Issue 14 | Feb. 18, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: This month, the Obama Administration announced its Cybersecurity National Action Plan (CNAP), a comprehensive set of initiatives intended to get federal agencies moving when it comes to improving their data security. In this issue, we take a look at the important parts of CNAP and what it means for the larger data security reform debate. Speaking of the feds, the hits keep on coming for the IRS, which suffered another data breach during its busiest time of the year. In scary news, health records at a Los Angeles hospital are being held for a cool $3.6 million ransom, driving home the real-world cost of hacker intrusions. Finally, we take a look at the continuing fight in DC over payment card security and the lack of accountability at VTech in response to its November 2015 breach.

And now, on to the clips!

—————– 

POTUS proposes $19 billion for comprehensive cybersecurity initiative. The big news on the cybersecurity front is President Obama’s new Cybersecurity National Action Plan (CNAP), the centerpiece of which is a $19 billion increase in federal cybersecurity funding. “It is no secret that too often government IT is like an Atari game in an Xbox world,” said Obama in a WSJ op-ed announcing the plan. (Source: Wall Street Journal)

Data security advice from the President: Stick to the basics. President Obama’s cybersecurity plan is heavy on cyber hygiene, both for federal agencies and the general public, writes @bbarrett. “What’s striking about all of these measures is that they’re not much different than the advice you’d give your neighbor, or any acquaintance with a casual interest in keeping themselves just a little bit safer.” (Source: WIRED)

So will CNAP help? Our take on CNAP from the consumer point of view. The verdict? Lots to like, but $19 billion will be a tough sell to Congress. “The companies and agencies that collect and use consumers’ data must have real skin in the game when it comes to protecting that information. We hope that the new Commission will take a look at the role that data security standards, strong data breach notification requirements, and cyber insurance can play in strengthening data protections.” (Source: National Consumers League)

McSweeny: IoT security, comprehensive data security legislation are still foci for FTC. In remarks before the Chamber of Commerce last week, FTC Commissioner Terrell McSweeny noted that the vulnerability of Internet of Things devices to hacking remains a concern for her. While addressing the EU-US Privacy Shield, big data, and other perennial FTC issues, McSweeney also reiterated the Commission’s long-standing commitment to comprehensive data security legislation. (Source: Lexology)

California AG: 49 million records of Californians compromised since 2012. The retail and financial sectors were the biggest sources of breached records according to the AG. In addition to “comprehensive information security programs,” the report calls for more deployment of multi-factor authentication, encryption, and fraud alerts to protect consumer credit files. (Source: California Attorney General’s Office)

Public Knowledge: FCC has a role to play in protecting broadband users’ data security. A few weeks ago, NCL joined with more than 50 other public interest organizations in a letter calling on the FCC to begin examining the privacy and security obligations of broadband providers. This week, Public Knowledge is out with an excellent white paper examing that topic in detail containing a number of noteworthy nuggets for the data security-minded reader. (Source: Public Knowledge)

EMV wars: Part 1. The smoldering lobbying fight between banks and retailers over the rollout of EMV chip card technology got some new fuel this week when @WilkinsonMolly of the Electronic Payments Coalition took decried retailer efforts to push for a PIN mandate. “Instead of reducing consumer choice by mandating a single authentication method — PIN — that is already becoming obsolete, we should embrace the idea that different technologies resolve different problems.” (Source: The Hill)

EMV wars: Part 2. The ever-vigilant @briankrebs is out with an in-depth look at why so many retailers are antsy about investing in chip-based payment terminals. “Despite the increased risk of eating the entire loss from counterfeit card use in their stores, many merchants are taking a wait-and-see approach on enabling chip card transactions … some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.” (Source: KrebsOnSecurity.com)

IRS e-filing system targeted again. As if last summer’s news that 300,000+ taxpayer accounts at the IRS were compromised by a hack weren’t bad enough, the IRS announced last week that identity thieves used more than 100,000 compromised Social Security numbers to obtain e-file PIN codes. Prof. Nir Kshetri of UNC Greensboro offered a great piece on why federal agencies’ cybersecurity is so lax. (Source: TheConversation.com)

IRS chief: Lack of funding to blame for cybersecurity lapses. IRS Commissioner John Koskinen laid the blame for data breaches at IRS at the feet of Congressional appropriators, whose budget cuts at the agency have resulted in $900 million dollars cut from its cybersecurity budget. (Source: Washington Examiner)

The only certainty in life… With tax filing season upon us, word comes down from @SaundersWSJ of new data breaches at tax preparers TaxAct and TaxSlayer. (Source: Wall Street Journal)

