DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers

Andrew Crocker of EFF responds to the announcement this week by DOJ about its revised policy for enforcement of the Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act (CFAA), the notoriously vague anti-hacking law, is long overdue for major…

Fraudster who hacked SUNY Plattsburgh accounts gets 9 ¼ year prison sentence

Robert Gavin reports: A federal judge sentenced Michael P. Fish to 9 ¼ years in prison Friday, saying he depravedly hacked into the accounts of dozens of unsuspecting female students at SUNY Plattsburgh, stole their private photos and sold the images o…

Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act

The Department of Justice today announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA). The policy for the first time directs that good-faith security research should not be charged. Good faith sec…

Mint gets data breach claims dismissed

Alyssa M. Sones of SheppardMullin writes about a data breach lawsuit with a somewhat different, albeit unsuccessful, approach. Sones explains: Fraser’s allegation that Mint had a role in helping the hacker gain control of his phone number sets this cas…

OCR: Current Fines Too Low to Spur Compliance; Agency Also Seeks Funding Boost, Injunctive Relief

Theresa Defino reports: Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and business associates (BAs). And, if Congress agrees, its…

Indian government makes user data collection mandatory for VPNs; Providers debate leaving country

Rahul Verma reports: The Indian government has introduced a new IT policy that requires virtual private network companies (VPNs) to collect extensive customer data and maintain it for five years or more. The directive came from Computer Emergency Respo…

CERT-In’s directions on reporting data breach will hold companies accountable: Experts

Debangana Ghosh reports: The Indian Computer Emergency Response Team (CERT-In) on Thursday made it mandatory for firms to report all incidents of cybersecurity vulnerabilities within six hours of noticing. Internet researchers and cybersecurity experts…