NCL statement on Commerce Committee markup of the Data Security and Breach Notification Act of 2015 – National Consumers League

April 15, 2015

Contact: NCL Communications, Carol McKay (412) 945-3242, carolm@nclnet.org

Washington, DC – Today, the House Energy & Commerce Committee approved HR 1770, the Data Security and Breach Notification Act of 2015. NCL had previously hoped that this bill would be improved in committee. Unfortunately, as today’s partisan vote made clear, that has not happened. The following statement is attributable to John Breyault, NCL Vice President, Public Policy, Telecommunications and Fraud:

At a time when millions of consumers are increasingly at risk of identity theft due to massive data breaches, it boggles the mind that Congress is contemplating reducing data security protections. Unfortunately, that is exactly what will happen if H.R. 1770, the Data Security and Breach Notification Act of 2015, becomes the law. The bill, which today passed out of committee on a party-line vote, would actually weaken existing consumer protections in 38 states. No major consumer groups are supporting this bill. Even Congressman Welch, who co-sponsored the bill, did not vote to move it to the floor.

Despite massive breaches at companies like Target, Home Depot, Anthem, Primera and countless others, it seems clear that the majority in Congress is intent on crafting a bill that weakens consumer protections by reducing or removing businesses’ data security obligations. Any Member of Congress who claims to be pro-consumer should oppose this bill in its current form. 

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

NCL statement on introduction of Data Security and Breach Notification Act of 2015 – National Consumers League

March 13, 2015

Contact: NCL Communications, Ben Klein (202) 835-3323, benk@nclnet.org

Washington, DC — The National Consumers League (NCL), the nation’s pioneering consumer and worker advocacy organization today expressed its disappointment with the introduction by Rep. Marsha Blackburn and Rep. Peter Welch of the “Data Security and Breach Notification Act of 2015.” The following statement may be attributed to John Breyault, NCL vice president of public policy, telecommunications and fraud:

“At a time when millions of consumers suffer the effects of data breaches, it is disappointing that Congress would propose a bill that actually reduces consumer protections in this space. NCL supports a strong national data breach notification standard. Unfortunately, the bill proposed by Rep. Blackburn and Welch would preempt stronger existing state laws. For example, the bill covers fewer types of sensitive information, such as e-mail addresses, than many state laws.  In addition, the bill creates a disincentive for companies to notify affected consumers by instituting a ‘harm trigger’ that would enable breached companies to determine for themselves whether their customers should be notified of a breach. It is our sincere hope that this bill will be improved through the legislative process, rather that simply serving as a way for businesses to reduce their data security compliance burden. Failing that, it should be opposed as an anti-consumer measure.”

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

FTC report highlights continuing threat of identity theft to millions – National Consumers League

March 3, 2015

Contact: Ben Klein, National Consumers League (202) 835-3323, benk@nclnet.org

Washington, DC – The release of the Federal Trade Commission’s annual Consumer Sentinel Network Data Book once again highlights the harm that identity thieves are inflicting on millions of American consumers. For the 15th consecutive year, complaints about identity theft topped the Commission’s annual list of top scams.

“Identity theft, and the data breaches that fuel it, must be a top concern not only of regulators at the FTC, but policymakers throughout Washington and beyond,” said NCL Executive Director Sally Greenberg. “The message from 332,000 identity theft complaints to the FTC is clear: more needs to be done to protect consumers from this fraud.”

The Data Book identified tax-related identity theft as a top source of identity theft complaints to the FTC. While there is no fool-proof way to prevent tax ID theft, NCL has published a step-by-step guide to spotting and recovering from this fraud.

According to Javelin Strategy & Research, nearly 1 in 3 data breach victims will also experience identity fraud.  As information on tens of millions of consumers affected by data breaches continues to fall in to the hands of cybercriminals, it is likely that millions more consumers will suffer from identity fraud.

For policymakers, the need for reform should be clear. Ensuring that companies collecting consumers’ data protect it critical to bringing down rates identity fraud. However, without leadership from Washington, businesses and other entities that amass vast troves of consumer data will have little incentive to put data security ahead of profits.

Unfortunately, real reforms to improve data security have languished in Congress while hackers and other cyber-crooks have had a field day at consumers’ expense.  That’s why NCL has called on policymakers to adopt NCL’s Congressional Data Security Agenda. The agenda calls for reforms that:

  • Create a national data breach notification standard, while protecting strong state laws like California’s;
  • Require data holders to abide by reasonable data security requirements;
  • Clarify and strengthen the FTC’s data security authority;
  • Promote robust cyber-insurance underwriting standards;
  • Increase federal civil and criminal penalties for malicious hacking; and
  • Strengthen international anti-cybercrime partnerships.

