The #DataInsecurity Digest | Issue 1

Issue 1 | Aug. 11, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Welcome to the #DataInsecurity Digest, a new publication of the National Consumers League’s #DataInsecurity Project.

In the coming weeks, I’ll be using these emails to deliver important, consumer-focused data security news, policy analysis, and information about upcoming events directly to your inbox. The #DataInsecurity Project is an advocacy campaign, so we’ll also use these emails to keep you up to date on our latest efforts to push Congress and the Administration to pass comprehensive data security protections for consumers.

Subscribe here. Tell us what you think.

On to the news!

—————–

Coming up today! I’ll be speaking on card security, EMV, and the Administration’s efforts to combat ID theft and data security with ProtectMyData.org’s Debra Berlyn, Steve Pociask (@consumerpal), and Liz Garner, among others. The fun begins at 12:00 pm in Rayburn B-339. RSVP to info@protectmydata.org.

Bloomberg: Chinese intel creating “vast database” of breached data. @MichaelRileyDC & @jordanr1000 have the story on the latest China-backed breach, this time of United: “It’s increasingly clear, security experts say, that China’s intelligence apparatus is amassing a vast database. … That data could be cross-referenced with stolen medical and financial records, revealing possible avenues for blackmailing or recruiting people who have security clearances.” (Source: Bloomberg)

Bloomberg with another scoop: Sabre (and potentially American Airlines) also hacked by Chinese. @MichaelRileyDC & @jordanr1000 are on a roll with the breach scoops: “Sabre, one of the largest clearinghouses for travel reservations, is a potentially rich target for state-sponsored hacks because of the company’s role as a central repository of what it says are records on more than a billion travelers per year across the globe.” (Source: Bloomberg)

DHS: CISA “increase the complexity and difficulty” of info sharing. NJ’s @kavehewaddell shares DHS’s concerns with the now-punted CISA: “The Homeland Security Department said in an official letter that a cyberinformation-sharing bill under consideration in the Senate would be detrimental to Americans’ privacy and the country’s cybersecurity. … The problems DHS outlines in the letter mirror many of the concerns that privacy advocates and security experts have raised about the bill…” (H/T @benton_fdn). (Source: National Journal)

WSJ: Stephanie Armour (@stepharmour1) has the story on the burgeoning world of medical ID theft. “Victims sometimes only find out when they get a bill or a call from a debt collector. They can wind up with the thief’s health data folded into their own medical charts. A patient’s record may show she has diabetes when she doesn’t, say, or list a blood type that isn’t hers—errors that can lead to dangerous diagnoses or treatments.” (Source: Wall Street Journal)

FTC Cmmr. McSweeny talks common-carrier exemption at DEFCON. In a wide-ranging interview with WaPo’s always-current @kansasalps: “I’d also support repealing the common carrier exemption … I think it’s outdated at this point and [repeal] would allow us to better protect consumers in partnership with the FCC.” (Source: WaPo)

Breach suits aren’t giving industry religion on data security… @deborahtodd reports for the Pittsburgh Post-Gazette: “In American courtrooms seeing the first wave of lawsuits related to cybersecurity breaches, injured consumers have received awards but it’s not clear the damages to companies have been enough to encourage change.” (Source: TNS)

… or are they? Neiman Marcus decision could lead to more success in breach suits – “According to the 7th Circuit, Neiman Marcus customers have standing to sue because [they] are at substantial risk of fraudulent charges or identity theft. … Plaintiffs’ lawyers are already cheering the Neiman Marcus decision.” (Source: Reuters)

Ashley Madison’s data breach is everyone’s problem. “The service was engineered and arranged like dozens of other modern web sites — and by following those rules, the company made a breach like this inevitable.” (Source: The Verge)

NYT: What data security problem? @nathanielpopper offers a contrarian view on breach costs: “Only a tiny number of people exposed by leaks end up paying any costs. … ‘For the bad guys, your five-year growth plan is not data breaches and stealing credit cards. It involves stealing all the info you can and opening legitimate accounts in people’s names.’” (Source: New York Times)

Fortune: Attacks softening EU wariness on privacy and security. (by @PBeshar) “The visceral brutality of recent terrorist attacks in Europe, coupled with fear engendered by the growing spate of cyber incursions, is dramatically changing the way Europeans think about privacy and security.” (Source: Fortune)

Daily Caller: DoL offers more grist for datasec oversight mill. @ethanrbarton has the scoop: “The Department of Labor has disregarded 11 warnings from its inspector general since 2010.” (Source: Daily Caller)

Scary health data breach numbers of the day. From @databreachtoday: So far this year, just the top five breaches have impacted a total of 99.3 million individuals. … As of Aug. 4, the official federal tally of major health data breaches since September 2009 listed 1,282 breaches affecting a total of 143.3 million individuals. That means the five recent hacker attacks represent almost 70 percent of all victims on the six-year tally. (Source: Data Breach Today)

47 times for me, but who’s counting? @joshkellerjosh @kkrebeccalai & @nicoleperlroth with an excellent tool for diagnosing your breach exposure. (Source: New York Times)

Upcoming Events

Sept. 9 – FTC: Start with Security – San Francisco
Aimed at start-ups and developers, this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response.

October – National Cybersecurity Awareness Month
Designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.

Oct. 30 – Follow the Lead: An FTC Workshop About Online Lead Generation – Washington, DC
The workshop will bring together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. The FTC has invited the public to submit research, recommendations for topics of discussion, and requests to participate as panelists.

National Consumers League
Published August 11, 2015