Federal government shutdown a boon to scammers

With the partial government shutdown about to enter Day 27, there is no shortage of stories about the shutdown’s impact on everyday citizens. With the shutdown hurting millions of Americans and costing the economy billions of dollars, one group is undoubtedly rooting for the shutdown to go on as long as possible: scammers.

That is because one of the agencies currently shut down is the Federal Trade Commission (FTC), which is one of the government’s biggest cops on the beat against scam artists. In 2017, almost a quarter million consumers reported to the FTC that they lost nearly $1 billion to scammers. While those are certainly big numbers, we know that fraud is a historically underreported crime, so those losses are likely only the tip of the iceberg. 

Screenshot of the FTC's website with an alert showing that it is shut down.

The FTC relies greatly on consumer complaints to drive its investigations. In 2017, the Commission collected 2.7 million such complaints, giving it the evidence it needed to take down scams of all kinds, from phony debt collectors, to identity thieves, to imposter scams to dozens of other types of cons. Unfortunately, for the past 27 days, the agency has been unable to accept complaints from consumers. That means that for the past 3+ weeks, scammers have been free to defraud Americans without having to worry about getting caught by the FTC. 

Consumers can file their complaints with other organizations, though none of them have the resources or investigative reach of the FTC. For example, state attorneys general typically take fraud complaints, but their investigative reach is often constrained by limited resources and they may lack expertise on the types of fraud that the FTC has investigated for decades. There are also a number of great nonprofit organizations, including the Identity Theft Resource Center, AARP’s Fraud Watch, and NCL’s own Fraud.org that collect complaints and provide counseling to fraud victims. For Fraud.org’s reports, we also typically amplify our impact by sharing our complaints with the FTC, which can and does investigate. With the FTC shut down, that information sharing isn’t currently happening.

With the FTC absent, scam artists’ jobs are made much easier. The plight of hundreds of thousands of furloughed federal workers – many living paycheck to paycheck – is rightfully getting plenty of attention. However, Congress, the White House, and the media should not ignore the millions of consumers who are being put at greater risk of fraud while the government remains shuttered.

Fraud on Venmo threatens consumer trust in the emerging P2P payments space – National Consumers League

Fraud in the peer-to-peer (P2P) money transfer space is an all-too-common occurrence and is growing by leaps and bounds. One of the biggest players in the P2P space is Venmo, which is owned by PayPal. Last quarter, the company reported $17 billion in transactions on Venmo, an increase of 78 percent over the same period last year.

Unfortunately, wherever money is exchanged, fraudsters will try to find ways to lure consumers into faux deals and fake transactions, particularly when new and potentially unfamiliar technologies are used to make payments. At NCL’s Fraud.org, we hear from thousands of consumers who have either fallen victim to fraud or want advice about avoiding it.

Venmo is no exception to this rule. PayPal reported a spike in fraud on Venmo earlier this year, leading to wider-than-expected operating losses. As TheStreet.com reported this week, many PayPal investors are bullish on Venmo’s potential for monetization but were taken aback by reports that Venmo’s “transaction loss rate”, an internal metric that includes fraud-related losses, rose from 0.25 percent to 0.40 percent of overall Venmo volume between January and March. This was one of the factors that played a part in Venmo’s operating loss of $40 million during the first quarter, according to The Wall Street Journal. Why the spike in early 2018? That is hard to know.

To their credit, as loss patterns emerged, the Venmo team quickly “updated the new features to prevent losses and protect customers,” said Amanda Miller, a PayPal spokesperson. “With the new instant transfer feature, that meant suspending the new feature for a few days and then reintroducing it. Suspending that feature temporarily was the right thing to protect customers.” Venmo also raised fees from a small flat fee to a percentage-based fee.

We hope these changes will help, but what have consumers lost in the process? Scammers have long been abusing P2P services, including Venmo, with scams ranging from reversing payments for goods purchased to using stolen credit cards or hacked accounts to make Venmo transactions.