“While the 300,000-plus identity theft complaints may seem like a huge number, it is just a drop in the bucket given the fact that most ID theft victims don’t report the crime, if they’re even aware of it,” said NCL Vice President of Public Policy, Telecommunications and Fraud John Breyault. “While consumers can take steps to mitigate their risk of ID theft, they can’t prevent it entirely. That’s why we need leaders in Washington to help make sure that the companies that profit from consumers’ data protect it to the greatest extent possible.”

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

NCL Statement on White House Consumer Privacy Bill of Rights discussion draft – National Consumers League

March 2, 2015

Contact: Ben Klein, NCL Communications (202) 835-3323, benk@nclnet.org

Washington, DC – The National Consumers League today expressed its hope that the White House’s proposal for a Consumer Privacy Bill of Rights will be just the beginning for a negotiation to enshrine strong consumer privacy protections in law. Unfortunately, should the proposal released last week be passed, it would in many ways actually weaken existing privacy and data security protections.

The following statement is attributable to John Breyault, NCL Vice President, Public Policy, Telecommunications and Fraud:

“The President has rightfully made protecting the privacy and security of consumers’ personal data a top priority of his Administration. Unfortunately, the Consumer Privacy Bill of Rights released on Friday fails to create a robust framework for consumer privacy and data security protection. Instead, it relies on industry-created codes of conduct without effective enforcement mechanisms. What’s worse, it would preempt laws in nineteen states, many stronger that the proposed standard, that provide data security protections for their citizens. We hope that this draft proposal will serve as the starting point, not a high water mark discussions about how to better protect consumers’ privacy and data security in the digital age.”

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

Consumer group issues taxpayer warning against ID thieves filing illegitimate returns – National Consumers League

February 24, 2015

Contact: Ben Klein, NCL Communications (202) 835-3323, benk@nclnet.org

Washington, DC – With Tax Day quickly approaching, the National Consumers League (NCL), is warning consumers to be on the lookout for tax identity fraud and offering tips on recovering from this scam. According to the Treasury Department, 1.6 million Americans fell victim to tax ID theft in the first half of 2013 alone. The Government Accountability Office estimates that identity thieves stole $5.2 billion in 2013 as a result of this fraud.

“While most Americans dread Tax Day, fraudsters increasingly are cashing in with lucrative tax identity fraud scams,” said John Breyault, NCL vice president of public policy, telecommunications and fraud. “What makes this scam particularly pernicious is the ease with which fraudsters can steal personal information, file a false tax claim, and then turn the fraudulent refund into untraceable cash before the consumer realizes they have been a victim of a scam.”

Consumers receive W-2 forms from their employer by the end of January, but often wait to file their taxes closer to Tax Day on April 15. Since the IRS aims to process refunds quickly, fraudulent claims often go undetected. NCL, the nation’s pioneering consumer advocacy group, has published a new guide at Fraud.org to help consumers identify this scam and give advice about how to avoid becoming a victim.

NCL’s analysis of the top scams reported to the Fraud.org database in 2014 revealed a spike in “Phantom Debt Collector” scams. Cases in which a fraudster impersonates an IRS agent make up a significant portion of these scams. Tax related identity theft scams made up nearly a third of the identity theft complaints to the FTC in 2014.

“There is no foolproof way to avoid becoming a victim of tax identity fraud, but there are steps consumers can take to better protect themselves,” said Sally Greenberg, NCL executive director. “The best thing consumers can do is file their taxes as early as possible to ensure the IRS receives the legitimate tax return before the scammers send in a fraudulent return. Also, consumers need to be increasingly vigilant to protect their personal information. Consumers should frequently change their passwords and refrain from sending sensitive information such as Social Security Numbers or bank account information over email or text message.”

Tips for Consumers

  • File your taxes as early as possible during tax season. Scammers depend on the fact that many taxpayers wait until late in tax-filing season to file. Filing early reduces the risk that a tax ID thief will be able to use your personal information to file fraudulently ahead of you.
  • Check your annual Social Security Administration earnings statement carefully. If there are earnings listed that you don’t recognize, someone else could be using your identity to obtain employment.
  • Review your credit report for any suspicious activity.
  • Never give out personal information, such as your SSN, date of birth, or bank account information in response to unsolicited emails, postal mail, over the phone or via text message, social media or other platform.

For more information about how to spot and avoid this scam, and what to do if you believe you’ve fallen victim, visit www.Fraud.org

NCL thanks Intuit Tax and Financial Center for the unrestricted educational grant that helped make this consumer guide available at Fraud.org.

