Top Stories
DETERMINATION THAT A PUBLIC HEALTH EMERGENCY EXISTS
HHS Declares Public Health Emergency in response to Hurricane Ian.
Breaches
Ambry Genetics Settles Class Action Lawsuit Over 2020 Data Breach for $12.3M
Ambry will pay $12.3 million into a settlement fund. Ambry, which is owned by Realm IDx, formerly Konica Minolta Precision Medicine, has also agreed to several business practice changes, including implementing additional security-related measures, enhanced policies and training for staff, tighter restrictions on access to personal health information, and other security measures.
Security
Journey to the NIST CSF 2.0: Workshop Summary Analysis & Recording
On August 17, 2022, NIST hosted its first public workshop on the future update to the NIST Cybersecurity Framework (CSF 2.0).
Morgan Stanley to pay $35 million fee for 'astonishing' customer data disposal practices - The Record by Recorded Future
Morgan Stanley will pay a $35 million penalty to settle charges from the U.S. Securities and Exchange Commission for wide-ranging failures around properly disposing of hard drives and servers containing the personal information of some 15 million customers.
Auth0 warns that some source code repos may have been stolen
Authentication service provider and Okta subsidiary Auth0 has disclosed what it calls a "security event" involving some of its code repositories.
GitHub Moves to Guard Open Source Against Supply Chain Attacks | WIRED
GitHub, which itself is owned by Microsoft, announced on Monday that it plans to support code signing, a sort of digital wax seal, for npm software packages using the code-signing platform Sigstore. The tool grew out of cross-industry collaboration to make it much easier for open source maintainers to verify that the code they create is the same code that ends up in the software packages actually being downloaded by people worldwide.
CISA warns of critical ManageEngine RCE bug used in attacks
This security flaw (CVE-2022-35405) can be exploited in low-complexity attacks, without requiring user interaction, to gain remote code execution on servers running unpatched Zoho ManageEngine PAM360 and Password Manager Pro (without authentication) or Access Manager Plus (with authentication) software.
FDA Authorization Bill Drops Medical Device Cybersecurity
A congressional deal to keep the U.S. Food and Drug Administration funded past this month strips medical device cybersecurity provisions earlier approved by the House of Representatives with bipartisan support.
Privacy
CNIL issues 250K euro fine over data security, retention violations
An investigation found alleged violations of data retention requirements under Article 5(1)(e) of the GDPR and data security obligations under Article 32. The CNIL found 25% of Infogreffe users had their data held by the website beyond the stated 36-month period.
Berlin DPA imposes 525K euro fine over DPO violation
The Berlin Commissioner for Data Protection and Freedom of Information issued a 525,000 euro fine to a Berlin-based retailer for violation of data protection officer requirements under the EU General Data Protection Regulation. An investigation found an alleged conflict of interest concerning the DPO's employment status and decision-making responsibilities that violated Article 38(6) of the GDPR.