National Consumers League

The #DataInsecurity Digest | Issue 16

Issue 16 | March 16, 2016

By John Breyault (@jammingecono,
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The FCC’s broadband privacy proposal is generating quite a lot of heat in Washington, since it would impose new rules on cable and telecom companies—no slouches when it comes to lobbying. Less talked about are the data security and breach notification requirements which would apply to ISPs businesses. The FTC has also begun an inquiry into PCI-DSS certification, which sounds pretty wonky, but in fact, represents a significant effort by the Commission to make sure that one of the most widely known security standards is up to snuff. No #DataInsecurity Digest would be complete without news of the latest data breaches and this edition is no different. Cancer treatment center franchise 21st Century Oncology is the latest victim, with more than 2.2 million consumers affected. Breach fallout continues to plague the IRS, which recently had to shut off its “Get IP PIN,” since hackers figured out how to compromise the system, which was put in place to help victims of tax ID fraud.

And now, on to the clips!


FCC broadband privacy proposal includes data security and breach notification requirements. While most of the news about the FCC’s broadband privacy proposal focused on the limits the proposal would place on ISPs ability to use customer information for advertising purposes, the Commission has also proposed strong data security rules. Notes the fact sheet: “The proposal would require broadband providers to take reasonable steps to safeguard customer information from unauthorized use or disclosure.” Breached ISPs would also be required to notify the FCC within 7 days of discovery of the breach and affected customers in 10 days. (Source: FCC

Wheeler doubles down on data security. In a Huffington Post piece explaining the coming broadband privacy rules, FCC Chairman @TomWheelerFCC gives a shout-out to data security. “Every broadband consumer should have the right to choose how their information bits should be used and shared. And every consumer should be confident that their information is being securely protected,” said Wheeler. (Source: Huffington Post)

FTC examining PCI-DSS auditing. One of the more well-known security standards is the banks’ PCI-DSS standard, which has caused some heartburn among businesses that must comply in order to accept credit and debit cards. The FTC will take a look at the issue, thanks to orders issued to nine companies that conduct PCI-DSS assessments. @FraudBlogger has the round-up of the impact of the FTC’s action. “The FTC relies heavily on the PCI-DSS as a framework for measuring the effectiveness of merchant information security programs … This was recently put in writing with the Wyndham order the FTC released last December. The federal government has been under pressure to do something in response to the major breaches over the past couple of years. Since the FTC's purview is retail breaches, it makes sense that they would be the government agency that starts doing more." (Source:

Speaking of the FTC: ID theft complaints increased 47%, says NCL. Just as we went to press with last week’s #DID, the FTC released its annual Consumer Sentinel Data Book. Now that we've had a chance to dig in, we’ve got some more advice for policymakers. “We know that these nearly 500,000 identity theft complaints are likely just the tip of the iceberg. Far too many identity theft victims don’t report the crime, if they’re even aware of it,” said NCL Vice President of Public Policy, Telecommunications and Fraud John Breyault (aka yours truly). “Consumers can take steps to mitigate their risk of identity theft, but they can’t prevent it entirely. That’s why we need leaders in Washington to help make sure that the companies that hold consumers’ data protect it to the greatest extent possible.” (Source: National Consumers League)

Breach du jour: 2.2M patient records at 21st Century Oncology. Ft. Myers-based 21st Century Oncology, which operates a chain of 181 cancer treatment centers in the U.S. and Canada, has reported a breach that may have exposed names, social security numbers, physicians' names, diagnoses and treatment information, and insurance information on up to 2.2M customers. The breach took place in October 2015 but the company was asked not to notify patients by the FBI until now. 21st Century Oncology also recently settled a $34.7 million fraudulent billing case with the Department of Justice. (Source: Healthcare IT News)

Breach du jour part deux: Rosen Hotels is latest hotel breach target. Orlando-based hotel chain Rosen Hotels and Resorts is the latest hotel company to have its payment system targeted, joining Hyatt, Trump Hotels, Hilton Hotels and Starwood Hotels, writes @philmuncaster. (Source: InfoSecurity Magazine)

