
Case Studies on Cybersecurity Standards, Legislation, and Organisational Resilience

Introduction 


In an era of pervasive digital interconnection, cybersecurity shapes both individual lives and organisational operations to an unprecedented degree. The evolving threat landscape demands vigilance and strategic preparedness, and the interconnected nature of global communication, commerce and information exchange underscores the need for robust frameworks that protect the confidentiality, integrity and availability of data. Cybersecurity standards and legislation provide that structured foundation, giving organisations a baseline against which to build and measure their defences. This essay works through four case studies to examine how cybersecurity standards, legislation and organisational resilience interact when an incident actually occurs. By examining real-world incidents, it considers not only the consequences of cyber threats but also the effectiveness of existing frameworks and the adaptive strategies organisations have used to protect their systems.



Artistic representation of digitally motivated case studies.
Image Credit: tecnosegura

 

 

Overview of Security Standards and Cyber Legislation 


Key cybersecurity standards, such as ISO/IEC 27001 and the NIST Cybersecurity Framework (CSF), shape the defensive strategies of organisations worldwide. ISO 27001 is an international, certifiable standard that provides a systematic approach to managing and securing sensitive information. Its core requirement is the establishment of an information security management system (ISMS), supported by a risk assessment and the Annex A control set, to preserve the confidentiality, integrity and availability of information assets. The NIST CSF, published by the US National Institute of Standards and Technology, is voluntary guidance rather than a certifiable standard: it organises security outcomes under the core functions Identify, Protect, Detect, Respond and Recover (the 2024 revision, CSF 2.0, adds a sixth function, Govern) and lets organisations profile their current and target posture against them. Despite their distinct origins, ISO 27001 and the NIST CSF share an emphasis on risk management, continuous improvement and a holistic approach to security, and the two map readily onto one another. Both serve as reference points for organisations seeking to fortify their defences and cultivate resilience, and the case studies below show where their practical application fell short and where it helped.


Cybersecurity legislation, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), stands as a cornerstone of the protection of sensitive information. GDPR, in force across the European Union since May 2018, safeguards the privacy and personal data of individuals. Its objectives include giving individuals control over their data, requiring transparent processing, and imposing stringent penalties for non-compliance (administrative fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher). HIPAA focuses on the healthcare sector within the United States, aiming to secure the confidentiality and integrity of protected health information. Common to both is the emphasis on data protection, privacy, and the establishment of secure practices for handling sensitive information; both seek to foster accountability, promote transparency, and compel organisations to implement robust security measures. As integral components of the legal landscape, GDPR and HIPAA provide a frame for evaluating organisational responses to the incidents examined in the case studies.


The GDPR is founded on seven core principles (Article 5) that govern the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Together these principles require organisations to handle personal data responsibly, transparently, and with due consideration for individuals' privacy rights, while still permitting legitimate and necessary processing. The integrity and confidentiality principle is the one most directly engaged by the security incidents discussed below, since it requires appropriate security against unauthorised or unlawful processing and against accidental loss, destruction or damage.


GDPR grants individuals a set of rights over their personal data: the right to be informed, of access, to rectification, to erasure (the "right to be forgotten"), to restriction of processing, to data portability, to object, and rights in relation to automated decision-making and profiling. Organisations must inform individuals about how their data is processed, rely on a valid lawful basis (obtaining consent where that is the basis used), and ensure that data subjects can exercise their rights effectively. GDPR also obliges data controllers and processors to implement appropriate technical and organisational measures (Article 32), to carry out data protection impact assessments for high-risk processing, and to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), informing affected individuals where the breach is likely to result in a high risk to them (Article 34). This dual focus on empowering individuals and holding organisations accountable is what gives GDPR its weight.


In the United States, the absence of a comprehensive federal privacy law akin to GDPR has led to state-level initiatives, notably the California Consumer Privacy Act (CCPA), which other states have since followed with statutes of their own. While the CCPA set a precedent for consumer data protection, it is state-specific, leaving gaps in a nationwide regulatory framework. Federal bills such as the Consumer Online Privacy Rights Act (COPRA) and the American Data Dissemination (ADD) Act have been introduced in Congress as attempts at a unified approach, but neither has been enacted. The patchwork of state laws and the stalled federal debate mean that, at the time of writing, the U.S. lacks a single comprehensive data privacy statute; sector-specific laws such as HIPAA, and the Federal Trade Commission's enforcement against unfair or deceptive practices, fill part of the gap. In the Case Studies section we examine the 2013 Target data breach and how it was handled in the absence of a unified federal privacy framework.


HIPAA, the Health Insurance Portability and Accountability Act, is the principal regulatory framework for health information in the United States. Its Privacy Rule establishes national standards to safeguard individuals' medical records and other protected health information (PHI), limiting how covered entities (healthcare providers, health plans and clearinghouses) and their business associates may use and disclose it, and giving individuals the right to access their records and request corrections. The Security Rule complements it by requiring administrative, physical and technical safeguards for electronic PHI (ePHI): covered entities must conduct a risk analysis and implement measures such as access controls, audit controls, integrity controls and transmission security; encryption is an "addressable" specification, meaning an entity must implement it or document why an equivalent alternative is reasonable. A third component, the Breach Notification Rule, requires notification of affected individuals, the Department of Health and Human Services and, for large breaches, the media. Together these rules create a standardised approach to data security, patient privacy and the responsible handling of health information across the US healthcare industry.


HIPAA applies to healthcare in the United States; it has no force in the United Kingdom. The UK operates under its own data protection regime: the UK GDPR (the EU regulation as retained in domestic law after Brexit) together with the Data Protection Act 2018, which govern the processing of personal data, including health data, which is treated as a "special category" requiring additional conditions for processing. Sector-specific requirements sit on top of these, including the common law duty of confidentiality, the Caldicott principles and, for NHS organisations, the Data Security and Protection Toolkit. Therefore, while HIPAA has been a significant regulatory force in the U.S., the UK healthcare sector looks to the UK GDPR and these local rules to ensure the confidentiality and security of patient data and to provide a framework for lawful processing and sharing. In the Case Studies section we examine the WannaCry ransomware attack and its profound impact on the National Health Service (NHS) in the United Kingdom.


Case Studies 



Target Company Logo
Image Credit: Target


Case Study 1: Target Data Breach 


In late 2013, Target Corporation, one of the largest retail chains in the United States, suffered a data breach that compromised the payment card and personal information of tens of millions of its customers. The intrusion began with a phishing attack on a third-party contractor, Fazio Mechanical Services, a heating and refrigeration vendor. According to IDStrong, “[Fazio Mechanical Services] remotely accessed Target’s network for billing purposes, contract fulfilment, and general management.” The phishing emails sent to Fazio carried malware that stole an employee's credentials for Target's vendor portal, giving the attackers a foothold from which they reached Target's internal network, installed memory-scraping malware on point-of-sale systems during the busy holiday shopping season, and exfiltrated card data. Target disclosed that roughly 40 million credit and debit card accounts were compromised, and later that the names, addresses, phone numbers and email addresses of up to 70 million customers had also been taken.


The Target data breach prompted a critical examination of the company's existing security standards. While Target had implemented security measures, the incident exposed gaps in their defences. The attackers exploited weak network segmentation between vendor-facing systems and the payment environment, allowing them to move laterally from a third-party portal to the point-of-sale network. Subsequent reporting also revealed that Target's deployed malware detection tooling did generate alerts as the attackers staged their malware and exfiltration, but those alerts were not acted upon in time; the failure was one of monitoring and response rather than an absence of technology. The incident highlighted the importance of regularly assessing and fortifying cybersecurity controls, particularly in a retail environment where payment card data is a prime target, and the need for a holistic approach that includes not only technical safeguards but also rigorous monitoring, employee training, and third-party vendor assessments.


The breach was first reported publicly by cybersecurity journalist Brian Krebs on 18 December 2013, and Target confirmed it the following day. The company then moved to mitigate the damage and restore customer trust: it acknowledged the incident publicly, provided regular updates, offered affected customers free credit monitoring, and collaborated with law enforcement agencies and external forensic experts to investigate the breach. Target also invested significantly in its security posture, accelerating the rollout of chip-and-PIN (EMV) payment cards across its stores, resetting credentials and broadening the use of two-factor authentication, improving segmentation, and reviewing and limiting vendor access to its network. Target's response demonstrated the importance of transparency, collaboration, and proactive remediation in the face of a cybersecurity crisis.


The Target data breach had profound legal ramifications, leading to numerous lawsuits, regulatory investigations, and financial penalties. Target settled consumer and financial-institution class actions and, in 2017, reached an $18.5 million settlement with 47 states and the District of Columbia that required it to maintain a comprehensive information security programme, segment its cardholder data environment, and implement stronger access controls. Target's own filings put total breach-related expenses in the hundreds of millions of dollars before insurance recoveries. The incident prompted a broader conversation about the legal responsibilities of companies in safeguarding customer data and a re-evaluation of security practice within the retail sector, including closer attention to the Payment Card Industry Data Security Standard (PCI DSS) requirements on network segmentation and third-party access. The fallout served as a wake-up call for the entire industry, emphasising the interconnectedness of cybersecurity and the far-reaching consequences for both individual organisations and the sector as a whole.

 



Simulated screenshot of the WannaCry Ransomware's interface.
Image Credit: CodeMentor


Case Study 2: WannaCry Ransomware Attack

 

In May 2017, the global healthcare sector faced a significant cybersecurity crisis with the outbreak of the WannaCry ransomware. WannaCry was a self-propagating worm: it exploited a vulnerability in the SMBv1 file-sharing protocol of Microsoft Windows (MS17-010, attacked with the leaked "EternalBlue" exploit) that Microsoft had patched two months earlier, so it spread from machine to machine over the network without any user interaction, encrypting files and demanding ransom payments in Bitcoin. The attack had widespread implications for healthcare organisations, including the United Kingdom's National Health Service (NHS), disrupting patient care and appointment scheduling and forcing some hospitals to divert emergency cases. According to FierceHealthcare, the WannaCry ransomware attack “crippled more than 300,000 machines in 150 countries, including 80 National Health Service hospitals in Britain, that were forced to divert patients after malware prevented clinicians from accessing medical records.” Flat, highly interconnected hospital networks with unpatched or unsupported Windows machines allowed the worm to spread rapidly, underscoring the vulnerability of critical infrastructure to this class of threat.
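The worm-like spread described above leaves a distinctive footprint in network logs: one host opening SMB (TCP/445) connections to many distinct neighbours within seconds. The following Python script is an added example, not code from the original page and not drawn from any real NHS data; it runs such a fan-out detection over constructed firewall-style log lines. The log format, IP addresses, window and threshold are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log (hypothetical firewall/flow export, not real data).
    Each line: <ISO-8601 timestamp>Z <src_ip> <dst_ip> <dst_port> <action>"""
    base = datetime(2017, 5, 12, 10, 1, 0)
    lines = []
    # Legitimate behaviour: one workstation reaching three file shares over an hour.
    for i, dst in enumerate(["10.20.1.10", "10.20.1.11", "10.20.1.12"]):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()}Z 10.20.9.4 {dst} 445 ALLOW")
    # Worm-like behaviour: one host probing 25 distinct neighbours on 445 in 25 seconds.
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()}Z 10.20.5.17 10.20.5.{30 + i} 445 ALLOW")
    # Unrelated traffic on another port from the same host (ignored by the detector).
    t = base + timedelta(seconds=5)
    lines.append(f"{t.isoformat()}Z 10.20.5.17 10.20.7.9 9100 ALLOW")
    return "\n".join(lines)


def parse_smb_events(log_text):
    """Return (timestamp, src, dst) tuples for TCP/445 flows, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = line.split()
        if port != "445":
            continue
        events.append((datetime.fromisoformat(ts.rstrip("Z")), src, dst))
    events.sort()
    return events


def detect_smb_fanout(log_text, threshold=20, window_seconds=60):
    """Flag sources that reach at least `threshold` distinct hosts on 445 within
    any sliding window of `window_seconds`. Returns {src: peak_distinct_hosts}."""
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for ts, src, dst in parse_smb_events(log_text):
        per_src[src].append((ts, dst))

    alerts = {}
    for src, seq in per_src.items():
        peak, left = 0, 0
        for right in range(len(seq)):
            # Advance the left edge until the events fit inside the window.
            while seq[right][0] - seq[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in seq[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in detect_smb_fanout(build_sample_log()).items():
        print(f"ALERT: {src} reached {count} distinct hosts on TCP/445 within 60s")
```

On the constructed log, only 10.20.5.17 is flagged (25 distinct hosts in under a minute); the workstation that touches three file shares over an hour is not. In production the threshold and window need tuning per environment, and known scanners (vulnerability scanners, endpoint management servers) need an allowlist, otherwise they will trigger the rule every scan cycle. Detection is a backstop: the preventive control for WannaCry was applying MS17-010 and disabling SMBv1, and the same fan-out pattern applies to NotPetya's use of the EternalBlue exploit a month later.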


The WannaCry attack prompted a critical examination of existing security standards within the healthcare sector. While regulations such as HIPAA in the United States mandate security measures to protect patient data, the incident revealed disparities in cybersecurity preparedness across healthcare organisations. Many affected entities were running unsupported or unpatched versions of Windows, had no process to apply critical security updates promptly, exposed SMB across flat networks, and had insufficient backup systems. The UK National Audit Office's subsequent investigation found that the NHS had been warned of the risk in advance and that the affected trusts had not applied the available patch or followed the advice to secure their firewalls. The incident underscored the importance of implementing, and actually adhering to, robust security standards in healthcare, given the sensitive nature of patient information and the safety consequences of losing access to it.


In the aftermath of WannaCry, regulatory bodies responded with increased scrutiny and an emphasis on cybersecurity compliance within the healthcare sector. In the UK, the Network and Information Systems (NIS) Regulations 2018 brought health into scope as an essential service, NHS organisations were required to complete the Data Security and Protection Toolkit annually, and NHS Digital's lessons-learned review recommended Cyber Essentials Plus certification for NHS organisations. Other countries and regions introduced their own guidelines and recommendations. Organisations found to be non-compliant face not only financial repercussions but also damage to their reputation and to patients' trust; the Information Commissioner's Office (ICO), for example, can and has fined healthcare organisations that fail to protect patient data adequately. This shift in regulatory approach emphasised the gravity of cybersecurity in healthcare and the need for stringent enforcement to ensure patient privacy and data security.


The WannaCry ransomware attack served as a catalyst for positive change within the healthcare industry. It prompted healthcare organisations globally to reassess and reinforce their cybersecurity protocols. Investments were made in updating and patching software systems, enhancing network security, and implementing robust backup and recovery mechanisms. Collaboration among healthcare institutions, government agencies, and cybersecurity experts increased, fostering a collective approach to cybersecurity resilience. The incident highlighted the importance of continuous monitoring, regular training for healthcare staff, and a proactive stance in addressing cybersecurity threats. The healthcare sector's response to WannaCry underscored the significance of learning from such incidents to fortify defences and ensure the continuity of critical healthcare services in the face of evolving cyber threats.  

  



An image of a MacBook with the SolarWinds logo displayed on the screen.
Image Credit: Adobe Stock


Case Study 3: SolarWinds Cyber Espionage 


The SolarWinds cyber espionage campaign, uncovered in December 2020, marked a sophisticated and far-reaching intrusion into critical systems. The threat actors compromised SolarWinds' software build process and inserted a backdoor (known as SUNBURST) into a signed component of the widely used Orion network-management platform, so that roughly 18,000 customers downloaded the trojanised update through the vendor's legitimate update channel. The backdoor lay dormant for around two weeks before beaconing to attacker-controlled infrastructure, and the attackers followed up with hands-on intrusions into a much smaller set of high-value victims, including US government agencies, major corporations and cybersecurity firms; the campaign was discovered only when the security firm FireEye investigated the theft of its own red-team tools. The scale and intricacy of the campaign revealed the vulnerabilities inherent in supply chain dependencies, demonstrating how a single compromised vendor can have cascading effects across many sectors.

The SolarWinds incident prompted a rigorous assessment of security standards within the technology sector. Despite established frameworks such as ISO 27001 and the NIST CSF, the attack exposed gaps in supply chain security: a valid code signature proved that the update came from SolarWinds, not that SolarWinds' build pipeline was trustworthy. The incident underscored the need for heightened scrutiny in evaluating third-party software, including build-pipeline integrity, software bills of materials (SBOMs), least-privilege deployment of management tools, and monitoring for anomalous outbound traffic from them. In the United States, Executive Order 14028 of May 2021 responded directly, directing NIST to publish secure software development guidance and requiring SBOMs and other supply-chain assurances for software sold to the federal government. It became evident that the sector needed to evolve its standards to address the complexities of modern threats, emphasising a proactive and comprehensive approach to risk management.


The SolarWinds breach triggered legal actions and investigations globally, showcasing the international implications of such cyber incidents. In April 2021 the United States and the United Kingdom formally attributed the campaign to Russia's Foreign Intelligence Service (SVR), and the US imposed sanctions on Russian entities and expelled diplomats, heightening geopolitical tensions and prompting calls for closer cybersecurity collaboration among allied nations. Domestically, SolarWinds faced shareholder litigation and, in 2023, charges from the US Securities and Exchange Commission alleging that it had misled investors about its security practices (most of which a court later dismissed), a case that put the accuracy of corporate security disclosures squarely into the legal frame. The incident illustrates how legal frameworks, from sanctions to securities law, interlock in response to a sophisticated cyber espionage campaign.


In the wake of the SolarWinds incident, the technology industry witnessed collaborative efforts to enhance cybersecurity resilience. Tech companies, competitors in many respects, recognised the shared threat landscape and the importance of collective defence. Information-sharing initiatives, notably the Joint Cyber Defense Collaborative (JCDC) established by CISA in August 2021, emerged to facilitate collaboration between private sector entities and government agencies. These collaborative responses aimed to pool resources, share threat intelligence, and collectively improve practices to thwart similar attacks. The SolarWinds incident highlighted the need for a united front against complex, highly orchestrated threats that transcend individual organisational boundaries.

  



A simulated screenshot of the NotPetya cyber attack.
Image Credit: Kaspersky

Case Study 4: NotPetya Cyber Attack 


The NotPetya attack of June 2017 stands out as a watershed moment, causing widespread disruption, particularly in the logistics and manufacturing sectors. It was delivered through a compromised update of M.E.Doc, an accounting package widely used in Ukraine, and then spread inside victim networks using the same EternalBlue SMB exploit as WannaCry together with stolen Windows credentials and legitimate administration tools. Although it was initially disguised as ransomware, it quickly revealed itself as a destructive wiper: it overwrote the boot record and encrypted the file system with no workable means of recovery, so paying the ransom was pointless. Its impact was most severe in Ukraine, where it originated, but it spread globally within hours to multinationals such as Maersk, Merck, FedEx's TNT Express and Mondelez, with total damages estimated at around $10 billion. The logistics and manufacturing sectors faced severe operational challenges, with production lines halted, port terminals shut and supply chains disrupted. The attack revealed the vulnerability of interconnected global systems, illustrating how a cyber incident in one region can have cascading effects on industries worldwide.


In the aftermath of NotPetya, a critical evaluation of industry-specific security standards in the logistics and manufacturing sectors became imperative. While general standards such as ISO 27001 and the NIST CSF offer comprehensive guidance, the incident exposed the need for frameworks tailored to operational technology, such as the IEC 62443 series for industrial automation and control systems, and for controls that assume a compromised corporate network can reach production systems. The sectors' intricate webs of interconnected systems required approaches that factored in the complexities of supply chain dependencies, including the risk carried by trusted software updates. The attack highlighted the necessity of adopting robust security measures not only at the organisational level but also across the entire ecosystem, from suppliers to distributors.


NotPetya triggered legal consequences and international discussions on cyber norms and state responsibilities. Initially believed to be a criminal act, the attack was publicly attributed in February 2018 by the UK, the US and several allies to the Russian military, and in 2020 the US Department of Justice indicted six GRU officers over it and related campaigns. Affected organisations faced financial losses, regulatory scrutiny, and litigation; one notable example was the dispute between Mondelez and its insurer Zurich over whether a "hostile or warlike action" exclusion in a property policy applied to a state-attributed cyber attack. The incident prompted discussions at the international level about the need for norms governing state behaviour in cyberspace and clear guidelines for responsible state conduct in the digital domain to prevent the escalation of cyber conflicts. The NotPetya attack, with its geopolitical implications, underscored the importance of international cooperation in addressing and preventing cyber threats.


In response to NotPetya, affected organisations demonstrated resilience by adapting their strategies. Maersk, for example, rebuilt roughly 4,000 servers and 45,000 workstations in about ten days, recovering its Active Directory from a single domain controller in Ghana that had survived only because of a power outage, an episode that illustrates why offline, tested backups of identity infrastructure matter. Many organisations have since invested in incident response capabilities, robust backup and recovery systems, and hardened cybersecurity postures. The incident prompted a shift towards proactive threat intelligence sharing within and across industries, fostering a collaborative approach to defence. Notably, organisations began to prioritise cyber resilience, acknowledging that the ability to recover swiftly from an incident is as crucial as preventing one. The adaptive strategies of affected entities reflect a growing recognition of the need for agility and preparedness in the face of sophisticated and evolving threats within the logistics and manufacturing sectors.

 


Analysis of Responses 


Across the four case studies, commonalities and variances in responses to cybersecurity incidents underscored the complexity of addressing and mitigating cyber threats. One notable commonality was the pervasive impact on the respective industries. In each case, the breaches disrupted operations, damaged reputations, and incurred substantial financial losses. The need for prompt and effective responses to restore normalcy became a unifying theme. However, variances emerged based on industry and organisational size. While the Target data breach had broad implications for the retail sector, the WannaCry attack significantly disrupted healthcare services. The SolarWinds and NotPetya incidents showcased the cross-industry and global ramifications, affecting technology and logistics/manufacturing sectors, respectively. The variances highlight the importance of tailoring cybersecurity responses to industry-specific challenges and organisational contexts.  


In evaluating industry-specific security standards, each case study exposed weaknesses in existing frameworks and the necessity for continual improvement. The Target data breach prompted a reassessment of retail industry standards, emphasising payment security, network segmentation and customer data protection. The WannaCry attack revealed gaps in healthcare cybersecurity practice, above all patch management, leading to increased scrutiny and calls for more stringent measures. The SolarWinds and NotPetya incidents underscored the importance of supply chain security, prompting the technology and logistics/manufacturing sectors to re-evaluate their standards and practices. The case studies collectively emphasised the dynamic nature of cyber threats and the need for adaptive, industry-specific standards that evolve with the threat landscape.


Legal consequences and international perspectives emerged as critical considerations in the aftermath of each cyber incident. Organisations faced regulatory scrutiny, financial penalties, and lawsuits, reflecting a growing trend of legal accountability for cybersecurity lapses. The international attribution of cyberattacks, as seen in the SolarWinds and NotPetya cases, highlighted the need for diplomatic measures and global collaboration to address cyber threats effectively. The evolving nature of cyber conflict challenges traditional legal frameworks, necessitating international discussions on responsible state behaviour in cyberspace. These legal and geopolitical dimensions revealed the interconnectedness of cyber incidents with broader international relations and emphasised the need for a unified approach to cybersecurity on a global scale.  


Communication and transparency emerged as crucial elements in the responses. Organisations that communicated openly about the breaches were better positioned to retain public trust and navigate the aftermath. Target's prompt acknowledgment of the breach and its subsequent updates shaped public perception, even though the story had broken externally first. NHS organisations affected by WannaCry faced scrutiny, but the openness of the subsequent National Audit Office and NHS reviews about what had gone wrong turned the incident into a reference point for the whole sector. The SolarWinds and NotPetya incidents underscored the importance of transparent communication in collaborative responses, with FireEye's public disclosure of SUNBURST and Maersk's candid account of its recovery enabling other organisations to check their own exposure and learn from the experience. The role of communication in building trust and enabling collaborative resilience marks it out as a fundamental component of effective incident response across industries and organisational sizes.

 


The Role of Legislation as a Deterrent 


The analysis of cyber legislation as a deterrent reveals its pivotal role in shaping the behaviour of organisations and individuals within the digital realm. Cybersecurity legislation establishes a legal framework that delineates acceptable practices, defines liabilities, and imposes consequences for non-compliance. The prospect of legal repercussions, including fines and sanctions, deters negligent handling of data by organisations, while criminal statutes and the attribution and sanction of state actors aim, with more mixed results, to deter the attackers themselves. Moreover, the existence of well-defined legislation reinforces the seriousness with which society views digital security, influencing organisational and individual attitudes towards responsible and secure practice. The effectiveness of legislation as a deterrent is contingent on several factors, including the clarity of legal provisions, the rigour of enforcement mechanisms, and the adaptability of the legal framework to evolving cyber threats. Within the context of the case studies, this analysis illuminates the interplay between legal structures, their enforcement, and their impact on deterring cyber threats.


A comparison of cyber jurisdictions with robust legislation reveals the varied approaches and their impact on digital security landscapes. Certain jurisdictions, often characterised by stringent and comprehensive cybersecurity laws, stand out as beacons of regulatory strength. These jurisdictions prioritise the protection of sensitive information, personal data, and critical infrastructure through legally enforceable frameworks. For instance, the European Union's GDPR and the United States' evolving cybersecurity legislation exemplify the commitment to fortifying digital defences. Such jurisdictions typically demonstrate a proactive stance in addressing emerging cyber threats, fostering international cooperation, and imposing substantial penalties for non-compliance. The effectiveness of these strong legislative environments is reflected in the resilience of organisations within their borders, as well as in their ability to respond swiftly and decisively to cyber incidents. By comparing these jurisdictions, one can discern patterns and best practices that contribute to a heightened state of cybersecurity readiness, offering valuable insights for organisations seeking to bolster their defences in a globalised and interconnected digital landscape. 


Despite the vital role that cybersecurity legislation plays in safeguarding digital ecosystems, challenges and criticisms persist within existing frameworks. One notable challenge lies in the struggle to keep pace with the rapidly evolving nature of cyber threats. Legislation often lags behind the dynamic tactics employed by cybercriminals, necessitating frequent updates to maintain relevance. Additionally, the complexity and specificity of legal language can pose difficulties for organisations in interpreting and implementing the regulations effectively. Compliance costs, both in terms of financial investments and operational adjustments, are another common criticism. Smaller businesses may find it particularly challenging to meet stringent requirements, potentially creating a disparity in cybersecurity resilience across different scales of enterprises. Privacy concerns also emerge, with critics arguing that some legislation may infringe on individuals' digital rights in the pursuit of enhanced security. Striking the right balance between robust cybersecurity measures and preserving individual liberties remains a persistent challenge in crafting effective and widely accepted legislation. Addressing these challenges is essential for refining and fortifying cybersecurity legislation, ensuring its adaptability and efficacy in an ever-changing threat landscape.  

 


Conclusion 


In conclusion, the examination of the four case studies, the Target data breach, the WannaCry ransomware attack, the SolarWinds cyber espionage campaign and the NotPetya cyber attack, has yielded valuable insights into the multifaceted landscape of cybersecurity and organisational resilience. Key findings emphasise the far-reaching consequences of cyber incidents, spanning industries, borders, and organisational sizes. The commonalities across responses underscore the critical importance of proactive and adaptive strategies, industry-specific security standards, and transparent communication in mitigating the impact of cyber threats. Several recommendations emerge for organisations navigating this landscape: prioritising fundamental controls such as timely patching, network segmentation and tested offline backups; acting on the alerts that monitoring already produces; fostering a culture of resilience; and investing in continuous staff training. Additionally, collaboration within and across industries is essential, facilitating the sharing of threat intelligence and best practices.


Looking ahead, future considerations must account for the ever-evolving nature of cyber threats. Organisations should adopt a forward-looking approach, anticipating emerging risks and investing in technologies that can adapt to the evolving threat landscape. Continuous monitoring, threat intelligence sharing, and regular updates to security protocols are critical components of a proactive cybersecurity strategy. As technology advances, the integration of artificial intelligence and machine learning into security frameworks becomes increasingly important. Moreover, international collaboration is essential to developing and enforcing robust norms and standards in cyberspace, ensuring a united front against global cyber threats. In this dynamic and interconnected digital era, the lessons learned from these case studies provide a roadmap for organisations to fortify their defences, adapt to emerging challenges, and foster a resilient cybersecurity posture.  


— Toby Ward (Founder of OSTWCyber)


