Tag Archives: Illinois

Security News for the Week Ending October 22, 2021

State Acknowledges Data Breach After 10 Months

I guess better late than never. Finally, the State of Illinois is admitting to a data breach, sort of. Here is what they are now saying. Check the dates below. Notice who was among the last to know – the victims. Can the state be fined for breaking the law? We shall see.

Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively the Departments) in conjunction with the Illinois Department of Innovation and Technology (DoIT) are notifying the media of an incident within the State of Illinois Integrated Eligibility System (IES).

IES is the eligibility system of record for State-funded medical benefits programs, the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). On November 24, 2020, the State discovered an issue within IES. Upon investigation, the Departments discovered that household members who were once on a case and had their access removed could still see information even after they were no longer part of that case.

In response to this incident, on January 8, 2021, IES was updated to limit case access to only the head of household, and prior and other current household members no longer have access. To date, the Departments are unaware of any actual or attempted misuse of personal information as a result of the incident and the number of potentially affected individuals was limited.

The Departments notified the members of the Illinois General Assembly on July 29, 2021, the potentially affected individuals on September 9, 2021, and the Office of the Illinois Attorney General on September 10, 2021.
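The defect described in the notice is a classic stale-grant authorization bug: a permission was written when someone joined a case and was never revoked when they were removed from it. The Python below is an added example, not code from the State of Illinois or the IES system; the case, user and benefit values are constructed. It contrasts a store that trusts a grant table written once with one that checks the case's current state on every request (and, following the fix the notice describes, limits access to the head of household) and logs each denial so such attempts become visible to detection.

```python
# Added example (not from the State of Illinois notice or any IES code):
# models the stale-grant authorization defect and the point-of-use check.
from dataclasses import dataclass, field


@dataclass
class Case:
    case_id: str
    head_of_household: str
    members: set = field(default_factory=set)   # who is currently on the case
    data: dict = field(default_factory=dict)    # benefit details (constructed)


class StaleGrantStore:
    """Failure mode: a grant is recorded when a member joins a case and is
    never revoked when that member is removed, so the stale grant keeps working."""

    def __init__(self):
        self.cases = {}
        self.grants = {}  # user -> set of case_ids, written once, never cleaned up

    def add_case(self, case):
        self.cases[case.case_id] = case
        for user in {case.head_of_household, *case.members}:
            self.grants.setdefault(user, set()).add(case.case_id)

    def remove_member(self, case_id, user):
        self.cases[case_id].members.discard(user)
        # Bug: self.grants is left untouched, so the removed member keeps access.

    def view(self, user, case_id):
        if case_id in self.grants.get(user, set()):
            return self.cases[case_id].data
        raise PermissionError(f"{user} may not view {case_id}")


class LiveCheckStore(StaleGrantStore):
    """Corrected behaviour: authorize at the moment of each request against the
    case's current state. Mirrors the described fix of limiting access to the
    head of household, and records every denial for detection."""

    def __init__(self):
        super().__init__()
        self.audit = []  # constructed audit trail of denied reads

    def view(self, user, case_id):
        case = self.cases[case_id]
        if user != case.head_of_household:
            self.audit.append(f"DENY user={user} case={case_id}")
            raise PermissionError(f"{user} may not view {case_id}")
        return case.data


def build(store_cls):
    """Constructed scenario: alice heads case C-1001, bob is on it, then leaves."""
    store = store_cls()
    store.add_case(Case("C-1001", "alice", {"alice", "bob"}, {"benefit": "SNAP"}))
    store.remove_member("C-1001", "bob")   # bob is no longer part of the household
    return store


def can_view(store_cls, user):
    """True if `user` can still read case C-1001 after bob's removal."""
    try:
        build(store_cls).view(user, "C-1001")
        return True
    except PermissionError:
        return False


def denial_log(store_cls=LiveCheckStore):
    """Audit entries produced when the removed member tries to read the case."""
    store = build(store_cls)
    try:
        store.view("bob", "C-1001")
    except PermissionError:
        pass
    return store.audit


if __name__ == "__main__":
    print("stale store, bob can view:", can_view(StaleGrantStore, "bob"))   # True (bug)
    print("live check, bob can view:", can_view(LiveCheckStore, "bob"))     # False
    print("live check, alice can view:", can_view(LiveCheckStore, "alice")) # True
    print("denials:", denial_log())
```

The general lesson is that membership-derived permissions should be evaluated against current membership at the point of use rather than copied into a separate grant table, and that denied reads of records a user was recently removed from are worth alerting on; the notice says the state only found this ten months in, which is what an audit trail of denials is meant to shorten.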

Tesco Launches First Checkout-Free Store in London

Following the lead of companies like Amazon, retailers like Tesco in London are working on letting customers shop in their stores without having to stop at the checkout line. This is done with a crazy number of cameras and sensors. My guess is that they are willing to take some losses in the short term to try and figure out the weak spots and how people plan to game the system, but this is surveillance to the max. It requires that you have their app, and they will automatically charge your credit card, which has to be on file. Me, I’m okay with the checkout line. Credit: Computing

Facebook Plans to Rebrand Itself

Okay, this is not really security related, but fun for Friday. Facebook, apparently, wants to rebrand itself. They have been quiet about this but will announce the new name at their annual conference this month. Note that they didn’t ask for suggestions; they probably would have gotten a bunch that referred to different body parts than people’s faces. But, this is kind of like what Google did with Alphabet a couple of years ago. Facebook as a company has lots of brands and it probably doesn’t make sense, any more, for the parent company to still be called Facebook. Credit: Computing

CISA Wants the 24 Hour Breach Reporting Law for Incidents

There are bills working their way through Congress right now that would make it mandatory that certain companies report breaches and some attacks within either 24 or 72 hours, depending on the bill. CISA is putting its weight behind 24 hours. This probably will include anything designated as critical infrastructure, which is a lot, and possibly some others. Stay tuned to see what passes. Companies would rather keep hacks secret, if possible, but if the bill passes and companies might be fined or executives go to jail, they will probably disclose. The disclosure would be to the government, probably, and not publicly. Credit: FCW

CISA Says Ransomware Targeted SCADA Systems of 3 US Water Treatment Plants

The FBI, CISA, EPA and NSA issued a joint alert saying that cyberattacks against water and wastewater treatment plants are up. They revealed that the industrial control system (ICS) or SCADA systems at three plants had been hit by ransomware and that the malware had been lurking inside for about a month before it launched the attacks. The attackers target the outdated software and poorly configured hardware of these systems, which makes it a pretty easy attack. Drinking water is the primary target, they say. My guess is that they do that because poisoning people will create more chaos. Credit: Hack Read

Illinois Strengthens Data Breach Notification Law

Compliance is one of those challenges for companies big and small.  One of those compliance requirements is to keep abreast of changes to or new laws that apply to your organization.  While we don’t offer legal advice, when we see items related to compliance, we will bring them to your attention.  In the case of information security breach laws, most states have their own law as do some commonwealths and other protectorates.

It is important to remember that these laws, for the most part, apply based on where the user is, not where the business is.  So, if you are located in New Mexico (which is one of only three states that does NOT have a data breach notification law), but you have customers who live in California and Arizona, say, the California law applies to California residents and the Arizona law applies to Arizona residents.  This is why most companies would prefer a national law.  Due to national politics, a federal law would likely be weaker than many of the state laws, which would make privacy friendly legislators tend to vote against it.  In order for a national law to be effective, it would have to preempt states’ rights, which would tend to make those legislators who support a less intrusive Federal government vote against it.

This week it is Illinois and its Personal Information Protection Act. Some of the changes to PIPA, which go into effect on Jan. 1, 2017, include:

  • It expands the definition of personal information to include a person’s first and last name along with medical information, health insurance information or unique biometric information (such as, but not limited to, fingerprints and retina images). It also includes a person’s username or email address in combination with a password or security question and answer, if that allows access to an account.
  • PIPA clarifies the safe harbor exception to breach notification. Before, if the data was encrypted, you didn’t have to notify people. Apparently that was misused. Now it will say that if the data was encrypted, but the decryption key was also taken, then you have to notify. This is similar to changes made this year in Tennessee and Nebraska.
  • With the changes to the law, in the case of userid/password breaches, the notification must state that you should change your username or password and/or security question and answer promptly (really, do you have to tell people that?) and that you should change it on ALL accounts that used that same login information, not just at the one site that was compromised.
  • While including healthcare and biometric information could increase the number of companies covered, there are two very important exceptions:
    (1) Companies “subject to and in compliance with Section 501(b) of Gramm-Leach-Bliley” will be deemed to be in compliance with PIPA. 501(b) covers a wide array of companies enumerated in section 505(a). These include national banks, member banks of the Federal Reserve System, banks insured by the FDIC (basically every bank in the country), savings banks, credit unions, brokers and dealers, investment companies, investment advisors, insurance companies regulated by the various states, or any other business not listed that is engaged in financial services. Notice that it does say that you must be in compliance with GLB.
    (2) Companies subject to and adhering to requirements under HIPAA and HITECH are also deemed to be compliant with PIPA, with the extra stipulation that if you do something that requires you to notify the U.S. Department of Health and Human Services (i.e. some form of breach), you are required to also notify the Illinois AG within 5 days.

For companies with an online presence, you likely have customers in many states if not all states.  This means that you have to understand the requirements for responding to breaches in each state where your customers live.  This post represents changes to just one law.

Information for this post came from the Consumer Financial Services Law Blog.