Will Obama’s cybersecurity plan help consumers? – National Consumers League

It seems appropriate that the Obama Administration chose Safer Internet Day to announce its new *Cybersecurity National Action Plan (CNAP). At a time when massive data breaches continue to be the norm, rather than the exception, it is heartening to see the President take comprehensive action to address ongoing threats to consumers’ data. So, what are some of the highlights of the CNAP? Will it help consumers getting pummeled by data breaches?

Let’s take a look…

Establishing a “*Commission on Enhancing National Cybersecurity”

Bringing together cybersecurity experts to talk shop and recommend solutions is rarely a bad idea. Importantly, the Commission is charged with delivering a report of its findings and recommendations to the President by December 1, 2016, which should make for interesting reading for data security geeks like yours truly. The CNAP calls for the Commission to be made up of “top strategic, business, and technical thinkers from outside of Government.” Within the Executive Order itself, the Commission membership qualifications are spelled out in greater detail as “those with knowledge about or experience in cybersecurity, the digital economy, national security and law enforcement, corporate governance, risk management, information technology (IT), privacy, identity management, Internet governance and standards, government administration, digital and social media, communications, or any other area determined by the President to be of value to the Commission.”

Notice something missing there? If you said “consumers,” give yourself a gold star. All too often, the job of protecting consumers’ data is punted onto consumers themselves. While enabling two-factor authentication, practicing good digital hygiene, and keeping an eye on your credit reports are never bad ideas, they can’t be the only solution. The companies and agencies that collect and use consumers’ data must have real skin in the game when it comes to protecting that information. We hope that the new Commission will take a look at the role that data security standards, strong data breach notification requirements, and cyber insurance can play in strengthening data protections.

Empowering Americans to secure their online accounts

At NCL, we’re big fans of the great work the National Cyber Security Alliance is doing to arm consumers and businesses with the tools to enhance their own data security. By embracing two-factor authentication, the Administration is putting its imprimatur on a common-sense data security tool that all consumers should be using whenever possible. Kudos, too, for asking federal agencies to practice what they preach by implementing stronger authentication methods and reducing the use of Social Security Numbers as an identifier for citizens. (P.S. If you use Google services and need some extra incentive to up your security game, our colleagues at Google are offering two free gigabytes of Google Drive storage to anyone who completes their Security Checkup.)

Investing $19 billion+ for cybersecurity as part of the President’s Fiscal Year (FY) 2017 Budget

This is the part of the CNAP that’s getting the most press and, frankly, will probably be the toughest part of the plan to get over the finish line, given election-year politics in Washington. However, given the cybersecurity skills gap, it’s heartening to see the President’s budget proposing a package of student loan forgiveness, increased cybersecurity hiring, small business training, and technology modernization initiatives. Last year’s OPM data breach made the consequences of relying on out-of-date technology painfully clear. And for goodness’ sake, it’s time for every federal agency to get off Windows XP already!

There’s lots more to dig into in the CNAP, but overall, it’s got a lot to like from a consumer point of view. As the Plan correctly recognizes, “there is no silver bullet to fully guarantee our data security.” The fight for better data security is going to take lots of hands, and we applaud the President for proposing ways for us all to get in the trenches.

*Links are no longer active as the original sources have removed the content, sometimes due to federal website changes or restructurings

How many straws until the camel’s back is broken on data breaches? – National Consumers League

By John Breyault

Another day, another data breach. The data breach roulette wheel this time landed on health insurer CareFirst. Who loses? The 1.1 million consumers whose names, birth dates, email addresses and CareFirst subscriber ID numbers are now in the hands of cyber crooks.

First things first: what’s the risk to consumers? The most likely effect is that consumers affected by the breach will be on the receiving end of convincing-looking phishing emails. These attacks are designed to trick consumers into clicking on links or attachments that install malware or send users to phishing websites. The phishing emails (and possibly telephone calls) are likely to reference CareFirst in some way, and may even masquerade as notifications about the breach itself.

Bottom line: If you are a CareFirst customer, the first place you should be going to get reliable information about the breach and what CareFirst is doing about it is www.carefirstanswers.com. The website has been set up by CareFirst to give affected customers up-to-date information about the breach and what steps they can take to mitigate their risk, including taking advantage of free credit monitoring and identity theft protection CareFirst is offering via Experian.

With that out of the way, there are a number of key questions that regulators, legislators and advocates should be asking in the coming days and weeks.

First, why are health insurers being targeted? CareFirst is the third major health insurer to disclose a breach in the past six months. There are troubling signs that the breaches at Anthem in February, Premera in March and now CareFirst are part of a coordinated attack on U.S. health insurers, possibly by state-sponsored hackers. Regardless of the origin of the hack, it’s clear that medical information is especially lucrative for thieves. According to cybersecurity experts, stolen medical information sells for 10-20 times more than stolen credit or debit card data on the cyber black market. With 2.3 million Americans falling victim to medical identity theft in 2014, it’s not hard to see why medical information presents such an attractive target to cybercriminals.

Second, why did it take 10 months to notify consumers? According to CareFirst, the intrusion into its network was first detected in June 2014 and “immediate action” was taken to contain the threat. However, it was not until April 2015 that the company discovered that the crooks had actually exfiltrated data from its systems. With nearly 10 months of lead time, cybercrooks had ample opportunity to create mischief with the stolen data before CareFirst notified consumers. Why did it take so long to find out that data was actually lost?

Finally, would more stringent data security standards or data breach notification laws have reduced the risk of this breach? There is no way to make a system 100% safe from hacking. However, far too many companies only invest significant resources in protecting their customers’ data after a hack, not before. This leaves millions of consumers at risk of breach-fueled fraud as companies elect to invest elsewhere while they wait for a hack to force them to spend on data security. What kind of incentives and/or penalties should Congress and the Executive Branch consider to shift the cost/benefit equation for companies toward spending on data protection before a breach? NCL’s 2015 Data Security Agenda is a good roadmap for policymakers looking for consumer-friendly answers to these important questions.

The CareFirst breach is yet another straw on the pile of reasons why consumers can’t wait on businesses to take care of the data security problem on their own. It’s time for leaders in Washington to step up and pass real data security reform before the next straw breaks the camel’s — and our — backs. In the meantime, here are tips consumers can use to reduce the risk of identity theft.

Bravo! FTC’s “Start With Security” initiative announces seminar on data security – National Consumers League

Federal Trade Commission Chairwoman Edith Ramirez this morning announced the next step in the FTC’s efforts to craft data security guidelines for businesses. As part of its “Start with Security” program, originally unveiled in March, the Commission will hold an event at the University of California on September 9. This follows on the heels of the February 13 Summit on Cybersecurity and Consumer Protection at Stanford University.

NCL has long advocated for the FTC to take a leadership role in the federal government on data security and is very pleased about this announcement. We applaud the FTC for taking this step to improve data security and help businesses protect consumers.

While details of the September meeting aren’t yet fully known, we do know a few things about the Commission’s “Start with Security” program. At the IAPP summit in March, FTC Bureau of Consumer Protection Director said that the program’s goal is to provide businesses with resources, education and guidance on data security. Chairwoman Ramirez (who NCL will be honoring in October, incidentally) elaborated on this theme, stating that the initiative will be aimed at bringing together experts on data security to share best practices, particularly for small and medium-sized businesses.

The focus on data security at small-to-medium sized businesses is a logical choice for the agency. Its ongoing legal tussle with Atlanta-based LabMD illustrates challenges the Commission faces as it seeks to enforce data security obligations on small businesses. Such entities are often ill-equipped to adequately protect the growing amounts of sensitive personal information they are collecting.  This is an incredibly important issue. As NCL’s #DataInsecurity Report found, nearly 6 in 10 data breach victims indicated that their trust in retailers decreased following a breach. For a small business struggling to stay afloat, losing the confidence of customers due to a data breach can mean the difference between keeping the lights on and a “closed” sign on the front door.

So what can the Commission hope to accomplish at its September meeting? In the interests of promoting consumer data security, we propose that the meeting agenda cover some basic data security policy topics, such as:

  • Is there a sufficient flow of information and best practices on breach trends, emerging threats from hackers, etc. being shared by the FTC with businesses that are entrusted to store consumer data? If not, how can this improve?
  • The Online Trust Alliance estimated that 90% of data breaches in 2014 could have been prevented if basic security measures had been taken. With this in mind, how can businesses be incentivized to make sure they are taking the basic steps to protect their data?
  • Small and medium-sized businesses often lack the budget and/or expertise to craft robust data security protections, yet they are increasingly collecting large amounts of sensitive data about their customers. What requirements should be placed on a pizza parlor, for example, when it comes to data security?
  • We often hear that it’s not “if,” it’s “when” when it comes to data breaches at businesses. However, it seems that businesses, particularly small-to-medium sized businesses, aren’t prepared to protect against the data breach threat. Is this accurate? If so, what can the FTC do to change that mindset?
  • Government data security mandates can only do so much to create a climate where data security is taken seriously by business. What flexible, market-based incentives exist to promote data security? Is cyber-insurance the answer?
  • There is no shortage of cybersecurity firms offering high-priced solutions to small-to-medium sized businesses. Are there free or low-cost solutions that businesses can take today that will measurably reduce their data security risks (e.g. enable multi-factor authentication, create stronger passwords, encrypt sensitive data)?

The “Start With Security” initiative is a good opportunity for the FTC to promote solutions that businesses can take to reduce their data security risk. However, absent reforms in Congress to tackle tough issues like data breach notification and a comprehensive data security standard, education can only do so much. We hope that the Commission will use the September 9 forum to highlight the impact that breaches continue to have on consumers and businesses and to push Congress to pass real data security reforms.

Don’t let your new computer get filled with scammy software – National Consumers League

With the holidays upon us, many consumers will soon be unwrapping new laptops, tablets, and desktop computers. Out of the box, these new devices run great, but over time they can become clogged with all manner of scammy software. At best, these programs can degrade performance. At worst, they can lock down your new device and steal personal information.

Web browsers are a popular way for scammers to gain entry to consumers’ computers, often via deceptive browser tools and extensions. Most browser add-ons are legitimate and useful software that adds new features to a Web browser or otherwise alters the default Web surfing experience. Popular examples include browser toolbars, language translators, and email notification icons.

Unfortunately, as many victims know too well, scammers are also creating browser downloads that promise one thing but unleash a parade of horribles on unsuspecting consumers. For example, these programs can rewire your browser settings and degrade your browser and computer performance. They may also overlay scammy or inappropriate ads all over the web pages you visit, often covering up content that you want to see. Even worse, these unwanted programs can introduce malware and other security and privacy threats, including stealing passwords and account login information. And in many cases, they are nearly impossible to get rid of without expert (read: expensive) help.

So, what can consumers do? Here are some tips for spotting this kind of software and avoiding becoming a victim:

  • Keep your browser and operating system up to date. Most operating systems and software will notify you when it’s time to upgrade – don’t ignore these messages and update as soon as you can. Old versions of software can sometimes have security problems that criminals can use to more easily get to your data.

  • Know what you are downloading. Software from unfamiliar third parties may contain unwanted add-ons or malware. Be sure to know from where the software originates and only download it from a reputable source or a well-known app store.

  • Review Installation Options. When you download programs and extensions, pay attention to the fine print details and any auto-checked checkboxes. Make sure that you understand what programs are being installed.

  • Read the User Agreement. In addition to only downloading software from a reputable source, also be sure to read disclosures on the download site to understand exactly what you’re installing. Don’t install software from sites your browser tells you may contain malware or software bundled with “additional offers” unless you fully understand what is in them.

  • Recognize the signs of infection. Here are some clues that a suspicious program is affecting your browser:
    • Pop-up ads appear even though your browser’s pop-up blocker is turned on
    • Your homepage, startup page, or default search engine has changed to a site you don’t recognize
    • Unfamiliar extensions or toolbars are added to your browser
    • The browser’s desktop shortcut opens an unfamiliar website
  • Remove scammy software. Routinely scan your computer for malware with antivirus software you trust.

  • If you get hit with a scammy download, report it to Fraud.org or the FTC.
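The “signs of infection” above can be checked mechanically rather than by eye. The following script is an added example (not code from the original NCL article) that audits a Chrome/Chromium profile’s “Preferences” JSON for a changed homepage, startup page or default search engine and for extensions the user did not knowingly install. The key paths (`homepage`, `session.startup_urls`, `default_search_provider_data.template_url_data.url`, `extensions.settings`), the meaning of the extension `location` value, the allowlists, and the sample profile are all assumptions constructed for this example; adjust the allowlists to your own browser before using it.

```python
"""Audit a Chrome/Chromium 'Preferences' JSON blob for browser-hijack signs.

Added example, not NCL's code. Key paths and the sample profile below are
assumptions constructed for this example.
"""
import json
from urllib.parse import urlparse

# Hosts the user recognises as their own homepage / search engine (assumption).
KNOWN_HOSTS = {"www.google.com", "duckduckgo.com", "www.nclnet.org"}

# Extension IDs the user deliberately installed (assumption). Chrome extension
# IDs are 32 lowercase letters in the range a-p.
KNOWN_EXTENSIONS = {"cjpalhdlnbpafiamejdnhcphjbkeiagm"}  # uBlock Origin


def _host(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""


def audit_preferences(prefs):
    """Return a list of (kind, detail) findings for a parsed Preferences dict.

    kind is one of 'homepage', 'startup_url', 'search_engine', 'extension'.
    """
    findings = []

    # Sign: homepage changed to a site you don't recognise.
    home = prefs.get("homepage")
    if home and _host(home) not in KNOWN_HOSTS:
        findings.append(("homepage", home))

    # Sign: startup page(s) changed.
    for url in prefs.get("session", {}).get("startup_urls", []):
        if _host(url) not in KNOWN_HOSTS:
            findings.append(("startup_url", url))

    # Sign: default search engine replaced. Chrome stores the query template
    # under default_search_provider_data.template_url_data.url (assumption).
    search = (prefs.get("default_search_provider_data", {})
                   .get("template_url_data", {})
                   .get("url", ""))
    if search and _host(search) not in KNOWN_HOSTS:
        findings.append(("search_engine", search))

    # Sign: unfamiliar extensions. Anything not on the allowlist is reported;
    # the 'location' value (how it was installed) is echoed for triage, but its
    # numeric meaning is an assumption and is not interpreted here.
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id in KNOWN_EXTENSIONS:
            continue
        name = ext.get("manifest", {}).get("name", "?")
        findings.append(("extension",
                         f"{ext_id} ({name}) location={ext.get('location')}"))
    return findings


# Constructed sample profile: a hijacked homepage and search engine plus one
# sideloaded "Coupon Helper" extension alongside a legitimately installed one.
SAMPLE_PREFS = json.loads("""
{
  "homepage": "http://search.example-hijack.test/?src=hp",
  "session": {"startup_urls": ["https://www.nclnet.org/"]},
  "default_search_provider_data": {"template_url_data": {
      "short_name": "Search",
      "url": "http://search.example-hijack.test/?q={searchTerms}"}},
  "extensions": {"settings": {
      "cjpalhdlnbpafiamejdnhcphjbkeiagm": {"location": 1,
          "manifest": {"name": "uBlock Origin"}},
      "abcdefghijklmnopabcdefghijklmnop": {"location": 4,
          "manifest": {"name": "Coupon Helper"}}}}
}
""")


def load_profile(path):
    """Parse a real Preferences file from disk (e.g. <profile dir>/Preferences)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for kind, detail in audit_preferences(SAMPLE_PREFS):
        print(f"[{kind}] {detail}")
```

Running it against the constructed sample reports the hijacked homepage, the replaced search engine and the unlisted “Coupon Helper” extension, and nothing for the recognised startup page or the allowlisted extension. A clean profile produces an empty list.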

These tips are part of the National Consumers League’s continued commitment to helping consumers keep themselves safe online. In particular, NCL’s #DataInsecurity Project raises awareness about the need for reforms aimed at better protecting consumer data and calls on our policymakers to act now to strengthen cybersecurity standards.

Announcing the #DataInsecurity Project – National Consumers League

Last December, millions of consumers busily rang up more than $600 billion in holiday purchases. Unfortunately, hackers were also having a field day — at consumers’ expense. We learned that lax security procedures combined with an insecure payment mechanism resulted in as many as 110 million shoppers at retail giant Target having their personal information compromised.

Security researcher Brian Krebs, who first broke the story of the Target breach, recently published a startling set of numbers that demonstrates the impact of this one incident. They include:

  • $200 million – The cost to credit unions and community banks for reissuing 21.8 million credit and debit cards;
  • $18-35.70 – The median price range per card stolen from Target and resold on the black market in the months after the breach;
  • 1-3 million – The estimated number of cards stolen in the Target breach that were sold on the black market and successfully used to commit fraud;
  • $53.7 million – The estimated income that hackers generated from the sale of 2 million cards stolen from Target (at a median price of $18-35.70); and
  • $55 million – The size of outgoing Target CEO Gregg Steinhafel’s golden parachute.

Sobering as these numbers are, they represent the fallout from a single data breach, albeit a massive one. In 2013, the Verizon RISK team reported more than 1,300 data breaches. The non-profit Privacy Rights Clearinghouse, which tracks data breaches, reported that more than 257 million records were compromised last year as well. A recent study by the Ponemon Institute found that the average total cost of a data breach in the U.S. is $5.85 million per incident. The probability that a U.S.-based organization will experience a breach of at least 10,000 records in the next 2 years is 18.7 percent, according to the Ponemon study.

By 2020, annual global data production is expected to hit 35 zettabytes (or 35 trillion gigabytes). This data explosion will power unfathomable changes to consumers’ daily lives. However, the existence of that much data – much of it personal and very valuable to malicious actors – demands stronger security practices. Federal agencies like the FTC are doing yeoman’s work to hold companies to account for lax data security. But the FTC’s authority in this area is being questioned in the courts, and case-by-case adjudication is unlikely to sufficiently address the larger problem. Organizations like the National Institute of Standards and Technology have developed voluntary frameworks for cybersecurity, but companies and other entities are not compelled by law to adopt them. Standards bodies like the PCI Security Standards Council have industry backing, but their standards are sector-specific.

While no one can wave a magic wand and solve the problem of data security, more can and should be done in Congress to give enforcement agencies the tools they need to protect consumer data and prod industry to make data security a top priority.

That is why we are announcing today the launch of the NCL #DataInsecurity Project. We are calling on policymakers in Congress, federal agencies and the states to be champions for data security. For too long, policy inertia has prevented meaningful reform on Capitol Hill and elsewhere that would better protect consumers’ data. There are a number of promising bills currently pending in Congress, but more can and must be done. Pro-consumer steps to enhance data security include:

  • Creating a national data breach notification standard, modeled on strong state protections such as California’s;
  • Requiring businesses that maintain consumers’ personal data to protect that information via specific data security requirements;
  • Giving the Federal Trade Commission and state Attorneys General civil penalty authority to enforce violations of data security requirements;
  • Increasing civil and criminal penalties for malicious hacking;
  • Increasing efforts to enhance cooperation with international partners to bring overseas hackers to justice;
  • Requiring retailers and banks to implement the highest level of security available to protect consumers’ payment data.

In an era when vast amounts of data are being collected about them, consumers must have confidence that their information is safe. The Target breach was a wake-up call. We can no longer sit idly by while sophisticated hackers steal with impunity and businesses accept the status quo as just another cost of doing business. The time for reform is now.

Mega-breaches and the importance of the Wyndham decision – National Consumers League

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Consumers can be excused for not following the minutiae of U.S. district court decisions, but developments this week in New Jersey marked an important victory for data security. On Monday, Judge Esther Salas allowed a lawsuit brought by the Federal Trade Commission against Wyndham Worldwide Corp. (the parent entity of Days Inn, Howard Johnson’s and Ramada, among other hotel chains) to move forward.

From 2008 to early 2010, hackers breached Wyndham’s computer network, stealing credit and debit card information of approximately 500,000 customers. In 2012, the FTC sued Wyndham for the company’s alleged failure to adequately protect its customers’ information from theft. To date, the FTC has settled more than fifty similar cases resulting from businesses’ failure to put in place reasonable data security measures. However, in the Wyndham case, the company is challenging the FTC’s authority to regulate corporate data security practices. This is important because the FTC is the only federal regulator charged with holding companies accountable for failure to protect their customers’ data. Had Judge Salas agreed with Wyndham, it would have threatened to eliminate the FTC’s authority to hold companies to account.

The importance of Judge Salas’ decision was put in stark relief yesterday when security firm Symantec published its latest Internet Security Threat Report. The report, one of the most comprehensive security assessments in the industry, didn’t mince words when it called 2013 the “Year of the Mega Breach,” when “cybercriminals unleashed the most damaging series of cyberattacks in history.” Headlines from the report include:

  • 91% increase in targeted attack campaigns in 2013
  • 62% increase in the number of breaches in 2013
  • Over 552 million identities were exposed via breaches in 2013
  • Spear-phishing campaigns saw a 91% rise in 2013
  • 38% of mobile users have experienced mobile cybercrime in past 12 months
  • 8 of the breaches in 2013 exposed more than 10 million identities each
  • 1 in 8 legitimate websites have a critical vulnerability
  • 500% increase in ransomware scams in 2013

The Symantec numbers are just the latest in a string of warnings coming out of the cybersecurity community about the growing threat from hackers. For example, Tuesday also marked the end of Microsoft’s support for the Windows XP operating system, which may still be installed on nearly 28 percent of desktop computers, as well as ATMs and government computer systems. Reports indicate that this could result in a field day for hackers as remaining security vulnerabilities in the operating system are exploited without any patches to come. News about a major vulnerability in the widely used OpenSSL security technology could expose the two-thirds of websites that run it to hackers. And those are just the warnings coming out this week!

While Monday’s decision in the Wyndham case was encouraging, the issue is far from resolved. Wyndham has stated that it will continue to challenge the FTC’s authority to regulate companies’ data security practices. This means consumers are still in danger of losing the most important data security cop on the beat. Given the constant stream of data security warnings, it’s imperative that uncertainty about the FTC’s ability to regulate data security be addressed. A number of bills currently pending in Congress would do just that. The FTC should also convene a workshop to examine the issue in depth, as NCL and others suggested last month.

To be clear, there isn’t just a cybercrime wave going on right now. What consumers and businesses across the country are experiencing is more like a cybercrime tsunami. Policymakers in Washington need to make sure the FTC can continue to respond to this threat before we’re all washed away.

FTC report shines light on continuing problem of ID theft – National Consumers League

In the world of fraud fighting, the release of the Federal Trade Commission’s Consumer Sentinel Data Book is something of a wonky holiday. Yesterday was no exception, with the agency publishing the annual report, which examines trends in the 2 million-plus complaints the FTC receives annually. The headline of the report was depressingly familiar: identity theft continued to be the biggest driver of complaints to the FTC for the 14th straight year.

This trend is one of the reasons NCL produced our State of Identity Theft in 2013 report last year, which examined the continuing threat of ID theft and why we are making the issue of data insecurity a top priority in 2014.

Looking deeper into the Sentinel data, some additional interesting trends and questions come to light, including:

  • Does youth correlate with risk of identity theft? The FTC noted that 20% of ID theft complaints came from consumers aged 20-29, who comprise only 13.8% of the population. There is also a steady reduction in ID theft complaint rates as consumers get older. For example, 8% of ID theft complaints come from consumers aged 70-plus, which is consistent with their overall 9% distribution in the population. An open question is whether identity theft risk decreases as consumers age or whether the correlation is due to an increased likelihood that younger consumers will report identity theft.
  • The telephone is scammers’ contact method of choice. While recent news has been dominated by stories about high-tech data breaches, it appears that scammers are returning to a somewhat old-fashioned tool: the telephone. Last month’s Fraud.org Top Ten Scams report noted that telemarketing fraud was making a major comeback, with 36% of complaints mentioning the telephone as the method of contact. The FTC’s new data confirmed this, finding that 40% of complaints cited the telephone as the method of contact. The telephone is now the preferred method of contact for scammers, overtaking email for the first time since 2011. Congress is taking notice as well. In December, a bipartisan group of legislators introduced the Anti-Spoofing Act, which would crack down on scammers disguising their calls by altering Caller ID information.
  • Scammers shifting technique in “grandparent’s scams.” Con artists have long used the story of a loved one in distress to defraud consumers, particularly older adults. Also known as the imposter scam, this fraud starts with the fraudster calling a victim with an urgent appeal for funds to help a friend or family member in need. For example, the scammer might claim that a beloved grandson was in a car accident overseas and needs money to pay a hospital bill or to get bailed out of jail. More than 121,000 consumers reported an imposter scam to the FTC in 2013, an increase of more than 36,000 complaints since 2012. The scam is evolving as well. Whereas fraudsters used to impersonate a friend or family member, they are increasingly claiming to represent a business or government official.
  • Encouraging signs in the fight against lottery scams. For the second year in a row, complaints about this type of fraud have decreased (down by more than 10,000 complaints since 2011). Thanks in part to consumer education campaigns like DeliveringTrust.com, growing awareness of these scams seems to be having an impact.

More than 2.1 million complaints were filed with the FTC in 2013, with reported losses of more than $1.6 billion. Given that fraud is a chronically underreported crime, we should assume that many millions more consumers were harmed. As we prepare to mark National Consumer Protection Week, this new data should serve as a reminder of the immense toll that fraud takes on U.S. consumers.

This data should push all of us — anti-fraud advocates, law enforcement, policymakers and everyday consumers — to redouble our vigilance in the fight against scammers.

It’s time for broadcasters to step up on deceptive advertising – National Consumers League

If you’ve turned on the television or radio recently, chances are that you’ve heard at least one advertisement that made you sit up and say “what the…?” From bogus weight-loss products, to suspicious tax “advice” firms, to “free” cruises to the Bahamas, it often seems difficult to avoid ads that are misleading, if not outright fraudulent. At the federal level, the Federal Trade Commission (FTC) is charged with protecting consumers from unfair and deceptive advertising.

Over the years, the agency has brought hundreds of cases against companies that have made dubious claims in their advertisements. In addition, in cases where there is evidence of fraud the FTC can also shut down operations under its “unfair and deceptive acts or practices” authority. State attorneys general also have authority to go after deceptive advertising and fraudulent operations.

Unfortunately, given the limited resources at their disposal, regulators are often only able to go after the most egregious cases of deception and fraud. The result? Ads for all kinds of deceptive and fraudulent products and services continue to proliferate on the public airwaves and on cable TV.

So what can be done to better police the airwaves for deceptive and fraudulent content? As part of its recent enforcement action against four bogus weight-loss companies, the FTC sent a letter to publishers and broadcasters asking them to refer to the FTC’s guidance on spotting phony weight-loss claims when advertisers submit ads.

While this action is a step in the right direction, we think the broadcasting and publishing industries can and should do more to vet the ads they run before they run. The FTC has largely steered clear of putting pressure on publishers and broadcasters to take this common-sense step. The Commission’s last significant effort on this was back in 2003, when former chairman Tim Muris asked cable television advertisers to strictly screen weight-loss ads.

As the Washington Post’s Lydia DePillis noted in a recent article on this topic, publishers and broadcasters usually cite two big reasons for resisting ad screening: their First Amendment right to publish and broadcast what they wish and the expense of setting up a screening program. With the proliferation of Internet-based advertising, the problem becomes even harder to control.

That said, we don’t think that these excuses are reason enough for the industry not to even try. Consumers tend to trust the ads they see on the radio or on television to a greater extent than online ads. When a fraudulent or deceptive ad runs, it undermines confidence in the advertising industry generally. More concretely, when a deceptive advertiser goes under due to enforcement actions, it can leave media outlets holding the bag. For example, when “tax resolution” company TaxMasters went bankrupt in 2012 after being investigated by the Texas Attorney General’s office, it owed CNN and Fox News Channel more than $3.5 million in unpaid advertising.

Doing a better job of screening out deceptive ads is not only the right thing to do from a public interest point of view, but it makes good business sense too. That being the case, why aren’t more companies doing it? Consumers deserve no less.

Shoppers deserve trust and security from our biggest retailers – National Consumers League

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Imagine that you’re the CEO of Target today. As one of the 25 most admired companies in the world, consumers’ trust in your brand is paramount to your success. Over the past week you’ve learned that your company is the victim of one of the largest retail data breaches in U.S. history. Cyber thieves compromised 40 million consumers’ credit and debit cards. To add insult to injury, the breach happened during the height of the holiday shopping season – the most important month in your company’s calendar.

With every media story about the incident, each outraged consumer Facebook comment and critical tweet, that trust is eroded. It’s clear that Target is facing a public relations nightmare. How it reacts will determine how much faith consumers continue to place in the brand. Unfortunately, the advice consumers are getting from the company so far is depressingly familiar: monitor your credit and debit card statements, keep an eye on your credit report and report irregularities promptly. This is the advice consumers hear after virtually every data breach. Is the increasing number of data breaches just something that consumers need to get used to?

In a recent article about the Target breach, Mark Rasch, a former U.S. prosecutor of cybercrime, said, “Most of these attacks are just a cost of doing business.” As advocates for consumers, we categorically reject the notion that the status quo is an acceptable outcome. We must not accept a marketplace where consumers are asked to make ever more data available to more entities but are stuck with the consequences when those entities fail to protect our data. We think that the government and private sector can and should do more to protect the vast amounts of sensitive data that they are collecting from consumers. This is not a new issue.

For decades, data security experts have discussed ideas about how to improve the situation. At its core, consumer and business data is the focus of a never-ending arms race between those who want to protect consumer data and those who want to steal it for fraudulent uses. Just as no bank can ever be 100% secure from a robbery, no data can ever be 100% secure from a breach. However, consumers should be able to rely on a certain basic level of data security. Unfortunately, that is exactly what we lack today. Shockingly, there is no single law in the U.S. that mandates the steps businesses must take to protect their customers’ data. Instead, consumers are reliant on precedents set by Federal Trade Commission enforcement actions.

Since 2000, the FTC – under its “unfair and deceptive acts or practices” authority – has brought nearly fifty data security cases against companies whose data security practices (or lack thereof) have put consumers at risk. However, that authority could be taken away if the FTC loses in two closely watched court cases. Should the FTC lose, consumers will be left without one of the most important watchdogs in this fight. Consumers should not be left to fend for themselves against the legions of sophisticated and organized data thieves. The Target breach, and the daily smaller breaches that go unreported, should serve as a wake-up call for legislators and regulators that data security reform is urgently needed.

Did you know another American falls victim to ID theft #every3seconds? – National Consumers League

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

NCL’s “State of ID Theft” Conference To Put National Spotlight on Continuing Problem

For thirteen years, the crime of identity theft has generated more complaints to the Federal Trade Commission than any other fraud. In 2012, more than 12 million Americans were affected by identity theft, costing the U.S. economy $20.9 billion. Every three seconds, a consumer’s identity is compromised by this pernicious crime.


Seven years ago, President George W. Bush, recognizing the seriousness of the threat of ID theft, created the federal Identity Theft Task Force. Made up of eighteen federal agencies, the task force was charged with implementing a range of recommendations to address the threat of ID theft. The task force made thirty-one recommendations, from reducing the use of Social Security Numbers by federal agencies, to improving coordination by law enforcement, to passing a national data breach notification standard, to name a few. The implementation of these recommendations by the federal government, as well as improved anti-fraud procedures in the private sector, have done much to make life harder on ID thieves.

Despite these advances, ID theft is still a major threat to consumers, business and the government. According to one conservative estimate, more than 1.1 billion records have been compromised by identity theft. Data breaches, which put information on millions of consumers in the hands of fraudsters, are still occurring at a rate of at least one per day.

Just as troubling, it appears that we may be on the cusp of a new wave of ID theft. With ever larger amounts of data being collected about consumers by government and the private sector, data breaches become more likely. Identity thieves are shifting towards scams that are harder to detect, such as tax-related ID theft and medical ID theft. And the criminals themselves – often located overseas – are becoming more professional and organized.

How will these new factors affect consumers’ vulnerability to identity theft? What can we learn from the last seven years of fighting this problem? What should consumers expect from regulators, law enforcement and the private sector as this crime evolves?

To examine these and other questions, the National Consumers League will be hosting our first State of ID Theft conference on December 12 in Washington, DC. The event will bring together some of the brightest minds in the country for panel discussions examining the continuing threat of ID theft and what can be done to better protect consumers. Headlining the conference will be a lunchtime conversation between FTC Chairwoman Edith Ramirez and former Chairwoman Deborah Platt Majoras, who co-chaired the federal Identity Theft Task Force from 2006-08.

Registration is free but space is limited. Please RSVP here. For more information please contact John Breyault at johnb@nclnet.org.