Congress: HIPAA data security rules too slow to come. Rep. Peter DeFazio (D-OR) and Rep. Tom Marino (R-PA) are leading a group of eight bipartisan Congressmen in calling on HHS to speed up its promised data security guidance for HIPAA-covered entities, writes @HealthInfoSec. Notes the letter, “We have serious concerns about the consequences of HHS inaction. Advances in mobile health technology have the potential to dramatically improve patient outcomes and the accessibility of health care. This innovation is coming at a rapid pace, but your agency has done little to demonstrate it can manage the significance.” (Source: DataBreachToday)

Verizon has its own data security digest. Verizon is rightfully hailed for its comprehensive annual Data Breach Investigations Report. However, telecom’s budding data security business is now out with a more light-hearted digest of data breach case studies, writes @MariaKorolov for CSO. Case in point: “And there's the story of the best developer at a company—who turned out to have outsourced his job to China in order to spend the day reading Reddit and watching cat videos. He had FedExed his authentication token key fob to the contractor, and was caught when logs showed mysterious—but authorized—VPN access from China.” (Source: CSO)

Facebook, Google, WhatsApp among big names expanding encryption in the name of security. @lancewhit breaks down the latest in Silicon Valley’s efforts to expand encryption and the government’s pushback. “Technology firms are putting a higher priority on security to convince customers their private data is fully protected. But the US government and law enforcement officials are challenging the encryption used in tech products, arguing that it obstructs their capability to access information vital in criminal and terrorist investigations.” (Source: CNET)

$19.5M set aside to settle Home Depot breach claims. The hardware retailer settled the suit, made up of 57 proposed class action lawsuits. “‘The home improvement retailer will set up a $13 million fund to reimburse shoppers for out-of-pocket losses, and spend at least $6.5 million to fund 1-1/2 years of cardholder identity protection services.’ … Home Depot also agreed to improve data security over a two-year period, and hire a chief information security officer to oversee its progress.” (Source: Reuters)

Daily Krebs: DDoS protection firm Staminus hacked. Staminus, a firm specializing in protecting websites from distributed denial of service (DDoS) attacks was itself knocked offline in a hack that reportedly cost the company 15GB of customer data. DDoS protection firms are frequent targets for DDoS attacks themselves since they are frequently used to protect websites hosting questionable content. (Source:

Daily Krebs, take two: IRs suspending “Get IP PIN” after system thoroughly pWn3d. Cyber blogger extraordinaire Brian Krebs’ reporting on the IRS’s leaky system for protecting tax identity fraud victims certainly got the feds’ attention. Writes @briankrebs, “Citing ongoing security concerns, the Internal Revenue Service (IRS) has suspended a service offered via its Web site that allowed taxpayers to retrieve so-called IP Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud two years in a row. The move comes just days after KrebsOnSecurity first exposed how ID thieves were abusing the service to revisit tax refund on innocent taxpayers two years running.” (Source:

IRS breach’s lessons for financial services. American Banker’s @pennycrosman notes the parallels between the IRS’s growing breach problems and the financial services industry’s similar issues. “So while it's tempting to roll your eyes and crack jokes when a government agency slips up, the IRS breach may hold some useful lessons for the financial services industry. ... There are a few takeaways for banks from this mess. 1. Rethink knowledge-based authentication … 2. Don't let bureaucracy kill a good security idea. … 3. Teach customers to protect their Social Security numbers and other personally identifiable data … 4. Try stronger authentication technology.” (Source: American Banker)

Even ISIS has data breach headaches. @a_greenberg covers the breach of 22,000 ISIS members’ personal information, proving that even the world’s most dangerous terrorists have to worry about data security. “A defector has allegedly leaked what appears to be a USB drive’s worth of ISIS’s secret data, including the personal information of 22,000 ISIS fighters. That personal data includes the fighters’ names, phone numbers, hometown and even blood types—all information they apparently filled out on forms in the process of signing up to join the violent group.” (Source: WIRED)

Quick hit: Average breach falls below cyber insurance policy deductible, study shows. (Source:, via @gold_em)

Quick hit: Recap of the big non-policy news from RSA. (Source: iCrunchData News)

Infographic du jour: 2015 in data breach numbers. (Source: SafeNet)

Upcoming events

March 31 - FCC March Open Meeting- Washington, DC
The Commission will consider a Notice of Proposed Rulemaking seeking comment on a proposed framework for ensuring that consumers have the tools they need to make informed choices about how their data is used and when it is shared by their broadband providers.

June 15 - FTC Start with Security - Chicago - Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.

National Consumers League
Published March 16, 2016