$3.6M Bitcoin ransom demanded for hospital files. Hackers are holding vital files at Hollywood Presbyterian Medical Centre in Los Angeles hostage while they wait for a $3.6M Bitcoin payment. The situation, which relies on so-called “ransomware,” has left the hospital reliant on fax machines to communicate and required the transfer of a number of patients, writes @Jason_A_Murdock. (Source: International Business Times)

VTech response to its #epicfail: Not our problem. Last year, children’s software maker VTech was hit with a breach that exposed the personal information of more than 5 million users. In response, VTech has updated its terms of service to prominently wash its hands of any future breach responsibility, writes @midian182 of TechSpot: “‘If [VTech] honestly feel they’re not up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the ‘zero accountability’ clause.’” (Source: TechSpot)

VTech’s reprieve could be short-lived, thanks to GDPR. While changes to its terms and conditions may be of limited legal usefulness in addressing breach liability, even that could evaporate in two years, thanks to the EU’s new General Data Protection Regulation, writes @kenmunro. (Source: Pen Test Partners)

Stat du jour: More than half of companies average four breaches involving payment data in the last two years. New research out from Gemalto and the Ponemon Institute pointed to the limited usefulness of PCI DSS—the payment industry’s dominant security standard—in protecting against breaches. “Compliance with PCI DSS is not considered sufficient for ensuring the security and integrity of payment data, according to 31 percent of respondents. In fact, only 17 percent of respondents say PCI DSS is essential and 18 percent of respondents say it is very important to achieving a strong payment data security posture.” (Source: Gemalto)

Quick hit: Are cyber-ratings firms coming into their own? Cybersecurity consultant Craig Calle finds comparisons with Moody’s and S&P, but for cybersecurity risk. (Source: CFO)

Quick hit 2: “Zero Days” to premier this summer, looks at Stuxnet development. Cyber warfare documentary “Zero Days” will examine how U.S. intelligence agencies took down Iranian nuclear centrifuges through the use of the Stuxnet malware, writes @euroinfocsec. (Source: Data Breach Today)

Upcoming events

RSA Conference – February 29-March 4 – San Francisco, CA
The premier conference for Internet security professionals. Agenda will include speakers from the DOJ, DOE, Department of Homeland Security, FBI, and NSA, among others.

National Consumer Protection Week – March 6-12 – Nationwide
The FTC is the hub for the annual National Consumer Protection Week. Among the topics on tap this year: identity theft and technology.

Issue 12 | Jan. 20, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: This morning, NCL joined with more than 50 public interest, consumer, and privacy organizations to call on the FCC to propose rules on broadband privacy and data security. Such rules, the groups argue, would allow the FCC to be a “brawnier cop on the beat,” to police the privacy and data security practices of the nation’s ISPs. In other news, data breach bills currently pending in Congress could move “later this spring,” according to Rep. Neugebauer (R-TX). Most consumer and public interest organizations (including NCL) have come out in opposition to Neugebauer’s bill. The LabMD data security case is not only proving to be an ongoing headache for the FTC, but also turning the former head of the company into a permanent thorn in the agency’s side (with an assist from the Koch network). National security pros seem to be a popular target for hacking lately, with news that Director of National Intelligence James Clapper has joined CIA Director John Brennan as intelligence head honchos who have had their email accounts compromised. One wonders whether these guys had two-factor authentication turned on? The breach news keeps coming with updates on old hacks (Hyatt hotels) and new ones (TaxAct, Time Warner Cable, and Nexus Mods). Finally, surveys of DC data security and privacy pros put some unsurprising topics at the tops of their to-do lists: EU Safe Harbor, EU Data Protection Regulation, encryption, breach legislation, and FCC/FTC jurisdictional fights, to name a few.

And now, on to the clips!

—————–

The price of inaction: Chaffetz says DOE breach would be “largest data breach we’ve ever seen.” Security deficiencies at the Department of Education could put data on more than half of all Americans at risk of a breach, says Rep. Jason Chaffetz (R-UT). The department recently earned “F” grades on four major security tests in an Inspector General report. “Almost half of America’s records are sitting at the Department of Education,” Chaffetz said. “I think ultimately that’s going to be the largest data breach that we’ve ever seen in the history of our nation.” (Source: WND)

ICYMI: CRS report helps you get smart quick on current state of play in data breach legislation. While you were burning off those Christmas cookie calories, the Congressional Research Service released a great report looking at the current crop of data security bills pending in Congress, the impact of federal preemption on existing state laws, and the authority of the FTC and FCC in this space. Check out @molliesiebee’s snapshot on FierceGovernmentIT. (Source: CRS)

