‘New Scheme’ on Data Security Could Bring More Red Tape for Small Businesses

From: National Retail Federation

J. Craig Shearman

NRF is telling Washington that a proposal to apply bank-style regulations to small businesses in an attempt to improve credit and debit card data security is the wrong approach.

“Everything about the Neugebauer-Carney plan is wrong,” NRF Senior Vice President for Government Relations David French said. “Banks have tough rules because a criminal hack could drain customer accounts in an instant and threaten the safety and soundness of the entire financial system. That’s appropriate for banks. But the small businesses Neugebauer and Carney want to regulate simply don’t pose the same kind of risk.”

Students on cybersecurity task force weigh policy options

From: Princeton University

“Cybersecurity” has been in the American lexicon for decades. The U.S. has typically taken a defensive approach to cyberwarfare, responding to attacks as they occur but leaving preventative strategy to private companies. But recent extensive invasions like the Sony Pictures Entertainment hack, the Target data breach and an attack on the White House network have called national attention to the sharp rise in cyberattacks, exposing the vulnerabilities of millions of Americans.

Where the Science is Taking Us in Cybersecurity

From: Lawfare

Science tends to take us places where policy cannot follow. Policy tends to take us places where science cannot follow. Yet neither science nor policy can be unmindful of the other. Here I will confine myself to six points where I see science, including applied science, asking us to look ahead. (The following is necessarily short; for a longer treatment of the science of security, per se, see “T.S. Kuhn Revisited,” keynote to the biennial meeting of NSF Principal Investigators, February 6, 2015.)

  1. Identity
  2. Ownership as perimeter
  3. Control diffusion
  4. Communications provenance

Cyberattacks leave businesses wide open to lawsuits

From: Silicon Republic

by John Kennedy

The damage to both reputation and finances caused by a security breach or cyberattack would put fear into the heart of any business owner — even before thinking about the potential lawsuits and fines that could follow.

Yes, failure to secure your systems means irate customers whose finances were compromised or identities stolen are well within their rights to sue you. And if you are a US-based company, class actions by angry shareholders are an ever-increasing reality.

Another prologue to cybersecurity regulations: controlled unclassified information (“CUI”) – what contractors need to know and why they should care

From: Lexology

Alexander W. Major | Sheppard Mullin Richter & Hampton LLP

Government contractors should take note of a proposed new rule that could impose significant new data storage obligations when finalized. The Federal Government is taking another baby step towards cybersecurity regulation with a proposed rule intended to standardize protocols relating to designating and safeguarding unclassified information that is to be withheld from public disclosure (also known as “controlled unclassified information” (“CUI”)). See 80 Fed. Reg. 26501 (proposing amendments to 32 CFR Part 2002). On May 8, 2015, the National Archives and Records Administration (“NARA”) published a proposed new rule that goes a long way in creating a standardized system intended to replace the litany of improvised CUI control markings that have been used by various Federal agencies and, unintentionally, hindered inter-governmental information sharing for decades. The effort, however, is more than a simple housekeeping exercise: the re-designation of CUI will also bring changes to the manner in which contractor-generated information residing on contractor-owned systems is stored and secured.