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

Anthem Data Breach Increases Identity Fraud Risk for Tens of Millions of Consumers – National Consumers League

February 5, 2015

Consumer group offers tips for affected customers and employees and calls for urgently-needed data security reform in Washington 

Contact: Ben Klein, National Consumers League, benk@nclnet.org, (202) 835-3323

Washington, DC – The National Consumers League is warning consumers that the data breach at Anthem, Inc. is likely to raise the risk of identity fraud for tens of millions of current and former Anthem customers and employees. According to published reports, the breach compromised as many as 80 million records, including sensitive personal information such as Social Security numbers, dates of birth, postal addresses, email addresses, employment and income data.

Criminals can use these pieces of personal information to commit a range of identity crimes in another consumer’s name. Such fraud can include opening lines of credit, filing fraudulent tax returns, and obtaining medical care or government documents to name only a few possible uses of this compromised data. While only a small percentage of compromised records are typically used to commit fraud, given the reported size of the Anthem breach, a significant number of consumers may fall victim to identity crime as a result of this breach.

“It is highly likely that the personal information compromised at Anthem has already or will soon appear for sale on cybercrime black markets,” said John Breyault, NCL Vice President, Public Policy, Telecommunications and Fraud. “As Anthem and investigators work to get to the bottom of this breach, it is important that consumers understand the possible consequences of this breach for their personal identity fraud risk.” 

The Anthem data breach once again highlights the urgent need for businesses that collect and store ever-greater amounts of consumer information to do more to protect that sensitive data. According to the Online Trust Alliance, more than 90% of data breaches that occurred in the first half of 2014 could have easily been prevented. While many businesses and other organizations have taken steps to improve their cyber defenses, it is clear what is being done is insufficient to stem to growing tide of cybercrime. 

Leadership from Capitol Hill on this issue is urgently needed. As President Obama made clear in his State of the Union address, “I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information. ”Through the #DataInsecurity Project, NCL is working to hold Congressional leaders to account for following through on the President’s call to protect the millions of consumers who fall victim to cybercrime every year. A recent Javelin Strategy & Research survey commissioned by NCL found an overwhelming majority (72%) of identity fraud victims believe that existing federal data security requirements are insufficient to protect their data.

“At what point do we say enough is enough?” said Sally Greenberg, NCL Executive Director. “Businesses are making billions of dollars off of consumers’ data, but too many of them are not taking the steps needed to protect that data. The Anthem breach is another battle lost in the war against cybercrime. It is time for Washington to step up and institute reforms that finally help businesses get religion when it comes to data security.”

As federal policymakers debate data security reform, consumers should take steps to mitigate their risk of data breach-fueled identity fraud. NCL is offering the following tips to customers affected by the Anthem data breach:

  1. Anthem customers and employees should beware of phishing emails that may seek to trick them in to clicking on suspicious links or attachments. These emails can look very convincing and may reference the Anthem breach in some way. Clicking on the links or opening an attachment contained in the email can install malware that may be used to obtain additional sensitive personal information such as bank account or credit card numbers, usernames and passwords. Current and former Anthem customers and employees should be aware that Anthem has stated it will contact them via mail to notify them about further information related to the breach. More information is available from Anthem at www.AnthemFacts.com or by phone at (877) 263-7995.
  2. Monitor your credit report and dispute suspicious activity. Consumers can download a free copy of their credit report from each of the three major credit-reporting bureaus (Experian, TransUnion and Equifax) at www.annualcreditreport.com.
  3. If you suspect identity fraud has occurred, it is important to act quickly. Call one of the three credit reporting bureaus and request an initial fraud alert. This will place alerts on your report at all three credit-reporting bureaus. Once the alert is in place, the credit reporting bureaus will contact you when someone attempts to open credit in your name.
  4. If you confirm that you have been a victim of identity fraud, contact the Federal Trade Commission to create and Identity Theft Affidavit. This affidavit can be used to file a police report with your local police department. Together, these two documents form an Identity Theft Report, which is crucial to beginning the process of recovering from identity fraud. More information on spotting, reporting and recovering from identity fraud is available at Consumer.gov. The FTC also has a useful consumer checklist that includes information and required documentation for creating the Identity Theft Affidavit and police report available online.
  5. Do not reply to suspicious emails, as this may lead to additional social engineering attacks. Instead, the safest course of action is to simply delete the email. Consumers can also forward them to the United States Computer Emergency Readiness Team at phishing-report@us-cert.gov.
  6. Update your passwords on sensitive accounts, such as e-mail, social media and online bank and credit card accounts. Do not use the same username and password combination across multiple accounts. If stronger security measures such as multi-factor authentication are offered, enable them.