But is that enough? And will consumers be left holding the bag when they get caught in fraudulent payment schemes? That’s a question that PayPal and Venmo must answer. It is widely expected that P2P payment systems like Venmo will continue to grow exponentially in the coming years. To maintain consumer trust, they must do all they can to protect consumers from the inevitable scams and frauds that will continue to pop up and harm consumers. If P2P companies like Venmo can’t get fraud under control on their own, it may soon be time for Congress to step in and consider requiring zero-liability regulations such as those that protect users of debit or credit cards.

Rosé explosion leading to fraud in wine industry – National Consumers League

Haley Swartz

Rosé – the pink wine that incorporates the skin of red grapes and the flavors of all other varieties – has exploded in popularity over the last five years. Rosé consumption is particularly skewed among millennials and during the summer months, aided by gender-inclusive hashtags, the development of new, millennial-targeted brands, and the particularly “Insta” quality of a pink wine. Consumption of rosé has now eclipsed white wine in France, and in the United States, data indicates Washington, DC is the “capital of rosé,” – illustrating its ubiquity across political and social cultures.

Rosé has contributed to an overall growth in wine sales, as consumers increasingly buy rosé in addition to other white and red wines – and higher-priced rosés are bringing in greater profits than cheaper, generic offerings. Experts say rosé consumption differs from other millennial-led fad wine crazes – à la prosecco and Moscato of the late 2010’s – because it is simply a higher quality product.

However, a recent case of fraud in the rosé industry illustrates the safety and quality vulnerabilities faced by consumers throughout global beverage supply chains. Rosé is like champagne, whereby only grapes harvested in the Champagne region of France can be labeled as “real” Champagne. While other European producers have entered into the rosé market, the “best and truest” rosés are made with grapes grown in the Provence region of France. Such a limited geographical area for a “true” rosé supply, combined with soaring global demand, is the perfect recipe for fraud.

Over the past two years, wine merchants have unknowingly sold 10 million bottles of what they thought was pure French rosé – but was just a cheap Spanish red/white blend. Most of the mislabeled wine was sold in French establishments, but some was found in British retail – leading to the question of whether the mislabeled wine may have even entered U.S. markets. The mislabeling included either a “Vin de France” generic label or the more prestigious “IGP” label that refers to a protected geographic designation in French growing regions. Worse, other bottles – though labeled in small print as “Spanish” or “European” in origin – had French scenery on the bottle’s label, including the fleur-de-lis (the former royal arms of France). Such a blatant form of misrepresentation is all too common in the wine industry.

Further, most bottles were placed in the French rosé section of wine retail locations – and, of course, priced accordingly. The Spanish wine, which sold in bulk at only 34 euro cents a liter ($0.40 USD) must be compared to the 75-90 euro cent ($0.88-1.05 USD) price tag for a true French rosé – providing double the profit for the fraudulent producers.

French authorities have identified four wine producers at fault, but only one has been charged with commercial fraud. If found guilty, the producer could face up to two years in prison and a fine of 300,00 Euros. While it’s unlikely the fraudulent bottles are still in a store near you, consumers should learn one lesson from this whole episode: Read the label – all of it – and avoid being distracted by a pretty shade of pink.

Imposters, information theft, and internet scams: the dangers of unregulated online pharmacies – National Consumers League

By NCL Food Policy and LifeSmarts Caleigh Bartash

With technology improving rapidly over the past few decades, online retailers have proved more convenient, reducing the market share of brick-and-mortar retailers. However, the convenience of purchasing prescription medication online or over the phone can inadvertently trap consumers in internet scams.

Countless issues can arise from ordering prescription medication online. Unapproved internet dealers often evade government recognition or detection, failing to comply with drug safety regulations. Consumers can receive counterfeit, contaminated, or expired drugs. In some cases, these drugs may contain deadly opioids like fentanyl. Unauthorized medications can also have varying amounts of a medicine’s active ingredient — if they contain the correct ingredient at all.

