Our guest this week is Joanne McNabb, Director of Privacy Education and Policy for the California Attorney General’s Office.  Joanne discusses the findings and recommendations in the recently released 2014 California Data Breach Report.  She also offers insight into some of the key factors the Attorney General’s Office considers in deciding whether or not to investigate a breach.  Finally, she discusses changes in California privacy law that will go into effect on January 1 – including SB568, the so-called “online eraser” for minors seeking to delete unwanted posts, and AB1710, which extends data security requirements to companies that “maintain” personal information, not just those that own or license it.  Finally, she settles a dispute only privacy lawyers could find interesting regarding the scope of AB1710’s provision requiring identity theft prevention/mitigation services.

We almost got through the week without any NSA news, but the FISA court made the news for doing exactly what you’d expect – renewing the section 215 orders for metadata.  More interesting was the news from Turkey, which effectively rewrites the history of cyberwar.  It looks as though Russia waged a distinctly kinetic and sophisticated attack on the Turkish-Azeri pipeline that broke Russia’s chokehold on Caspian oil.  Michael Vatis takes the day off to file an amicus brief in support of Microsoft in the fight over overseas warrants.

The Sony breach fallout continues to be severe.  Things are bad enough that the Hollywood Reporter is asking me to write op-eds.  We question whether Sony is really resorting to “active measures” to block distribution of the stolen files.  And Aaron Sorkin calls the media “dishonorable” for publishing all these leaked documents.  I don’t remember him saying the same thing when it was Manning and Snowden’s stolen docs on the front page.

Chris Conte explains the SEC’s new cybersecurity rules for exchanges and other trading platforms.

And the lame duck allows cybersecurity legislation to pass in a convoy:  Five bills, all modest in impact, were adopted by Congress in the last few days:

  • S. 1691 – allowing pay flexibility to attract cybersecurity professionals;
  • H.R. 2952 – requiring DHS to adopt a workforce strategy and assessment plan;
  • S. 2519 – authorizing  DHS to run an integration center providing threat information to civilian agencies and modifying federal government data breach rules;
  • S. 1353 – a very NIST-centered set of authorizations for cybersecurity awareness, research and workforce measures that may or may not be funded
  • S. 2521 – confirming DHS’s role in providing FISMA oversight under OMB guidance

And Sony has company.  It turns out that an Iranian hack of the Sands may be first cyberattack on US soil.  Both Sony and Sands join the DDOS of our banks as cyberattacks on the US that have gone unanswered.  Instead of a digital Pearl Harbor, we’re getting a lot of digital Sudetenlands.

Download the forty-seventh episode (mp3).