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

Letter: NCL asks FTC for workshop dedicated to data breaches – National Consumers League

February 5, 2015

The Honorable Edith Ramirez
Chairwoman
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580

Dear Chairwoman Ramirez:

On behalf of the National Consumers League, America’s pioneering consumer and worker advocacy organization, I would like to commend you for the leadership that the Federal Trade Commission (FTC) shown in protecting the security of consumers’ data. 

As you are aware, however, data breaches continue to affect tens of millions of consumers every year. Negative impacts of these breaches can range from the simple inconvenience of replacing compromised credit cards, to an increased risk of identity theft, to the disclosure of sensitive corporate intellectual property. More remains to be done to safeguard the security of Americans’ personal information. As President Obama made clear in his State of the Union speech “[n]o foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.” Congress has held numerous hearings, including one today in the Senate Energy & Commerce Committee, that seek solutions to this data security crisis.

Through more than fifty enforcement actions, the FTC has held the caretakers of consumers’ sensitive personal information to account when they fail to adequately protect that data. Since you assumed the chairwomanship in 2013, the FTC has organized several workshops aimed at examining privacy and security implications of emerging technologies such as the “Internet of Things,”[1] mobile devices,[2] and “Big Data.”[3] These important events have done much to build a record of public input that has helped inform the FTC’s work and the actions of businesses and other organizations throughout the country.

Given the success of past FTC workshops and the scope of the data breach problem, we strongly urge the Commission to consider organizing a workshop focused solely on the issue of data beaches. Specifically, we would like this workshop to convene cybersecurity experts, leaders from the consumer advocacy and law enforcement communities and representatives from the retail, banking, credit rating and technology sectors. The goal of such a workshop should be to create a record that the Commission can use to understand how well existing voluntary guidelines, self-regulatory regimes and cybersecurity technologies are working to protect consumer data. The event would also assist the Commission to develop guidance for businesses and other entities on how comply with Section 5 of the FTC Act by better protecting their customers’ data.

I look forward to continuing to work with the FTC as it moves forward on its important data security agenda. Should you have any questions, please do not hesitate to reach out to me at your convenience. 

Kind regards,

Sally Greenberg
Executive Director
National Consumers League 

cc: The Honorable Julie Brill
The Honorable Terrell McSweeny
The Honorable Maureen K. Ohlhausen
The Honorable John Thune
The Honorable Joshua D. Wright


[1] Federal Trade Commission. “FTC Seeks Input on Privacy and Security Implications of the Internet of Things,” Press Release. April 17, 2013. Online: https://www.ftc.gov/news-events/press-releases/2013/04/ftc-seeks-input-privacy-and-security-implications-internet-things

[2] Federal Trade Commission. “FTC to Host Public Forum on Threats to Mobile Devices on June 4,” Press Release. February 22, 2013. Online: https://www.ftc.gov/news-events/press-releases/2013/02/ftc-host-public-forum-threats-mobile-devices-june-4

[3] Federal Trade Commission. “FTC to Examine Effects of Big Data on Low Income and Underserved Consumers at September Workshop,” Press Release. April 11, 2014. Online: https://www.ftc.gov/news-events/press-releases/2014/04/ftc-examine-effects-big-data-low-income-underserved-consumers

National Consumers League statement on Obama Administration action on data security – National Consumers League

January 13, 2015

Contact: Ben Klein, National Consumers League, benk@nclnet.org, (202) 835-3323

Washington, DC – The National Consumers League (NCL), the nation’s pioneering consumer advocacy organization, today applauded the Obama Administration’s efforts to better protect consumers from the threat of cyber attacks. In a speech yesterday at the Federal Trade Commission, the President proposed a new Personal Data Notification and Protection Act that would set a 30-day national data breach notification standard.

NCL has supported a strong national data breach notification standard, modeled after state law in California, which would set a national floor for breach notification without preempting stronger state laws. NCL has also called on Congress to strengthen civil and criminal penalties for malicious hacking and welcomes the recent announcement that the President’s proposal addresses this by criminalizing the overseas trade in stolen identities.

The following statement is attributable to Sally Greenberg, NCL Executive Director:

“The threat of criminal hacking is eroding consumers’ faith in our interconnected digital economy. We must not allow the immense benefits of our information revolution to fall victim to those who would steal consumers’ personal data for their own gain. The President’s proposal for a national data breach notification standard is an important step forward in giving consumers more control over their data, but there is much more to do. We look forward to learning more about the Administration’s proposal so that consumers will benefit from the strongest possible protections.”