Consumers may be attempting to access medications that they have previously been prescribed. However, they face security threats as soon as they give their personal details to an illegitimate pharmacy. These sellers have poor security protections, with leaks of sensitive customer information all too common. Illegitimate online sellers may even outright sell consumer data to scammers. Moreover, these websites can trick unsuspecting consumers into downloading viruses which further risk personal property and information.

Counterfeit drugs, unauthorized data sharing, and cyber attacks are dangerous, but now, a new threat has emerged involving counterfeit letters from the U.S. Food and Drug Administration.

Last week, the FDA released a press announcement alerting consumers to fraudulent warning letters claiming to be sent from the government. They advised that any consumer who received a warning message is likely the victim of a scam.

The July 2018 FDA press announcement is unique in that it is targeted directly to consumers. Commonly, these warning letters are used as a tool to inform the public about drug safety issues and are typically sent exclusively to manufacturers and companies creating products under their jurisdiction. FDA commissioner Dr. Scott Gottlieb summarized the FDA’s policy, stating “we generally don’t take action against individuals for purchasing a medicine online, though we regularly take action against the owners and operators of illegal websites.”

What’s next for those that received a warning letter? The FDA requests that potential victims contact them with information, including pictures and scanned documents if possible, in an effort to help them investigate the scams. Consumers can use the email address FDAInternetPharmacyTaskForce-CDER@fda.hhs.gov as the primary channel for communicating with the agency about suspicious warnings.

The best way to avoid falling victim to any scam involving illegal internet pharmacies is to abstain from suspicious websites. How do you distinguish fake internet pharmacies from safe ones? The FDA offers guidance with their BeSafeRx campaign. Asking a few simple questions at the doctor’s office or calling a certified pharmacist can help consumers protect themselves. Safe online pharmacies usually offer information including address, contact information, and state license. Consumers should be wary if the pharmacy does not require prescriptions to access pharmaceutical drugs. Other warning signs include international addresses, clear spam messages, and unreasonably low prices.

####

Have more questions about fraud? NCL’s Fraud.org site has prevention tips, an outlet for consumer complaints, and an experienced fraud counselor to teach you how to avoid common scams. And for those wanting to learn more about proper medication consumption, our Script Your Future initiative has helpful advice and information so you can navigate your prescriptions with the utmost confidence.

Hurricane Harvey charity scams warning – National Consumers League

With heartbreaking images of the recent devastation in Houston, many consumers in the United States and around the world are reaching for their wallets to help. The inclination to send donations is generous and kind, but advocates know that con artists have long exploited natural disasters, and consumers must be careful in order to avoid sending money to scammers who pose as charities.

In the days following a natural disaster, our Fraud.org staff often hear from consumers about crooks’ attempts to take advantage of tragic events for their personal gain. After the September 11 terrorist attacks, Hurricane Katrina, and the 2010 earthquake in Haiti, we received reports of a variety of scams tailored by con artists to capitalize on the rescue efforts. Scams typically involve con artists sending out emails purporting to come from a known and respected charity such as the Red Cross or Oxfam International. Victims are then directed to a fake Web site made to look like a legitimate charity’s site, where they are asked to share personal information or donate via wire transfer, PayPal, or a bank account. The scammer then makes off with the donation, and no real funds are sent to support actual disaster relief.

“The continued tragedy of fraud perpetrated in the wake of such disasters is that charity scams not only rob the donors,” said John Breyault, NCL vice president for public policy on telecommunications and fraud. “They also divert contributions from legitimate charities, who are in great need for money and goods to assist those who need it most.”

Fraudulent charities use natural disasters like the one in Houston to trick people who want to aid the victims. If you’re not sure whether a charity is legitimate, follow this advice:

  • If you’re approached by an unfamiliar charity, check it out. Most states require charities to register with them and file annual reports showing how they use donations. Ask your state or local consumer protection agency how to get this information. The Better Business Bureau (BBB) Wise Giving Alliance also offers information about national charities. Call (703) 276-0100 or go to Give.org.