Former LabMD head becoming a thorn in FTC’s side with an assist from the Koch network. @BrendanSasso brings us the story of how Michael Daugherty, former head of now-bankrupt LabMD, has used his ongoing fight with the FTC (supported by the Koch-connected Cause of Action) to reinvent himself as a conservative activist. “Two and a half years after the FTC first sued Lab­MD, the leg­al battle is still ra­ging, with neither side plan­ning to back down any­time soon. And the stakes have only got­ten high­er. If Daugh­erty wins, the case could sig­ni­fic­antly curb the FTC’s au­thor­ity to sue com­pan­ies for sloppy data se­cur­ity. ‘They had no idea who they were screw­ing with … I’m speak­ing all over the place on this. I’ve been sent to Aus­tralia to speak on this. I’m go­ing to Lon­don … It’s mak­ing lem­on­ade out of lem­ons. … The fun has just be­gun,’ Daugh­erty said.” (Source: National Journal)

Cyber’s #SOTU mention streak ends at four. @Cory_Bennett notes cyber issues were conspicuously absent from President Obama’s State of the Union last week. Thus ends a four-year SOTU streak in which the President repeatedly reaffirmed his Administration’s commitment to tackling the issue. (Source: The Hill)

It’s never too late for those 2016 data security policy predictions! @kirkjnahrawork of law firm Wiley Rein has a look at what will shape the data security and privacy debate in Washington and beyond. Tops on his list? EU Safe Harbor and EU Data Protection Regulation, though cybersecurity, data breach legislation, wearables/HIPAA, and FTC enforcement authority also make the cut. (Source: Bloomberg BNA)

Encryption, FCC privacy, FTC data security enforcement top 2016 priority list. @BloombergBNA’s Alexei Alexis brings us a snapshot of where DC’s data security and privacy pros see policy action this year. Spoiler alert: The election means Congressional action is unlikely, but we’ll see plenty of fireworks over encryption backdoors, the FCC’s forthcoming broadband privacy rulemaking, and the FTC’s data security role after the LabMD ALJ decision. (Source: BloombergBNA)

Trend Micro takes a deep dive into Privacy Rights Clearinghouse breach data. PRC’s data breach database is a treasure trove of information for the data security advocacy community. Security firm Trend Micro seems to think so as well, and its new report draws out some interesting conclusions from PRC’s data: “Hacking or malware were behind 25% of the data breach incidents from 2005 to April 2015 … Apart from the usual credit card, bank account, and PII dumps—whose prices in the underground have plateaued—there was a prominence of ads selling Uber, PayPal, and poker accounts.” (Source: Trend Micro)

Major BitCoin heist tied to disgraced Secret Service agent. A 2014 theft of $5 million worth of BitCoins and other virtual currencies from crypto-currency exchange Cryptsy is only now coming to light, due in part to the role that former Secret Service agent Shaun Bridges played in bringing down the Silk Road online black market. @euroinfosec has the full story at the link. (Source: ISMG)

DNI Clapper reportedly pWnEd by same group that hacked Brennan. The same hackers who broke into CIA Director John Brennan’s AOL email account last year have reportedly done the same to Director of National Intelligence James Clapper. @lorenzoofb follows the story for Motherboard: “One of the group’s hackers … contacted me on Monday, claiming to have broken into a series of accounts connected to Clapper, including his home telephone and internet, his personal email, and his wife’s Yahoo email. While in control of Clapper’s Verizon FiOS account, Cracka claimed to have changed the settings so that every call to his house number would get forwarded to the Free Palestine Movement.” (Source: Motherboard)

Are breach notifications worth their salt? Olivia Eckerson brings us her personal breach story and explains her frustrated failure to get useful information out of the breached health care provider. In addition, she highlights the difficulty too many consumers face with the risk of identity fraud stemming from data breaches. “Even though I received a data breach notification letter with plenty of numbers to call and companies to contact and a free credit report, I don’t know any more than I did before I was notified, and my occupation as a security reporter didn’t help me get any answers or clarity on the situation. In addition to the lack of information, the so-called ‘protection’ offered to me was laughable.” (Source: TechTarget)

Hackers: IoT security is “deplorable.” Deutsche Welle’s wide-ranging interview with Chaos Computer Club’s Frank Rieger is worth a read in its entirety, but Rieger’s take on the state of IoT security is what caught our eye. “The biggest problem we face right now is the Internet of Things—that is a network of all kinds of physical objects, and adding sensors to all aspects of life on the foundation of deplorable IT security. There is poor software everywhere, not enough content is encrypted, and we often lack an online security culture. Companies prefer to quickly put a product on the market and only check out safety afterwards.” (Source: Deutsche Welle)

Hyatt breach lasted months, number of impacted cards still unknown. The massive data breach at hotel chain Hyatt affected 250 locations in 50 countries and lasted from August-December 2015, according to the company. The breach is the fourth major one at a hotel chain since last October. What remains unknown is how many credit and debit cards were affected. (Source: Reuters)

