There has been a lot happening in the cyber world over the past two weeks. It was a bit of information overload. So rather than focus on one topic, I'll provide an overview of what caught my attention.
Florida Biometric Law
The Florida Biometric Information Privacy Act died in the legislature on May 3. According to the Florida Senate website, the bill "Died in Innovation, Industry, and Technology [committee]." That about sums it up for anything related to technology in Florida: it dies in committee.
Who knows why it died. Was it a bit rushed to begin with? After all, the proposed law suddenly appeared on the books, made a splash, then just as quickly was put to rest by the Senate. Maybe it was too similar to the Illinois Biometric Information Privacy Act that resulted in hundreds of lawsuits. Could it be that companies who rely on biometric information did not want a law that could open the floodgates to class action litigation?
Whatever the reason, the bottom line is that there is currently no law in Florida that governs how companies collect, use, and share biometric information. This is an issue I expressed concern about in a previous blog.
Facial Recognition in San Francisco
Meanwhile, San Francisco banned the use of facial recognition software by the police and other agencies. San Francisco is the first major city to take such a position. In mixed reports, it appears that San Francisco is not instituting a blanket ban, but rather a process to determine the best use of the technology. Interestingly, the ordinance targets government agencies. It does not impact the private sector. So, it appears that the private sector can still use facial recognition for whatever purpose it sees fit.
Florida Election Hack
This really should not be surprising, but the media is all over the fact that Russian agents hacked Florida voter rolls in 2016. Ironically, for "security" reasons the FBI refuses to name the counties that were affected.
If you have been out of the news loop, here's how this information came to light. Last month, the Mueller Report disclosed that the Russian military intelligence unit known as the G.R.U. breached “at least one Florida county government.” Apparently, the intrusion came through a spearphishing email.
After the revelation in the Mueller Report, the FBI briefed Florida Governor DeSantis on the breach, but not before they made him sign a non-disclosure agreement, which means he can't reveal which counties were affected by the breach. Of course, Governor DeSantis made it known that "it did not affect any voting or anything like that." Even the FBI confirmed that the hack did not affect the results.
Here's the problem: all of the publicly available information leads to the conclusion that the Russians meddled with the 2016 election. We are just beginning to understand the scope of the effort and how they went about their task -- information warfare, propaganda through social media, and hacking of election systems. So while the actual breach may not have directly impacted the election results, news like this will lead many to question the sanctity of the political process. That may have been the goal in the first place -- spread distrust and discord amongst the people.
Chinese Hackers Indicted
On May 9, there was a report that a federal grand jury returned an indictment in Indianapolis, Indiana, charging a Chinese national as part of an extremely sophisticated hacking group operating in China and targeting large businesses in the United States. One of the victims was Indianapolis-based health insurer Anthem Inc.
Just in case you didn't know, Anthem was the victim of a data breach in 2015 that resulted in the unauthorized disclosure of personally identifiable information of over 70 million people.
The allegations in the indictment outline the activities of a China-based computer hacking group that committed one of the worst data breaches in history. The Chinese hackers allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their personally identifiable information.
According to the indictment, the defendants used extremely sophisticated techniques to hack into the computer networks of businesses. These techniques included using spearphishing emails with embedded hyperlinks to malware.
This news highlights that Anthem was, in fact, a victim of a sophisticated cyber scheme. Anthem did not stand much of a chance against such an attack. Even the US government has been hacked. If the government has trouble with cyber threats, what chance does an insurance company, such as Anthem, have against highly skilled cyber criminals?
Yet, Anthem was sued in a class action because of the data breach and ended up paying $115 million to settle the lawsuit. Is there something wrong with this picture?
Let's see what happens this week in the world of cyber.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP