Welcome to the second issue of the Health Advisory Council Newsletter!

Mark your calendar for our end-of-year Council event: a briefing and holiday reception, featuring remarks by Dr. Robert M. Califf, Deputy Commissioner for Tobacco and Medical Products, U.S. Food and Drug Administration (FDA), recently nominated to be the next FDA Commissioner. Please join us on Monday, Dec. 7 at 4 pm at the Omni Shoreham Hotel in Washington, DC to hear from Dr. Califf, and network with other Council members. Please RSVP by Dec. 1 here!

 NCL health policy at work

Script Your Future Campaign – “So Simple, So Hard” was the theme of a medication adherence conference hosted by NCL in September in Sacramento, CA. Sponsored by the Agency for Healthcare Research and Quality (AHRQ), the speakers and attendees explored the challenges and barriers to medication adherence and highlighted tools and strategies to improve adherence and health outcomes, especially among underserved populations. NCL gathered more than 80 stakeholders including health care professionals, community health workers, advocates, industry representatives, policy makers, and researchers. Conference participants heard from researchers and experts on adherence and engaged with each other about possible collaborations and solutions. Click here to view conference presentation slides and video.[1]

In addition to the research conference, Script Your Future California partnered with the California Chronic Care Coalition and the California Pharmacists Association to conduct an informational briefing hosted by state Senators Richard Pan, MD and Jeff Stone, PharmD on Oct. 21in Sacramento. “Chronic Disease and Medication Non-Adherence: Problems worth Solving,” featured evidence based strategies to improve outcomes and reduce costs when treating people with chronic diseases, with a focus on Comprehensive Medication Management. In addition to the state Senators, speakers included Sloane Salzburg, Council for Affordable Health Care, Prescriptions for a Healthy America; Assistant U.S. Surgeon General Pamela Schweitzer, PharmD; the University of Southern California’s Steven Chen, PharmD; and Michael Hochman, MD, with AltaMed Health Services. Briefing materials are available here. 

PDUFA VI – NCL was one of two consumer groups invited by the FDA to be part of a panel  at a public hearing on the reauthorization of the Prescription Drug User Fee Act (PDUFA) at the FDA this summer. Under PDUFA, the pharmaceutical industry provides resources for FDA to review medications.  As part of her comments, Sally Greenberg, NCL executive director, made the case that there is a difference between patients and consumers, in how they view and weigh risks. A patient suffering from a serious illness is far more likely to take on greater risk to get the benefits from a specific treatment. A consumer, on the other hand, may refrain from taking a high-risk drug or choose a lower-risk drug for a moderate to mild illness or condition. The difference in risk assessment between patients and consumers is critical when considering the policy implications in the sixth reauthorization of PDUFA. 

Health insurance marketplace – NCL was part of an Alliance for Health Reform briefing in July called “Empowering the Consumer as the Ultimate Health Care Stakeholder.” The briefing, the first in a two-part series on the role of consumers and patients in our healthcare system and co-sponsored by NCL, explored questions such as: How is the evolving insurance marketplace affecting the choices consumers have when selecting a health plan, whether through a health insurance exchange, employer, or other mechanism? What information do consumers need to select a plan that is right for them? Rebecca Burkholder, NCL vice president of health policy, provided an overview of the consumer experience in today’s health care system, patients’ priorities in making health care and coverage decisions, and the challenges patients face in selecting a plan.

21^st Century Cures –  NCL was recently part of a group of patient and consumer advocates who met with FDA officials, including Acting FDA Commissioner, Dr. Stephen Ostroff, and  nominated FDA Commissioner, Dr. Robert Califf, regarding concerns about the 21^st Century Cures Act. The Act , passed the House in July,  intends to accelerate the discovery, development, and delivery of new drugs and devices. The legislation is currently being reviewed by the Senate HELP Committee. While some aspects of the bill could speed up the development of and access to new drugs, NCL and other consumer and patient groups have expressed concern that it could ultimately lower standards for approval of many medical products, placing patients at unnecessary risk. The current version of the bill would allow consideration of drug approvals based on clinical experience, replacing scientific data from large numbers of patients in well-designed and controlled clinical trials. Advocates also fear approval standards for medical devices could become less rigorous. As a part of a patient and consumer coalition, NCL is working to ensure that the bill provides greater access to medications without sacrificing safety.  

FDA approves first female treatment for low libido – This fall, NCL welcomed an announcement from the FDA of its approval of the first-ever treatment for women’s low libido. Approval of the drug—flibanserin, which will be sold under the name ADDYI—came nearly four decades after the condition of HSDD (Hypoactive Sexual Desire Disorder), which it will treat, was first recognized in scientific journals. For months, NCL and other advocates had been calling for FDA to consider the treatment option because it would be the first of its kind for women. In October 2014 and June 2015, NCL Executive Director Sally Greenberg testified in support of treatments for patients suffering from HSDD.