Krebs: Hyatt breach highlights frustration as U.S. payment industry reform slows. @briankrebs took to his blog last week to lambast the slow pace of payment security reform. “Instead of just mandating that banks and retailers shift in lockstep on a to handling chip cards, U.S. lawmakers and regulators have for years delegated (abdicated?) accountability for credit card security to a booming industry of auditors and assessors who’ve been trying to secure a technology (magnetic stripe-based cards) that is 60 years old and is about as secure as mailing your credit card number on a postcard.” (Source: KrebsonSecurity)

Fanboy alert: More Krebs. Brian Krebs is one of the best, if not the best reporters covering data security these days (full disclosure: NCL hosted a book party to for his book Spam Nation, so we’re biased). That said, he’s been on fire since the new year, bringing us must-read articles on cybercriminal call centers, “warranty fraud,” and Russian dating scams. All are well worth your time.

Breach du jour: TaxAct. Tax prep firm TaxAct has disclosed that it suffered a breach from November to December last year in which an undisclosed number of consumers’ personal tax information was compromised. Reporting on the breach, @jeffwriter notes that TaxAct relied on the extremely vulnerable email address/password combination to authenticate users. With tax identity fraud so prevalent, this begs the question of why TaxAct was not requiring two-factor authentication for its users? (Source: eSecurity Planet)

Breach du jour (part deux): Time Warner Cable. Email address and password information on as many as 320,000 Time Warner Cable subscribers may have been compromised, reports Forbes’ @abigailtracy. While the source of the breach remains unclear, the company says it suspects malware on consumers’ computers or a breach at a company maintaining TWC data. (Source: Forbes

Breach du jour (part trois): Nexus Mods. @campuscodi brings us news that Nexus Mods, reportedly the biggest repository of gaming mods on the Internet, has confirmed that hackers compromised nearly 6 millions user accounts. The hack, which apparently occurred in 2013 and is only now coming to light, involved users who registered with the site before July 22, 2013. The hacked database contains “only user IDs, usernames, email addresses, password hashes and salts. No cleartext passwords.” Such personally identifiable information is typically used to power phishing attacks and account takeover fraud. (Source: Softpedia)

Security fears after Malheur data breach leads to employee relocation. Militants occupying the Malheur National Wildlife Refuge in Oregon inappropriately accessed government computers at the refuge. Since personal information about employees was stored on the computers, the U.S. Fish and Wildlife Service has recommended that refuge employees relocate from their homes “out of an abundance of caution.” (Source: KOIN) 

Upcoming Events 

Jan. 24-30 – Tax Identity Theft Awareness Week – Online
Tax identity theft is the fastest-growing form of identity fraud reported to the FTC, which will join forces with AARP, the Department of Treasury, IRS, Department of Veterans Affairs, and the Identity Theft Resource Center to host a series of webinars and Twitter chats at the end of January to mark Tax Identity Theft Awareness Week. Check out the FTC’s events calendar for more information.

Jan. 28 – Data Privacy Day – National
Our friends at the National Cyber Security Alliance are once again coordinating a full slate of activities to mark Data Privacy Day 2016. Privacy tips, Twitter chats, and more information is available at NCSA’s Stop. Think. Connect DPD page.

Feb. 9 – Start with Security: Seattle – Seattle, WA
The FTC’s third “Start With Security” event will take place on February 9, 2016, in Seattle, Washington, and will be co-sponsored by the University of Washington Tech Policy Lab and the University of Washington School of Law Technology Law & Public Policy Clinic. This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. This event will bring together experts to provide insights on how small companies can secure their applications and products, and how important it is to do so.

Jump to Information sharing from Health Advisory Council Members

Fireside chat between Dr. Califf and Sally Greenberg: Discussion highlights 

Influences on Dr. Califf’s career 

Dr. Califf explained how his Duke medical education, where students spend their 3^rd year doing research, spurred his interest and career in clinical research. He also discussed how the transition to electronic health records enables clinicians to study whole populations.  

Dr. Califf explained how his mother’s diagnosis of multiple myeloma at the age of 81 influenced his view of the need to rapidly develop medical products and treatments for the patients who need them. He discussed the important role of patients in advocacy and clinical trials, noting that patients can change the way things are done, from donating data and tissue samples to researchers, volunteering for clinical trials, raising money, and having a say over the questions asked to address the medical problem/issue.

Experience working at FDA  

Dr. Califf noted that FDA’s mission is to protect the public health and promote innovation at the same time. He believes this is the dilemma that makes the FDA an exciting place to work.