  • Ask for written information. Legitimate charities will be happy to provide details about what they do and will never insist that you act immediately.

  • Beware of sound-alikes. Some crooks try to fool people by using names that are very similar to those of legitimate, well-known charities.

  • Ask about the caller’s relation to the charity. The caller may be a professional fundraiser, not an employee or a volunteer. Ask what percentage of donations goes to the charity and how much the fundraiser gets.

  • Be wary of requests to support police or firefighters. Some fraudulent fundraisers claim that donations will benefit police or firefighters, when in fact little or no money goes to them. Contact your local police or fire department to find out if the claims are true and what percentage of donations, if any, they will receive.

NCL joins education campaign to help seniors safely buy drugs online – National Consumers League

This week, the National Consumers League (NCL) joined forces with the Alliance for Safe Online Pharmacies (ASOP Global), and the Center for Safe Internet Pharmacies (CSIP) in launching a campaign to educate seniors and their caregivers about the health and financial risks associated with buying prescription medicines from illegal or rogue online pharmacies.

Over the last century, the number of Americans aged 65 and older has increased exponentially, and studies show that this trend will continue for the foreseeable future. While the elderly are living longer, many older adults depend on a multitude of prescription drugs to maintain their quality of life and to combat many of the problems that may arise with aging, such as chronic diseases. Approximately nine out of 10 older adults have at least one chronic disease, and nine out of 10 older Americans rely on at least one prescription medication on a regular basis. As adults 65 and older account for over one-third of all prescription medications and with many seniors living on fixed incomes, it is not surprising that they are looking for opportunities to purchase their necessary medications at cheaper prices.

Unfortunately, seniors are particularly vulnerable to unknowingly purchasing counterfeit drugs in an effort to find a more convenient and affordable means to obtain the medications they need. Of course, there are many online pharmacies that operate legally and are perfectly safe. However, there are many rogue online pharmacy sites that sell potentially dangerous, or even deadly, drugs that have not been approved by the Food and Drug Administration (FDA) for safety and effectiveness.

Many of these sites operate under the guise of being a legal, safe, and often cheaper alternative to purchasing a prescription from a retail or mail-order pharmacy. But in reality, they often sell drugs that contain the wrong active ingredient, the wrong amount of the active ingredient, no active ingredient at all, harmful ingredients, or even poisons. As an increasing number of older adults are being introduced to the Internet, it is important that they are educated on the risks associated with purchasing their prescriptions online.

To fill this knowledge gap, the National Consumers League is pleased to be collaborating with the Alliance for Safe Online Pharmacies and the Center for Safe Internet Pharmacies to not only educate seniors and their caregivers about online pharmacies, but also empower them to make safe and informed decisions when shopping for prescription drugs online. Counterfeit drugs have long been an area of great concern for NCL, and we are enthusiastic about contributing to this joint effort to keep older Americans safe online.

To stay safe, seniors and their caregivers should avoid websites that:

  1. Do not require a valid prescription.
  2. Allow you to buy prescription medications by simply completing an online questionnaire.
  3. Offer drastically discounted prices.
  4. Do not have a licensed pharmacist available for consultation.
  5. Do not display a physical street address.
  6. Offer to ship prescriptions from other countries to the U.S.
  7. Are not verified by the National Association of Boards of Pharmacy (NABP).

Consumers are encouraged to buy from sites ending in .pharmacy, which are verified by NABP. In addition, online pharmacies that display the VIPPS (Verified Internet Pharmacy Practice Sites) seal have successfully undergone NABP’s rigorous screening process.

For more information about illegal online pharmacies and counterfeit medicines, consumers should visit www.XtheRisk.com. For additional information on health fraud and tips on how to protect yourself from the dangers of counterfeit drugs, visit Fraud.org.

Tech support scammers dupe consumers – National Consumers League

Ever heard of a tech support scam? Well, a very smart, savvy member of my family fell victim to one this week.

My family member, who we will refer to as Sherry, was working on her laptop when she clicked on an ad. Clicking on that ad ended up installing malware on her computer, which then put up warning messages on her screen telling her that her computer was infected. A helpline phone number was displayed—appearing to be Microsoft tech support. Sherry, in a panic, called the phone number, which was actually a scammer. Unbeknownst to Sherry, she allowed him to remotely access her computer while she was on the phone with him. The scammer led Sherry to believe he was running a scan for viruses, but he was really scanning her computer’s information and possibly attempting to damage her hard drive so that Sherry would have to pay him money to “fix” it. Sherry’s computer, just like all of ours, is full of important work data, personal contact information, financial documentation, and more that we wouldn’t want anyone else to have access to. Before Sherry committed to giving this man her credit card information, a friend advised her to hang up with the scammer, shut her computer down, and disconnect it from the Internet.

From an FTC Post on tech support scams:

In a recent twist, scam artists are using the phone to try to break into your computer. They call, claiming to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t need.

These scammers take advantage of your reasonable concerns about viruses and other threats. They know that computer users have heard time and again that it’s important to install security software. But the purpose behind their elaborate scheme isn’t to protect your computer; it’s to make money.

This is exactly what Sherry experienced. Her scammer assured her that he was fixing her computer issues, while she asked several times if he was being honest. He responded, “You have to trust me.” Two days later, Sherry has been told not to connect her computer to the Internet, which is vital to her work. She’s also waiting for the other shoe to drop – what happens when her friends start getting solicitations to help Sherry out of a travel jam and wire money to some phony address? Or who knows what other damage these scammers have done to her personal information linked to the laptop? There are many implications to this type of scam that can be very detrimental to one’s financial, work, and personal life.

So consumers, please, sign up for Fraud Alerts, which will warn you and your family on the latest scams. Read this Fraud Alert for more information on tech support scams. The more consumers know what to look for, the less likely you are to get duped. NCL’s Fraud.org is here to help! Microsoft also provides tips on how to avoid tech support phone scams here.

NCL #DataInsecurity Project – National Consumers League

NCL recently debuted the first issue of The #DataInsecurity Digest, a twice monthly publication curated by NCL’s own, John Breyault, to deliver important consumer-focused data security news, policy and news analysis, and information about upcoming events directly to your inbox. Click here to subscribe.

In 2013, there were 614 data breaches that led to more than 550 million identities compromised. New data breaches mean more identity theft and other fraud, and more consumers facing financial loss, great inconvenience, and a loss of trust in the marketplace. That is why NCL is working on the #DataInsecurity Project — to raise awareness about the need for reforms aimed at better protecting consumer data.

https://www.youtube.com/watch?v=z6GD9UNbgAs&list=UUXfyCJGEBaMOTcf5l7W_GTg

Data breaches impact consumers, credit unions, banks, and retailers. Last December, the retail giant Target suffered a massive data breach that made national headlines. In the breach, as many as 110 million identities were compromised.

Take a look at the impact of just this single incident:

  • $200 million: the cost to credit unions and community banks for reissuing 21.8 million credit and debit cards
  • 1-3 million: the estimated number of cards stolen in the Target breach that were sold on the black market and successfully used to commit fraud
  • $18-35.70: the price per card stolen from Target and resold on the black market in the months after the breach

Shocking as these numbers are, they represent the fallout from just a single data breach. Data breaches are happening with frightening regularity.

Malicious hackers are going to continue to exploit existing weaknesses, and many businesses lack the incentive or ability to adequately protect their customer data against evolving threats. That is why NCL believes that consumers need to be proactive about protecting their own data and calling on policymakers for improvements.

The current landscape of protection for consumer data is woefully inadequate.

NCL’s #DataInsecurity Project is calling for reforms such as:

  • Creating a national data breach notification standard, modeled on strong state protections such as California’s;
  • Requiring businesses that maintain consumers’ personal data to protect that information via specific data security requirements;
  • Giving the Federal Trade Commission and state Attorneys General civil penalty authority to enforce violations of data security requirements;
  • Increasing civil and criminal penalties for malicious hacking;
  • Increasing efforts to enhance cooperation with international partners to bring overseas hackers to justice; and
  • Requiring retailers and banks to implement the highest level of security available to protect consumers’ payment data.

To promote these goals, NCL is taking its #DataInsecurity Project on the road to four states across the country, to meet with policymakers, industry experts, consumer advocates, law enforcement officials, and members of the academic and business community. The tour is designed to raise awareness about the frequency of data breaches and to encourage the adoption of comprehensive reforms so that consumers can be better protected.

As a part of the #DataInsecurity Project, NCL has also unveiled important new research by Javelin Strategy & Research investigating the impact of data breaches on consumer trust, on who consumers feel should be responsible for their data, and on current responses to data breaches. Check out NCL’s survey report.

You can get involved!

Help us send the message that the time for reform is now! Sign our petition to the White House calling on policymakers to step up and protect consumers’ data.

 

How many straws until the camel’s back is broken on data breaches? – National Consumers League

John Breyault

Another day, another data breach. The data breach roulette wheel this time landed on health insurer CareFirst. Who loses? The 1.1 million consumers whose names, birth dates, email addresses and CareFirst subscriber ID numbers are now in the hands of cyber crooks.

First things first, what’s the risk to consumers? The most likely effect is that consumers affected by the breach may be on the receiving end of convincing-looking phishing emails. These attacks are designed to trick consumers into clicking on links or attachments that install malware or send users to phishing websites. The phishing emails (and possible telephone calls) are likely to reference CareFirst in some way, and may even masquerade as notifications about the breach itself.

Bottom line: If you are a CareFirst customer, the first place you should be going to get reliable information about the breach and what CareFirst is doing about it is www.carefirstanswers.com. The website has been set up by CareFirst to give affected customers up-to-date information about the breach and what steps they can take to mitigate their risk, including taking advantage of free credit monitoring and identity theft protection CareFirst is offering via Experian.

With that out of the way, there are a number of key questions that regulators, legislators and advocates should be asking in the coming days and weeks.

First, why are health insurers being targeted? CareFirst is the third major health insurer to disclose a breach in the past six months. There are troubling signs that the breaches at Anthem in February, Premera in March and now CareFirst are part of a coordinated attack on U.S. health insurers, possibly by state-sponsored hackers. Regardless of the origin of the hack, it’s clear that medical information is especially lucrative for thieves. According to cybersecurity experts, stolen medical info is worth 10-20 times more than stolen credit or debit card data on the cyber black market. With 2.3 million Americans falling victim to medical identity theft in 2014, it’s not hard to see why medical information presents such an attractive target to cybercriminals.

Second, why did it take 10 months to notify consumers? According to CareFirst, the intrusion into their network was first detected in June 2014 and “immediate action” was taken to contain the threat. However, it was not until April 2015 that the company discovered that the crooks had exfiltrated stolen data from their systems. With nearly 10 months lead time, cybercrooks had ample time to create mischief with the stolen data before CareFirst notified consumers. Why did it take so long to find out that data was actually lost?

Finally, would more stringent data security standards or data breach notification laws have reduced the risk of this breach? There is no way to make a system 100% safe from hacking. However, far too many companies only invest significant resources in protecting their customers’ data after a hack, not before. This leaves millions of consumers at risk of breach-fueled fraud as companies elect to invest elsewhere while they wait for a hack to force them to spend on data security. What kind of incentives and/or penalties should Congress and the Executive Branch consider to shift the cost/benefit equation for companies towards spending on data protection before a breach? NCL’s 2015 Data Security Agenda is a good roadmap for policymakers looking for consumer-friendly answers to these important questions.