Reagan Udall Foundation Board – NCL is a member of the Congressionally created Reagan Udall Foundation board formed to support the FDA. RUF is a private public partnership that works on a variety of projects, including analyzing FDA data for safety signals on drugs, devices and other products regulated by the FDA. 

Medicare Advantage Care Coordination (MACC) Task Force – Despite the fact that two-thirds of Medicare beneficiaries have two or more chronic conditions, care for many of these individuals is fragmented. Beneficiaries often shuffle between numerous providers in multiple care settings, including doctors’ offices, the ER and hospital facilities. Without sufficient coordination across these various points of care, the health issues these beneficiaries are already facing may be compounded. NCL recently joined the MACC Task Force, an initiative founded by the Association of Health Insurance Plans, which is a collaboration of leading aging, caregiver, patient and provider organizations addressing the critical issue of care coordination. In October the Task Force launched the Care for Us Project, a campaign to build awareness around best practices related to care coordination and disease management of specific chronic conditions prevalent among Medicare beneficiaries

NCL staffing news

Health policy staff changes – After 14 years at NCL, Rebecca Burkholder, vice president of health policy, will be departing in early 2016 to start a new career in Thailand,  focusing on international development work. “I have truly appreciated having the opportunity to work on consumer health issues at NCL and to collaborate with so many well-respected organizations,” Burkholder said. NCL welcomes suggestions for potential candidates or other considerations as we look to fill this position. You can access the job description here. We look forward to introducing our new Director of Health Policy to the Health Advisory Council in 2016! 

Meet our new Linda Golodner Food Safety & Nutrition Fellow, Ali Schklair!

Ali is a graduate of Smith College and is from Cape Elizabeth, ME. She joined NCL staff in September after her time at the Nurse Practitioners in Women’s Health as a Continuing Education Coordinator.

“I came to NCL from an organization that works with health care providers, and it was interesting for me to switch over to an organization that supports consumers. Joining NCL with previous experience working with providers allows me to look at issues in full scope,” said Ali.

Schklair’s time at NCL has overlapped with the FDA’s new rules for the Food Safety Modernization Act (FSMA). This gave her the opportunity to learn about food safety during a very pivotal time. Read her thoughts on the final preventive control rules here.

 Member spotlight

Get to know two Health Advisory Council members–NCPIE and Lilly–with new Q&A’s. 

 Updates on member programs

National Council on Patient Information and Education (NCPIE) – Boy Scouts’ Safe Medicine Use Program. The Boy Scouts of America are joining efforts to promote safe medicine use with the new SCOUTStrong Be MedWise Award program, providing Scouts the opportunity to earn a patch for learning about responsible use of medicines. Created in collaboration with the National Council on Patient Information and Education, (NCPIE) the lessons involved in earning the patch–like learning how to read, understand, and follow a medicine label–can set youth on a course of responsible medicine use they can carry forward for the rest of their lives. The curriculum is also publicly available for educators and youth initiatives.

United States Pharmacopeia (USP) – Fight against food fraud. Globalization of food supply chains has helped make possible the wonderful, diverse, and affordable food supply that we all enjoy today. At the same time, it has increased the complexity, scale, and dynamics our food system, opening new doors of opportunities for fraudulent adulteration. To help manufacturers and regulators identify the ingredients most vulnerable to fraud in their supply chains and choose effective mitigation tools to combat economically-motivated adulteration, the USP recently released its Food Fraud Mitigation Guidance. Learn more about this tool and its potential impact on USP’s Quality Matters blog.

McNeil Consumer Healthcare – OTC Safety Program for 5^th and 6^th Graders. McNeil is thrilled to share the news of the launch of the 4^th year of the OTC Medicine Safety program. This program, developed in partnership with Scholastic and the American Association of Poison Control Centers, is an evidence-based educational program tailored towards 5^th and 6^th grade students with the goal of providing free resources to teachers, school nurses, community leaders, and families to support the education of tweens about the responsible use and storage of medicines. Research shows that students begin to self-medicate at 11 years old; if not equipped with the knowledge and training to make responsible choices around OTC use, they can form unsafe habits. Visit scholastic.com/OTCmedsafety to explore the new and improved website experience and the extensive host of optimized resources available – all available for free – to teachers, nurses, parents, and community leaders. Reach out to Leily Saadat-Lajevardi at lsaadat@its.jnj.com for materials to help you promote the program!