Dr. Califf praised the dedication of FDA’s employees. Since FDA regulates about 25 percent of the economy, almost everyone is affected by the FDA’s actions. As a result, numerous constituents are concerned about the FDA.

Improving healthcare provider-patient communication  

Highlighting NCL’s Script Your Future medication adherence campaign, Sally Greenberg asked Dr. Califf how healthcare provider–patient communication could be improved. Dr. Califf agreed that more work needs to be done in this area, because there is not a simple, ready solution. He believes that team-based care is the key, as well as better utilization of the Internet and personal devices.   

Ensuring patient-centered care and access to medications

Dr. Califf stressed that although FDA is prohibited from regulating the practice of medicine, there are steps that FDA can take to ensure that drug and device development is more patient-centered, such as encouraging industry to consult with patient groups and bring patients to FDA meetings early in the development process. In addition, in conjunction with industry and the medical community, Dr. Califf stressed that patient information will be a focus over the next two years.

In discussing the cost of medication, Dr. Califf again stressed that FDA has to stay within the bounds of its mission. It has no legal authority to intervene in the case of drug prices or monopolies. However, FDA can prioritize generic drugs (which comprise 88 percent of prescriptions) and strike up competition within the innovator category.

The value of public–private partnerships    

Dr. Califf stated that public-private partnerships such as the Clinical Trials Transformation Initiative were one of his areas of expertise before joining the FDA. He believes that establishing partnerships between FDA, industry, patient groups, and academia is the way business should be done. Rules of engagement are important, however, because at the end of the day, FDA has to make a decision without being influenced by the innovators. 

Importance of ‘real world data’

Dr. Califf credited a mentor of his for helping him to understand the importance of real world data. He gave an example of an algorithm that predicts patients who are at high risk of suicide. Having this data helps primary care physicians intervene with their high-risk patients.

Improving R&D

Dr. Califf discussed 3 areas to improve the research and development process:

1. Patient-centeredness – Understanding patient preferences
2. The use of biomarkers and surrogate endpoints
3. Streamlining clinical trials to make them simpler 

Information sharing from Health Advisory Council Members

Robert Nauman, North Carolina Alliance for Healthy Communities – Robert Nauman praised the Health Advisory Council for facilitating dialogue and partnerships between Council members. For example, through connecting with the Consumer Healthcare Products Association (CHPA), Rob’s organization used the Up and Away campaign materials with seniors across North Carolina, urging them to safely store medications out of the reach of children.

Bradi Granger, Duke University – Bradi Granger said she appreciates the opportunity to work with NCL and its Script Your Future campaign. Duke’s Medication Adherence Alliance gives providers tools to improve medication adherence.   

Michelle Oshman, Eli Lilly and Company – Michelle Oshman said she values participation in the Health Advisory Council because it enables Lilly to speak and partner with the consumer community. 

Kimberly Rawlings, Office of Communications, Center for Drug Evaluation and Research, FDA – Kimberly Rawlings reported that CDER has plans to release a Biomarkers and Standards campaign in the spring of 2016. Rawlings also discussed the release of two new mobile apps since the Council’s previous meeting: the Orange bookExpress and another app on Drug Shortages. 

Marsha Henderson, Office of Women’s Health, FDA – Marsha said how much she has appreciated working with NCL over the past 20 years. She announced FDA’s Diverse Women in Clinical Trials Awareness Campaign, which is co-sponsored with the NIH Office of Research on Women’s Health. FDA/OWH will also be releasing a new publication on Women and Heart Disease.  

Ernie Boyd, Ohio Pharmacists Association – Ernie Boyd thanked NCL for allowing state associations to be a member of the Health Advisory Council. The Ohio Pharmacists Association is pleased to be a part of NCL’s Script Your Future campaign, and to have seven Ohio colleges working with SYF to improve medication adherence.

Bri Morris, National Community Pharmacists Association – Bri Morris announced that NCPA is preparing to roll out a large-scale smoking cessation program for community pharmacists in 2016. She also reported the results of NCPA’s year-long study which measured the collective impact of appointment-based medication synchronization (ABMS) services provided by 82 participating community pharmacies across Arkansas. The study found that patients who received ABMS services were more than 2.5 times more likely to stick with their medication as prescribed by their doctor.

