Reward for Ransomware Reporting? And other news bytes.
Apologies for the absentee posting. Balancing civilian responsibilities is slightly more difficult in a third world country...
New Colorado Privacy Law: 3rd State to Pass Comprehensive Consumer Privacy
Similar to the California Consumer Privacy Act, the California Privacy Rights Act, Virginia's Consumer Data Protection Act, and GDPR, Colorado’s new privacy act will become effective in July 2023. Much like California grants its residents a privacy bill of rights, Colorado’s residents will enjoy the following 5 rights from commercial businesses (although subject to 17 exceptions such as health insurance, consumer credit reporting, and anonymized data):
1. The right to opt out of targeted ads, the sale of their personal data, or being profiled (or to authorize someone else to do so on their behalf).
2. The right to access the data a company has collected about them.
3. The right to correct data that was collected about them.
4. The right to request that their data be deleted.
5. The right to prevent data portability between companies.
The act includes a cybersecurity duty of care by controllers of data and requires opt-in consent for sensitive data (similar to GDPR). Unlike Virginia’s privacy law, there is no revenue threshold excluding small businesses from compliance requirements. Also, unlike Illinois’ various laws, there is no private right of action that allows individuals to sue companies that violate provisions of the act. Enforcement is left to district attorneys’ offices and the Colorado Attorney General’s Office.
U.S. Government Stepping Up its Anti-Ransomware Efforts with Dedicated Website and $
The U.S. Department of Homeland Security launched StopRansomware.gov, combining content from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, the National Institute of Standards and Technology (NIST), the U.S. Secret Service, and the Departments of the Treasury and Health and Human Services. Providing resources like “Ransomware 101,” “Bad Practices,” and “Ransomware Guide,” the website also lists services for public entities and private entities battling ransomware.
On July 15, 2021, the Department of State announced the Rewards for Justice (RFJ) program, which offers up to $10 million for information “leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure[.]” Focused on violations of the Computer Fraud and Abuse Act, the State Department reminds potential tipsters that it is looking for criminals targeting “protected computers,” which are those belonging to the U.S. government, financial institutions, and those used in or affecting interstate or foreign commerce or communications. Tips can be submitted through the RFJ program’s Dark Web tip-reporting channel, and the State Department will submit reward payments in cryptocurrency if desired.
New Texas Data Breach Notification Law Introduces a HIPAA-Style Shame Wall
Taking effect on September 1, 2021, Texas’s newly amended data breach notification law will require businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents. Furthermore, the new modifications require the Texas Attorney General to maintain a publicly accessible list of breach notifications that it receives, which must be updated every thirty (30) days. Businesses posted to the list will be removed after one (1) year provided that no further breach information is reported to the Attorney General.