SolarWinds attack renews push for a federal breach notification law
The coming into effect of the EU’s GDPR across the pond gave fresh impetus to calls for a federal breach notification law in the United States. Those calls are only growing louder in the aftermath of the unprecedented and massive SolarWinds attack. The cybersecurity community is still coming to terms with the far-reaching impact of the incident.
There is still no certainty over how many companies and federal agencies may have been impacted by the breach. In all likelihood, the exact number may never be known, but it could be as high as 18,000 entities. A key reason for this uncertainty is the lack of a breach notification law requiring federal agencies and private sector organizations to notify the government when they are hacked.
The absence of this law means organizations and federal agencies miss out on accessing the critical aggregate procedures, techniques, and tactics needed to stop the actions of bad actors. That may change as members of Congress expressed their intention to close this gap. State laws require notification of data breaches but are only invoked where personally identifiable information is lost. In the SolarWinds incident, no personal information was lost.
Congress has attempted and failed to pass a breach notification law before. The most recent was the Pentagon’s fiscal 2021 policy bill that included a provision requiring the establishment of a cyber incident reporting program. The provision did not become law following its inability to pass the Senate as well as the Chamber of Commerce’s objection.
Virginia data protection bill signed into law
On March 2, Virginia Governor Ralph Northam signed into law the state’s data protection bill. This made the Old Dominion the second state in the US to pass a law that borrows heavily from the EU’s GDPR. The state’s Consumer Data Protection Act (CDPA) follows the California Consumer Privacy Act (CCPA) that came into force on January 1, 2020.
Whereas the CDPA and CCPA all significantly mirror sections of the GDPR, each law has unique provisions that vary from the rest. Virginia’s CDPA only applies to businesses that process or control the personal information of 100,000 consumers or more, or companies that process or control the data of at least 25,000 Virginia residents and derive 50 percent or more of their revenue from the sale of personal information.
Virginia’s new law is likely to spur other states such as Washington, Oklahoma, and Florida that already have similar legislation in the pipeline. There is a sense of déjà vu here if you recall the emergence of data breach notification state laws. Even at that time, the trend kicked off in California, but eventually, all states and territories passed their own breach notification laws.
Surveillance cameras breached
A hacktivist group took control of a Verkada super admin account. Verkada is a leading provider of surveillance cameras. As a result of the breach, the hacktivist group potentially had access to more than 150,000 Verkada surveillance cameras though the actual number breached was slightly under 100.
With privileged access, the group could view a worryingly diverse range of environments, from schools, hospital beds, and private homes to car assembly lines, interrogation rooms, and prison cells. The hacktivists also downloaded a full list of Verdaka’s customers and the business’s non-public financial statements.
The hard-coded credentials were allegedly publicly available on the Internet, although the group did not provide details of where the said credentials were posted.
Calling itself Advanced Persistent Threat 69420, the hacktivist group had unrestricted access for 36 hours, with the situation only remedied after they contacted Bloomberg News, which then notified Verkada. The Verkada incident will only increase debate over the use of surveillance cameras for law enforcement and general monitoring of public areas.
Verkada could face regulatory action given the nature of the information breached. HIPAA violations may have occurred thanks to the compromise of hospital surveillance camera feeds. GDPR violations may have occurred too. Class action lawsuits are a real possibility.