Consumer Healthcare Products Association (CHPA) – Acetaminophen Awareness Coalition “Double Check; Don’t Double Up” Campaign. Acetaminophen is found in more than 600 over-the-counter (OTC) and prescription medicines, including many that treat cough, cold, and flu symptoms. It’s safe and effective when used as directed, but there is a limit to how much you can take in one day. Taking more than directed is an overdose and can lead to liver damage. Taking two medicines with the same ingredient could be harmful. That’s why it’s important to read and follow the label every time you take a medicine. Double check; don’t double up! Find out more at KnowYourDose.org

CHPA survey on consumer knowledge About OTCs. In September, the CHPA Educational Foundation released the results of its national survey, conducted to identify consumers’ knowledge gaps around the appropriate use, storage, and disposal of oral OTC medicines. The survey was conducted online by Harris Poll in February 2015 among 2,002 U.S. adults 18 and older who have used or purchased oral OTC medicines in the last six months. Learn more at KnowYourOTCs.org

CHPA’s Up and Away Campaign. Pediatrics, the official journal of the American Academy of Pediatrics, in September reported a declining number of emergency department (ED) visits for unsupervised medication exposures in young children since 2010. After rising steadily from 2004 through 2010, the number of ED visits for these exposures peaked in 2010. According to the article, after 2010 this trend reversed, and visits decreased by an average of 6.7 percent annually. Through Up and Away and Out of Sight, a campaign led by CHPA’s Educational Foundation and the U.S. Centers for Disease Control and Prevention’s PROTECT Initiative, CHPA continues to remind parents and caregivers to store their medicine up and away and out of the reach of children. For more information, visit UpAndAway.org. 

 We want to hear from you!

We are seeking Advisory Council member input on events and activities for 2016. Feel free to contact Amy Sonderman with any ideas or suggestions (amys@nclnet.org).

Issue 6 | Oct. 20, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: As Congress returns from its Columbus Day recess, there are rumblings that the Senate is expected to take up the long-delayed Cybersecurity Information Sharing Act of 2015 (CISA). The case for data security reform (though not necessarily CISA itself) was highlighted last week when NCL, along with 24 other consumer privacy organizations, called on the CFPB and FTC to investigate the breach at Experian that led to the exposure of 15 million T-Mobile customer records. CISA also made waves on the presidential campaign trail when Democratic candidate Sen. Bernie Sanders announced his opposition to the bill. Finally, if you haven’t already done so, mark your calendars for the FTC’s second “Start with Security” event in Austin on Nov. 5. We will be following the event with interest, particularly to see what Commissioner McSweeny has to say about data security and the startup economy.

—————–

Bloomberg: Dow Jones breach potentially involved market-moving info. @MichaelRileyDC has the story on the latest hack of potential market-moving information: “The breach is described by the people as far more serious than a lower-grade intrusion disclosed a week ago by Dow Jones, a unit of Rupert Murdoch’s News Corp. … Information embargoed by companies and the government for release at a later time could be valuable to traders looking to gain an edge over other market participants, as could stories being prepared on topics like mergers and acquisitions that move stock prices.” (Source: Bloomberg)

Groups urge FTC & CFPB to investigate Experian/T-Mobile breach. More than two dozen consumer and privacy organizations (including NCL) are calling on the FTC and CFPB to investigate security lapses at Experian and T-Mobile that could have contributed to the breach of 15 million T-Mobile customers’ and applicants’ personal information. The letter, via @USPIRG: “We believe this breach, occurring at one of the nationwide CRAs, takes this problem to a whole new and dangerous level given the extraordinarily large amounts of critical financial information they hold.” (Source: USPIRG)

More Experian/T-Mobile fallout: Senator wants answers. Sen. Sherrod Brown is using his perch as ranking member on the Senate Banking, Housing and Urban Affairs Committee to demand answers from Experian and push for free credit freezes and an end to forced arbitration (h/t @KatieBoWill). (Source: Office of U.S. Senator Sherrod Brown)

Krebs: Talent exodus at Experian could have contributed to T-Mobile breach. @briankrebs talks to a number of ex-Experian security staff to get the inside scoop on factors that could have allowed the T-Mobile breach to occur: “Over the past week, KrebsOnSecurity has interviewed a half-dozen security experts who said they recently left Experian to find more rewarding and less frustrating work at other corporations. Nearly all described Experian as a company fixated on acquiring companies in the data broker and analytics technology space, even as it has stymied efforts to improve security and accountability.” (Source: KrebsOnSecurity)

Bernie comes out against CISA. No candidates on the Democratic side of the ledger had taken positions on the Cyber Information Sharing Act until Bernie Sanders made his opposition clear last week. @ericgeller for @DailyDot: “Sanders’ stance … aligns him with privacy advocates and makes him the only Democratic presidential candidate to stake out that position … Sanders has not decided whether or not to join a potential filibuster. His office told the Daily Dot that he is waiting to see which of the 22 proposed amendments get votes on the Senate floor.” (Source: The Daily Dot)

Study: 87% of Android devices are vulnerable. @RonAmadeo covers disturbing new information on the vulnerability of the world’s most popular mobile OS for @ArsTechnica: “…a recent study … finds that ‘on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities.’ … As for why so many Android devices are insecure, the study found that most of the blame sits with OEMs. The group states that ‘the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.’”

