2016 | Q1 Newsletter | Q & A with Health Advisory Council Members
Leily Saadat-Lajevardi
Senior Manager, OTC Appropriate Use, Johnson & Johnson Consumer Inc., McNeil Consumer Healthcare Division
Q. What is your role?
A. I manage our over-the-counter (OTC) medicine appropriate use efforts and initiatives. The mission of our group is to empower consumers to make the best choices for their OTC self-care by providing them with the necessary information and tools.
Q. Tell us about some of your current initiatives.
A. We have several appropriate use initiatives, some that are internally led by Johnson & Johnson Consumer Inc. while others are led by external partners such as NCL. An example of an internal initiative that we launched in Q4 2015 is Every Label Every Time. This initiative is designed to educate consumers about the appropriate use of OTC medicines and the importance of reading and following all medication labels. The campaign highlights recent findings from a new survey of more than 2000 U.S. consumers such as the finding that only one in five consumers re-read the label of an OTC medicine they have used before.
An example of a current external initiative is the LifeSmarts program through our NCL partnership. Johnson & Johnson Consumer Inc. is a supporter of the development of the “Health and Safety” section of LifeSmarts U. As a healthcare company, we believe in the importance of educating future medicators and young adults about the responsible use of medicine.
Q. What is Johnson & Johnson Consumer Inc. doing to change the way people think about and approach healthcare?
A. Some consumers believe that OTC medicines are completely safe and can do no harm. OTCs are safe when used as directed, but if they are not used according to the label, they can cause harm. Our goal is to provide at-risk consumers with a “wake-up call” to choose and use OTCs appropriately so that they and their loved ones can get effective relief safely.
Q. What do you value about membership in NCL’s Health Advisory Council?
A. I value the exchange of ideas and dialogue between the Council members. In the future, I hope there will be more opportunities for partnering with Council members on appropriate use initiatives.
Q. Tell us about some of your partnerships.
A. Research shows that children begin to self-medicate around 11 years old. Unfortunately, when not equipped with the knowledge and information to make safe choices, adolescents may end up doing more harm than good. In 2014 alone, 140,000 cases of medicine exposures reported to poison centers involved children ages 6 to 19.
With this need in mind, Johnson & Johnson Consumer Inc. has supported the development of a free, evidence-based educational program for 5th and 6th graders, focused on medicine safety. The objective is to build a more responsible future medicating population and to build a healthy respect for all medicines, including OTCs, by teaching adolescents at an early age.
The program, “OTC Medicine Safety,” was developed and refined with the help of an expert panel, qualitative testing with teachers and students, and quantitative testing with over 1,200 students. In its fifth year, the program includes comprehensive resources for teachers, school nurses, community leaders, and parents – all of which play a critical role in helping tweens learn about responsible OTC medicine use and storage. All resources are completely free and available online.
Nelufar Mohajeri
Director, Global Stakeholder Engagement, U.S. Pharmacopeial Convention (USP)
Q. Tell us about your work at USP.
A. USP’s mission is to improve global health through the development of public standards and related programs that help ensure the quality, safety, and benefit of medicines and foods. For almost 200 years, USP has developed an extensive network of stakeholders and partners that engage with us to advance USP’s work of setting quality standards for medicines, foods and dietary supplements.
My work at USP focuses on how USP collaborates and engages with a diverse community of stakeholder organizations to impact the public health landscape in the U.S. and abroad. These stakeholders include academic institutions and associations, consumer organizations, governmental bodies, non-governmental bodies, manufacturers, trade associations and professional and scientific associations.
Our interactions with these stakeholders gain in complexity as we engage them in our functions at USP – developing quality standards, advocating for patient safety and safe medication use or promoting global public health, for example – and learn how to find the intersects in mission with these organizations and how to walk shoulder to shoulder as partners to advance policies, agendas, and activities.
Q. What do you love about your job?
A. I have been at USP more than seven years, and there are three distinct areas that fuel my passion for the organization. USP was founded by scientists and practitioners who were passionate about ensuring the quality of medicines for their patients. That passion continues today with a community of more than 1,000 experts who work closely with nearly 1,000 USP scientists and staff to ensure the quality and safety of medicines, dietary supplements and food ingredients in the U.S. and many other countries.
A second remarkable aspect of USP is its programs that are little known to the public, but have tremendous impact on global health, such as the Promoting the Quality of Medicines program, a collaboration with the U.S. Agency for International Development (USAID) to build regulatory capacity in many countries. Through this program, USP is working with health authorities and collaborators worldwide to address supply chain issues as well as counterfeit and substandard medicines that plague so many nations.
Another little-known program is the Dietary Supplements Verification program, which is a voluntary program for manufacturers of dietary supplements and dietary supplement ingredients to verify the quality of their products.
The third aspect of USP that inspires me is the diversity of staff. At USP, you will find staff representing many different nations. This diversity adds a unique nuance to the collaborative manner in which we work so that different perspectives inform our discussions, our work and our learnings.
Q. What is USP’s role in the public health sector?
A. Scientifically based, public quality standards, like those published in the U.S. Pharmacopeia-National Formulary (USP-NF), have helped ensure the quality and consistency of drugs and drug ingredients sold in the United States for almost two centuries.
Uniform public standards, such as USP’s, make it clear to everyone in industry and regulatory bodies what quality is expected of ingredients and products and what test methods are appropriate to determine whether that quality exists.
Although our standards are referenced in U.S. law, we are not part of government. Our standards are established by experts coming from diverse backgrounds – industry, regulatory agencies, academia and practitioner groups. USP’s experts and staff develop quality standards that provide a uniform point of reference for regulators, manufacturers and consumers.
Q. What public health initiatives is USP currently working on?
A. One example is the work we have developed on prescription container labeling. According to the Institute of Medicine (IOM), 77 million Americans have limited health literacy, and a majority of Americans have difficulty understanding and using health information and services. In 2007, USP started working on a standardized prescription container label with experts in patient safety, health literacy, pharmacy, medicine, human factors research and labeling technology. The goal of the standard (now called General Chapter <17>) was to organize labels in a patient-friendly way, using explicit language to describe dosages and intervals; improve readability with clear formatting; and address those with visual impairments and those with limited English comprehension.
At its 2012 annual meeting, the National Association of Boards of Pharmacy passed a resolution supporting state boards in requiring a standardized prescription container label. As with other healthcare quality standards, enforcement of General Chapter <17> is the decision of individual state boards of pharmacy, which may choose to adopt it into their regulations.
Another public health initiative USP has been engaged in for the past several years is promoting quality standards for dietary supplements. Approximately half of the American population consumes vitamins, minerals or other dietary supplements as part of their health regimen. Yet, because the regulations on dietary supplements are different than those for medicines (dietary supplements are regulated as foods), the quality and safety of these products is often put into question, with frequent reports of products connected to patient harm.
In 2001, USP started its USP Verified program for dietary supplements, which guarantees consumers of these products that what’s on their labels is inside the bottle; that the ingredients are present in the right potency and amount; that the products don’t contain harmful levels of contaminants; and that the products were made according to FDA and USP guidelines, using good manufacturing practices.
The program is voluntary for manufacturers, but we believe that choosing a product with the “USP Verified” Mark on the label provides consumers with an added assurance that the supplement recommended by their physician is of high quality.
Q. What do you value about USP’s participation in the Health Advisory Council?
A. USP’s engagement with the National Consumers League (NCL) and its Health Advisory Council is an important aspect of my work. NCL is a critical organization in the healthcare landscape because of its important work in representing consumer perspectives. Being at NCL’s table is important for USP because it gives us the opportunity to raise awareness of quality medicines, dietary supplements and food ingredients directly to patients and consumers.
The #DataInsecurity Digest | Issue 20
Issue 20 | May 10, 2016
By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud
Editor’s Note: It was another “banner” week for data breaches, with hundreds of millions of compromised email account credentials discovered in a trove made available by a Russian hacker. While the bulk of the cache was for Mail.ru accounts, tens of millions corresponded to Gmail, Yahoo!, and Hotmail accounts. And if that wasn’t enough, we’re hearing about tens of millions of other accounts from online dating services Zoosk and Fling.com, and virtual pet community Neopets, being leaked. If you missed World Password Day last week, hopefully this news is the kick in the pants you need to get serious about enabling multi-factor authentication and stop reusing those passwords. But don’t take our word for it, Betty White says MFA is good for you too!
In other data security news, we missed the publication of the bellwether Verizon Data Breach Investigations Report last issue, but never fear! We have the TL;DR version for you in this, our 20th edition of the #DataInsecurity Digest. Finally, don’t forget to read my USA Today piece on the link between the rise in unwanted software infections and identity fraud risk!
And now, on to the clips!
—————–
Should the FTC take a closer look at the unwanted software problem? You may have noticed a familiar byline in USA Today last week. *smile* The link between unwanted software — the source of many of those annoying pop-ups consumers see online — and identity fraud is something consumer groups urged the FTC to investigate earlier this year. I write: “…the greatest danger of unwanted software is that it often disables security updates to computer operating systems, Web browsers or other essential software like anti-virus tools. This leaves consumers’ computers especially vulnerable to malware infections, dramatically raising the risk of fraud such as identity theft.” (Source: USA Today)
272.3 million compromised email credentials discovered on cyber black market. Milwaukee-based @holdsecurity has identified more than 272 million unique compromised email accounts on an online Russian black market, including tens of millions of Gmail, Yahoo!, and Hotmail accounts. The firm, which has played a role in uncovering breaches at JPMorgan, Adobe, and elsewhere, identified the credentials as part of a cache of 1.1 billion records on offer from a Russian hacker. @auchard has the story for Reuters: “Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web. … Hackers know users cling to favourite passwords, resisting admonitions to change credentials regularly and make them more complex. It’s why attackers reuse old passwords found on one account to try to break into other accounts of the same user.” (Source: Reuters)
Even more accounts hacked – 57.2 million accounts for sale on dark web. Another hack, unrelated to the Russian hack, came to light last week. While as yet unconfirmed, signs point to much of the data coming from online dating service Zoosk. @zackwhittaker has the story for ZDNet: “Hackers last year quietly stole a database containing the details of over 57 million people. The breach has only come to light this week, after the stolen data was put up for sale on the dark web. The breach data contains data spanning three years between 2012 and 2015, including usernames, email addresses, and passwords that were hashed with the MD5 algorithm, which nowadays is easy to crack. Many cell phone numbers and Facebook usernames are also in the cache.” (Source: ZDNet)
Neopets allegedly hacked, too. Virtual pet community Neopets is also getting some unwanted attention over allegations that it lost tens of millions of users’ account credentials, possibly dating as far back as 2014. While details are still sketchy, users typically provide an email address and a limited amount of personal information, such as their gender, country, state, and date of birth, during the sign-up process. Neopets has more than 90 million users, many of whom are young children. (Source: Motherboard)
40 million credentials from Fling.com for sale on the dark web too. Motherboard’s @josephfcox’s “Another Day, Another Hack” column is quickly turning into required reading. Last week, he also broke news about a breach at adult dating site Fling.com that may have exposed 40 million records containing “email addresses, usernames, plain text passwords, IP addresses, dates of birth, and more.” According to Cox, “[r]ecords also indicated whether the account was a free or paid version, and what gender and sort of relationships the user was interested in, such as ‘fetish,’ ‘group sex,’ ‘online flirting,’ or ‘other.’” (Source: Motherboard)
NCSA: As if you needed another reason to turn on multi-factor authentication… The Russian email hack news broke, appropriately, on World Password Day. Our colleagues at @StaySafeOnline are using the opportunity to remind everyone that the email address/password combination is no longer safe enough to protect your accounts. Turn on multi-factor authentication! Writes @MKaiserNCSA: “Logging on multiple times daily to our most frequently used accounts seems like second nature, but incidents like this remind us of the need to be vigilant in protecting our personal online information … A simple, critical first step in this process is securing all email, social media and financial accounts, by making use of available security tools such as multi-factor authentication that provide an additional layer of protection and make it significantly harder for accounts to be accessed by others.” (Source: National Cyber Security Alliance)
Dessert: Even Betty White is getting into the safer password game! Everyone’s favorite Golden Girl is getting in on the multi-factor game. If you watch one thing today, it should be Betty saying “passwords … they annoy the [bleeping] heck out of me.” (Source: Passwordday.org)
TONIGHT: Politico Cocktails and Conversation event focusing on health care breach risk. A tip o’ the cap to @dandiamond of POLITICO Pulse for alerting us to their great event tonight looking at medical privacy in the age of cyber attacks. The panel will include Brookings’ @niamyaraghi, who recently examined the link between the federal government’s meaningful use program and the growth in healthcare data breaches. (RSVP here. Doors open at 5:15pm at the District Architecture Center – 421 7th St. NW Washington, DC).
Republican Study Committee: IRS breach another reason to shut down agency. Last year’s breach at the Internal Revenue Service is now fodder in conservative Republicans’ quest to shut down the agency. (Source: Forbes)
Heritage: Obama cybersecurity policy efforts “Too Little, Too Late.” The conservative Heritage Foundation is also taking aim at cybersecurity lapses by the Obama Administration. David Shedd writes that the president’s Cybersecurity National Action Plan will do little to address the weaknesses that led to breaches at OPM and the Department of Energy: “I agree with the president as to the need for a national cybersecurity plan. Unfortunately, the evidence points to years of cybersecurity complacency and outright incompetence. The poor-to-failing cybersecurity grades across all federal agencies illustrate that this administration does not have a ‘record of boosting cybersecurity.’ Why should we be confident that this administration will follow through?” (Source: TNS)
Verizon Data Breach Investigations Report points the finger at us humans. One of the key dates on the calendar for data security geeks like us is the annual publication of Verizon’s Data Breach Investigations Report. The report is a must-read. Topline threats continue to include methods that rely on human fallibility – phishing, exploiting weak passwords, and ransomware. “You might say our findings boil down to one common theme — the human element,” said Bryan Sartin, executive director of global security services, Verizon Enterprise Solutions. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?” (Source: Verizon)
Myers: Paying ransomware crooks only makes the problem worse. @LysaMyers, a security researcher for the ESET firm, took to the pages of Passcode to chide those who would pay ransomware scammers to decrypt their files. Writes Myers: “To be sure, it’s a tough decision whether to pay or risk losing data. But paying should never, ever be the first, second, or even third option. There’s something wrong if the working assumption is that businesses, organizations, or individuals just pay without working on a solution to recover the data on their own – or just decide they are going to live without those pictures, files, and documents. And anyone with viable backups should greet cybercriminals’ ransom demands with a smug scoff, and then quickly restore affected files.” (Source: Passcode)
Upcoming events
June 15 – FTC Start with Security – Chicago – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.
National Consumers League
Published May 10, 2016
The #DataInsecurity Digest | Issue 19
Issue 19 | April 27, 2016
By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud
Editor’s Note: If you’re a registered voter, it’s time to start worrying about the data that election authorities have about you. Coming on the heels of mega-breaches of voter information in Turkey and the Philippines, authorities in Mexico have confirmed that personal information on all 87 million Mexican voters has been leaked. With U.S. elections around the corner, it’s time to ask how American voters’ information can be secure, given the fact that the government sector just came in dead last in a survey of cyber vulnerabilities.
Is having your personal information hacked a turn-off? The 1.1 million users of beautiful people-only dating site BeautifulPeople.com are about to find out. Given the continued sorry state of data security in the U.S. and elsewhere, it should come as no surprise that 423 million identities were exposed by breaches in 2015, according to Symantec.
In other breach news: Tennessee just got rid of its breach notification law’s encryption safe harbor, making the state’s law the toughest in the country. If you sue mega-breach victim Anthem for damages stemming from the hack, be prepared to have them try and search your computer for security vulnerabilities. Finally, if you’re a Windows user who is still relying on Quicktime as your video player, it’s time to uninstall the old standby, since Apple will no longer be shipping security updates.
And now, on to the clips!
—————–
Symantec: 423 million identities exposed by breaches in 2015. According to security firm Symantec’s annual Internet Security Threat Report, data breaches continue to expose hundreds of millions of consumers to a heightened risk of identity theft. Among the other worrisome findings: a new zero-day vulnerability was discovered every week in 2015, a 125 percent increase from 2014. Other lowlights: more than three-quarters of all websites had unpatched security flaws and the company noted a 35 percent increase in ransomware (H/T @timstarks). (Source: Symantec)
Every Mexican voter just got breached. Security researcher Chris Vickery is at it again. This time, he’s discovered that the entire electoral register of Mexico—names, parents’ names, addresses, and voter registration numbers of 87 million people—was accessible on Amazon Web Services without even a password. Writes @AdamShepherdUK, “While any leak of personal data is bad, this particular example is especially dangerous, according to officials. This is due to Mexico’s problems with kidnapping and gang violence, which could be exacerbated by the revelation.” (Source: CloudPro)
Breached Filipino voter data now searchable online. Last month’s epic hacking of the voter registration system in the Philippines, which exposed more than 55 million citizens, just got worse. That’s because the hacked data—including full names, addresses and passport numbers, fingerprint data, height and weight of voters and maternal and paternal names—is now easily searchable. (Source: WIRED.co.uk)
Are you still beautiful if you get hacked? Dating site BeautifulPeople.com, which bills itself as an “exclusively beautiful community” just lost some of its attractiveness. Data on 1.1 million members, including names, email addresses, encrypted passwords, private messages, geo-location information, and over 100 other individual data attributes such as sexual preferences, drinking habits, hobbies, and favorite movies has ended up on the Dark Web. Writes @campuscodi, “The BeautifulPeople is infamous online because, for many years, it advertised itself as a dating and meeting website for “beautiful people” only. All users had to go through a manual approval process where other site users would vote if they were attractive enough to join the site. In 2009, BeautifulPeople operators were bragging about rejecting 1.8 million from their site. Also, as people aged, lost hair, or gained weight, the website’s staff also regularly removed members deemed not beautiful enough.” (Source: Softpedia)
Quick hit: Ashley Madison class-action plaintiffs must identify themselves, says judge. Something tells me this may limit the number of people willing to come forward. (Source: Reuters)
RAND: Is “breach fatigue” not all it’s cracked up to be? New research from RAND Corporation finds that about a quarter of American adults reported receiving a data breach notification in the past year. However, only 11 percent of those notified said they would stop doing business with the breached entity. And, despite claims by some policymakers that breach notification laws lead to “breach fatigue,” @sciencedaily says the research suggests otherwise. “Surprisingly, 62 percent of consumers reported they accepted offers of free credit monitoring. This counters claims made by others that consumers are experiencing “breach fatigue” — where consumers become desensitized to the notices and either discount them or ignore important information contained in the notices.” (Source: ScienceDaily)
Anthem wanted to search breached plaintiffs’ computers for security flaws. One of last year’s mega-breaches was at insurer Anthem, which exposed 80 million customers’ records. Now, Anthem is trying to shift the blame for harm potentially stemming from the breach on to affected consumers themselves. Writes @HallSd, “Anthem faces multiple lawsuits after a data breach that compromised information for 80 million customers, though it contends that no fraudulent activity has been linked to the breach. Plaintiffs argue otherwise. … Meanwhile, attorneys for Anthem tried to get permission to search the plaintiffs’ computers for security flaws that could have led to identity theft or fraud. The federal court rejected that motion.” (Source: FierceHealthIT)
FBI backs off latest effort to circumvent Apple’s encryption. The FBI’s decision to abandon its efforts to force Apple to break its iPhone encryption in a New York case signals that the FBI is no closer to solving its encryption woes than before. Writing for @verge, @russellbrandom takes a look back at the last few months of Bureau misadventures in court. He writes “The only win the FBI has from the past three months is a secret new method for unlocking iPhones, disclosed to the agency at the close of the San Bernardino case — but in the weeks since then, each new piece of news has made the FBI’s hack look worse. … The FBI’s retreat on Friday means that decision stands, which is bad news for anyone hoping to compel tech companies to unlock their products.” (Source: The Verge)
New Tennessee breach notification law removes encryption safe harbor. Given the states’ role as leaders in data breach notification and data security standards lawmaking, it will not be surprising to see groups taking a cue from Tennessee’s new data breach notification law, which will cover breaches of unencrypted AND (for the first time) encrypted data. The law will also add Tennessee to the list of states that mandate a specific time period after a breach is discovered for notice to occur. In Tennessee’s case, the deadline will be 45 days after the breach is discovered. (Source: Davis Wright Tremaine)
Tennessee breach notification law now toughest in the country, could be a model. By removing its encryption safe harbor and mandating a 45-day notification deadline, Tennessee’s new breach notification law makes it the toughest such law in the country, according to legal experts. Writes Jennifer Williams-Alvarez: “Though the law doesn’t require notice without question in all circumstances, it’s clear that companies storing Tennesseans’ information have more to think about when it comes to a data breach. Tennessee is now ‘making a distinction’ between strong and weak encryption, says J. Matt San Roman of Wyatt Tarrant & Combs. That distinction ‘is not being made in other states,’ he says. Many states are putting heightened requirements on companies hit with breaches, so Tennessee’s new law could be a model. ‘It wouldn’t surprise me to see other states following suit,’ says San Roman.” (Source: Corporate Counsel)
Nebraska’s breach notification law gets an update too. Nebraska Gov. Ricketts last week signed into law a modification to the state data breach notification law. The amended law will now include user name and email address in combination with a password or security question in the definition of “personal information.” The new law also requires notification of the state Attorney General and strengthens the definition of “encrypted” information. (Source: Kelley Drye)
Survey: 47 percent of broadband households concerned about security of connected devices. As consumers embrace the coming world of connected devices, security is a top concern. Writes @ParksAssociates “47 percent of U.S. broadband households are concerned their private information stored on connected devices could be made public. Another 47 percent are worried companies will sell their personal information.” (Source: Parks Associates)
Report: Government sector dead last in cybersecurity. President Obama’s cybersecurity planners have a big job ahead of them, according to risk benchmarking startup SecurityScorecard’s new report. According to @Reuters, “U.S. federal, state and local government agencies rank in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare … [t]he analysis … measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on a public social network.” (Source: Reuters)
Should OPM provide free credit monitoring for life and pay for credit freezes? The breach at OPM exposed incredibly sensitive information of more than 20 million current and former federal employees and federal job applicants. Should OPM be doing more to protect those exposed to a heightened risk of ID fraud because of the breach? Writing in @FedNewsRadio, federal retirement expert Randy Silvey seems to think so. “As I have already alluded to, identity protection should be a LIFETIME free service for anyone that has had their identities compromised due to this wide scale identity assault. It should never be the responsibility of the breach victims to ever pay for this type of service … ever! … OPM should also offer to pay for a personal credit freeze to these injured individuals. This would aid in filling some of the gaps that are apparent in the identity protection service.” (Source: Federal News Radio)
US-CERT to Windows users: time to uninstall Quicktime. As Apple ends support for ubiquitous video player Quicktime on Windows, federal cyber experts are recommending that Windows users delete the software. In an alert @USCERT_gov writes, “Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.” (h/t @BrianKrebs) (Source: US-CERT)
Giant Food requiring gift cards to be paid for with cash or debit because of fraud. Because of a spike in scammers using counterfeit credit cards to purchase prepaid cards (a common way to launder money from stolen cards), Maryland-based Giant Food has started requiring all such purchases to be made with cash or PIN debit, writes @briankrebs. “One of the easiest ways thieves can cash out? Walk into a grocery or retail store and buy prepaid gift cards using stolen credit cards. Such transactions—if successful—effectively launder money by converting the stolen item (counterfeit/stolen card) into a good that is equivalent to cash or can be easily resold for cash (gift cards). … Meanwhile, every Giant I visit still asks me to swipe my chip-based card, effectively negating any added security the chip provides.” (Source: KrebsonSecurity.com)
New exploit targets unpatched Android devices with ransomware. Android malware has typically relied on good old-fashioned social engineering to get consumers to install malicious apps. However, a new breed of ransomware targeting older versions of Android (v.4.0-4.3) requires no user interaction at all. Writes @dangoodin001, “[D]espite the limitations, there are several reasons the attacks represent a threat that’s worth watching. For one, by Google’s own figures, about 23.5 percent of all Android devices remain vulnerable to the attacks, and if Blue Coat version 4.4 users are indeed susceptible as Blue Coat suspects, the percentage jumps to almost 57 percent. Remember, too, that a sizeable portion of vulnerable handsets will never receive an update.” (Source: ArsTechnica)
Quick hit: Even God gets breached sometimes. (Source: SC Magazine)
Upcoming events
June 15 – FTC Start with Security – Chicago – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.
National Consumers League
Published April 27, 2016
The #DataInsecurity Digest | Issue 18
Issue 18 | April 11, 2016
By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud
Editor’s Note: The valuable data held by law firms is increasingly being targeted by hackers. The #PanamaPapers breach news is putting a spotlight on the data security vulnerability of law firms like never before. As more revelations roll in, expect law firms around the globe and those who oversee them to focus on what errors Mossack Fonseca made that allowed the data to leak out.
The FCC’s newly-released proposed rules for broadband privacy and security may be causing some heartburn for ISPs, but it represents a significant shift in a privacy and security debate in Washington that seems to be going nowhere in Congress. Public interest and privacy advocates are lining up to support the new rules while the ISPs are, unsurprisingly, taking a dim view of Chairman Wheeler’s actions. Grab your popcorn, folks!
Yet another Flash zero-day has Adobe scrambling to roll out a patch. Our advice? Just disable Flash (you won’t miss it). WhatsApp’s rollout of end-to-end encryption is a step forward for consumer data protection, but it isn’t the foolproof way to protect yourself that some are suggesting. Finally, we take a look at some surprising numbers coming out on data breach litigation and provide an update on two massive breaches of government databases in Turkey and the Philippines.
And now, on to the clips!
—————–
#PanamaPapers are a lesson for law firms on the need for better data security. Repercussions of the massive leak of sensitive data from Panamanian law firm Mossack Fonseca continue to reverberate around the globe. However, the #PanamaPapers leak is just the latest in a string of law firm breaches, notes @euroinfosec, “Ask hackers why they attack law firms, and their reply – to riff on bank robber Willie Sutton’s famous quip – would no doubt be: ‘Because that’s where the secrets are.’ … Law firms are a prime hacker target because they handle secret details of intellectual property, mergers and acquisitions, and other potentially valuable information.” (Source: Data Breach Today)
More #PanamaPapers fallout: One-quarter of law firms have experienced data breaches. The #PanamaPapers saga is also making HR pros take a closer look at data security, writes @1SHRMScribe, “Experts worldwide are calling the data breach surrounding the so-called Panama Papers—more than 11.5 million documents detailing how hundreds of wealthy people hid money in offshore banks and investments to avoid paying taxes—the biggest data breach in history. … Last year, the American Bar Association reported in its Legal Technology Survey that 1 in 4 firms with at least 100 attorneys have experienced a data breach.” (Source: SHRM)
FCC Broadband Privacy NPRM includes security, breach notification standards for ISPs. While the privacy requirements in the FCC’s proposed rules for ISPs have gotten most of the press, the Commission is also proposing important new data security regulations for broadband providers. The rules would require ISPs to, among other things, appoint a CISO, strengthen customer authentication technology (read: multi-factor authentication), take responsibility for the data security practices of third parties that subscriber data is shared with, and notify customers and law enforcement of breaches. (Source: FCC)
Advocates: ISP rules could be a big win for consumer privacy. Public interest advocates, for the most part, welcomed the FCC’s proposal with open arms as a way to strengthen privacy and security protections in a key part of the Internet ecosystem. @M_F_Rose of Public Knowledge reflected the thoughts of many advocates, writing, “Broadband service providers occupy a unique position in the Internet ecosystem. As gatekeepers to the Internet, they have, by their very nature, access to every bit of data that their customers send and receive online. And, as they move aggressively into advertising markets, they have every incentive to exploit their access to this data and remove all consumer agency in determining where and for what purpose their personal data is used. … This NPRM represents a step forward to protecting consumers’ economic and dignitary rights in their own data.” (Source: Public Knowledge)
But not everyone’s happy with the new rules. The industry reaction to the new rules has been, to say the least, less than welcoming. Jim Halpert of @DLA_Piper reflected the views of many in his analysis of the rules for IAPP: “Unless narrowed in the final rule, the FCC’s proposed rules would create major challenges for privacy professionals with responsibilities for broadband Internet access provider customer data. They would also generate considerable consumer confusion about use of consumer data collected online.” (Source: IAPP)
Adobe rushes to patch Flash vulnerability powering ransomware attacks. If you’re one of the 1 billion users who have Flash installed on your computer, the latest zero-day vulnerability could lead to a big headache. Adobe rushed out a patch this week, but experts are already seeing hackers exploiting the bug. Writes @jim-finkle, “The software maker urged the more than 1 billion users of Flash on Windows, Mac, Chrome and Linux computers to update the product as quickly as possible after security researchers said the bug was being exploited in ‘drive-by’ attacks that infect computers with ransomware when tainted websites are visited.” (Source: Reuters)
Our advice: just disable Flash. Fewer and fewer websites are using it and chances are, you won’t miss it. Here’s a step-by-step guide for disabling flash on all the major browsers.
WhatsApp hops on the end-to-end encryption train… Messaging service WhatsApp is the latest tech company to embrace end-to-end encryption as a way to better protect users’ data. WhatsApp CEO Jan Koum explains the move: “The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us.” (Source: WhatsApp)
…but it’s not all puppies and rainbows, yet. Writing for TechDirt, @glynmoody says WhatsApp’s end-to-end encryption is a good thing, but may not be the privacy and security panacea you might think it is. “[E]nd-to-end encryption is only available if all the participants in a conversation are using the latest version of the software. If one of them isn’t, group chats will be unencrypted. … even with strong, end-to-end encryption in place, the accompanying metadata is still leaking important information about who you are communicating with, and when. … end-to-end encryption does not protect you from malware that is capturing your keystrokes and sending them over the Internet, or from slips like accidentally storing a screenshot of sensitive chats.” (Source: TechDirt)
OECD: Consumer protection laws need updating to improve trust in e-commerce. The OECD is out with new guidance to member countries on improving consumer confidence in e-commerce. “While consumers are increasingly drawn to the convenience and choice of online commerce, concerns about privacy, payment security or legal recourse in case of a problem mean that many others remain wary,” noted the agency. While the OECD recommendations are non-binding they “[put] peer pressure on countries to take action – says businesses should not misrepresent or hide terms and conditions likely to affect a decision to buy or try to conceal their identity or location.” (Source: OECD)
Krebs: Trump Hotels potentially facing another HUUUUGE breach. For the second time in less than a year, the Trump Hotel Collection chain of hotels appears to have a payment system breach on its hands. @BrianKrebs breaks the story: “KrebsOnSecurity reached out to the Trump organization after hearing from three sources in the financial sector who said they’ve noticed a pattern of fraud on customer credit cards which suggests that hackers have breached credit card systems at some — if not all — of the Trump Hotel Collection properties. … The hospitality industry has been hit hard by card breaches over the past two years. In April 2014, hotel franchising firm White Lodging confirmed its second card breach in a year. Card thieves also have hit Hilton, Hyatt, and Starwood properties.” (Source: KrebsOnSecurity)
Krebs (part deux): CEO phishing scams net $2.3 billion since 2013. @BrianKrebs also points us to a new fraud alert from the FBI about a dramatic spike in so-called “CEO phishing” scams that are costing businesses big-time. Writes Krebs: “Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes rarely set off spam traps because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans. … But CEO fraud attacks succeed because they rely almost entirely on tricking employees into ignoring or sidestepping some very basic security precautions.” (Source: KrebsOnSecurity)
Breach litigation cases down 25 percent. Law firm @BryanCaveLLP is out with their annual Data Breach Litigation Report, which examines data breach cases filed in U.S. District courts. Its findings are surprising. Notably, the number of data breach litigation cases filed in the last 15 months is down 25 percent. Only 21 unique defendants were named in those cases and only 5 percent of publicly reported breaches led to class action litigation, despite a huge amount of media attention to the breach issue. (Source: Bryan Cave)
Is increased breach vulnerability being overlooked in the M&A boom? @steve_schick takes a look at one facet of the $4.3 trillion mergers and acquisitions boom of 2015: data security. “One overlooked area for the IT integration of merged or acquired companies is the blind spot that exists in not knowing whether one firm may be connecting to another where a network intruder may have been long hidden, giving an attacker easy access. … Less than 1% of enterprises today have the capability of finding an active attacker that is at work exploring their network and expanding their sphere of control in order to get to valuable assets. This means that the acquirer may be just as in the dark as the acquiree about whether or not intruders are currently in their networks.” (Source: LightCyber)
Not just a U.S. problem: COMELEC breach leaks data on 55 million Filipino voters. A breach of voter registration data in the Philippines is being blamed for leaking voter registration information on tens of millions of Filipino voters. Writes @MikeBueza and @wdmauel: “Information security experts fear that what can be considered as the biggest leak of personal data in Philippine history could result in massive identity theft by preying criminals.” (Source: Rappler)
Turkey, too! 49 million records leaked from citizenship database. @alexhern is covering the story of how hackers leaked records on nearly half of Turkey’s citizens. “A database posted online allegedly contains the personal information of 49 million people on the Turkish citizenship database, potentially making more than half of the population of the country vulnerable to identity theft and massive privacy violations. … On top of the risks of having ID numbers made public, Turks on the database also face the prospect of identity theft purely using the personal information contained within the database.” (Source: The Guardian)
National Consumers League
Published April 11, 2016
The #DataInsecurity Digest | Issue 17
Issue 17 | March 31, 2016
By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud
Editor’s Note: If DC policymakers weren’t attuned to the impact of data insecurity by now, the latest data breach at DC’s own Medstar Hospitals could hit them where it hurts (literally!). A reported ransomware infection all but shut down the system’s 10 DC and Maryland hospitals. Did you get turned away from a Medstar office this week? Let us know at johnb@nclnet.org or @ncl_tweets! The Medstar hack is just the latest in a string of ransomware attacks on hospitals that have highlighted the vulnerability of health care providers’ data security. We won’t attempt to cover all of the FBI v. Apple news this week, except to point out that more than 80 percent of security and privacy pros are worried that an undisclosed vulnerability could threaten everyone’s security, according to Passcode.
In other data security news, Tennessee enacted one of the strictest breach notification laws in the country. “W2 phishing” is the latest vector for fraudsters who are ramping up for tax ID fraud season. New research finds that March Madness app vulnerabilities could mean tracking your bracket will cost you more than your office pool entry fee. Breaches at Wall Street law firms Cravath and Weil Gotshal illustrate why more clients are requiring their legal eagles to buy cyber insurance.
Finally, don’t forget to check out NCL’s newly redesigned Fraud.org—featuring a new section dedicated to data breach education—which we launched this week. Details below!
And now, on to the clips!
—————–
Tooting our own horn: Redesigned Fraud.org launches with new data breach content! We’re proud to show off an all-new Fraud.org this week! The newly redesigned watchdog site features plenty of data breach readiness content aimed at consumers, including links to the latest official breach info, tips for victims, and a step-by-step guide for reducing your data breach risk. And that’s just for starters! Surf over to the new Fraud.org, sign up for our monthly Fraud Alerts, and spread the word! (Source: NCL press release)
Medstar Hospitals hack has DC-area patients being turned away. The cost of data insecurity was vividly revealed this week as 10 MedStar hospitals in Washington, DC and Maryland were shut down, reportedly by a ransomware scam. This is just the latest of many attacks on hospitals by hackers looking to extract hefty ransoms due to often lax health care provider cybersecurity. @JohnWoodrowCox writes for the Washington Post: “[S]ome MedStar Health patients say they are being turned away as the health-care giant’s computer systems remain crippled by a virus that infected it Monday morning. … The spouse of a man receiving cancer treatment at one MedStar facility told The Post he has been unable to receive radiation treatment for two days because of the shutdown.” (Source: Washington Post)
Krebs: Hospital ransomware attacks to become more targeted. The MedStar ransomware hack follows a string of breaches at hospitals in Kentucky and California that have netted hackers thousands of dollars in ransoms. Writes @briankrebs, “Ransomware infections are largely opportunistic attacks that mainly prey on people who browse the Web with outdated Web browsers and/or browser plugins like Java and Adobe Flash and Reader. Most ransomware attacks take advantage of exploit kits, malicious code that when stitched into a hacked site probe visiting browsers for the presence of these vulnerabilities. … It’s a fair bet that as ransomware attacks and attackers mature, these schemes will slowly become more targeted.” (Source: KrebsonSecurity)
It’s not just hospitals that should be worried about protecting health info. The same folks at Verizon who annually publish the hugely influential Data Breach Investigations Report are out with a new report looking at the security of personal health information on corporate networks. The results aren’t pretty: 90 percent of all industries have experienced breaches that led to a loss of personal health information, according to the report. Writes the @PHIDBIR team: “Detailed health records make it easier for criminals to engage in both identity theft and medical billing fraud—the former having direct impact on an individual or family, and the latter increasing healthcare costs for governments, organizations and individuals.” (Source: Verizon)
Rich to Congress: Pass data security and breach notification laws. FTC Bureau of Consumer Protection Director Jessica Rich went before the House Oversight subcommittee and reiterated the Commission’s long-standing call for Congress to pass comprehensive data security and breach notification bills. Such legislation would give the Commission greater authority to crack down on the growing threat of medical ID theft, which was a significant focus of Rich’s testimony. (Source: Arnold & Porter)
Eighty-one percent of security and privacy experts want FBI to disclose iPhone vulnerability. A poll of 140 high-profile security and privacy experts by Christian Science Monitor’s Passcode group found a significant majority in favor of the FBI disclosing any iPhone vulnerabilities that allow it to hack into the iPhone at the center of its temporarily-resolved battle with Apple. Writes @SaraSorcher and @MalenaCarollo: “[A] strong majority of security and privacy experts from across government and the private sector … cautioned about serious security risks if investigators don’t reveal the security flaw, and the dangerous precedent it might set.” (Source: Passcode)
Tennessee updates data breach notification law; now one of the strictest in U.S. Tennessee Gov. Bill Haslam has signed into law an update to the state’s data breach notification law. Now, breached organizations are required to notify customers within 14 days of the discovery of the breach. Writes Bruce Sarkisian of @AlstonBirdLLP, “Tennessee joins a small number of states requiring notice to be made within a certain time after an organization becomes aware of the breach. Tennessee’s is one of the shortest periods adopted to date. Puerto Rico’s data breach statute requires notice to be made to the Department of Consumer Affairs within ten days of discovery of a breach. Florida requires notice to individuals to be made within thirty days following discovery of the breach.” (Source: JDSupra)
Krebs (take two): W2 phishing attacks on companies netting a haul for tax ID fraudsters. As tax prep season kicks into high gear, tax ID fraudsters are using a new scheme to bring in employee information: sending phishing emails to corporate HR and finance departments seeking employee W2 information. Writes Krebs: “Over the past week, KrebsOnSecurity similarly has heard from employees at a broad range of organizations that appear to have fallen victim to W2 phishing scams, including some 28,000 employees of the market research giant Kantar Group; 17,000+ employees of Sprouts Farmer’s Market; call center software provider Aspect; computer backup software maker Acronis; Kids Dental Kare in Los Angeles; Century Fence, a fencing company in Wisconsin; Nation’s Lending Corporation, a mortgage lending firm in Independent, Ohio; QTI Group, a Wisconsin-based human resources consulting company; and the jousting-and-feasting entertainment company Medieval Times.” (Source: KrebsonSecurity)
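The CEO-fraud and W-2 phishing lures described by Krebs and the FBI above share a recognizable shape: a message that appears to come from an executive, asks HR or finance for employee tax data or a payment, and is sent from outside the organization with replies routed elsewhere. The screen below is an added example, not code from the Digest, Krebs or the FBI alert; it scores a message for those traits using only the Python standard library. The domain, executive list and both sample messages are constructed for illustration.

```python
"""Heuristic screen for CEO-fraud / W-2 phishing e-mails (added example).

Scores an RFC 822 message for the traits the reporting describes: an
executive's display name on an outside address, a Reply-To pointing
somewhere else, a request for W-2 / payroll data or a wire, and pressure
to act now.  All organisation data and samples below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data; a real deployment would load these from
# the corporate directory rather than hard-code them.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address

REQUEST_TERMS = re.compile(
    r"\b(w-?2s?|wire transfer|payroll (?:data|records)|ssn|social security)\b",
    re.IGNORECASE,
)
URGENCY_TERMS = re.compile(
    r"\b(urgent|asap|immediately|right away|today)\b", re.IGNORECASE
)


def score_message(raw: str) -> dict:
    """Return the indicators found in one message, a score and a verdict."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""

    indicators = []
    # 1. Display name belongs to an executive but the address is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        indicators.append("exec_display_name_spoof")
    # 2. Sender domain is outside the organisation (lookalikes land here too).
    if from_domain and from_domain != OUR_DOMAIN:
        indicators.append("external_sender")
    # 3. Reply-To sends the answer to a different domain than the From header.
    if reply_addr and reply_domain != from_domain:
        indicators.append("reply_to_mismatch")
    # 4. Asks for the data these scams go after (W-2s, payroll, wires).
    if REQUEST_TERMS.search(body):
        indicators.append("sensitive_data_request")
    # 5. Pressure to act now, a staple of these lures.
    if URGENCY_TERMS.search(body):
        indicators.append("urgency")
    score = len(indicators)
    return {"indicators": indicators, "score": score,
            "verdict": "REVIEW" if score >= 3 else "OK"}


# Constructed sample: a W-2 lure with a spoofed executive display name.
PHISH = """\
From: Jane Doe <jane.doe@exannple-mail.com>
Reply-To: ceo.desk@mailbox-free.example
To: hr@example.com
Subject: W-2s needed

Hi, I need the W-2 for every employee as a PDF before noon today.
Thanks, Jane
"""

# Constructed sample: a routine internal message from the real executive.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: All-hands

Can we move the all-hands to Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw))
```

The threshold of three indicators is deliberate: any one of them (an external sender, a mention of payroll) is common in legitimate mail, and it is the combination that matches the targeted, low-volume pattern Krebs notes slips past spam traps. A message that scores REVIEW should go to a human with an out-of-band confirmation step (a phone call to the executive's known number), which is the basic precaution the FBI alert says these schemes depend on employees skipping.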
March Madness apps vulnerable to malware. Your bracket may not be the only thing that gets busted if you use apps to track the NCAA tournament scores, says Flexera Software. Writes @BSnyderSF, “Flexera analyzed 28 iOS apps, including the popular March Madness Live, Yahoo Sports, ESPN Tournament Challenge, and CBS Sports, and found that nearly all of them had potentially problematic features. March Madness Live, for example, can access and share users’ calendar information on social media sites, and it links to ad networks, which can act as backdoors for malware. In fact, 26 of the 28 tested apps can access and share this information, and another 79 percent, including CBS Sports, Dish Anywhere and ESPN Tournament Challenge, can access iOS devices’ location tracking features, according to Flexera.” (Source: CIO)
Attention DC lawyers: Clients increasingly demanding cyber insurance… Law firm clients are increasingly asking their legal eagles to purchase cyber insurance policies to help address the risk of data breach, writes @NellGluckman. “The policies that law firms typically carry, such as lawyers’ professional liability insurance, general liability insurance and property insurance, do not always provide coverage when employee rather than client data is compromised, or when the firm must hire a forensic team to determine what data was lost and how. They also most likely won’t cover the cost of notifying regulators or engaging a public relations firm. … Daniel Garrie, co-head of the cybersecurity practice at Zeichner Ellman & Krause, identified another factor that is pushing firms to buy cyber insurance. ‘Their clients are compelling the action,’ Garrie said. ‘They’re requiring the law firms to have cyber insurance as a matter of business.’” (Source: The American Lawyer)
… and breaches at Cravath and Weil Gotshal show why. Hackers’ renewed focus on law firms as a target was illustrated again this week as Wall Street firms Cravath and Weil Gotshal announced that they’ve been breached. @nicole_hong and Robin Sidel have the story for @WSJD: “The attacks on law firms appear to show thieves scouring the digital landscape for more sophisticated types of information. Law firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading.” (Source: Wall Street Journal)
Report: 60 percent of federal agencies have suffered a data breach. New research from data security firm @Vormetric finds that 60% of federal agencies have suffered a data breach, with 20% of those breaches happening in the past year. Among the other takeaways from the report, “federal agencies are planning to adopt modern security tools including cloud security gateways (40%), application encryption (34%), data masking (31%), and tokenization (27%) to protect sensitive data.” (Source: Information Week)
Report: One-fifth of companies experienced a mobile data breach. A survey of IT pros by Crowd Research Partners found that employees connecting to malicious WiFi hotspots is a significant vector for mobile device-based threats. According to the report, “one in five organizations (21%) suffered a security breach involving a mobile device sometime in the past, primarily due to connections to malicious Wi-Fi hotspots and malware.” (Source: CIO)
Upcoming events
Today – FCC March Open Meeting– Washington, DC
The Commission will consider a Notice of Proposed Rulemaking seeking comment on a proposed framework for ensuring that consumers have the tools they need to make informed choices about how their data is used and when it is shared by their broadband providers.
National Consumers League
Published March 31, 2016
The #DataInsecurity Digest | Issue 16
Issue 16 | March 16, 2016
By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud
Editor’s Note: The FCC’s broadband privacy proposal is generating quite a lot of heat in Washington, since it would impose new rules on cable and telecom companies—no slouches when it comes to lobbying. Less talked about are the data security and breach notification requirements which would apply to ISPs. The FTC has also begun an inquiry into PCI-DSS certification, which sounds pretty wonky, but in fact, represents a significant effort by the Commission to make sure that one of the most widely known security standards is up to snuff. No #DataInsecurity Digest would be complete without news of the latest data breaches and this edition is no different. Cancer treatment center franchise 21st Century Oncology is the latest victim, with more than 2.2 million consumers affected. Breach fallout continues to plague the IRS, which recently had to shut off its “Get IP PIN” service, since hackers figured out how to compromise the system, which was put in place to help victims of tax ID fraud.
And now, on to the clips!
—————–
FCC broadband privacy proposal includes data security and breach notification requirements. While most of the news about the FCC’s broadband privacy proposal focused on the limits the proposal would place on ISPs’ ability to use customer information for advertising purposes, the Commission has also proposed strong data security rules. Notes the fact sheet: “The proposal would require broadband providers to take reasonable steps to safeguard customer information from unauthorized use or disclosure.” Breached ISPs would also be required to notify the FCC within 7 days of discovery of the breach and affected customers in 10 days. (Source: FCC)
Wheeler doubles down on data security. In a Huffington Post piece explaining the coming broadband privacy rules, FCC Chairman @TomWheelerFCC gives a shout-out to data security. “Every broadband consumer should have the right to choose how their information bits should be used and shared. And every consumer should be confident that their information is being securely protected,” said Wheeler. (Source: Huffington Post)
FTC examining PCI-DSS auditing. One of the more well-known security standards is the banks’ PCI-DSS standard, which has caused some heartburn among businesses that must comply in order to accept credit and debit cards. The FTC will take a look at the issue, thanks to orders issued to nine companies that conduct PCI-DSS assessments. @FraudBlogger has the round-up of the impact of the FTC’s action. “The FTC relies heavily on the PCI-DSS as a framework for measuring the effectiveness of merchant information security programs … This was recently put in writing with the Wyndham order the FTC released last December. The federal government has been under pressure to do something in response to the major breaches over the past couple of years. Since the FTC’s purview is retail breaches, it makes sense that they would be the government agency that starts doing more.” (Source: BankInfoSecurity.com)
Speaking of the FTC: ID theft complaints increased 47%, says NCL. Just as we went to press with last week’s #DID, the FTC released its annual Consumer Sentinel Data Book. Now that we’ve had a chance to dig in, we’ve got some more advice for policymakers. “We know that these nearly 500,000 identity theft complaints are likely just the tip of the iceberg. Far too many identity theft victims don’t report the crime, if they’re even aware of it,” said NCL Vice President of Public Policy, Telecommunications and Fraud John Breyault (aka yours truly). “Consumers can take steps to mitigate their risk of identity theft, but they can’t prevent it entirely. That’s why we need leaders in Washington to help make sure that the companies that hold consumers’ data protect it to the greatest extent possible.” (Source: National Consumers League)
Breach du jour: 2.2M patient records at 21st Century Oncology. Ft. Myers-based 21st Century Oncology, which operates a chain of 181 cancer treatment centers in the U.S. and Canada, has reported a breach that may have exposed names, social security numbers, physicians’ names, diagnoses and treatment information, and insurance information on up to 2.2M customers. The breach took place in October 2015, but the FBI asked the company not to notify patients until now. 21st Century Oncology also recently settled a $34.7 million fraudulent billing case with the Department of Justice. (Source: Healthcare IT News)
Breach du jour part deux: Rosen Hotels is latest hotel breach target. Orlando-based hotel chain Rosen Hotels and Resorts is the latest hotel company to have its payment system targeted, joining Hyatt, Trump Hotels, Hilton Hotels and Starwood Hotels, writes @philmuncaster. (Source: InfoSecurity Magazine)
Congress: HIPAA data security rules too slow to come. Rep. Peter DeFazio (D-OR) and Rep. Tom Marino (R-PA) are leading a group of eight bipartisan Congressmen in calling on HHS to speed up its promised data security guidance for HIPAA-covered entities, writes @HealthInfoSec. Notes the letter, “We have serious concerns about the consequences of HHS inaction. Advances in mobile health technology have the potential to dramatically improve patient outcomes and the accessibility of health care. This innovation is coming at a rapid pace, but your agency has done little to demonstrate it can manage the significance.” (Source: DataBreachToday)
Verizon has its own data security digest. Verizon is rightfully hailed for its comprehensive annual Data Breach Investigations Report. However, the telecom’s budding data security business is now out with a more light-hearted digest of data breach case studies, writes @MariaKorolov for CSO. Case in point: “And there’s the story of the best developer at a company—who turned out to have outsourced his job to China in order to spend the day reading Reddit and watching cat videos. He had FedExed his authentication token key fob to the contractor, and was caught when logs showed mysterious—but authorized—VPN access from China.” (Source: CSO)
Facebook, Google, WhatsApp among big names expanding encryption in the name of security. @lancewhit breaks down the latest in Silicon Valley’s efforts to expand encryption and the government’s pushback. “Technology firms are putting a higher priority on security to convince customers their private data is fully protected. But the US government and law enforcement officials are challenging the encryption used in tech products, arguing that it obstructs their capability to access information vital in criminal and terrorist investigations.” (Source: CNET)
$19.5M set aside to settle Home Depot breach claims. The hardware retailer settled the suit, made up of 57 proposed class action lawsuits. “‘The home improvement retailer will set up a $13 million fund to reimburse shoppers for out-of-pocket losses, and spend at least $6.5 million to fund 1-1/2 years of cardholder identity protection services.’ … Home Depot also agreed to improve data security over a two-year period, and hire a chief information security officer to oversee its progress.” (Source: Reuters)
Daily Krebs: DDoS protection firm Staminus hacked. Staminus, a firm specializing in protecting websites from distributed denial of service (DDoS) attacks, was itself knocked offline in a hack that reportedly cost the company 15GB of customer data. DDoS protection firms are frequent targets for DDoS attacks themselves since they are frequently used to protect websites hosting questionable content. (Source: KrebsonSecurity.com)
Daily Krebs, take two: IRS suspending “Get IP PIN” after system thoroughly pWn3d. Cyber blogger extraordinaire Brian Krebs’ reporting on the IRS’s leaky system for protecting tax identity fraud victims certainly got the feds’ attention. Writes @briankrebs, “Citing ongoing security concerns, the Internal Revenue Service (IRS) has suspended a service offered via its Web site that allowed taxpayers to retrieve so-called IP Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud two years in a row. The move comes just days after KrebsOnSecurity first exposed how ID thieves were abusing the service to revisit tax refund on innocent taxpayers two years running.” (Source: KrebsonSecurity.com)
IRS breach’s lessons for financial services. American Banker’s @pennycrosman notes the parallels between the IRS’s growing breach problems and the financial services industry’s similar issues. “So while it’s tempting to roll your eyes and crack jokes when a government agency slips up, the IRS breach may hold some useful lessons for the financial services industry. … There are a few takeaways for banks from this mess. 1. Rethink knowledge-based authentication … 2. Don’t let bureaucracy kill a good security idea. … 3. Teach customers to protect their Social Security numbers and other personally identifiable data … 4. Try stronger authentication technology.” (Source: American Banker)
Even ISIS has data breach headaches. @a_greenberg covers the breach of 22,000 ISIS members’ personal information, proving that even the world’s most dangerous terrorists have to worry about data security. “A defector has allegedly leaked what appears to be a USB drive’s worth of ISIS’s secret data, including the personal information of 22,000 ISIS fighters. That personal data includes the fighters’ names, phone numbers, hometown and even blood types—all information they apparently filled out on forms in the process of signing up to join the violent group.” (Source: WIRED)
Quick hit: Average breach falls below cyber insurance policy deductible, study shows. (Source: DarkReading.com, via @gold_em)
Quick hit: Recap of the big non-policy news from RSA. (Source: iCrunchData News)
Infographic du jour: 2015 in data breach numbers. (Source: SafeNet)
Upcoming events
March 31 – FCC March Open Meeting – Washington, DC
The Commission will consider a Notice of Proposed Rulemaking seeking comment on a proposed framework for ensuring that consumers have the tools they need to make informed choices about how their data is used and when it is shared by their broadband providers.
June 15 – FTC Start With Security – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.
National Consumers League
Published March 16, 2016
Health Advisory Council Newsletter | 2016 Q1 | Member Q and A
2016 | Q1 Newsletter | Q & A with Health Advisory Council Members
Senior Manager, OTC Appropriate Use, Johnson & Johnson Consumer Inc., McNeil Consumer Healthcare Division
Q. What is your role?
A. I manage our over-the-counter (OTC) medicine appropriate use efforts and initiatives. The mission of our group is to empower consumers to make the best choices for their OTC self-care by providing them with the necessary information and tools.
Q. Tell us about some of your current initiatives
A. We have several appropriate use initiatives, some that are internally led by Johnson & Johnson Consumer Inc. while others are led by external partners such as NCL. An example of an internal initiative that we launched in Q4 2015 is Every Label Every Time. This initiative is designed to educate consumers about the appropriate use of OTC medicines and the importance of reading and following all medication labels. The campaign highlights recent findings from a new survey of more than 2000 U.S. consumers such as the finding that only one in five consumers re-read the label of an OTC medicine they have used before.
An example of a current external initiative is the LifeSmarts program through our NCL partnership. Johnson & Johnson Consumer Inc. is a supporter of the development of the “Health and Safety” section of LifeSmarts U. As a healthcare company, we believe in the importance of educating future medicators and young adults about the responsible use of medicine.
Q. What is Johnson & Johnson Consumer Inc. doing to change the way people think about and approach healthcare?
A. Some consumers believe that OTC medicines are completely safe and can do no harm. OTCs are safe when used as directed, but if they are not used according to the label, they can cause harm. Our goal is to provide at-risk consumers with a “wake-up call” to choose and use OTCs appropriately so that they and their loved ones can get effective relief safely.
Q. What do you value about membership in NCL’s Health Advisory Council?
A. I value the exchange of ideas and dialogue between the Council members. In the future, I hope there will be more opportunities for partnering with Council members on appropriate use initiatives.
Q. Tell us about some of your partnerships.
A. Research shows that children begin to self-medicate around 11 years old. Unfortunately, when not equipped with the knowledge and information to make safe choices, adolescents may end up doing more harm than good. In 2014 alone, 140,000 cases of medicine exposures reported to poison centers involved children ages 6 to 19.
With this need in mind, Johnson & Johnson Consumer Inc. has supported the development of a free, evidence-based educational program for 5th and 6th graders, focused on medicine safety. The objective is to build a more responsible future medicating population and to build a healthy respect for all medicines, including OTCs, by teaching adolescents at an early age.
The program, “OTC Medicine Safety,” was developed and refined with the help of an expert panel, qualitative testing with teachers and students, and quantitative testing with over 1,200 students. In its fifth year, the program includes comprehensive resources for teachers, school nurses, community leaders, and parents – all of which play a critical role in helping tweens learn about responsible OTC medicine use and storage. All resources are completely free and available online.
Director, Global Stakeholder Engagement, U.S. Pharmacopeial Convention (USP)
Q. Tell us about your work at USP.
A. USP’s mission is to improve global health through the development of public standards and related programs that help ensure the quality, safety, and benefit of medicines and foods. For almost 200 years, USP has developed an extensive network of stakeholders and partners that engage with us to advance USP’s work of setting quality standards for medicines, foods and dietary supplements.
My work at USP focuses on how USP collaborates and engages with a diverse community of stakeholder organizations to impact the public health landscape in the U.S. and abroad. These stakeholders include academic institutions and associations, consumer organizations, governmental bodies, non-governmental bodies, manufacturers, trade associations and professional and scientific associations.
Our interactions with these stakeholders gain in complexity as we engage them in our functions at USP – developing quality standards, advocating for patient safety and safe medication use or promoting global public health, for example – and learn how to find the intersections in mission with these organizations and how to walk shoulder to shoulder as partners to advance policies, agendas, and activities.
Q. What do you love about your job?
A. I have been at USP more than seven years, and there are three distinct areas that fuel my passion for the organization. USP was founded by scientists and practitioners who were passionate about ensuring the quality of medicines for their patients. That passion continues today with a community of more than 1,000 experts who work closely with nearly 1,000 USP scientists and staff to ensure the quality and safety of medicines, dietary supplements and food ingredients in the U.S. and many other countries.
A second remarkable aspect of USP is its programs that are little known to the public but have tremendous impact on global health, such as the Promoting the Quality of Medicines program, a collaboration with the U.S. Agency for International Development (USAID) to build regulatory capacity in many countries. Through this program, USP is working with health authorities and collaborators worldwide to address supply chain issues as well as counterfeit and substandard medicines that plague so many nations.
Another little-known program is the Dietary Supplements Verification program, which is a voluntary program for manufacturers of dietary supplements and dietary supplement ingredients to verify the quality of their products.
The third aspect of USP that inspires me is the diversity of staff. At USP, you will find staff representing many different nations. This diversity adds a unique nuance to the collaborative manner in which we work so that different perspectives inform our discussions, our work and our learnings.
Q. What is USP’s role in the public health sector?
A. Scientifically based, public quality standards, like those published in the U.S. Pharmacopeia-National Formulary (USP-NF), have helped ensure the quality and consistency of drugs and drug ingredients sold in the United States for almost two centuries.
Uniform public standards, such as USP’s, make it clear to everyone in industry and regulatory bodies what quality is expected of ingredients and products and what test methods are appropriate to determine whether that quality exists.
Although our standards are referenced in U.S. law, we are not part of government. Our standards are established by experts coming from diverse backgrounds – industry, regulatory agencies, academia and practitioner groups. USP’s experts and staff develop quality standards that provide a uniform point of reference for regulators, manufacturers and consumers.
Q. What public health initiatives is USP currently working on?
A. One example is the work we have developed on prescription container labeling. According to the Institute of Medicine (IOM), 77 million Americans have limited health literacy, and a majority of Americans have difficulty understanding and using health information and services. In 2007, USP started working on a standardized prescription container label with experts in patient safety, health literacy, pharmacy, medicine, human factors research and labeling technology. The goal of the standard (now called General Chapter <17>) was to organize labels in a patient-friendly way, using explicit language to describe dosages and intervals; improve readability with clear formatting; and address those with visual impairments and those with limited English comprehension.
At its 2012 annual meeting, the National Association of Boards of Pharmacy passed a resolution supporting state boards in requiring a standardized prescription container label. As with other healthcare quality standards, enforcement of General Chapter <17> is the decision of individual state boards of pharmacy, which may choose to adopt it into their regulations.
Another public health initiative USP has been engaged in for the past several years is promoting quality standards for dietary supplements. Approximately half of the American population consumes vitamins, minerals or other dietary supplements as part of their health regimen. Yet, because the regulations on dietary supplements are different than those for medicines (dietary supplements are regulated as foods), the quality and safety of these products is often put into question, with frequent reports of products connected to patient harm.
In 2001, USP started its USP Verified program for dietary supplements, which guarantees consumers of these products that what’s on their labels is inside the bottle; that the ingredients are present in the right potency and amount; that the products don’t contain harmful levels of contaminants; and that the products were made according to FDA and USP guidelines, using good manufacturing practices.
The program is voluntary for manufacturers, but we believe that choosing a product with the “USP Verified” Mark on the label provides consumers with an added assurance that the supplement recommended by their physician is of high quality.
Q. What do you value about USP’s participation in the Health Advisory Council?
A. USP’s engagement with the National Consumers League (NCL) and its Health Advisory Council is an important aspect of my work. NCL is a critical organization in the healthcare landscape because of its important work in representing consumer perspectives. Being at NCL’s table is important for USP because it gives us the opportunity to raise awareness of quality medicines, dietary supplements and food ingredients directly to patients and consumers.
Health Advisory Council Newsletter | 2016 Q1
Last December, we were delighted to host Council members at a meeting that featured a fireside chat with then-nominee Dr. Robert Califf, and just weeks ago, we welcomed the news of his formal Senate confirmation as Commissioner of the U.S. Food and Drug Administration (FDA). NCL looks forward to future collaborations with the FDA and expects that under Dr. Califf’s leadership, the agency will ensure that patient and consumer protection remain the highest priority.
Since our December meeting, NCL and Council members have been active on many fronts. Please read on for NCL policy updates, Q&A’s with two members, updates, and more.
Script Your Future Medication Adherence Campaign update – Launched in 2011, NCL’s Script Your Future campaign is a national educational campaign to raise awareness of the importance of taking medications as directed.
New Script Your Future research. In December 2015, NCL released the results of survey research that compared adherence in the campaign’s pilot cities (Baltimore, MD; Birmingham, AL; Cincinnati, OH; Providence, RI; Raleigh, NC; and Sacramento, CA) before the campaign launched in 2011, at its midpoint in 2013, and again in 2015. The results demonstrate improvement in communication and adherence, particularly in the campaign’s target market cities, where patients were significantly more likely than those in a control market to say they are taking their medicines better than in the previous year. NCL was pleased to receive good media coverage of the survey results, including in the February issue of Population Health News.
Read on for more updates about NCL’s health policy work.
Welcome NCL’s new Health Policy Associate Janay Johnson – NCL is pleased to announce that Janay Johnson will join NCL’s health policy department this month. Janay received her MPH from George Washington University and comes to us from the American Heart Association. We know that you’ll enjoy working with Janay!
Get to know two Health Advisory Council members–Johnson & Johnson Consumer Inc., McNeil Consumer Healthcare Division and the U.S. Pharmacopeial Convention (USP)–with new Q&A’s.
Eli Lilly and Company – Finding common ground
In a unique partnership, Eli Lilly and Company and Anthem, Inc., have teamed up to drive policy changes that would pave the way for value-based drug pricing—with the goal of ensuring that patients get the best value for their health care dollars. This collaborative approach was unveiled in late January in an op-ed (“Discovering New Medicines and New Ways to Pay for Them”) published in Health Affairs and co-authored by David Ricks, Lilly’s senior vice president and president of Lilly Bio-Medicines, and Samuel Nussbaum, M.D., who recently retired as Anthem’s executive vice president and chief medical officer. Ricks and Nussbaum said they approach pricing issues from “different perspectives but with common ground” and with the shared belief that innovative medicines are an “incredibly powerful and cost-effective way to improve people’s lives.” To learn more, check out the LillyPad blog on the topic, which links to two white papers that detail the new initiative.
National Alliance for Caregiving
In February, the National Alliance for Caregiving, in partnership with Mental Health America and the National Alliance on Mental Illness, released On Pins & Needles: Caregivers of Adults with Mental Illness. The study examines the unique difficulties and opportunities for caregivers of adults with moderate-to-serious mental illness. Major findings of the survey: caregivers said their loved one faced an average of 11.8 years to get a diagnosis; access to treatment and support services is problematic for nearly two out of three; and half have trouble finding case managers, in-patient treatment, and substance abuse treatment. This year, the Alliance also celebrates its 20th anniversary by exploring what the next 20 years in caregiving will look like at the American Society on Aging meeting.
Society for Women’s Health Research (SWHR)
The Society for Women’s Health Research (SWHR) 26th Annual Gala “Revolutionizing Healthcare & Research Through Data” is on Wednesday, May 4 at The Ritz-Carlton Hotel. With regard to policy developments, SWHR has recently launched The Patient’s Alliance for Drug Safety Protections to bring awareness to the importance of Risk Evaluation and Mitigation Strategies (REMS) as a tool to advance patient safety and protect public health. The organization will also host two policy roundtables to examine the regulatory issues surrounding pain management and novel therapies with the goal of providing consensus statements and recommendations for regulatory actions in mid-to-late 2016.
We hope you will join us on September 21 for NCL’s Trumpeter Awards dinner and reception in Washington. For more than 40 years, NCL’s Trumpeter Awards have recognized leaders who speak out for social justice, public health, and for the rights of consumers and workers. Past recipients have included FDA Commissioner Margaret Hamburg, Surgeon General Regina Benjamin, legislators, investigative journalists, and other leaders. Learn more about the 2016 Trumpeter Award and how to participate this year here.
Food Waste Conference – Late last year, the U.S. Department of Agriculture (USDA) and the U.S. Environmental Protection Agency (EPA) announced a national goal to reduce food waste in the U.S. by 50 percent by 2030. NCL has been covering the issue of food waste for the last year, but in 2016 we are amplifying our efforts. In May, we’ll host the first ever consumer-focused Food Waste Summit, in partnership with the Keystone Policy Center, to engage representatives from across the stakeholder spectrum on how to actively involve consumers in reducing waste. The conference will take place on May 11 at the Pew Charitable Trusts in Washington, DC. Get more information or RSVP here.
Launching new online members-only discussion board – Health Advisory Council members have told us that one of the most highly valued membership benefits is the ability to connect with the broad range of health policy stakeholders represented on the Council. To facilitate increased member communication, NCL will soon launch an online members-only discussion board where members may share news, suggestions, and ideas. Information on how to access this new communications portal is coming soon.
Meetings in the works – We are in the process of planning our annual Health Advisory Council Membership meeting in the Spring, as well as a policy forum on patient access in the Fall. We welcome your ideas or suggestions! Please feel free to contact Karin Bolte (karinb@nclnet.org) or Amy Sonderman (amys@nclnet.org).
_______________
National Consumers League
Published March 16, 2016
NCL health policy updates | Health Advisory Council Newsletter | 2016 Q1
Script Your Future Medication Adherence Campaign – Launched in 2011, NCL’s Script Your Future campaign is a national educational campaign to raise awareness of the importance of taking medications as directed.
Clear Choices Campaign – Along with members of the Clear Choices Campaign, a multi-stakeholder advocacy association dedicated to making health markets more transparent and consumer-friendly, NCL’s Health Policy Director Karin Bolte met with Kevin Counihan, director & marketplace CEO at CMS’ Center for Consumer Information and Insurance Oversight (CCIIO), to share recommendations to improve the consumer-facing features and tools of HealthCare.gov.
Clear Choices also called on the Department of Health and Human Services (HHS) to put more accurate, intelligible health care data in the hands of health care consumers and stakeholders.
Senate Finance Committee Chronic Care Working Group – In January, NCL, along with colleagues in the health care, consumer, patient, labor, and business communities, submitted detailed comments on a Dec. 18 policy options document circulated by the Senate Finance Committee Chronic Care Working Group. Advocacy groups called for legislative action and praised the policy options document for putting forth strategies to: 1) engage consumers in their own health and health care; 2) expand care coordination for the highest cost, highest need beneficiaries; and 3) modernize Medicare provider payment.
Generic drugs – NCL has long been a supporter of generic drugs as a good way for consumers to save money on medications. However, NCL believes that it is critically important that all prescription drugs–both brand name and generic–carry current and adequate safety warnings. In March, NCL joined a letter to the FDA urging the agency to finalize proposed regulations that would allow generic drug manufacturers to initiate safety, efficacy, and dosing updates to their products’ labeling. Promptly updated labeling allows health care providers and patients to make better informed health decisions and can help prevent serious harm to patients.
Patient Access to Pharmacists’ Care Coalition – NCL is an active member of the Patient Access to Pharmacists’ Care Coalition (PAPCC), whose mission is to develop and help enact a federal policy proposal that would enable Medicare beneficiary access to, and payment for, Medicare Part B services by state-licensed pharmacists in medically underserved communities. Reimbursing pharmacists for patient care services will expand access to care in rural and urban areas, increase care coordination, allow seniors to access health care services in their communities, and encourage health care teams that include pharmacists. NCL has been working with PAPCC to plan a patient advocacy briefing taking place March 21.
NCL health policy updates | Health Advisory Council Newsletter | Summer 2015
Access – to medications, health care, information, coverage – is a prominent theme among members as a priority, as well as in the issues we are addressing at NCL. And with the recent decision by the U.S. Supreme Court in King v. Burwell, access to health care for millions under the Affordable Care Act will continue, even while we work to ensure consumers have access to critical medications and treatments they need. The Supreme Court’s 6-3 vote is a major victory for consumers nationwide.
Vaccines – Meningitis B (MenB) outbreaks on college campuses have been a devastating public health issue in recent years. The FDA recently approved two MenB vaccines, and, in June, the CDC’s Advisory Committee on Immunization Practices (ACIP) met to decide on recommendations as to who should receive them—only high-risk populations or broader populations. NCL spoke at the ACIP meeting in favor of a routine, or broad, recommendation to ensure access to this vaccine before a deadly outbreak occurs. Dozens of speakers addressed the ACIP, including survivors of the disease as well as relatives of victims, all urging the committee to recommend routine vaccinations for young adults ages 16-23. Ultimately, the CDC declined to give a broad recommendation for the MenB vaccinations, recommending instead that decisions to vaccinate adolescents and young adults be made at an individual level with healthcare providers. NCL is disappointed with the decision and stands with patients and their families in support of protecting young people from the devastating consequences of MenB.
Flibanserin – NCL has championed women’s health and gender equality for decades and recently applauded the vote by the FDA advisory committee to recommend approval of the drug Flibanserin for low libido in women, or female sexual dysfunction (FSD). The most common FSD condition is loss of sex drive, or HSDD. At present, there are no FDA-approved drugs to treat FSD. Although there has been a diverse range of opinions concerning the drug, NCL presented testimony at the recent FDA meeting in favor of approving this treatment, and in support of giving women the same access to treatment for HSDD as provided to men, who now have 26 drugs for sexual dysfunction.
Script Your Future Campaign – The Script Your Future campaign announced the winners of its 2015 Team Challenge, an annual competition that encourages health profession students and faculty across the nation to develop creative ideas, events, and initiatives to raise public awareness about the importance of medication adherence. NCL is proud to announce that this year’s Challenge winners were the University of Pittsburgh School of Pharmacy, University of Maryland School of Pharmacy, University of Charleston School of Pharmacy, and the Northeast Ohio Medical University College of Pharmacy (NEOMED). NCL continues to fulfill frequent requests for medication adherence materials, including Public Service Announcements and wallet cards that help patients keep track of their medications and provide basic questions for patients to ask their HCPs about the medication they are taking.
21st Century Cures – The 21st Century Cures Act was introduced in Congress to focus on accelerating the discovery, development, and delivery of new drugs and devices. While some aspects of the bill could speed up the development of and access to new drugs, NCL and other consumer and patient groups have expressed concern that this legislation could ultimately lower the standards for approval of many medical products, placing patients at unnecessary risk. The current version of the bill would allow consideration of drug approvals based on clinical experience, replacing scientific data from large numbers of patients in well-designed and controlled clinical trials. And approval standards for medical devices could become less rigorous. As a part of a patient and consumer coalition, NCL is working to ensure that the bill provides greater access to medications without sacrificing safety.
Cosmetics – Cosmetics reform is long overdue. The current cosmetic product legislation, or the Federal Personal Care Products Safety Act, has remained unchanged since its enactment in 1938. Senator Dianne Feinstein (D-CA) and Senator Susan Collins (R-ME) are co-sponsoring new legislation that would give the FDA broader oversight of personal care products and more authority over companies to disclose adverse product reactions reported by consumers. Consumer groups, including NCL, are encouraging lawmakers to include additional measures to the bill that will help to ensure enhanced consumer protections.
New navigating healthcare marketplace site – NCL is partnering with a communications firm and Anthem to develop a new resource to help Americans navigate a complex and changing health care system. The content will focus on such decisions as choosing a health plan, selecting providers, sorting through drug formularies, and the information needed to make informed choices.
Biosimilars – Biosimilars, which are essentially identical versions of biologic drugs, are complex medicines made from living cells that treat deadly and debilitating diseases. It is good news for consumers that biosimilars are expected to enter the U.S. marketplace in the coming weeks. The first biosimilar for Neupogen, which reduces the risk of infection from chemotherapy for cancer patients, was approved by the FDA in March. NCL has a long history of advocating for increasing affordable access to lifesaving medicines. Biosimilars hold great potential for saving consumers money and increasing their access to lifesaving treatments.
PDUFA VI – Under the Prescription Drug User Fee Act (PDUFA), the pharmaceutical industry provides resources for the FDA to review medications. The legislation expires in 2017 and, in order for the agency to continue to collect these user fees, it must be reauthorized. NCL has been asked by the FDA to be part of a panel on July 15 at the FDA headquarters in White Oak to represent the consumer perspective as part of this reauthorization process.
NCL continues to monitor other issues related to medication safety: compounding pharmacies, counterfeit drugs, dietary supplements, the safe use of pain relievers, and more.
The #DataInsecurity Digest | Issue 15
Issue 15 | March 2, 2016
By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud
Subscribe here. Tell us what you think.
Editor’s Note: Welcome to your RSA edition of the #DataInsecurity Digest! Much of Washington’s data security elite have decamped to sunny San Francisco for the annual RSA Conference—a who’s who of data security researchers and policymakers. But, never fear, we remain here in early spring-time DC to cover the latest in data security-focused policy and consumer news.
The FTC’s new Consumer Sentinel Data Book is out, so we’ll be busy digging into the complaint data to see what trends are emerging in the data security space. Also, in this edition of the #DID, we highlight a new effort by consumer groups (including yours truly) to work with the FTC to take a look at the problem of unwanted software—those pesky ad injectors and other bloatware that slow down your computer and leave it more vulnerable to malware. Also, the scope of the IRS breach keeps getting bigger—now up to 700,000 records affected (and possibly growing). In the Guardian, Tom Lamont takes a deep dive into the impact of the AshleyMadison.com breach and the lackluster response by parent company Avid Life Media. However, there’s a bit of a silver lining in the breach world. According to new research from Mandiant, the average time to detect a breach fell to 146 days in 2015 from 205 days in 2014, so it’s not all doom and gloom!
And now, on to the clips!
—————–
BREAKING: FTC Data Book shows continued uptick in ID theft complaints. For data security geeks, the publication of the FTC’s annual Consumer Sentinel Data Book is an opportunity to dig into one of the richest troves of complaint data available. This year is no different, with identity theft continuing to rank as a top consumer concern. With more than half a million complaints submitted to the agency, ID theft was the second-biggest complaint category in 2015. Phony debt collection ranked #1 this year, thanks in part to the contribution of telemarketing complaint service PrivacyStar. (Source: Federal Trade Commission)
Consumer groups call on FTC to convene workshop on unwanted software. In a letter to FTC Chairwoman Edith Ramirez, NCL and four other consumer groups urge the Commission to convene a workshop to examine the continuing problem of unwanted software. Wrote the groups: “Unwanted software are programs that consumers install inadvertently, typically because the program is bundled (often deceptively) with another program that the consumer intends to install. … In particular, we are concerned that unwanted software may disable security updates to operating systems, Web browsers or other essential software. This can leave consumers’ computers especially vulnerable to malware infections and raise the risk of fraud such as identity theft.” (Source: National Consumers League)
Drip, drip … IRS data breach keeps getting bigger. The hack of the IRS’s Get Transcript function was significantly worse than previously reported, said the agency’s Inspector General. The breach was originally thought to have compromised 114,000 accounts, but that number has since grown twice—first to 334,000, and now to as many as 724,000. Of note is the role that weak security at tax preparers may have played in the breach. Citing @otaalliance data, @cbsnews reports that “six out of 13 IRS-approved companies failed at providing adequate security to customers.” (Source: CBS News)
What was it like to be caught up in the AshleyMadison.com breach? Writing for the Guardian, @tomlamont has an incredibly in-depth look at what went on behind the scenes as Avid Life Media, the parent company of AshleyMadison.com, struggled to deal with one of the most sensitive data breaches in history. “The hack of Ashley Madison was historic – the first leak of the online era to expose to mass view not passwords, not pictures, not diplomatic gossip, not military secrets, but something weirder, deeper, less tangible. This was a leak of desires.” (Source: The Guardian)
Issa: Forcing Apple to break iPhone security “sets a dangerous precedent.” Amid all the discussion over Apple’s ongoing legal fight with the FBI over the bureau’s order that the tech giant help them gain access to a San Bernardino shooter’s iPhone, Congressman Darrell Issa took to the pages of WIRED to warn against unintended consequences of such an action. “Forcing Apple to manufacture new security vulnerabilities into its phones’ operating system in order to give the government access paves the way for these kinds of breaches to become all the more common. But even more alarming are the implications this decision would have for the online security of Americans for generations.” (Source: WIRED)
ICYMI: Rep. Johnson introduces mobile privacy, data broker bills. We missed this nugget in our last issue of the Digest, but on February 10, Congressman Hank Johnson (D-GA) introduced two bills to address mobile device privacy and security and data broker information collection practices. The good folks at @kslaw have the summary: “The Apps Act [would require mobile app developers] to take ‘reasonable and appropriate measures’ to safeguard the data they collect from users. The Apps Act authorizes the FTC to enforce these requirements under its existing unfair and deceptive trade practices authority codified in Section 5 of the FTC Act and permits state enforcement actions as well.” (Source: King and Spaulding)
Splunk SVP: Why cyber needs to be a priority on the 2016 campaign trail. Haiyan Song of security firm Splunk (tweeting from @SplunkGov) lays out why cybersecurity is becoming a bigger part of the campaign agenda. “The fact that we’re seeing regular, in-depth media coverage and ongoing discussions in Washington around cybersecurity proves this issue is more than a trend, it’s a sign that cybersecurity has become a national priority.” (Source: The Hill)
1,700 kids’ records exposed at uKnowKids. Chris Vickery, whose security research has exposed breaches at Microsoft, MacKeeper, and elsewhere, has another site to add to his roster—child-tracker app maker uKnowKids. Writing in the Register, @jleyden notes that “[a] misconfigured database at uKnowKids.com exposed the data of 1,700 children, their personal messages, social media profiles, and images. More than 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles were left exposed, according to Vickery. This includes first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more.” (Source: The Register)
OPM breach claims CIO. The ongoing saga of the data breach at the Office of Personnel Management (OPM), which compromised the data of more than 20 million federal employees, has claimed another victim—the agency’s CIO. Donna Seymour, OPM’s top cybersecurity officer, resigned on February 22, two days in advance of new hearings in the House of Representatives on the breach. And it wouldn’t be Washington if politics didn’t intrude, writes @ErinVKelly. Said House Oversight Committee Chair Jason Chaffetz: “Her retirement is necessary and long overdue. On her watch, whether through negligence or incompetence, millions of Americans lost their privacy and personal data.” Ranking Member Elijah Cummings fired back: “Efforts by Republicans to blame her for the cyber attack on OPM are both unfair and inaccurate. And they set a terrible precedent that will discourage qualified experts from taking on the challenges that face our nation in the future.” (Source: USA TODAY)
Wendy’s data breach lawsuits start to roll in. Consumers are looking to the courts for compensation in response to a point-of-sale terminal breach at Wendy’s restaurants. Notes @LegalNewsline: “The suit alleges Wendy’s could have prevented the data breach by adopting technology that helps make transactions more secure, especially as the software used in the data breach was allegedly likely a variant of the ‘BlackPOS’ strain that hackers used in last year’s data breach at many other retail establishments.” (Source: LegalNewsline)
WSJ: Microsoft upping its cybersecurity game. Recognizing the ubiquity of threats to its many platforms—PCs, mobile devices, and gaming consoles—Microsoft is making news for its new Cyber Defense Operation Center. Writes @greene, “‘Microsoft has been on the fringe of security for some time,’ said Duncan Brown, research director at IDC Research Inc. ‘Now, they are putting it at the center of operations.’” (Source: Wall Street Journal)
“Breach stats: Improving from abysmal to just awful.” @ErickaChick has the story on new data out from Mandiant M-Trends showing gradual improvement in breach response times. “[T]he median number of days it takes for victim firms to discover breaches dropped significantly to 146 days from 205 days in 2014. This is the fourth year in a row that the number has fallen. Compared to 416 days of 2011, this figure shows the industry has made marked improvements.” (Source: Information Week)
Upcoming events
RSA Conference – February 29-March 4 – San Francisco, CA
The premier conference for Internet security professionals. Agenda will include speakers from the DOJ, DOE, Department of Homeland Security, FBI, and NSA, among others.
National Consumer Protection Week – March 6-12 – Nationwide
The FTC is the hub for the annual National Consumer Protection Week. Among the topics on tap this year: identity theft and technology.