A LEGAL UPDATE: EQUIFAX

The Attorney General of West Virginia on Thursday filed suit against Equifax, accusing the credit reporting agency of failing to secure its systems, resulting in the data breach that affected roughly 148 million people in the United States.

Attorney General Patrick Morrisey said the company not only failed to heed four separate warnings that its online dispute portal systems were vulnerable, but also stalled in alerting the affected consumers.

"Equifax's failure to secure consumers' personal information constitutes a shocking betrayal of public trust and an egregious violation of West Virginia consumer protection and data privacy laws," Morrisey said in a statement.

More than 730,000 West Virginians were affected by the breach, putting residents at risk of "identity theft, tax return scams, financial fraud and other harm," according to a press release detailing the lawsuit, which was filed in Boone County Circuit Court.

The lawsuit says Equifax did not detect the breach for roughly six weeks after hackers infiltrated its systems in May 2017, and that the company then sat on that information until September before consumers were notified. During that time, Equifax's chief information officer reviewed his "available stock options and sold roughly 6,815 shares of Equifax stock by Aug. 28, 2017," Morrisey alleges in the court documents.

Morrisey also accuses the company of handling the crisis in a way that deceived consumers, by offering a "complimentary" monitoring service whose terms ultimately left them paying for the service and waiving their right to a class action lawsuit.

Morrisey wants Equifax to pay $150,000 for each security breach, $5,000 for each violation of West Virginia's Consumer Credit and Protection Act, and to reimburse the state for all legal fees.

A REPORT IN FOCUS

A former cyber official on Thursday laid out nine recommendations the federal government should consider in order to better secure U.S. systems from outside attacks by foreign intelligence services and other hacker groups.

Kate Charlet, director of the Carnegie Endowment's Technology and International Affairs Program and former acting deputy assistant secretary of defense for cyber policy, said Congress should prioritize appropriating meaningful funds for information technology (IT) modernization in fiscal year 2019.

"A larger-scale, up-front investment--one that can reinvest savings from use of modern approaches--would keep momentum going on much-needed modernization efforts," she wrote in a post.

Passage of the Modernizing Government Technology Act was a good step toward "addressing the government's legacy information technology problem," she continued, but the $100 million appropriated for fiscal year 2018 "is a drop in the bucket of what is needed."

Charlet said the Trump administration should shift its primary focus from protecting important assets and systems to protecting missions and functions. "The National Security Council (NSC) and Office of Management and Budget (OMB) should direct each agency to first identify its core missions and functions, second identify the network infrastructure that supports those functions, and finally develop risk mitigation measures to ensure continuation of the core function even if that infrastructure were subject to cyber attack," she wrote.

Agencies should continue to strengthen existing initiatives, such as their "capabilities to detect threats and vulnerabilities in agency networks," and should "demand better risk-based decision-making tools," she advised.

Charlet also proposed that specific agencies take measures to better protect U.S. systems in cyberspace. She suggested that the Department of Homeland Security (DHS) develop a strategy for how best to use its authority to issue Binding Operational Directives, orders that direct executive branch agencies how to safeguard federal information systems.

"The DHS and the Office of Science and Technology Policy should develop a strategy for automation in federal cybersecurity," Charlet added.

Her other recommendations included bolstering the federal workforce. "Agencies and Congress should expand special hiring authorities for cyberspace expertise, but should also focus on retention. Getting and keeping the right talent can have an outsized impact on protecting government networks," she wrote.

A LIGHTER CLICK: Think your card tricks are cool? A.I. can measure brain cells. (Wired)

WHAT'S IN THE SPOTLIGHT

Uber has agreed to expand a settlement it reached with the Federal Trade Commission (FTC) last year, after the company revealed a massive data breach months after agreeing with regulators to settle earlier privacy violations. Like the previous settlement, reached in August, the revised agreement includes no monetary fine for the breach, which compromised information on 57 million people.

"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," Maureen Ohlhausen, the acting FTC chairwoman, said in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."

Under the terms of the new agreement, Uber must disclose any future data breaches to the FTC or risk fines.

Uber did not reveal the 2016 breach until November of last year, after Dara Khosrowshahi took over as CEO, replacing embattled founder Travis Kalanick.

IN CASE YOU MISSED IT: Links from our blog, The Hill, and around the Web.

EU privacy watchdogs: Facebook apology 'simply is not enough'. (The Hill)
Majority of Facebook users 'very concerned' about sale, use of personal data. (The Hill)
DOJ gives House Intel original document that prompted Russia investigation. (The Hill)
FCC chairman rejects senators' request to investigate Sinclair. (The Hill)
OP-ED: Russia's assault on Telegram the first salvo in its war against encryption. (The Hill)
OP-ED: Is critical infrastructure vulnerable to catastrophic attack? (The Hill)
UK's National Cyber Security Centre implementing new cyber threat prioritization framework. (Press Release)
UK carries out 'major offensive cyber-campaign' against Islamic State group. (BBC)
GOP plans to discredit Comey ahead of book tour. (CNN)
MySpace sold user data much like Facebook. (Motherboard)
Mueller's team prepares to move forward without Trump interview. (NBC)