Issue 39 | February 15, 2017

#DataInsecurity Digest: Rich out, Pahl in at FTC. What does it mean for data security? Plus Spicer’s cyber woes continue

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: As with so much else in Washington these days, there will soon be a passing of the torch on data security policy at the FTC. The departure of long-time consumer advocate and privacy wonk Jessica Rich from the Bureau of Consumer Protection (BCP) may foretell a less aggressive enforcement agenda on data security at 600 Penn. In Rich’s place at BCP (at least for the time being) will be Thomas Pahl, who has made a name for himself as an advocate for deregulation. Acting Chairwoman Maureen Ohlhausen is also signaling a pullback from the aggressive data security enforcement agenda that was a hallmark of former Chairwoman Edith Ramirez’s tenure. Whether this policy will remain in place if Utah Attorney General Sean Reyes take the reins at FTC (as rumored) remains to be seen. One area Reyes probably won’t look to touch is the states’ role in data breach notification and data security standards enforcement. Finally, White House Press Secretary Sean Spicer might want to look into doing some early cyber spring-cleaning, if his trail of necktie-selling e-stores and (more importantly) the publicly available WHOIS information listing his home address and personal phone number are to be believed.

And now, on to the clips!

—————–

Ohlhausen suggests pullback from aggressive data security enforcement. Acting FTC Chairman Maureen Ohlhausen told attendees at a consumer law conference that she “will make sure our enforcement actions address concrete consumer injury…the agency should not focus on speculative injury, or on subjective types of harm.” This concerned many data security watchers as the FTC is currently suing D-Link Systems for leaving consumers’ webcams highly susceptible to hacking. Ohlhausen’s comments feed into D-Link’s arguments that its case should be suspended since FTC “cannot show any actual injury to consumers,” writes @WatermanReports. (Source: Cyber Scoop)

Rich remains optimistic about the future for privacy at FTC. After 26 years at the FTC, most recently as Director of the Bureau of Consumer Protection, Jessica Rich is leaving the Commission. Despite the change in leadership, she tells @privacypen that there is “[n]o reason to believe there is any sort of (privacy) sunset” coming to the agency. Rich noted that former Chairman Tim Muris, like current Chairman Ohlhausen, was also very focused on consumer harm, but says that was “one of our most productive times in privacy and security,” at the Commission. (Source: IAPP)

Deregulation champion Pahl to be acting director of BCP. Thomas Pahl, former managing counsel to the CFPB, has worked in various roles at the FTC for 20+ years and will soon return to assume a new role: Acting Director of the Bureau of Consumer Protection. @thehill reports that “Pahl has pushed for Ohlhausen’s tenure as head of the FTC to become permanent, championing her positions on limited government and her hesitation to regulate. Pahl has also expressed his own penchant for free-market and deregulatory policies.” (Source: The Hill)

Trump’s rumored FTC Chair advocated against preempting state data breach laws. Past statements by the rumored incoming FTC Chair, Utah AG Sean Reyes, may shed some light on how he would handle data security issues at the FTC. In a letter he sent to Congress in July 2015, Reyes called for Congress to “preserve existing protections under state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats, and to not hinder states that are helping their residents by preempting state data breach and security laws.” (Source: Utah Office of the Attorney General)

More than 355,000 credit and debit cards compromised in Arby’s breach. Fast food chain Arby’s has announced that many of its 1,000+ corporate stores have had payments systems compromised. Arby’s 2,000+ franchise locations were not affected in the breach. Arby’s has stated that it has “fully contained and eradicated the malware that was on our point-of-sale systems.” (Source: Krebs on Security) 

Breach du jour: United Press International. A hacker on the dark web is said to be selling the emails, names, and hashed passwords for 83,000 UPI accounts. @HowellONeill reports that the account credentials for the news agency “appear to include all of UPI’s email subscribers, which amounts to tens of thousands, as well as their executives, journalists and other employees who have worked at UPI within the last several years.” (Source: CyberScoop and USA Today)

InterContinental confirms data breach. In December, the hotel chain InterContinental launched an investigation into claims of a potential data breach, which it has now confirmed affected 12 U.S. locations. @Reuters reports that “only payment cards used at the restaurants and bars of the 12 hotels were affected and that cards used at the front desk of the hotels were not affected.” (Source: Reuters)

Toys ‘R’ Us becomes the latest data breach fallout victim. Last week, Toys ‘R’ Us experienced the fallout from other companies’ breaches when scammers began attempting to access customers’ rewards accounts with username and password combinations from past breaches. @Consumerist observes that “if a would-be thief has a long list of email address/password pairs, they can start flinging it at basically any website to see which ones go ‘click’ and let them in.” (Source: Consumerist)

Moderate Dems take aim at cyber. The centrist New Democrat Coalition has announced its Policy Task Forces. The Cybersecurity Task Force will be led by Representatives Derek Kilmer (WA-6), Kathleen Rice (NY-4), and Josh Gottheimer (NJ-5). The task force’s agenda will include efforts to build upon the Cybersecurity Act of 2015 and identify ways to “promote public-private sector cooperation, and innovation that protects more individuals, businesses, and governments from cyber-attacks.” (Source: Medium)

Private email server: GOP edition. House Democrats on the Science, Space, and Technology committee are asking for a hearing to investigate the Trump White House’s cyber vulnerabilities due to the administration’s “shocking disregard for cybersecurity practices.” @thehill reports that Reps. Eddie Bernice Johnson (D-TX), Don Beyer (D-VA), and Dan Lipinski (D-IL) cited “the massive amount of media and congressional scrutiny of former Secretary of State Hillary Clinton’s use of a private email server as a precedent for their request.” The authors also expressed their concern over Trump’s continued use of an unsecured Android smartphone as well as his senior staff’s reliance on an RNC email server. (Source: The Hill)

Quick hit: Senate is growing frustrated over Yahoo’s lack of cooperation with breach investigation. Senators John Thune (R-SD) and Jerry Moran (R-KS) wrote to Yahoo Chief Executive Marissa Mayer stating that “[d]espite several inquiries by Committee staff seeking information of about the security of Yahoo! user accounts, company officials have thus far been unable to provide answers to many basic questions.” The letter gave Yahoo until next Thursday to respond to five questions. (Source: Wall Street Journal)

Dessert: Sean Spicer’s cyber hygiene woes continue. Mashable’s @B_Koerber points out that the embattled press secretary’s issues stretch beyond the podium and into the cybersphere. Apparently Spicer did not clean up any of his 16 websites, leaving an old blog, his e-commerce store for selling GOP-themed neckties, his personal contact information, and his Venmo account out in the open for people to find. (Source: Mashable)

Upcoming events

May 24, 2017 – Planning for the Future: A Conference About Identity Theft – Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

May 25, 2017 – Workshop on Technology and Consumer Protection (ConPro ’17) – San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro’17) will explore computer technology’s impact on consumers, with a special focus on privacy and ways in ”which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro’17 aims to bring together academic and industry researchers along with government officials.

National Consumers League
Published February 15, 2017