In March 2018, Alabama and South Dakota passed laws mandating data breach notification for its residents.

The passage meant all 50 states, the District of Columbia and several U.S. territories now have legal frameworks that require businesses and other entities to notify consumers about compromised data.

All 50 states also have statutes addressing hacking, unauthorized access, computer trespass, viruses or malware, according to the National Conference of State Legislatures (NCSL). Every state has laws that allow consumers to freeze credit reporting, too.

While those milestones are notable, there are broader issues when it comes to legislative approaches to cybersecurity across the United States. There are vast discrepancies and differences among states when it comes to cybersecurity protection.

What Laws Are on the Books About Cybersecurity?

In 2018, there were more than 275 cybersecurity-related bills introduced by state legislatures in 33 states, Washington, D.C., and Puerto Rico. The legislative action covers a broad range of cybersecurity topics, including:

• Appropriations
• Computer crime
• Election security
• Energy and critical infrastructure security
• Government and private-sector security practices
• Incident response remediation
• Workforce training

For companies, especially those that work across state lines, the variances among state laws creates a challenge in tracking requirements and remaining legally compliant.

For example, while most states require immediate notification of a data breach “without unreasonable delay,” the deadlines are varied. Nine states require notification within 45 days, South Dakota allows 60 days and Tennessee allows as many as 90 days. In addition, most states require written notification while some allow for notification via telephone or electronic notice.

While states have focused much of their recent legislation on data privacy, there are many other components of cybersecurity. Again, there is no uniformity. In fact, most states do not have laws about other important cybersecurity issues:

• Half the states have laws addressing denial-of-service attacks.
• Just five states explicitly cite ransomware in statutes.
• Phishing laws are in place in 23 states and Guam.
• Twenty states, Guam and Puerto Rico have laws regarding spyware.

While broader laws addressing malware or computer trespass may be used to prosecute some of these attacks, the discrepancies further illustrate the different approaches and terminology states use.

What States Have Strong Data Privacy Laws?

Here are a few examples of states that have strong legal provisions within their cybersecurity and privacy laws:

• Arkansas. Parental consent is required before student information can be shared with government agencies.
• California. The state passed sweeping data privacy laws in 2018 requiring businesses to inform consumers of what personal information is being collected, disclosed or sold. The law, which goes into effect in 2020, contains provisions giving consumers the right to opt out of having their data sold to a third party. California is the only state with a constitutional declaration that data privacy is an inalienable right.
• Delaware. Recently passed laws restrict advertising to children and protect the privacy of e-book readers.
• Illinois. The state is the only one to protect biometric data.
• Maine. It’s the only state that prohibits law enforcement from tracking people using GPS or other geo-location tools on computers or mobile devices.
• Utah. The state is one of only two that requires ISPs to obtain customer consent before sharing customer data.

What States Have Weak Data Security Laws?

Despite the growing legislative controls on cybersecurity issues and public expectation for data privacy, there are many states that have laws that are lacking, including:

• Alabama. There are no laws on the books that protect the online privacy of K-12 students.
• Mississippi. To date, no laws exist that protect employee personal communications and accounts from employers.
• South Dakota. Companies can retain personal information on employees indefinitely.
• Wyoming. Employers can force employees to hand over passwords to social media accounts.

How Long Does a Company Need to Retain Personal Identifying Information?

Many companies struggle knowing when or if to hold onto personal information on consumers. The challenge is that laws vary greatly from state to state. As of January 2019, according to the NCSL, only 35 states have laws requiring businesses or government entities to destroy or dispose of this data at all.

Of those 35 states:

• Only 14 require both businesses and government agencies to destroy or dispose of data.
• Virginia requires government agencies only but excludes businesses.
• Nineteen states do not require government agencies to dispose of or destroy personal information.

Where Is the Federal Government in Cybersecurity?

The federal government has many laws and rules regarding cybersecurity, from HIPAA to the Cybersecurity Information Sharing Act, which allows for the U.S. government and technology or manufacturing companies to share Internet traffic information.

Other proposed legislation has hit some roadblocks. Take the Data Acquisition and Technology Accountability and Security Act, which would have established a national data breach reporting standard. State attorneys general strongly opposed the legislation, introduced in March 2018. The 32 state AGs argued that the bill would weaken consumer protections, make state laws stronger, and exempt too many companies.

For companies, the variances from state to state present a complex technical challenge. To remain compliant, they need policies, tools and solutions that ensure data is protected and secure.

Managed service providers (MSPs) offer a powerful option to address many data issues. MSPs provide cloud-based, off-site, secure data storage and automated backups. Data, systems and networks are monitored 24/7 to detect and remove unwanted activity. The advanced firewalls, enterprise-strength anti-virus tools and employee education that MSPs provide help maintain compliance and keep data safe from the attacks that trigger responses.

The growth of state legislation to address cybersecurity issues is welcome. The challenge for companies is finding a reliable solution that allows for responsive and responsible action.

Is someone out there pretending to represent your business to make money? Don’t laugh. It happens. Business identity theft is a growing concern for many companies across the US. According to a recent study by Dun & Bradstreet, business identity theft, also called commercial or corporate identity theft, was up 46 percent in 2017.

The CEO, Mary Ellen Seale, of The National Cybersecurity Society (NCSS) said, “Small business identity theft – stealing a business’s identity to commit fraud, is big business for identity thieves.” However, too few businesses, especially smaller businesses, are aware of the issue. In 2018, the NCSS published “Business Identity Theft in the US” to help publicize the problem, and to provide guidance on how companies can help protect themselves.

