Deputy Attorney General Lisa Monaco met Thursday with retail CEOs at the Retail Industry Leaders Association (RILA) annual summit in Washington, where she cautioned them to be “mindful” about the “blended threat” of sophisticated “cyber-criminal groups” and “nation-state actors” forming “alliances of convenience,” said a DOJ readout Friday. She encouraged retailers to bolster their cyber defenses and “proactively develop” relationships with their local FBI field offices, it said. Monaco also addressed “organized retail crime” with the CEOs, including how U.S. attorneys across the country are bringing federal charges to punish and thwart “aggravated retail theft,” said DOJ. Retailers “appreciated the opportunity to discuss a number of high priority issues with Deputy AG Monaco, including cybersecurity,” emailed RILA President Brian Dodge. “We appreciate the department’s attention to organized retail crime and the role they are playing investigating and prosecuting large cases,” he said. RILA represents Best Buy, Target, Walmart and other big-box retailers.
President Joe Biden signed two pieces of cyber legislation into law Tuesday, the White House announced. The Federal Rotational Cyber Workforce Program Act (S-1097) establishes a federal rotational cyber workforce program. The State and Local Government Cybersecurity Act (S-2520) directs the Department of Homeland Security to “increase collaboration with state, local, tribal and territorial governments on cybersecurity issues.”
The full damage of the average ransomware attack can extend well beyond the cost of the ransom payment itself, a GetApp survey found. The software recommendation platform canvassed 300 ransomware victims in May, finding only 11% who said the ransomware payment “was the most consequential impact of the ransomware attack,” it said. Six in 10 survey respondents reported suffering a “multifaceted extortion attack” in which the victim’s files are encrypted and a separate attack is launched to pressure victims to pay the ransom, it said. The survey found 58% of multifaceted extortion victims reported they paid the ransom, compared with only 31% of standard ransomware attack victims, it said. “The complex nature of multifaceted attacks can bring normal business functions to a standstill,” said GetApp. Among companies that paid the ransom, 70% said the attack made a major impact on productivity, it said. More than a third of victims cited productivity losses “as the single most consequential impact of a ransomware attack, more than any other effect surveyed,” it said.
A bill to update Pennsylvania data breach requirements unanimously cleared the House State Government Committee at a hearing livestreamed Wednesday. SB-696, which earlier passed the Senate, would require state agencies, agency contractors, counties, school districts and municipalities to notify subjects of breaches within seven business days. Within three business days, state agencies would have to notify the attorney general and localities would have to notify their county’s district attorney. The bill also expands the definition of personal information to include medical information, health insurance information and a username or email address, “in combination with a password or security question and answer that would permit access to an online account.” Also, the bill requires state employees and contractors to use encryption and requires the Office of Administration to develop a security policy for storing personal information. The committee unanimously adopted an amendment with changes including that personal information doesn’t include widely distributed media and that the bill covers public schools.
The “demand environment” for cybersecurity remains “incredibly strong,” said SentinelOne CEO Tomer Weingarten on an earnings call Wednesday for fiscal Q1 ended April 30. Revenue in the quarter grew 109% year over year. Cybersecurity is one of the top tech spending priorities, “and we haven't seen that change despite macro conditions,” he said. “Secular trends,” like digital transformation, expanding attack surfaces and data proliferation, “are driving strong demand for cybersecurity,” he said. “The consequences and risks of not being protected by a leading cybersecurity solution are just too hot.”
With the “proliferation of digital,” information tech and security teams “are faced with an ever-evolving threat landscape,” said Splunk CEO Gary Steele on an earnings call Wednesday for fiscal Q1 ended April 30. The call was Steele’s first since taking over as CEO in mid-April (see 2203030065). Security teams also face “increased complexity from piling on more and more tools across hybrid and multi-cloud environments and the silos created by all these data sources and fragmented teams that lead to inefficient detection and resolution,” he said. “There is an enormous market opportunity to help customers navigate this new reality.” Steele’s first priority is to “increase internal speed and agility across our people and organizations,” he said. “Flattening” Splunk’s organizational structure “will help us do that,” he said. Splunk will not “backfill” the positions vacated by the departures of Teresa Carlson, president-chief growth officer, and Shawn Bice, president-products and technology, said Steele: “I will be hands on with the go-to-market and product leadership teams.” Splunk’s total revenue for the quarter increased 34% year over year to $674 million. It expects fiscal Q2 revenue to finish in the range between $735 million and $755 million, which would be a 12% sequential increase at the high end.
Meta CEO Mark Zuckerberg directly participated in decisions and “lax oversight” of user data that led to Facebook’s Cambridge Analytica privacy breach, Washington, D.C., Attorney General Karl Racine (D) alleged in a lawsuit Monday. This is a follow-up to a lawsuit Racine filed in 2018 against Facebook. Racine’s office reviewed documents produced during litigation of the ongoing suit. “The evidence shows Mr. Zuckerberg was personally involved in Facebook’s failure to protect the privacy and data of its users leading directly to the Cambridge Analytica incident,” he said.
Bitdefender debuted an identity theft protection service for U.S. consumers, reported the cybersecurity company Tuesday. The service, developed in collaboration with TransUnion subsidiary IdentityForce, is available as a stand-alone subscription offering or through the Bitdefender Ultimate Security suite of antivirus and password-protection solutions, it said. A recent Bitdefender survey of more than 10,000 consumers found many use “high-risk behavior” when shopping online, including half who admitted to using a single password for all online accounts, it said.
U.S. agencies remain on high alert for Russian cyberthreats, despite no major attacks on the U.S. homeland during Russia’s invasion of Ukraine, Department of Homeland Security and OMB officials told the House Cybersecurity Subcommittee during a hearing Tuesday. Federal chief information officers have been convening meetings since November on protective measures, and they remain in an “elevated state,” said Christopher DeRusha, deputy national cyber director-federal cybersecurity, Office of the National Cyber Director. It was a “paramount concern” well before the Russian invasion, said Eric Goldstein, Cybersecurity and Infrastructure Security Agency's executive assistant director-cybersecurity: The U.S. hasn’t seen any “damaging attacks,” but agencies remain in a posture of “heightened risk” and are focused on sharing information as quickly as possible.
Stronger EU cybersecurity rules advanced Friday when government and European Parliament negotiators agreed provisionally to the revised network and information security directive (NIS2). If approved by European Council members and the full Parliament, the measure would set the baseline for cybersecurity risk management measures and reporting obligations across several sectors, the Council said. One is digital infrastructure: The directive would apply to providers of public electronic communications services, digital services and domain name system services (see 2103220038). NIS2 introduces a size-cap rule under which all medium and large entities within the relevant sectors would be subject to the rules. Negotiators agreed on other provisions to ensure proportionality, a higher level of risk management and "clear-cut criticality criteria" for determining which enterprises are covered. The provisional accord also streamlines reporting requirements. The European Commission welcomed the political agreement, saying its next move will be a cyber-resilience act to ensure that digital products are more secure.