As part of the #DataInsecurity Project, NCL has called on the new Congress to enact a range of reforms to better protect consumers’ data. In addition to data breach notification, NCL has called on Congress to create national data security standards, strengthen the Federal Trade Commission’s civil penalty authority; promote the growth of cyber insurance underwriting standards; increase criminal and civil penalties for malicious hacking; and strengthen international anti-cybercrime partnerships.

For more information on NCL’s 2015 Congressional Data Security Agenda, click here.

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

Don’t let your new computer get filled with scammy software – National Consumers League

With the holidays upon us, many consumers will soon be unwrapping new laptops, tablets, and desktop computers. Out of the box, these new devices run great, but over time they can become clogged with all manner of scammy software. At best, these programs can degrade performance. At worst, they can lock down your new device and steal personal information.

Web browsers are a popular way that scammers gain entry to consumers’ computers. This is often done via deceptive browser tools and extensions.  These programs are typically legitimate and useful software that add new features to Web browser or otherwise alters the default Web surfing experience.  Popular examples include browser toolbars, language translators, and email notification icons.

Unfortunately, as many victims know too well, scammers also creating browser downloadables that promise one thing, but unleash a parade of horribles on unsuspecting consumers.  For example, these programs can rewire your browser settings and degrade your browser and computer performance.  They may also overlay scammy or inappropriate ads all over the web pages you visit, often covering up content that you want to see.  Even worse, these unwanted programs can introduce malware and other security and privacy threats, including stealing passwords and account login information.  And in many cases, they are impossible to get rid of without expert (read: expensive) help.

 So, what else can consumers do? Here are some tips for spotting and avoiding being a victim:

  • Keep your browser and operating system up to date. Most operating systems and software will notify you when it’s time to upgrade – don’t ignore these messages and update as soon as you can. Old versions of software can sometimes have security problems that criminals can use to more easily get to your data.

  • Know what you are downloading. Software from unfamiliar third parties may contain unwanted add-ons or malware. Be sure to know from where the software originates and only download it from a reputable source or a well-known app store.

  • Review Installation Options. When you download programs and extensions, pay attention to the fine print details and any auto-checked checkboxes. Make sure that you understand what programs are being installed.

  • Read the User Agreement. In addition to only downloading software from a reputable source, also be sure to read disclosures on the download site to understand exactly what you’re installing. Don’t install software from sites your browser tells you may contain malware or software bundled with “additional offers” unless you fully understand what is in them.

  • Recognize the signs of infection. Here are some clues that a suspicious program is affecting your browser:
    • Your browser doesn’t block pop-up ads from showing
    • Your homepage, startup page, or default search engine has changed to a site you don’t recognize
    • Unfamiliar extensions or toolbars are added to your browser
    • The browser’s desktop shortcut opens an unfamiliar website
  • Remove scammy software. Routinely scan your computer for malware with antivirus software you trust.

  • If you get hit with a scammy download report it Fraud.org or the FTC.

These tips are part of the National Consumers League’s continued commitment to helping consumers keep themselves safe online. In particular, NCL’s #DataInsecurity Project raises awareness about the need for reforms aimed at better protecting consumer data and calls on our policymakers to act now to strengthen cybersecurity standards.

National Consumers League statement on White House action on data security – National Consumers League

October 17, 2014

Contact: Ben Klein, National Consumers League, benk@nclnet.org, (202) 835-3323

Washington, DC – The National Consumers League (NCL) today applauded the Obama Administration for its action to address the need for great data security protections for consumers’ sensitive information.

The following statement is attributable to Sally Greenberg, NCL executive director:

As the number and magnitude of data breaches pile up, it is clear that more must be done to address the vulnerability of consumers’ personal financial information. When consumers’ data is compromised, real harm is done. Whether it be due to missed payments when debit or credit cards are canceled or the increased threat of identity theft, consumers pay the price when their data isn’t sufficiently protected.

That is why we are extremely pleased to see the White House today release its Executive Order on data security. As a major early adopter of chip and PIN card technologies, the federal government can help spur adoption of this more secure method of payment. We are also encouraged by the Administration’s collaboration with businesses to increase consumer access to credit scores, identity theft monitoring and resolution support tools. We are encouraged to see many pro-consumer businesses like Visa, American Express, and MasterCard, partnering with the Administration to take positive steps towards better protections for consumers and we look forward to working with the White House and these businesses to strengthen consumers’ data security.

Finally, we look forward to being a part of the forthcoming Cybersecurity and Consumer Protection Summit. As we have highlighted through NCL’s #DataInsecurity Project, the hacking threat is one of the great consumer protection challenges of our time. By convening stakeholders to address this problem at the highest level, the Administration can begin to tilt the data security playing field back in consumers’ favor.

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.