The CareFirst breach is yet another straw on the pile of reasons why consumers can’t wait on businesses to take care of the data security problem on their own. It’s time for leaders in Washington to step up and pass real data security reform before the next straw breaks the camel’s — and our — backs. In the meantime, here are tips consumers can use to reduce the risk of identity theft.

Bravo! FTC’s “Start With Security” initiative announces seminar on data security – National Consumers League

Federal Trade Commission Chairwoman Edith Ramirez this morning announced the next step in the FTC’s efforts to craft data security guidelines for businesses. As part of its “Start with Security” program, originally unveiled in March, the Commission will hold an initiative at the University of California on September 9. This follows on the heels of the February 13 Summit on Cybersecurity and Consumer Protection at Stanford University.

NCL has long advocated for the FTC to take a leadership role in the federal government on data security and is very pleased about this announcement. We applaud the FTC for taking this step to improve data security and help businesses protect consumers.

While details of the September meeting aren’t yet fully known, we do know a few things about the Commission’s “Start with Security” program. At the IAPP summit in March, FTC Bureau of Consumer Protection Director said that the program’s goal is to provide businesses with resources, education and guidance on data security. Chairwoman Ramirez (who NCL will be honoring in October, incidentally) elaborated on this theme, stating that the initiative will be aimed at bringing together experts on data security to share best practices, particularly for small and medium-sized businesses.

The focus on data security at small-to-medium sized businesses is a logical choice for the agency. Its ongoing legal tussle with Atlanta-based LabMD illustrates challenges the Commission faces as it seeks to enforce data security obligations on small businesses. Such entities are often ill-equipped to adequately protect the growing amounts of sensitive personal information they are collecting. This is an incredibly important issue. As NCL’s #DataInsecurity Report found, nearly 6 in 10 data breach victims indicated that their trust in retailers decreased following a breach. For a small business struggling to stay afloat, losing the confidence of customers due to a data breach can mean the difference between keeping the lights on and a “closed” sign on the front door.

So what can the Commission hope to accomplish at its September meeting? In the interests of promoting consumer data security, we propose that the meeting agenda cover some basic data security policy topics, such as:

  • Is there a sufficient flow of information and best practices on breach trends, emerging threats from hackers, etc. being shared by the FTC with businesses that are entrusted to store consumer data? If not, how can this improve?
  • The Online Trust Alliance estimated that 90% of data breaches in 2014 could have been prevented if basic security measures had been taken. With this in mind, how can businesses be incentivized to make sure they are taking the basic steps to protect their data?
  • Small and medium-sized businesses often lack the budget and/or expertise to craft robust data security protections, yet they are increasingly collecting large amounts of sensitive data about their customers. What requirements should be placed on a pizza parlor, for example, when it comes to data security?
  • We often hear that it’s not “if,” it’s “when” when it comes to data breaches at businesses. However, it seems that businesses, particularly small-to-medium sized businesses, aren’t prepared to protect against the data breach threat. Is this accurate? If so, what can the FTC do to change that mindset?
  • Government data security mandates can only do so much to create a climate where data security is taken seriously by business. What flexible, market-based incentives exist to promote data security? Is cyber-insurance the answer?
  • There is no shortage of cybersecurity firms offering high-priced solutions to small-to-medium sized businesses. Are there free or low-cost solutions that businesses can take today that will measurably reduce their data security risks (e.g. enable multi-factor authentication, create stronger passwords, encrypt sensitive data)?

The “Start With Security” initiative is a good opportunity for the FTC to promote solutions that businesses can take to reduce their data security risk. However, absent reforms in Congress to tackle tough issues like data breach notification and a comprehensive data security standard, education can only do so much. We hope that the Commission will use the September 9 forum to highlight the impact that breaches continue to have on consumers and businesses and to push Congress to pass real data security reforms.