The #DataInsecurity Digest | Issue 3

Issue 3 | Sept. 9, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s Note: Welcome to the third edition of NCL’s #DataInsecurity Digest! With Congress returning from August recess this week to a packed September schedule, it’s unclear whether any of the pending data security or breach notification bills will see the light of day. However, that doesn’t mean that it’s a slow news cycle when it comes to data security policy. Most notably, the 3rd Circuit’s decision in the much-watched Wyndham case paves the way for the FTC to increase its role as the federal government’s data security cop on the beat. FTC Commissioner Terrell McSweeny also wades into the encryption debate, cautioning against crypto back-doors. Finally, the steady drip of fallout from the OPM hack and the Ashley Madison leak continues.

On to the clips…

—————–

FTC Commissioner McSweeny takes on encryption back-doors. @tmcsweenyFTC takes a not-so-veiled swipe at law enforcement calls for encryption keys: “This debate, sometimes called the crypto wars, is hardly new — it has been going on in some form or another for decades. But what is changing is the extent to which we are using connected technology in every facet of our daily lives. If consumers cannot trust the security of their devices, we could end up stymieing innovation and introducing needless risk into our personal security. In this environment, policy makers should carefully weigh the potential impact of any proposals that may weaken privacy and security protections for consumers.” (Source: Huffington Post)

Get up to speed quickly on the Wyndham decision. The good folks at @FrankfurtKurnit provide this analysis of the 3rd Circuit’s Wyndham ruling: “The big message here is that companies with vulnerable data security regimens will have a lot of difficulty arguing in future cases that they lacked notice from the FTC of what specific cybersecurity practices are necessary.” (Source: FKKS)

FTC announces “PrivacyCon” to examine privacy and security trends. Circle January 14 on your calendars for the FTC’s first “PrivacyCon.” … “We want to increase the FTC’s engagement with the technology community in order to more effectively encourage innovation that is protective of consumer privacy and security,” said FTC Chairwoman Edith Ramirez. “At PrivacyCon, our goal is to have leading experts in privacy and data security sit at the table with us and other policymakers to discuss their original research findings and the implications for consumer privacy.” (Source: FTC)

NYT: Farhad Manjoo (@fmanjoo) hits the nail on the head re: the Ashley Madison punditry. “There has been a tendency in the tech commentariat to minimize the Ashley Madison breach. … But the victims of the Ashley Madison hacking deserve our sympathy and aid because, with slightly different luck, you or I could just as easily find ourselves in a similarly sorry situation. This breach stands as a monument to the blind trust many of us have placed in our computers — and how powerless we all are to evade the disasters that may befall us when the trust turns out to be misplaced.” (Source: New York Times)

WIRED on dumbing down of Ashley Madison data analysis. @iammollymchugh warns us that the relentless infographic’ing on the Ashley Madison leak threatens our ability to accurately assess it: “If you’re better able to digest the scope of the Ashley Madison hack in infographics and data bites, it’s OK—and it doesn’t make you bad or stupid if you find them interesting. But just remember that behind that carefully chosen typeface and designer-made template are people whose private lives are being ripped to shreds in Internet-friendly, eye-catching iconography.” (Source: WIRED)

Quick hit: The terrifying simplicity of Ashley Madison-fueled extortion. @cfarivar gives us a taste of how easy it is to extract cash from Ashley Madison users. (Source: Ars Technica)

CIO warning: New hacks will be focused on “embarrassment.” (Via @TechRepublic) “It used to be that hacking was all about credit card data and identity theft. What Ashley Madison and Sony before it have shown is that breaches are now evolving – and focused on embarrassment. … Furthermore, the ability to control, protect and secure the huge amount of data we have, not to mention understanding what could be used to exploit and manipulate a company, is in my view unmanageable.” (Source: TechRepublic)

OPM ID theft monitoring price tag? Up to $329M. @jonfingas writes on the continuing OPM breach fallout: “Officials have awarded ID Experts a contract to protect the 21.5 million affected government workers against identity theft. The arrangement will cost the government at least $133.3 million, and options could bring its value to as high as $329.8 million. … However, there’s a question as to whether or not the money will be well-spent. Any short-term damage has likely already been done, after all.” (Source: Engadget)

Krebs: OPM (Mis)Spends $133M on Credit Monitoring. @briankrebs pulls no punches in criticizing OPM’s ID theft monitoring contract: “No matter how you slice it, $133 million is a staggering figure for a service that in all likelihood will do little to prevent identity thieves from hijacking the names, good credit and good faith of breach victims.” (Source: KrebsonSecurity)

I thought that was Michael Daniel’s job? RAND opinion makers Susan Everingham and Lillian Ablon (@lillyablon) suggest that a data security czar could better prevent government breaches: “The public trusts the government to take care of some of its most personal and sensitive data. … Perhaps it’s time to appoint a data security czar who can establish guidelines and oversee how government agencies manage sensitive data.” (Source: Newsweek)

AP: Sony settles breach class action for an undisclosed amount. “Other former employees criticized Sony’s response to the data breach, contending the company emphasized protecting its public image instead of ensuring that its workers were protected from identity theft as a result of having their Social Security numbers, salary details and other sensitive data posted online.” (Source: Wall Street Journal)

Quick hit: ReverbNation breach could have affected 3.8 million. (H/T @writingadam) Music artists are now in the breach crosshairs, thanks to a breach at music marketing portal ReverbNation. Names, SSNs, DOBs, EINs, postal addresses, email addresses, and encrypted passwords were among the haul. Change your passwords, rockstars. (Source: SC Magazine)

Quick hit: Latest DC breach target: Heritage Foundation. Conservative think tank may have had private donor information compromised. (Source: Heritage Foundation)

Heritage had criticized OPM hack response. POLITICO’s @timstarks adds some context to the Heritage breach news: “The breach occurred at the same time that the foundation’s multimedia news organization, the Daily Signal, has criticized the Obama administration and federal agencies such as the Office of Personnel Management over lax cybersecurity.” (Source: POLITICO)

Infographic du jour: Top 10 HIPAA Breaches. #1 Anthem (78.8M), #2 Premera Blue Cross (11M); 143M Americans affected since 2009. (Source: Healthcare IT News)

Upcoming Events

Today – FTC: Start with Security – San Francisco
The FTC’s initial “Start With Security” conference will focus on data security challenges for startups and developers. Last week, the FTC released its speaker lineup, and it’s a doozy. In addition to remarks from Chairwoman Edith Ramirez, we’ll also hear from Michael Coates (Twitter), Raymond Forbes (Mozilla), Paul Moreno (Pinterest), Pierre Farr (Google) and Yan Zhu (Yahoo), among others. Not to be missed: FTC Chief Technologist Ashkan Soltani’s fireside chat with Accel’s Arun Mathew. Agenda | Start with Security guide for businesses.

October – National Cybersecurity Awareness Month
Designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.

Oct. 14-15 – ICF International: CyberSci Summit – Fairfax, VA
ICF International is hosting this workshop to teach attendees about key solutions to challenges in cyber science, technology, and research and development in an age of cyber weapons. Keynote speakers include: William Glodek (U.S. Army Research Laboratory), General Michael Hayden (former CIA director), and Dr. Michael A. Wertheimer (former NSA research director). Free admission for federal employees, contractors, White House staffers, and academia.

Oct. 30 – Follow the Lead: An FTC Workshop About Online Lead Generation – Washington, DC
The workshop will bring together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. The FTC has invited the public to submit research, recommendations for topics of discussion, and requests to participate as panelists.

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

National Consumers League
Published September 9, 2015