The #DataInsecurity Digest | Issue 14

Issue 14 | Feb. 18, 2016

By John Breyault (@jammingecono,
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: This month, the Obama Administration announced its Cybersecurity National Action Plan (CNAP), a comprehensive set of initiatives intended to get federal agencies moving when it comes to improving their data security. In this issue, we take a look at the important parts of CNAP and what it means for the larger data security reform debate. Speaking of the feds, the hits keep on coming for the IRS, which suffered another data breach during its busiest time of the year. In scary news, health records at a Los Angeles hospital are being held for a cool $3.6 million ransom, driving home the real-world cost of hacker intrusions. Finally, we take a look at the continuing fight in DC over payment card security and the lack of accountability at VTech in response to its November 2015 breach.

And now, on to the clips!


POTUS proposes $19 billion for comprehensive cybersecurity initiative. The big news on the cybersecurity front is President Obama’s new Cybersecurity National Action Plan (CNAP), the centerpiece of which is a $19 billion increase in federal cybersecurity funding. “It is no secret that too often government IT is like an Atari game in an Xbox world,” said Obama in a WSJ op-ed announcing the plan. (Source: Wall Street Journal)

Data security advice from the President: Stick to the basics. President Obama’s cybersecurity plan is heavy on cyber hygiene, both for federal agencies and the general public, writes @bbarrett. “What’s striking about all of these measures is that they’re not much different than the advice you’d give your neighbor, or any acquaintance with a casual interest in keeping themselves just a little bit safer.” (Source: WIRED)

So will CNAP help? Our take on CNAP from the consumer point of view. The verdict? Lots to like, but $19 billion will be a tough sell to Congress. “The companies and agencies that collect and use consumers’ data must have real skin in the game when it comes to protecting that information. We hope that the new Commission will take a look at the role that data security standards, strong data breach notification requirements, and cyber insurance can play in strengthening data protections.” (Source: National Consumers League)

McSweeny: IoT security, comprehensive data security legislation are still foci for FTC. In remarks before the Chamber of Commerce last week, FTC Commissioner Terrell McSweeny noted that the vulnerability of Internet of Things devices to hacking remains a concern for her. While addressing the EU-US Privacy Shield, big data, and other perennial FTC issues, McSweeney also reiterated the Commission’s long-standing commitment to comprehensive data security legislation. (Source: Lexology)

California AG: 49 million records of Californians compromised since 2012. The retail and financial sectors were the biggest sources of breached records according to the AG. In addition to “comprehensive information security programs,” the report calls for more deployment of multi-factor authentication, encryption, and fraud alerts to protect consumer credit files. (Source: California Attorney General’s Office)

Public Knowledge: FCC has a role to play in protecting broadband users’ data security. A few weeks ago, NCL joined with more than 50 other public interest organizations in a letter calling on the FCC to begin examining the privacy and security obligations of broadband providers. This week, Public Knowledge is out with an excellent white paper examing that topic in detail containing a number of noteworthy nuggets for the data security-minded reader. (Source: Public Knowledge)

EMV wars: Part 1. The smoldering lobbying fight between banks and retailers over the rollout of EMV chip card technology got some new fuel this week when @WilkinsonMolly of the Electronic Payments Coalition took decried retailer efforts to push for a PIN mandate. “Instead of reducing consumer choice by mandating a single authentication method — PIN — that is already becoming obsolete, we should embrace the idea that different technologies resolve different problems.” (Source: The Hill)

EMV wars: Part 2. The ever-vigilant @briankrebs is out with an in-depth look at why so many retailers are antsy about investing in chip-based payment terminals. “Despite the increased risk of eating the entire loss from counterfeit card use in their stores, many merchants are taking a wait-and-see approach on enabling chip card transactions … some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.” (Source:

IRS e-filing system targeted again. As if last summer’s news that 300,000+ taxpayer accounts at the IRS were compromised by a hack weren’t bad enough, the IRS announced last week that identity thieves used more than 100,000 compromised Social Security numbers to obtain e-file PIN codes. Prof. Nir Kshetri of UNC Greensboro offered a great piece on why federal agencies’ cybersecurity is so lax. (Source:

IRS chief: Lack of funding to blame for cybersecurity lapses. IRS Commissioner John Koskinen laid the blame for data breaches at IRS at the feet of Congressional appropriators, whose budget cuts at the agency have resulted in $900 million dollars cut from its cybersecurity budget. (Source: Washington Examiner)

The only certainty in life… With tax filing season upon us, word comes down from @SaundersWSJ of new data breaches at tax preparers TaxAct and TaxSlayer. (Source: Wall Street Journal)

$3.6M Bitcoin ransom demanded for hospital files. Hackers are holding vital files at Hollywood Presbyterian Medical Centre in Los Angeles hostage while they wait for a $3.6M Bitcoin payment. The situation, which relies on so-called “ransomware,” has left the hospital reliant on fax machines to communicate and required the transfer of a number of patients, writes @Jason_A_Murdock. (Source: International Business Times)

VTech response to its #epicfail: Not our problem. Last year, children’s software maker VTech was hit with a breach that exposed the personal information of more than 5 million users. In response, VTech has updated its terms of service to prominently wash its hands of any future breach responsibility, writes @midian182 of TechSpot: “‘If [VTech] honestly feel they’re not up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the ‘zero accountability’ clause.’” (Source: TechSpot)

VTech’s reprieve could be short-lived, thanks to GDPR. While changes to its terms and conditions may be of limited legal usefulness in addressing breach liability, even that could evaporate in two years, thanks to the EU’s new General Data Protection Regulation, writes @kenmunro. (Source: Pen Test Partners)

Stat du jour: More than half of companies average four breaches involving payment data in the last two years. New research out from Gemalto and the Ponemon Institute pointed to the limited usefulness of PCI DSS—the payment industry’s dominant security standard—in protecting against breaches. “Compliance with PCI DSS is not considered sufficient for ensuring the security and integrity of payment data, according to 31 percent of respondents. In fact, only 17 percent of respondents say PCI DSS is essential and 18 percent of respondents say it is very important to achieving a strong payment data security posture.” (Source: Gemalto)

Quick hit: Are cyber-ratings firms coming into their own? Cybersecurity consultant Craig Calle finds comparisons with Moody’s and S&P, but for cybersecurity risk. (Source: CFO)

Quick hit 2: “Zero Days” to premier this summer, looks at Stuxnet development. Cyber warfare documentary “Zero Days” will examine how U.S. intelligence agencies took down Iranian nuclear centrifuges through the use of the Stuxnet malware, writes @euroinfocsec. (Source: Data Breach Today)

Upcoming events

RSA Conference – February 29-March 4 – San Francisco, CA
The premier conference for Internet security professionals. Agenda will include speakers from the DOJ, DOE, Department of Homeland Security, FBI, and NSA, among others.

National Consumer Protection Week – March 6-12 – Nationwide
The FTC is the hub for the annual National Consumer Protection Week. Among the topics on tap this year: identity theft and technology.