effect removing it as one of three (South Dakota anad Alabama) of the 50 states in the United States to lack breach notification legislation.
On July 1, 2017, Viriginia's data breach notification statute shall include an amendment under italicized language in § 18.2-186.6(M) which affects employers or payroll service providers if they experience an unauthorized access and acquisition of unencrypted taxpayer's personal information. In that situation where they determine ID theft is likely then they will be required to notify the VA Attorney General of their name, federal employer ID number. The VA Attorney General will then notify the Department of Taxation.
It started with Manila's National Privacy Commission (NPC), the agency which mandated to implement Republic Act 10173, or the Data Privacy Act (DPA) and then resulted in March 28th, 2016 with
A great lol to Commission on Elections, here's your whoooooole database.
LulzSec Pilipinas had exposed data (posted a mega sized .zip file of data) which included publicly available information and also voter data, voter registration data, and databases relevant to the functionality of the Commission on Elections (Comelec) website. Less than a year later on January 11, 2017, a computer was stolen from Comelec's office in Wao, Lanao del Sur. That computer contained a copy of the voter registration system, voter search applications, and the whole database of registered voters.
In most organizations with the maturity of technology there comes a convergence of assets important to multiple areas of compliance and protection. In the case of Manila, it is the National Privacy Commision (NPC) which concerns itself with data privacy and then there is the Department of Informaiton and Comunications Technology which concerns itself strictly with the technical intricacies within the systems. The gap of organizational management and physical management has become just as important as the technical measures which were put into place.
As possible fallout after a late response (30 days) to inquiries by Mozilla and Google to Symantec about test certs Symantec had issued for google.com w/o Google’s knowledge back in 2015, Google Chrome may (at this point internally proposing – not a scheduled implementation) stop recognizing the (full) validity of Symantec certs after fixed durations.
Google currently (with Chrome 57) distrusts Symantec issued certs at their face value but with Chrome 59 would reduce it to 33 months (1023 days) then with Chrome 60 it would reduce to 27 months..and so forth. Eventually Chrome would only recognize Symantec certs as valid for a maximum date from issuance of 9 months (279) days.
Here is the proposed Chrome rollout schedule:
59 Jun 6th, 2017
60 Aug 1st, 2017
61 Sep 12th, 2017
62 Oct 24th, 2017
63 Dec 12th, 2017
Many companies currently use GeoTrust and Thawte which are operated by Symantec. This means those companies would need to accept Chrome’s requirement for re-issuance more frequently or else change their CA root authorities (i.e. find another cert vendor.) Symantec currently holds approximately 35-40% of the cert market. (Remember the days when Thawte was the independent underdog?)
This is all hay at this point but something worth tracking if ever so diligently or out of curiosity. The discussion has been led along by Ryan Sleevi – the Chrome engineer at Google proposing it.
On August 27th, two dozen camouflage adorned law enforcement officers raided the home, 2 storage sheds, and vehicle of the man known to have once worked 3 years ago at the same consulting firm (Booz Allen Hamilton) as Edward Snowden. Top Secret classified material, six documents of data of codes developed in 2014 to hack foreign governments, are alleged to have been removed and retained by the contractor.
The charges by the justice department are described as
“A criminal complaint has been filed charging Harold (Hal) Thomas Martin III, 51, of Glen Burnie, Maryland, with theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor….” “…A large percentage of the materials recovered from Martin’s residence and vehicle bore markings indicating that they were property of the US government and contained highly classified information, including Top Secret and Sensitive Compartmented Information (SCI)…”
The charges could bring 1 year in prison for the unauthorized removal and retention of the top secret material and 10 years in prison for the theft of government property.
Hal Martin’s attorneys have exclaimed that he was a US Navy lieutenant and has devoted his entire career to protecting his country. The charges are allegations at this point.