The #DataInsecurity Digest | Issue 10

Issue 10 | Dec. 15, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Welcome to the final #DataInsecurity Digest of 2015. It’s hard to believe that we’ve already knocked out 10 issues! This year we’ve followed the fallout from mega-breaches at Ashley Madison, VTech, and numerous retailers. We’ve also helped keep you up-to-date on progress (and lack thereof) in moving meaningful data security reform through Congress and beyond. This week, we look at how the FTC’s settlement of a long-running case against Wyndham Hotels upholds the Commission’s data security mandate. We also provide an update on HR 2205, the Data Security Act of 2015, which passed the House Financial Services Committee last week. The bill, which NCL opposes, would establish a national data security standard. Sounds good on its face, but, unfortunately, the devil’s in the details, as a letter from more than a dozen consumer groups makes clear (see below). In other policy news, conferees are getting closer to agreement on the Cybersecurity Information Sharing Act (CISA), which worries many in the privacy and civil liberties community (including NCL). We also take a look at data security worries surrounding two types of gifts consumers are sure to find under the tree this year: wearable devices and connected toys. Finally, it wouldn’t be a year-end edition without a look back at the biggest data breaches of 2015 and a look ahead to the looming data security policy fights in 2016.

And now, on to the clips!

—————–

FTC settles with Wyndham, affirms role as data security cop. The Federal Trade Commission’s long-running fight with Wyndham Hotels over the FTC’s authority to hold companies accountable for data security lapses ended this week when a settlement was reached. In addition to holding Wyndham to a 20-year security audit regime, the agreement–for the first time–effectively gives the FTC’s stamp of approval to the PCI DSS payment card security standard. Analysis from a trio of experts at @kslaw is the best deep dive for folks interested in how the settlement will affect the FTC’s data security plans going forward. (Source: Lexology)

Neugebauer/Carney data security bill advances despite opposition. HR 2205, the Data Security Act of 2015, last week advanced out of the House Financial Services Committee by a 46-9 margin despite opposition from consumer and privacy groups, who cited the bill’s failure to improve on existing state data breach notification and data security standards, as well as its impact on Communications Act protections for telecommunications, cable, and satellite records. NCL joined with 17 leading consumer and privacy groups to oppose the bill. Rep. Brad Sherman joined retailers who expressed concern about the bill’s impact on small businesses. “The best way to stop data breaches is to hold responsible the entities that hold the data,” said Sherman. “Those who want us to target Home Depot. They’re not focused on very small businesses, and this bill could achieve 99% of its purposes if it exempted 90% of the businesses in this country.” (Sources: Credit Union Times; Consumer/privacy groups letter)

US PIRG: HR 2205 a “Trojan Horse assault on state privacy laws.” @edmpirg of US PIRG spoke for many in the public interest community by describing HR 2205 as a veiled attempt to undermine existing state data security and privacy laws. “Hidden inside a seemingly modest proposal to establish federal data breach notice and data security requirements is a Trojan Horse provision designed to take state consumer cops off the privacy beat, completely and forever,” said Mierzwinski. (Source: US PIRG)

Retailers: HR 2205 is “red tape masquerading as security.” @RILATweets joined the opposition to the Neugebauer/Carney Data Security Act with a letter signed by 13 retailer trade groups. The associations complained that data security rules based on the financial industry’s requirements under the Gramm-Leach-Bliley Act are incompatible with retailers’ business models. “Haphazardly slapping rules that were written 15 years ago for the financial industry on retailers, restaurants and thousands of small businesses is not the kind of data security legislation that will safeguard our economy. This is red tape masquerading as security,” said the retailers. (Source: RILA)

Civil liberties groups push for last-minute changes to CISA conference report. A coalition of 19 civil liberties organizations sent a letter last week to the Obama Administration and Congress, pushing for Members to oppose the final version of CISA expected to move out of conference committee. “The final version of this bill is an insult to the public and puts all of us in greater danger of cyber attacks and government surveillance,” said @evan_greer, campaign director of @fightfortheftr, who organized the letter. “This was already a fundamentally flawed piece of legislation, and now even the meager privacy protections it provided have been gutted, exposing it for what it really is: a bill to dramatically expand abusive government spying.” (Source: Fight for the Future)

2016 cyber legislation crystal ball: movement unlikely in an election year. The @dcexaminer took a look at coming 2016 policy fights, finding movement on significant data breach bills unlikely until 2017. “Data-breach bills have now passed the House Energy and Commerce and Financial Services committees, but here’s the rub: competing industry coalitions support one version and adamantly oppose the other. The retail sector backs the Energy and Commerce bill; the financial community supports the Financial Services panel’s version.

In the Senate, the issue stalled in the Banking, Commerce and Judiciary committees. An effort to add a breach-notification measure to the big Senate cyber info-sharing bill was turned aside last summer. … ‘The business community is so divided, it’s hard to see this issue getting legs,’ said an industry source who is unaligned with either banking or retail. ‘But it’s the kind of issue that could be worked on through the year with an eye on 2017.’” (Source: Washington Examiner)

Yahoo gets rid of email passwords. Yahoo has begun offering its Yahoo Mail users the ability to eliminate the use of passwords altogether in favor of smartphone-based security keys. @dmac1 has the story for the Wall Street Journal: “Starting this week, users who sign up for a Yahoo ‘account key’ will receive a push notification on their smartphone when they try to log in to their email account from a desktop. The mobile notification will tell them the location of the computer requesting access to their account. By clicking yes, they will give that computer password-free access to the account in perpetuity–or until Yahoo detects any unusual behavior that might indicate a different user.” (Source: Wall Street Journal)
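The flow the Journal describes (desktop asks to log in, phone gets a push showing the requesting computer’s location, a tap grants that computer a long-lived credential, which is revoked when unusual behavior is detected) is worth seeing end to end, because the security of such a scheme rests on details the story does not spell out: the approval must be bound to one specific, single-use, short-lived login request; only the enrolled phone may answer it; and the long-lived credential the computer keeps must be stored hashed server-side and be revocable. The model below is an added illustration, not Yahoo’s implementation or code from the article; the class and method names, the 120-second challenge lifetime, and the account and phone identifiers are all assumptions.

```python
"""Toy model of a push-approval, password-free login (hypothetical design, not Yahoo's code).

Assumed design:
- A desktop login creates a pending challenge (random id, requesting computer's location).
- The server pushes the challenge to the phone enrolled for the account.
- Only that phone may answer, and an answer consumes the challenge (approve or deny).
- On approval the desktop receives a long-lived device token; the server stores only
  its hash, and a risk engine can revoke every token for the account.
"""
import hashlib
import secrets
import time

CHALLENGE_TTL = 120  # seconds a pushed approval request stays valid (assumption)


def _h(token: str) -> str:
    """Store only a hash of the device token, so a leaked server table is not a login."""
    return hashlib.sha256(token.encode()).hexdigest()


class AccountKeyServer:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be tested
        self.phones = {}         # account -> enrolled phone id
        self.pending = {}        # challenge id -> (account, location, expiry)
        self.device_tokens = {}  # sha256(token) -> account
        self.pushes = []         # simulated push notifications sent to phones

    def enroll_phone(self, account: str, phone_id: str) -> None:
        self.phones[account] = phone_id

    def begin_login(self, account: str, location: str) -> str:
        """Desktop asks to log in: create a challenge and push it to the enrolled phone."""
        if account not in self.phones:
            raise LookupError("no phone enrolled for account")
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = (account, location, self.now() + CHALLENGE_TTL)
        # The push carries the requesting computer's location so the user can judge it.
        self.pushes.append({"to": self.phones[account], "challenge": challenge_id, "location": location})
        return challenge_id

    def respond(self, phone_id: str, challenge_id: str, approve: bool):
        """Phone answers one specific challenge. Returns a device token on approval, else None."""
        entry = self.pending.get(challenge_id)
        if entry is None:
            return None                      # unknown or already-consumed challenge
        account, _location, expiry = entry
        if self.phones.get(account) != phone_id:
            return None                      # not the enrolled phone; challenge stays pending
        del self.pending[challenge_id]       # the enrolled phone's answer consumes it
        if self.now() > expiry or not approve:
            return None
        token = secrets.token_urlsafe(32)
        self.device_tokens[_h(token)] = account
        return token

    def authenticate(self, token: str):
        """Desktop presents its stored token on later visits; no password involved."""
        return self.device_tokens.get(_h(token))

    def flag_unusual_activity(self, account: str) -> int:
        """Risk engine saw something odd: revoke every device token for the account."""
        stale = [h for h, a in self.device_tokens.items() if a == account]
        for h in stale:
            del self.device_tokens[h]
        return len(stale)


def demo() -> dict:
    """Walk the flow once with constructed sample data; returns observations."""
    clock = [1_000_000.0]
    srv = AccountKeyServer(now=lambda: clock[0])
    srv.enroll_phone("alice@example.com", "phone-A")          # constructed sample account
    cid = srv.begin_login("alice@example.com", "Arlington, VA")
    pushed_location = srv.pushes[-1]["location"]
    stranger = srv.respond("phone-X", cid, True)               # wrong phone: rejected
    token = srv.respond("phone-A", cid, True)                  # enrolled phone approves
    replay = srv.respond("phone-A", cid, True)                 # challenge already consumed
    who = srv.authenticate(token)
    cid2 = srv.begin_login("alice@example.com", "Unknown")
    clock[0] += CHALLENGE_TTL + 1
    expired = srv.respond("phone-A", cid2, True)               # too late to approve
    revoked = srv.flag_unusual_activity("alice@example.com")
    after = srv.authenticate(token)                            # token no longer valid
    return {"pushed_location": pushed_location, "stranger": stranger, "who": who,
            "replay": replay, "expired": expired, "revoked": revoked, "after": after}


if __name__ == "__main__":
    print(demo())
```

The two properties a practitioner should check in any real deployment of this pattern are visible in the model: an approval is tied to a single challenge id (so a push the user taps cannot be redeemed by a different computer or a second time), and the “in perpetuity” credential is only as permanent as the revocation path allows, which is why the token table is keyed by hash and can be cleared per account.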

Krebs: IRS, states have better defenses but fewer resources to go after ID thieves. With the start of a new year, tax ID thieves are sure to be getting ready for their busiest scamming season. @briankrebs takes a deep dive into how the IRS and state tax agencies are preparing for the onslaught. “The good news is that the states and Uncle Sam have got a whole new bag of technological tricks up their sleeves this coming tax season. The bad news is ID thieves are already testing those defenses, and will be working against a financially strapped federal agency that’s been forced to cede much of its ability to investigate and prosecute such crimes.” (Source: KrebsonSecurity.com)

The price of the wearable craze: Less data security. CNBC’s @maggieoverfelt takes a much-needed look at the growing security vulnerability of health-related wearables. “While devices powered by legacy tech firms like Medtronic and IBM have robust security practices in place, upstarts may have more trouble balancing the risk-reward ratio of spending the time and money it takes to build a strong security backbone into their device with the speed at which they want to roll things out. … There’s another reason why hackers could be exploiting flaws in medical devices: They want the information contained in your health records, which according to Dell SecureWorks, is about 10 times as valuable than a stolen credit card number on the black market.” (Source: CNBC)

Hackable toys raise data breach risk for children. The massive breach at VTech, along with concerns about the hackability of Mattel’s “Hello Barbie” doll are raising concerns about the level of data security at providers of the new generation of connected toys. George Washington University Fellow @kalevleetaru took on this topic in @Forbes recently. “From identity theft to inadvertent spying, toys are the latest frontier in the cybersecurity battle. … Children are also likely to be extremely open with their toys, telling them secrets about themselves or their parents that they would not share with anyone else. When these secrets are stored in third party commercial web servers it places them at risk.” (Source: Forbes)

More 2016 prognosticating: Experian data breach industry forecast. @Experian_DBR is out with its annual Data Breach Industry Forecast (free registration required), which includes a look in the 2016 data breach future. Among the highlights: EMV liability shift won’t halt payment breaches; healthcare hacks will continue to make headlines but small breaches will cause the most damage; consumers and businesses will be collateral damage of state-based hacks; POTUS campaigns will be attractive hacking targets; and hacktivism will make a comeback. (Source: Experian Data Breach Resolution)

Quick hit: Looking back at the biggest breaches of 2015. As we near the end of 2015, it’s an opportunity to take stock of the biggest breaches that made news this year. Network World editor @Tim_Greene looks back at VTech, Anthem, Ashley Madison, OPM, and Experian, among others. (Source: Network World)

Take two: Target reaches new settlement with MasterCard over 2013 breach. @Target and a class of issuing banks and credit unions affiliated with MasterCard have filed a new $39.4 million settlement agreement with the courts to resolve claims related to its 2013 data breach. The agreement is the parties’ second attempt at a settlement after an earlier version was rejected by the courts. (Source: Reuters)

Infographic du jour: 49 percent of consumers would not shop with businesses whose breach compromised personal information. Digital security company @Gemalto is out with a new survey of consumers in Australia, Brazil, France, Germany, Japan, the UK, and the US. Unsurprisingly, the report finds that customer loyalty suffers greatly when a business suffers a data breach. The report also highlights consumers’ continued failure to protect their own data: 54 percent of survey respondents said they haven’t taken basic security precautions, and 47 percent said they have not yet enabled two-factor authentication on their social media accounts. Twenty-seven percent said that they have been a victim of fraudulent use of their financial or personally identifiable information. (Source: Gemalto)

Upcoming Events 

Today, 2 pm Eastern – Gartner: Data Security in the Age of the Road Warrior – Webcast
Data loss prevention experts Heidi Shey, senior analyst at Forrester Research, and Dave Bull, content security solutions product director at Intel Security, will discuss data breaches and data protection concerns. Key takeaways include: the current state of sensitive data access, use, and loss; the changing requirements for protecting this data, from privacy laws to threats that employees face as they travel for work; and what you need to do when architecting your protection strategy to defend against today’s threats.

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

Feb. 9, 2016 – Start with Security: Seattle – Seattle, WA
The FTC’s third “Start With Security” event will take place on February 9, 2016, in Seattle, Washington, and will be co-sponsored by the University of Washington Tech Policy Lab and the University of Washington School of Law Technology Law & Public Policy Clinic. This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. This event will bring together experts to provide insights on how small companies can secure their applications and products, and how important it is to do so.