Issue 9 | Dec. 2, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The massive hack of Chinese toymaker VTech has once again put the issue of consumers’ data security squarely in the national spotlight. The VTech breach, coming at the height of the holiday shopping season and involving the exposure of especially sensitive children’s information, is already prompting investigations by attorneys general in Connecticut and Illinois. More regulatory scrutiny of VTech and the data security practices of connected toys is sure to follow. The VTech hack comes nearly two years after the massive data breach at Target that served as the impetus for NCL to launch our #DataInsecurity Project. Since December 2013, we’ve seen data security rise to the top of the DC policy agenda, though actual legislation to improve consumers’ data security remains frustratingly elusive. As we look forward to 2016, we expect that the FTC will continue to push businesses to better protect their customers’ data (despite a recent setback in the LabMD case). Fortunately, more businesses are embracing the need for better security. For example, Amazon recently became the latest tech giant to enable two-factor authentication for its users. In this week’s #DID, we look at personal stories of victims of data insecurity. Author Lisa Bennett describes her experience with an IRS scammer and we get an inside look at how the Sony hack affected their employees.

And now, on to the clips!

—————–

VTech breach: 6.4 million children’s information exposed. The announcement of a massive breach of 6.4 million children’s and 4.9 million parents’ personal information at toymaker VTech during the height of the holiday shopping season looks like it could be a catalyst for data security reform. “The disclosure of the scope of the breach is troubling,” said Jaclyn Falkowski, a spokeswoman for Connecticut’s attorney general. Connecticut and Illinois said on Monday they plan to investigate the breach. Regulators in Hong Kong are also looking into the matter.” (Source: Reuters)

VTech hacker was interested in raising awareness of VTech vulnerability. @lorenzofb of @Motherboard, who first broke the VTech breach story (earlier articles here, here, and here) interviews the hacker behind the breach. The anonymous hacker claims that he doesn’t intend to profit from the sale of the breached data. “The hacker noticed that the site was using Flash, and had a login box. He then quickly found out the site was vulnerable to the ancient, yet still very effective, hacking technique known as SQL injection. The hacker then quickly obtained the maximum level of administrative privileges on the server, known as ‘root’ in technical jargon, and realized he could basically do whatever he wanted. … ‘All the evidence suggested I wasn’t the only person outside of VTech who could have got the data,’ he said.” (Source: Motherboard)

How I fell face-first for an epic IRS scam. There is no one profile for scam victims, as former Harvard Fellow and Ashoka Changemaker @LisaPBennett illustrates with her fascinating, courageous account of how she almost fell victim to an IRS debt scam. “If anyone should have known better, it was me. I’m a somewhat experienced adult, with more than one degree from an Ivy League university. … But the truth is that I fell for this scam — almost completely.” (Source:  narrative.ly)

FTC may “pump the brakes” on data security investigations after LabMD decision. A decision handed down by the FTC’s Administrative Law Judge will likely be a setback for the Commission’s efforts to be the country’s data security cop on the beat, according to @natlawreview. “…this decision challenges the conventional wisdom that the FTC has a lower standard to meet with respect to showing harm than private litigants. … provides potential defenses for companies facing an FTC action based solely on allegedly lax data security practices, and it may also make the FTC less likely to bring such enforcement actions against companies without evidence of likely harm to consumers.” (Source: National Law Review)

ALJ decision comes too late for LabMD, gives ammunition to FTC’s critics. @CauseofActionDC lawyer @DanielZEpstein (who represented LabMD against the FTC) took to the WSJ to decry the Commission’s investigation of LabMD (“Hounded Out of Business by Regulators”). “…the case illustrates the injustice of the federal system that allows agencies to cow companies into submission rather than seek a day in court. … That’s what happens when a federal agency serves as its own detective, prosecutor, judge, jury and executioner.” (Source: Wall Street Journal)

Norton: 348 million identities exposed in 2014. Security giant Norton is out with their latest Cybersecurity Insights Report. Among the pertinent data points: 348 million identities were exposed in 2014, 6 in 10 U.S. consumers believe using public WiFi is riskier than using a public restroom and 1 in 3 consumers do not have a password on their smartphone or computer at all. (h/t @TimStarks) (Source: Norton)

Amazon force-resets passwords, enables two-factor authentication. While the two are likely unrelated, the world’s largest e-tailer is taking steps to protect its users’ data security during the busiest online shopping period of the year. As @zackwhittaker reports, the online giant is force-resetting an unknown number of users’ passwords after discovering that passwords were “improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party.” Good thing Amazon rolled out two-factor authentication last week, right? (Source: ZDNet) 

Step-by-step: How to enable Amazon’s two-factor authentication. Hacked e-tailer accounts (and Amazon is the biggest of the big) are a valuable ways for hackers to monetize their stolen data. Before you start your holiday shopping, take a minute to enable two-factor authentication on your Amazon account. @t1mmoynihan has provided a helpful step-by-step guide for enabling TFA on Amazon. (Source: WIRED) 

