Cybersecurity Saturday

While Congress did enact a nationwide data breach law for healthcare organizations, including FEHB plans, Cyberscoop reports that last month’s data breach affecting password manager LastPass “exposes how US breach notification laws can leave consumers in the lurch.”

The U.S. famously does not have a federal privacy law — something that might determine the rights of consumers to know their personal data has been stolen. What it has instead are 50 different state laws governing breach notification. When a company realizes its systems have been breached and data inappropriately accessed, it must examine the affected users state by state and determine whether the data stolen and belonging to them qualifies for notification under each user’s state data-breach notification regime.

“It’s really messy,” says Chris Frascella, who studies consumer privacy at the Electronic Privacy Information Center, a nonprofit research group. “What you’re required to report in Alabama may not be something that you have to report in Connecticut.”

Against this backdrop, policymakers in Washington are attempting to step up their breach notification requirements, but these efforts are at an early stage.

As mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the owners and operators of critical infrastructure will soon have to report cyber incidents and ransomware payments to the Department of Homeland Security. DHS is currently in the process of writing rules governing these disclosures, but it is important to note that these requirements are focused on critical infrastructure, rather than consumer goods.

Over at the Securities and Exchange Commission, policymakers have proposed requiring publicly traded companies to report in public filings breaches considered to be material to investors — but what amounts to a “material” breach is a matter of some debate.

The Federal Trade Commission is also stepping up its efforts to push companies to implement better security practices and do a better job of notifying consumers when they are affected by a data breach.

Congress can fix this problem.

Cybersecurity Dive tells us

The consistent increase in annual cybercrime damages is not sustainable, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency said Thursday at CES in Las Vegas.

Cybercrime damages cost organizations $6 trillion last year, she said. They are projected to reach $8 trillion this year and $10.5 trillion in 2025.

“We cannot accept that 10 years from now it’s going to be the same or worse than where we are now,” Easterly said. “The critical infrastructure that Americans rely on every day … is underpinned by a technology base and that technology base was created effectively in an insecure way.”

This won’t change until priorities and incentives are realigned, she said.

Change starts with a recognition that cybersecurity is a fundamental safety issue, according to Easterly.

“We’ve somehow accepted that the incentives in technology are all aligned toward cost, capability, performance, speed to market, and not safety,” she said.

Companies are automatically blamed when they’ve been breached or didn’t patch a vulnerability that resulted in an attack, but that sole blame misses the broader challenge and questions everyone should be asking of technology vendors, according to Easterly.

“Why did that software have so many vulnerabilities in it that it has to be constantly patched every week? Why did that software have a vulnerability that caused such a damaging breach?” she said.

Organizations are relying on technology that gives short shrift to security.

“We can’t just let technology off the hook,” Easterly said.

Good point, Ms. Easterly.

From the cyber vulnerabilities front,

Cybersecurity Dive informs us

  • “For the second consecutive year, disputes over cybersecurity and data represent the greatest global risk to organizations, according to a report from Baker McKenzie.
  • “The majority, 3 in 5, of senior legal and risk officers name cybersecurity and data as presenting the greatest risk to organizations, according to the firm’s 2023 Global Disputes Survey, which is based on responses from 600 legal and risk officers at organizations in the U.S., U.K., Singapore and Brazil with annual revenue of at least $500 million.
  • “Cybersecurity concerns are becoming more frequent and they represent a range of challenges for companies, including the risk of financial, operational and reputational damage, according to the survey.”

Cybersecurity Dive also points out

The Cybersecurity and Infrastructure Security Agency added a Microsoft Exchange Server flaw linked to the Play ransomware attack on Rackspace to its catalog of known exploited vulnerabilities Tuesday [January 10].

The escalation of privilege vulnerability, listed as CVE-2022-41080, was linked to the Dec. 2 ransomware attack that disrupted email access for thousands of Hosted Exchange customers at Rackspace.

CrowdStrike disclosed an attack method using CVE-2022-41080 and CVE-2022-41082 that achieves remote code execution via Outlook Web Access. * * *

CISA also added CVE-2023-21674, a Microsoft Windows advanced local procedure call (ALPC) vulnerability, to its catalog. The escalation of privilege vulnerability happens when Windows improperly handles calls to ALPC, allowing an attacker to escalate privileges from sandboxed execution inside Chromium to kernel execution, according to researchers at Automox.

Here’s a link to the CISA catalog for your ease of reference.

FYI, the Wall Street Journal reports that “Biden administration officials and cybersecurity experts said the Federal Aviation Administration’s system outage on Wednesday didn’t appear the result of a cyberattack.”

From the ransomware front,

SecurityWeek relates, “Security researchers at Microsoft are flagging ransomware attacks on Apple’s flagship macOS operating system, warning that financially motivated cybercriminals are abusing legitimate macOS functionalities to exploit vulnerabilities, evade defenses, or coerce users to infect their devices.”

The Health Sector Cybersecurity Coordination Center issued an analysis of “Royal & BlackCat Ransomware: The Threat to the Health Sector.”

Bleeping Computer’s The Week in Ransomware tells us

New research on ransomware was also disclosed, or discovered, with various reports listed below:

CISA now requires federal agencies to patch the OWASSRF flaw by the end of January due to its active exploitation by both the Cuba and Play ransomware operations.

From the cyber defense front,

  • The Wall Street Journal reports, “Cloud-infrastructure company Cloudflare Inc. announced Wednesday new email security capabilities aimed at helping businesses defend against phishing, malware and other cyberattacks commonly targeting corporate email accounts.”
  • Health IT Security informs us, “More than 20 healthcare leaders have come together to form the Health 3rd Party Trust (Health3PT) Initiative and Council, aimed at introducing new standards, automated workflows, and assurance models to the third-party risk management (TPRM) conversation.”
  • Following up on Ms. Easterly’s comments on cyber safety, Federal News Network notes that “CISA and the Department of Homeland Security’s Science and Technology Directorate, for instance, are sketching out projects to dig into the use of open source software in critical infrastructure sectors, Allan Friedman, CISA senior advisor and strategist, said at a Jan. 10 event at the Center for Strategic and International Studies sponsored by GitHub.”