EU moves toward comprehensive data breach notification. @markscott82, who handles EU tech reporting for @NYTimes, takes a look at the coming EU breach notification regs: “Under the proposals, any company — even one based outside Europe — that collects and manages data about the region’s more than 500 million residents would need to inform a national privacy watchdog within 72 hours of discovering a data breach. … The rules, which are still being negotiated, are expected to be completed by early next year and take effect as early as 2018.” (Source: New York Times)

Think Millennials don’t care about privacy & security? Think again! UK-based cybersecurity firm @IntercedeMyID is out with a new survey of Millennials’ attitudes towards privacy and security online. Significant findings: “New survey reveals fewer than 5% of UK and US Millennials believe their digital identity is completely protected by effective safeguards; 70% believe risk to their online privacy will increase as we become more digitally connected; 54% claim failure of businesses to implement better online security will result in public distrust of goods and services.” (Source: Intercede)

California Gov. signs expanded breach notification bill. @natllawreview covers the impact of the changes Gov. Jerry Brown has made to California’s data breach notification law, considered the gold standard for breach notification laws by some. Among the changes: a strengthened definition of “encryption,” standardizing breach notice verbiage, and expanding the definition of “personally identifiable information” to cover data captured by automated license plate recognition (ALPR) system. (Source: National Law Review)

Stat du jour: Medical ID theft to affect 25M patients over next 5 years. New research from @Accenture puts the tab for health system cyber attacks at $305 million over the next five years, with one in 13 patients having their personal information compromised. (Source: Accenture)

Breach du Jour: America’s Thrift Stores. The chain of for-profit Christian charity thrift stores last week announced that its point-of-sale system was compromised last month, affecting credit and debit card transactions made Sept. 1-27. Point-of-sale systems have been a frequent target for hackers, as the stolen data can be quickly sold on online dark markets to carding rings who use the hacked cards to purchase high-dollar merchandise for resale. (Source: Krebs on Security)

ICYMI: New ITRC app puts ID theft counselors in your pocket. TheSan Diego-based Identity Theft Resource Center (@ITRCSD) recently released a helpful app to help ID theft victims. The new app “offers resources for victims including direct links to victim advisors, all free of charge to consumers. The app also offers educational tools for consumers wanting to protect themselves against identity theft.” Check it out! (Source: ITRC)

Upcoming Events

National Cybersecurity Awareness Month – National
October 2015

Oct. 30 – Follow the Lead: An FTC Workshop About Online Lead Generation – Washington, DC
The workshop will bring together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. The FTC has invited the public to submit research, recommendations for topics of discussion, and requests to participate as panelists.

Nov. 5 – Start with Security – Austin, TX
This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. Aimed at start-ups and developers, this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response.

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, academics, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

National Consumers League
Published October 20, 2015

Issue 5 | Oct. 6, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Welcome to October and National Cybersecurity Awareness Month! NCL is a proud supporter of this effort to raise awareness about the need for everyone to take steps to make the Internet a safer and more secure place. There are many data security events taking place this month, so be sure to check out the calendar below!

Unfortunately, new breaches at Experian, Hilton, Scottrade, and Trump Hotels remind us how much work is still to be done. However, the news isn’t all bad. The much ballyhooed EMV liability shift began October 1 for many retailers. With that shift should come an accelerated transition from insecure mag-stripe credit and debit cards to more secure chip-based cards. However, the crooks know what’s coming too and they’re likely to shift to online card fraud, so keep checking those statements, friends! Finally, rumor has it that the Cybersecurity Information Sharing Act (CISA) could have fresh legs now that Congress has managed to fund the government. Stay tuned, since advocates like NCL have some serious reservations about how useful the bill would be for protecting consumers’ data, at the price of significant civil liberties concerns. Fireworks to come!

P.S. You can catch yours truly via livestream today at my presentation to the Department of Energy’s NCSAM conference. I’ll be discussing tips and tricks that workers can use to reduce their risk of hackers. The action kicks off at 11am ET at http://energy.gov/live.

P.P.S. Also don’t forget about NCL’s Trumpeter Awards Dinner tonight! Honorees include data security champions FTC Chairwoman Edith Ramirez and Senator Amy Klobuchar.