Life at Sony after the hack. Writing for Slate, @amandahess takes an insider’s look at what life was like inside Sony after one of the most intrusive breaches in history. “Target is just a place they bought bedsheets. Anthem is a card they brandish at doctors’ visits. The Sony hack hit employees in the place where they spend most of their waking hours and expend most of their mental and physical energy, and not necessarily because they’re super passionate about filing paperwork for Adam Sandler movies. The leak of information threatened their personal financial futures, and the destruction of property threatened their livelihoods. As one employee put it: ‘Everything we had to do to make a living became such a chore.’” (Source: Slate)

Hotel breach du jour: Hilton Worldwide. Hotel giant Hilton Worldwide (operator of Hilton Hotels, Doubletree, Embassy Suites, Waldorf Astoria, and others) is the latest company to have its point-of-sale (POS) system breached. It’s unclear at this time how many payment cards were affected, but official word from the company is that the compromised PII includes “cardholder names, payment card numbers, security codes and expiration dates, but no addresses, personal identification numbers (PINs) or Hilton HHonors account information.” (Source: Hilton)

Hilton’s just the latest in a string of hotel breaches. The hack of Hilton’s POS system comes on the heels of breaches over the last twelve months at Starwood Hotels, Trump Hotel Collection, Mandarin Oriental, and White Lodging (twice!) (h/t @briankrebs)

On the move: CDT’s Privacy & Data Project has a new Kopp on the beat. The Center for Democracy & Technology is bringing on Katharina Kopp to head it’s Privacy & Data Project. Most recently with American Express, Kopp will “lead CDT’s efforts to protect and enhance the privacy rights of individuals in all aspects of their digital lives. Beyond privacy, she will also work to broaden the assessment of, and policy solutions to, the impact of technology on individual autonomy and society as a whole.” (Source: CDT)

Two years already? What we learned from the Target hack. We’re coming up on two years since the epic @Target hack woke up the country to the need for better data security. Tech entrepreneur @chrisbihary takes a look at what we’ve learned. Among the lessons: “Hiding the data breach from customers was a PR nightmare. … Target has $10 million in escrow to settle class action lawsuits and paid approximately $200 million in crisis management after insurance coverage.” (Source: Garland Technology)

Upcoming Events 

Dec. 15, 2015 – Gartner: Data Security in the Age of the Road Warrior – Webcast
Data Loss Prevention experts, Heidi Shey, senior analyst at Forrester Research, and Dave Bull, content security solutions product director at Intel Security will discuss data breaches and data protection concerns. Key takeaways include: The current state of sensitive data access, use, and loss; The changing requirements for protecting this data—from privacy laws to threats that employees face as they travel for work; and what you need to do to when architecting your protection strategy to defend against today’s threats.

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, academics, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

Feb. 9, 2016 – Start with Security: Seattle – Seattle, WA
The FTC’s third “Start With Security” event will take place on February 9, 2016, in Seattle, Washington, and will be co-sponsored by the University of Washington Tech Policy Lab and the University of Washington School of Law Technology Law & Public Policy Clinic. This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. This event will bring together experts to provide insights on how small companies can secure their applications and products, and how important it is to do so.

Welcome to the first issue of the Health Advisory Council Newsletter!

The purpose of our quarterly newsletter is to share Council news and events, as well as current NCL initiatives. We release this first issue on the heels of the Supreme Court ruling in King vs. Burwell, which upheld the tax credits under the Affordable Care Act and puts us another step closer toward the goal of providing health insurance for all Americans, a longstanding principle endorsed by NCL founders and leaders throughout our 115-year history.

Since May’s inaugural meeting, NCL and Council members have been active on many fronts. Please read on for policy updates, Q and A’s with two Council members, upcoming events, and more.

 NCL Health Policy at Work 

Access – to medications, health care, information, coverage – is a prominent theme among members as a priority, as well as in the issues we are addressing at NCL. And with the recent decision by the U.S. Supreme Court in King v. Burwell, access to health care for millions under the Affordable Care Act will continue, even while we work to ensure consumers have access to critical medications and treatments they need. The Supreme Court’s 6-3 vote is a major victory for consumers nationwide.

Read on for more updates about NCL’s health policy work.

 Member spotlight

Get to know two Health Advisory Council members – Astellas and the Centers for Disease Control and Prevention (CDC) – with our new Q&A’s. 

 We want to hear from you!

We are currently seeking Council member input on the planning of an NCL health policy briefing in late 2015 / early 2016. Please get in touch with Kamay Lafalaise (kamayl@nclnet.org) if you are interested in participating in a small working group. 