Which Types of Businesses Are Targeted by Business Identity Theft?

Corporate identity theft is not just a problem for large corporations or companies operating in a particular industry. It is a crime which can affect any-sized business from tiny Mom and Pop shops on Main St. USA to multinational companies who are involved in any commerce:

• Small companies are usually the initial victims of identity theft since these companies tend to have more lax security in place and are less likely to realize their information is at risk. However, that doesn’t mean that larger companies are immune from having a criminal steal their identity. Plenty of larger businesses have their identities stolen each year.
• Corporate identity thieves use the name and legitimate business information of customers of large vendors’ customers to trick them into fulfilling orders. Busy vendors who fail to put into place procedures to verify whether an order is genuine can end up losing millions of dollars a year to these scams.
• Criminals masquerading as a legitimate business deceive financial institutions to open credit card accounts, establish lines of credit, send or receive wire transfers, and secure loans.
• The list of victims of corporate identity theft even extends to the US government when criminals use stolen company credentials to claim tax refundable tax credits or to exploit other government benefits for corporations.

How Do Thieves Steal a Corporation’s Identity?

Criminals who steal the identities of businesses have a wide range of methods ranging from very simplistic to highly sophisticated. Many lower level identity thieves focus on email phishing scams which target employees of the company in an attempt to gain confidential information such as database passwords or HR records. Other simple scams use spoofed email accounts of company executives to trick vendors and clients of a company into believing they are communicating with someone from the company. Slightly more advanced scams can include setting up an unsecured WiFi network in near a company in hopes that employees will use it to conduct business and then stealing the data.

More sophisticated scams can include dozens of people, building fake websites, using shelf companies, social engineering and even renting office space at the same location as the targeted company. The goal of these higher level scams is typically to create a plausible “Proof of Right” which the thieves can then use to secure fraudulent loans, masquerade as the company in a business deal, or even sell company assets.

How Can You Protect Your Company From Identity Theft?

While there is no way to protect your company completely from identity theft, you can make it harder for cybercriminals by maintaining proper data protection procedures.

• Train your staff. Teach your staff how to recognize phishing scams and how to verify when an email is from a legitimate source. Establish procedures on how to handle data correctly, and have a data loss prevention plan in place including a ‘clean desk’ policy.
• Secure your network. Add additional security to your networks and ensure that everyone is using secured servers. Avoid using a ‘master account’ which allows access to your entire network to limit data breaches. Require two-factor authentication.
• Monitor your financial information. Check your company’s credit report regularly to ensure that there aren’t any unexpected changes such as credit applications or new accounts.
• Consider hiring a company to help prevent corporate identity theft. An outside security company is one of the best ways to protect your corporate identity from scammers.

Amazon is a gigantic player in online sales. It’s estimated that the Seattle-based online e-commerce site will be responsible for roughly 50% of all digital sales during the 2018 holiday season, one of the busiest shopping times of the year in the United States. In other words, one out of every two people shopping during the holiday season will buy something from Amazon.

But Amazon’s very ubiquity has made it a tempting target for cybercriminals and thieves. It’s also widely trusted by consumers, who benefit from the online retailer’s wide choice and speedy deliveries. As a result of the many sales made through Amazon and the trust it has engendered among its customers, scam artists are targeting Amazon shoppers.

A Scam That Sends Fake E-Mail

The most recent scam sends an e-mail to an Amazon shopper telling them that their password needs a reset. One of the most notable elements of the scam is that the e-mail looks very official, using Amazon’s logo. It tells the targeted Amazon shopper to enter their Amazon user ID and new password directly from the e-mail.

But it isn’t Amazon that receives the new password. It’s the cyberthieves who set up and sent the e-mail. Once the target enters the information in response to the scam e-mail, the cyberthieves have the information to their Amazon account.

The thieves often set up Amazon gift cards for themselves, so that they have cash to be spent on Amazon. The gift cards are sent to their e-mail accounts, so they can use it before any theft is noticed. If the target customer has a credit card or debit card associated with their Amazon account, as most people do, the scam artists may shop until the cards are maxed out.

There are several variants to the scam. Sometimes, the cyberthieves set up the e-mail to say that new shipping information is needed or that there is a problem with an existing order.

But in all cases, a crucial element is the same. The e-mail looks official, and asks that the customer’s ID and password be entered directly from the e-mail. Entering it from the e-mail is what allows the cybercriminals to capture the user’s information and use it for themselves.

What Amazon Customers Should Do

Amazon customers need to be aware of the scam. They should never enter any of their account information in response to an e-mail about a problem with an Amazon order. For that matter, they should never enter any account information, of any type, in response to any e-mail, including debit card or credit card information.

If you get an e-mail like this, log out of your e-mail and log in to your Amazon account directly from the company’s web page, www.amazon.com. That page always has up-to-date information on your account and your orders. Customers will be able to see if there is any concern with their orders or shipping address.

If customers do need to change their log-in information, they should always do it directly on the Amazon site, not in response to an e-mail.

Finally, the Amazon site has a “take action” section on their website giving direct information on how to handle suspicious e-mails and scams by cyberthieves purporting to be Amazon. To access the section, click here.

The latest scam is easy to protect against. Customers should never respond to e-mails that look as if they’re from Amazon but always go directly to the Amazon website.