And now, on the to clips!

—————–

POTUS marks National Cybersecurity Awareness Month. October is when data security advocates across the country recommit to the fight against data breaches and online scammers of all stripes. President Obama kicked things off with a presidential proclamation affirming that cybersecurity is one of the most important consumer issues of our time: “It is the responsibility of every American to proactively defend our digital landscape. The Department of Homeland Security’s “Stop.Think.Connect.” campaign is designed to inform our citizenry of the dangers posed by cyber threats and to provide the tools needed to confront them. I urge all Americans to take measures to decrease their susceptibility to malicious cyber activity, including by choosing stronger passwords, updating software, and practicing responsible online behavior.” (Source: White House)

Breach at Experian exposes data on 15 Million T-Mobile subscribers. More depressing news about another mega-breach. This time, wireless carrier T-Mobile announced that data on 15 million subscribers was compromised at credit-check partner Experian. Names, birthdates, and mailing addresses are among the personal information that was compromised. Worryingly, the encryption protecting more sensitive data, such as Social Security Numbers and driver’s license numbers, could also have been compromised. Additional FAQ on the breach available at Experian. (Source: T-Mobile)  

More breaches making news this cycle. Hilton Hotel Properties and Trump Hotel Collection.

CISA talk bubbling back up in Senate. @TimStarks brings us intriguing news about possible movement on the controversial Cybersecurity Information Sharing Act (CISA). “Sen. Dianne Feinstein said they’re still trying to chop down the number of amendments, possibly by adding some to a manager’s amendment. She didn’t sound excited about more being added – a possibility under the existing agreement. ‘I wouldn’t be for any more amendments. Twenty-two seems like enough,’ she said. … A whip notice from Tuesday that includes the word ‘cybersecurity’ also suggests CISA is likely on deck.” (Source: POLITICO)

NTIA’s vulnerability disclosure process off to a rocky start. @KimZetter brings us excellent reporting on the security researcher vs. company tensions that came to a boil at the first NTIA multistakeholder process meeting on cybersecurity disclosures: “Security researchers and vendors have long been locked in a debate over how to disclose security vulnerabilities, and there’s little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements. … ‘The DMCA has already created a chilling effect on some research,’ one participant, who asked to remain anonymous, said. ‘The Wassenaar agreement is [also] a problem. This is the Commerce Department. What makes you think they won’t take [information gathered from this meeting] to Congress [to get legislation passed]?’” (Source: WIRED)

OPM hack gets worse: 5.6M fingerprints among the hacked data. The drip-drip-drip of fallout from the hack at the U.S. Office of Personnel Management continues. @AP has the story: “OPM says the ability of an adversary to misuse fingerprint data is limited, though an agency statement acknowledged that “this probability could change over time as technology evolves. For American intelligence agencies, the notion that the Chinese have fingerprints on millions of federal security clearance holders, some of whom may be intelligence officers overseas, is troubling. Any intelligence officer whose prints have been taken would face great risk in operating under an alias because those prints would give away someone’s true identity.” (Source: Associated Press)

Why hacked fingerprint data is kind of a big deal. @euroinfosec brings us some scary scenarios for what could be done with all that stolen OPM fingerprint data: “Some security researchers refer to authentication systems based on fingerprints – such as unlocking an iPhone by using the home button’s fingerprint reader – as a type of active biometrics, as opposed to passive biometrics, which might look at the location or MAC address of a PC that is attempting to log into a banking application. And when active-biometrics data gets stolen, there’s little that victims can do to prevent the data from being abused.” (Source: BankInfoSecurity.com)

The October 1 liability shift could be costlier for retailers. @KimZetter gets a double-mention in this #DID thanks to her look at the October 1 EMV liability shift and its impact on retailers and card cloning fraud: “‘Every market [where EMV has been adopted] has seen an explosion with ecommerce fraud despite the fact that CVVs are used, and it will happen here too,’ Horwedel says. ‘It’s very predictable. In a couple of years you’ll see that the merchants are going to be responsible for more fraud than they’re bearing today because internet fraud is going to explode because we have no real solution to prevent ecommerce fraud.’” (Source: WIRED)

House Small Business Committee tees up the impact of EMV shift on small biz on Oct. 7. Witness List for the hearing includes reps from Visa, Electronics Transactions Association, TCM Bank, and State Department Federal Credit Union. (Source: House Small Business Committee)