 Updates on Member Programs

Consumer Healthcare Products Association (CHPA) – Updated Consumer Resource Available to Promote Safe Acetaminophen Use; Up and Away Campaign

In partnership with the Acetaminophen Awareness Coalition (AAC), the Know Your Dose campaign is excited to announce an updated resource for consumers to learn how to safely use medicines containing acetaminophen. It begins by following four safe use steps:

1. Always read and follow the medicine label
2. Know if your medicines contain acetaminophen
3. Never take two acetaminophen-containing medicines at the same time
4. Ask your healthcare provider or pharmacist if you have any questions

On the updated site, you’ll find an interactive medicine label reader, a list of common medicines containing acetaminophen, and an interactive game. Take a tour of the updated site, KnowYourDose.org.

Did you know that approximately 60,000 young children visit emergency rooms each year because they got into medicines that were unintentionally left within sight and reach? This Grandparents Day (September 13th), the Up and Away campaign will be reminding families—especially those with both young children and grandparents in the home—to keep their medicines and vitamins up and away (and out of sight). To help spread the word and to receive social media graphics, posts, and links to the campaign’s resources—including safety tip sheets, and even a coloring book for children—please email thollern@chpa.org. Up and Away is an initiative of PROTECT in partnership with the CDC.

McNeil Consumer Healthcare – OTC Literacy Program

OTC Literacy is the result of a partnership between American Association of Poison Control Centers (AAPCC) and Scholastic publishing, with support from McNeil Consumer Healthcare.  These organizations have come together to develop a free comprehensive education program that reaches 5^th and 6^th graders with the objective of teaching responsible medicine use and storage. Modeled after the FDA’s Medicines in My Home program, OTC Literacy’s proven results have led to its acceptance for a live presentation at the annual Safe Kids Worldwide Prevention Convention in July. The program is gearing up its 4^th year launch in mid-October. Visit http://www.scholastic.com/otcliteracy/ for more details!

National Council on Patient Information and Education (NCPIE) – Talk About Your Medicines Month this October

Talk About Your Medicines Month (October 2015) – This October marks the 30^th annual observance of “Talk About Your Medicines Month” by the National Council on Patient Information and Education to call attention to the impact that high-quality patient—healthcare provider communication can play in promoting better medicine use and better health outcomes. “Talk About Your Medicines” Month messaging is “evergreen” and can be used throughout the year. Visit TalkAboutRx.org for details.  

The Society for Women’s Health Research (SWHR) – Beyond the Bruises Campaign

The Society for Women’s Health Research is a national non-profit and thought leader in research on sex differences in health and disease, recently launched “Beyond the Bruises,” an online campaign uniting survivors, advocates, organizations, and celebrities in bringing awareness to the effects of domestic violence on chronic diseases. The campaign features a short film that shares the stories of domestic violence survivors who struggle with chronic diseases as a result of their abuse, as well as the website BeyondtheBruises.org, a resource center that houses information on the often unrecognized effects of domestic violence on chronic illness.

United States Pharmacopeia (USP) – Quality and Safety of Dietary Supplements

Protecting public health by ensuring the quality of medicines has been the mission of the United States Pharmacopeia since its founding almost 200 years ago. USP quality standards for drugs are recognized in US law and enforced by the FDA. USP also creates standards for dietary supplements and provides seals of approval on supplements that meet their rigorous testing program. However, dietary supplements are regulated as a food, not a medicine, and USP standards are voluntary. 

There is growing concern about the quality and safety of dietary supplements. The USP Verified Mark reassures consumers that what is on the label is actually in the bottle.  More information about third-party verification programs can be found highlighted in a recent Newsweek article and a New York Times blog. 

 NCL’s 2015 Trumpeter Awards

For more than 40 years, NCL’s Trumpeter Award has recognized leaders who speak out for social justice, public health, and for the rights of consumers. Recipients have included FDA Commissioner Margaret Hamburg, Surgeon General Regina Benjamin, legislators, investigative journalists, and others.

On October 6, U.S. Senator Amy Klobuchar (D-MN) and the Honorable Edith Ramirez, chairwoman of the Federal Trade Commission, will receive the 2015 Trumpeter Awards. Join us for an evening of celebrating their careers, as well as the work of NCL. Learn more about the 2015 Trumpeter Award.

 NCL in the news

CBS This Morning: FDA taking another look at sex drug for women
Huffington Post: Little-known provision of the Affordable Care Act is about to pay major dividends for US consumers
The Washington Post: FDA advisory panel recommends approval of ‘female Viagra’
The New York Times: Aid to women, or bottom line? Advocates split on libido pill
Fox News: ‘Female Viagra’ is dividing the women’s health community
The Hill: FDA should rescind switch to electronic drug labeling
NCL statement applauding CA legislation to ban vaccine personal exemptions
NCL statement in support of San Francisco move on sugary beverages

{{ broadcaster.name }}
{{ settings.site.full_url }}