Cyber Security & the Marketplace Fairness Act/Remote Transaction Parity Act


Breaches in the last year have shown the perilous state of information security.  Frankly, the bad guys are winning.  A few recent breaches of note:

  • Target
  • Home Depot
  • Anthem Blue Cross
  • U.S. Office of Personnel Management

A quote from the Washington Post on the recent US OPM breach, which exposed very sensitive information from top secret clearance applications:

“In those files are huge treasure troves of personal data, including “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.”

China is suspected as the culprit in this and other breaches.  These breaches target both civilian and military organizations, and commercial data is highly prized by the attackers.  The skill level of these “advanced persistent threats,” or APTs, is high.  The attacks are stealthy and frequently successful.

You know who else will have a big, fat bulls-eye on their back?  Certified Solutions Providers.

Why might China or hackers target a CSP?  Because they will be a large collection point for sales data across the entire US economy.  The more data in one place, the more rewarding the target is.

Taxcloud estimates in its promotional video that its market is 3.5 million retailers.  It might be more, especially as the states reduce the small business exemption level over time (their long-term goal is zero exemption).

Right now there are 6 CSPs, and I know that Taxometry is in the works.  That’s a pretty small number of providers to hold all of this data.  So what data will the CSPs be storing for the states?

  • Order-level transaction data
  • Item-level transaction data (the tax category, or TIC, for each item purchased)
  • Item-level description – a description of what was purchased and/or the part # of what was ordered
  • The exact address the items shipped to (because zip code alone isn’t enough)
  • Retailer information for the sale, such as the shipping address
  • Since there is a 3 year statute of limitations under the Remote Transaction Parity Act, CSPs would need to store at least 3 years, and likely more, of transaction data for every single item ordered.

I’m not suggesting credit card data would be stored by the CSPs; it won’t be.  But if a bad guy or nation state is looking for a lot of commercial data, it’s easier to target one or more CSPs than individual retailers one by one.  Reverse lookups from address to name are trivial and readily available.  Recent headlines have shown that the bad guys out there are winning the fight, and a skilled group or nation state would probably view this small number of companies as an interesting target.

Update: It is amusing that the L.A. Times had an article this morning (6/17/2015) with Rep. Chaffetz complaining about the poor security at OPM while his bill actually helps sow the seeds of a possible future issue.  From the Times:

“Intelligence officials are concerned that Chinese intelligence services or others could use the sensitive information, which can include medical histories and other personal details, to blackmail or otherwise recruit spies in the U.S. government and to design carefully tailored emails to infect computers of federal workers with access to secret files.

Chinese officials deny being behind the incursion.

During a contentious congressional hearing about the massive digital theft of personnel files, lawmakers ripped into the officials in charge of securing the networks.

“You failed. You failed utterly and totally,” Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, told the officials.””