European data protection law could be a boon for cyber insurance providers. A tip o’ the cap to @taknockless at PropertyCasualty360.com for flagging this new data: “According to a new report from Timetric, the cyber risk insurance market is experiencing rapid development, with the size of global gross written premiums growing from US$850 million in 2012 to an estimated US$2.5 billion in 2014. … The demand for cyber insurance in Europe is expected to grow substantially, once the new General Data Protection (GDPR) law is finalised by the end of 2015. It is expected to come into force by 2017 in all the EU member states, making data breach notification compulsory. This will likely give more power to the regulators, along with an increase in penalties – up to EUR1 million (US$1.3 million) or 2% of company’s global annual turnover.” (Source: Timetric)

Upcoming Events

Today – International #2FactorTuesday Kick-Off – Washington, DC
The National Cyber Security Alliance and FIDO Alliance warmly invite you to participate in #2FactorTuesday to raise international awareness for two-factor authentication as a means of enhancing the security of online accounts. Confirmed speakers include: Michael Daniel, Special Assistant to the President & Cybersecurity Coordinator at the White House; Brett McDowell, Executive Director at FIDO Alliance; Charles McColgan, Chief Technology Officer at TeleSign; Marc Boroditsky, Vice President & General Manager at Authy; Michael Kaiser, Executive Director at NCSA; Sean Brooks, Privacy Engineer at NIST; Stephan Somogyi, Product Manager, Security & Privacy at Google.

Today – U.S. Chamber of Commerce: Fourth Annual Cybersecurity Summit – Washington, DC
The U.S. Chamber of Commerce is pleased to host the Fourth Annual Cybersecurity Summit to explore the latest threat landscape, market-based and public-private solutions, and the new framework. The summit will feature speakers from the business community, international experts, the administration, and Congress. 

Oct. 8 – Creating a Culture of Cybersecurity at Work – Webinar
Join the National Cyber Security Alliance, the U.S. Department of Homeland Security, the Council of Better Business Bureaus and the Federal Trade Commission for a 1-hour webinar in honor of National Cyber Security Awareness Month (NCSAM) to discuss cybersecurity and online safety for small businesses. This webinar will discuss the security landscape for businesses and highlight resources and programs available to help businesses establish cultures of cybersecurity.

Oct. 14-15 – ICF International: CyberSci Summit – Fairfax, VA
ICF International is hosting this workshop to teach attendees about key solutions to challenges in cyber science, technology, and research and development in an age of cyber weapons. Keynote speakers include: William Glodek (U.S. Army Research Laboratory), General Michael Hayden (former CIA director), and Dr. Michael A. Wertheimer (former NSA research director). Free admission for federal employees, contractors, White House staffers, and academia.

Oct. 30 – Follow the Lead: An FTC Workshop About Online Lead Generation – Washington, DC
The workshop will bring together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. The FTC has invited the public to submit research, recommendations for topics of discussion, and requests to participate as panelists.

Jan. 14, 2016 – PrivacyCon – Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, academics, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

National Consumers League
Published October 6, 2015

The National Consumers League is a private, nonprofit advocacy group representing consumers on marketplace and workplace issues. We are the nation’s oldest consumer organization. In support of our mission, we routinely advocate through petitions to agencies, promotion of legislation, and through litigation. Below are some examples of such advocacy:

Petitions to State and Federal Agencies

• NCL calls on the FDA to investigate misleading labeling on Martin’s ‘100% Whole Wheat Potato Bread’
• NCL urges the Withdrawal of Federal Reserve Nominee Stephen Moore over Comments Supporting the Abolition of Child Labor Laws and Unequal Pay for Women (Press release May 1, 2019)

Promotion of Legislation

• National Consumers League testimony to Senate: Congress must act to restore air travelers’ rights
• NCL testimony before the DC Committee on Public Services and Consumer Affairs for Unit Pricing Act
• NCL’s Reid Maki testifies at a Congressional briefing before the Committee on Education and the Workforce on the “FLSA and Child Labor” and the need for legislation to fix our broken child labor laws. (June 21, 2018)
• Title II of the Consumer Disclosure Act of 2017 (B22-0020)

   

Samples of Amicus Filings

• Cox et al v. Spirit Airlines, Inc. 18-3484 (U.S. Court of Appeals, 2^nd Circuit)
• Attias v. CareFirst, Inc., No. 16-7108 (U.S. Court of Appeals, D.C. Circuit)

Advocacy through Litigation

• The Nat’l Consumers League v. Kellogg Company, No. 2009 CA005211 B (D.C. Superior Ct.)
• The National Consumers League v. Cosi, Inc., 2013 CA 6551 B (D.C. Superior Court)
• The National Consumers League v. Doctor’s Associates Inc., No. 2013 CA 006549 B (D.C. Superior Ct)
• The National Consumers League v. Flowers Bakeries, LLC, No. 2013 CA 00650 B (D.C. Superior Ct)
• The National Consumers League v. Bimbo Bakeries USA, No. 2013 CA 006548 B (D.C. Superior Ct)
• The National Consumers League v. Gerber Products Co., No. 2014 CA 008202 B (D.C. Superior Ct)
• The National Consumers League v. McCormick & Company, Inc. and Giant of Maryland LLC No. 2015 CA 005484 B (D.C. Superior Ct.)
• The National Consumers League v. Wal-Mart Stores, Inc., J.C. Penney Corporation, Inc., and The Children’s Place, Inc. No. 2015 CA 007731 B (D.C. Superior Ct)
• The National Consumers League v. Del Monte Foods, Inc., No. 2017 CA 008259 B (D.C. Superior Ct)

Issue 2 | Aug. 26, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s Note: The posting of subscriber data from extramarital affair site AshleyMadison.com last week underscores the significant harm that can affect millions of consumers when sensitive data is leaked. While little usable financial data was leaked, the nature of the Ashley Madison data means that subscriber information could result in lost jobs, the breakup of marriages, blackmail, or worse. Unfortunately, many of the data security and data breach notification bills that have been proposed in Congress include harm triggers that rely on financial harm to trigger notification. The Ashley Madison leak, despite its embarrassing nature, illustrates that broad definitions of “harm” should be included in any data security legislation that Congress considers when it returns from recess.

On to the clips…

—————–

Ashley Madison leak is a sign of things to come; could lead to lost pensions, blackmail, suicides. @MikeMillerDC has the WaPo story on the fallout from the public posting of leaked subscriber data from the AshleyMadison.com hack: “Within minutes of the alleged leak, people began combing the data for information and posting their findings. Journalists and security experts quickly noted that there were 15,000 .mil or .gov email addresses among those used for the site. … Under military rules, philanderers can be punished by a year in confinement and a dishonorable discharge, which means losing their pension.” (Source: Washington Post)

Toronto PD: Unconfirmed reports of suicides linked to the leak. @Riannon_Westall @SunnyFreeman report from Avid Life Media’s home base in Toronto: “The Ashley Madison hack … has triggered spinoff extortion crimes and unconfirmed reports of suicides,’ … published U.S. media reports have said a police captain in San Antonio, Texas took his own life after his official email address was linked to an Ashley Madison account.” (H/T @BrianKrebs) (Source: Toronto Star)

Email addresses in Ashley Madison tied to “multiple” gov’t agencies, House, and Senate. @Cory_Bennett notes potential DC connections in leaked data. “Buried in the list are emails that could be tied to multiple administration agencies, including the State Department and Department of Homeland Security, as well as several tied to both the House and Senate. … Other tech news outlets … have discovered British government officials, United Nations employees, and Vatican staff among the millions of people in the leaked database.” (Source: The Hill)

AP connects Ashley Madison subscribers to White House, DOJ, DHS. @jackgillum and @tbridis find the first of what are sure to be many federal employees with sensitive jobs in the leaked data: “By tracing the IP addresses of people who visited the site over more than five years, AP reporters determined the visitors included two assistant U.S. attorneys; an information technology administrator in the Executive Office of the President; a division chief, an investigator, and a trial attorney in the Justice Department; a government hacker at the Homeland Security Department; and another DHS employee who indicated he worked on a U.S. counterterrorism response team.” (Source: Associated Press)

Krebs (@BrianKrebs) already seeing Ashley Madison extortion attempts. “Kellerman is convinced we’ll see criminals leveraging the AshleyMadison data to conduct spear-phishing attacks … ‘There is going to be a dramatic crime wave of these types of virtual shakedowns, and they’ll evolve into spear-phishing campaigns that leverage crypto malware,’ Kellerman said. ‘The same criminals who enjoy deploying ransomware would love to use this data.’” (Source: Krebs on Security)

More on Ashley Madison … “this feels like a momentous event.” @hermann of TheAwl.com sees the future in the AshleyMadison leak: “I’m not sure anyone is really reckoning with how big this could be, yet. If the data becomes as public and available as seems likely right now, we’re talking about tens of millions of people who will be publicly confronted with choices they thought they made in private … The result won’t just be getting caught, it will be getting caught in an incredibly visible way that could conceivably follow victims around the Internet for years.” (Source: The Awl)

Media interest in Ashley Madison data could linger. @lilyhnewman compares the coming fallout to revelations from the Sony breach: “In the case of the Sony hack, various embarrassing details about the company—or even just interpersonal relationships between high-profile people—came to light for weeks because the North Korean hackers had released huge troves of email correspondences. The Ashley Madison data will probably lead to the same type of slow but persistent revelations. Some discoveries will attract broad interest, but most will be important on a community or individual scale.” (Source: Slate)

What can we learn from the Ashley Madison leak? Via @euroinfosec: “Ashley Madison Fallout: 8 Security Takeaways” (Source: InfoRisk Today)

And in non-Ashley Madison news…

BIG win for the FTC; Court upholds data security authority. @b_fung has the story on the 3rd Circuit’s much-anticipated Wyndham decision: “Yes, federal regulators can go after firms whose lax security policies result in big hacks and a loss of personal data, a federal appeals court ruledMonday. … Monday’s decision from the Third Circuit Court of Appeals clarifies the FTC’s powers, giving it more ammunition against businesses that fail to invest in their own security.” (Source: Washington Post)

House Oversight teeing up another round of OPM hack hearings. @thisismaz preps for continued fallout from the OPM breach: “…Rep. Jason Chaffetz, chairman of the House Oversight and Government Reform Committee, is looking for details on the timeline of the response to the hacks as reported to [U.S. CERT] and details on computer security manuals exfiltrated from the Office of Personnel Management. … Rep. Gerry Connolly, a senior Democrat on the committee, says firings are not the answer … ‘Going after an agency head or CIO is a lot easier, a lot more comfortable, than dealing with the big systemic questions that Congress has failed to deal with.’” (Source: Federal Computer Week)

Box CEO: Gov’t IT “fundamentally broken.” Cloud storage company Box’s CEO @levie took to the pages of the WaPo to highlight the risks the OPM breach exposed: “…legacy software and infrastructure are the biggest weaknesses to protecting information. Attackers know how to exploit archaic technology—software that was designed in an era of less emphasis on security risk—and processes riddled with vulnerabilities.” (Source: Washington Post)

Former DHS CIO Richard Spires (@raspires) piles on with his take on gov’t IT’s security woes. “We will now likely pay an even greater cost in the exposure of the personally identifiable information of millions of current and former government employees—certainly in terms of those individuals’ privacy and potentially in terms of our national security as well.” (Source: Federal Computer Week)

Industry efforts to silence security researchers leaves consumers at risk. @kansasalps writes for WaPo on how Volkswagen’s efforts to silence security vulnerability research helps criminals, hurts consumers: “But the story seems to represent a cautionary tale about how efforts to suppress security research can backfire, according to some experts: Companies attempting to save face or avoid costly repairs by keeping quiet about problems may end up leaving consumers at risk and without the information they need to make educated decisions about whom to trust.” (Source:Washington Post)

Target settles breach suit with Visa for $65M, but small lenders aren’t happy. Robin Sidel writes for the WSJ: “Card issuers have long complained about the process by which they are reimbursed for data breaches and the fraud that results from them. … the Visa agreement quickly drew criticism from small financial institutions … said the latest agreement fails to fully reimburse them for their losses.” (Source: Wall Street Journal)

POTUS 2016 hopefuls need basic cybersec education. @josephcox gives the candidates an earful on basic #cybersec for @WIRED: “…anyone running for office in 2016, or working as an official (or really anyone, period) needs a basic grasp of good privacy and security practices. In February, Jeb Bush dumped a huge cache of his governmental emails onto the web in the name of transparency. What his office forgot to do, however, was redact the personal information of anyone included within that dump—such as the social security numbers of some Florida residents.” (Source: The Verge)

Quick hit: @jtarnow of Drinker Biddle reviews the pending student privacy bills, many of which have data security components. (Source: National Law Review)

Upcoming Events

Sept. 9 – FTC: Start with Security – San Francisco
The FTC’s initial “Start With Security” conference will focus on data security challenges for startups and developers. Last week, the FTC released its speaker lineup, and it’s a doozy. In addition to remarks from Chairwoman Edith Ramirez, we’ll also hear from Michael Coates (Twitter), Raymond Forbes (Mozilla), Paul Moreno (Pinterest), Pierre Farr (Google) and Yan Zhu (Yahoo), among others. Not to be missed: FTC chief technology Ashkan Soltani’s fireside chat with Accel’s Arun Mathew. Agenda. Start with Security guide for businesses.

October – National Cybersecurity Awareness Month
Designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.

Oct. 14-15 – ICF International: CyberSci Summit – Fairfax, VA
ICF International is hosting this workshop to teach attendees about key solutions to challenges in cyber science, technology, and research and development in an age of cyber weapons. Keynote speakers include: William Glodek (U.S. Army Research Laboratory), General Michael Hayden (former CIA director), and Dr. Michael A. Wertheimer (former NSA research director). Free admission for federal employees, contractors, White House staffers, and academia.

Oct. 30 – Follow the Lead: An FTC Workshop About Online Lead Generation – Washington, DC
The workshop will bring together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. The FTC has invited the public to submit research, recommendations for topics of discussion, and requests to participate as panelists.

National Consumers League
Published August 26, 2015