Issue 42 | March 29, 2017
#DataInsecurity Digest: Congress uses CRA to roll back broadband privacy and data security rule, Trump cyber order delays
By John Breyault (@jammingecono, firstname.lastname@example.org)
NCL Vice President of Public Policy, Telecommunications and Fraud
Editor’s Note: Congress has voted to roll back the FCC’s broadband privacy rule, which would have given consumers more choice over how Internet service providers (ISPs) use their personal data, such as browsing history. The move, which was blasted by privacy advocates (including NCL), will also remove the data security requirements the FCC's rule imposed on ISPs. The measure now heads to the desk of the President, who has signaled he will sign it. President Trump’s proposed budget allocates $1.5 billion to the Department of Homeland Security to beef up its cybersecurity programs. But Trump cyber chief Tom Bossert is telling data security experts not to hold their breath waiting for the President’s much-rumored cybersecurity executive order, suggesting that it could be “weeks or months” before the order is published. And now, on to the clips!
Congress uses CRA to remove privacy protections. Both houses of Congress voted along party lines to repeal the FCC’s broadband privacy rule, sending the measure on to the White House, where President Trump has indicated he will sign it. The rule would have required Internet service providers to limit data collection and abide by data security standards. (Source: POLITICO)
Advocates blast vote to remove broadband privacy rules. Consumer advocates such as @dallashpk expressed disappointment over the rule’s removal, stating that “These were the strongest online privacy rules to date, and this vote is a huge step backwards in consumer protection writ large...The rules asked that when things were sensitive, an Internet service provider asked permission first before collecting. That’s not a lot to ask.” (Source: New York Times)
NCL: “[It’s]...inconceivable that the Senate would seek to eviscerate strong data security standards...” NCL was equally critical of the Senate’s vote. “Not a day goes by that we aren’t reminded of the costs of failing to secure consumers' data from criminal and state-sponsored hacking,” we noted. “It is clear that data breaches raise the risk of identity fraud for millions of consumers. This being the case, it is inconceivable that the Senate would seek to eviscerate strong data security standards put in place by the FCC’s broadband privacy rules.” (Source: National Consumers League)
Trump budget gives $1.5 billion to DHS cyber protection programs. The programs would fend off cyber attacks on critical infrastructure. Rep. Jim Langevin (D-RI), founder and co-chair of the House Cybersecurity Caucus, spoke for many when he expressed concern that it is too early to tell if the budget goes far enough, as there is “too little detail in the ‘skinny budget’ released [March 16] to adequately assess the Trump Administration’s commitment to cybersecurity.” (Source: Morning Consult)
‘For sale: one billion Yahoo accounts, $200,000 or best offer.’ @vindugoel reports that, “After federal prosecutors unsealed indictments (last) week against four men they say were responsible for a 2014 intrusion into Yahoo’s systems that affected 500 million user accounts, data on one billion accounts — stolen in another attack on the company a year earlier — appeared to remain available on underground hacker forums on Friday.” The New York Times reports that while the passwords may no longer work, “The dates of birth, telephone numbers and security questions could still be useful to an adept cyberthief.” (Source: New York Times)
More delays for Trump’s cyber order. Trump’s top homeland security advisor Tom Bossert lowered expectations for a speedy release of comprehensive cyber executive order. @Joseph_Marks_ reports that while speaking at Center for Strategic and International Studies, Bossert cautioned not to “expect a multibillion-dollar investment that will modernize government cybersecurity in one fell swoop… Also, don’t expect a long-rumored executive order that outlines Trump’s cybersecurity plan in the near future, he said, suggesting it will be weeks or months before the order is released in its final form.” (Source: Next Gov)
Breach du jour: Saks Fifth Avenue exposes personal information of tens of thousands of customers. The high-end fashion retailer left the records of many of its customers on a publicly available website. The action compromised customers’ emails, the merchandise they were interested in purchasing, IP addresses, and sometimes their phone numbers. Cyber security expert @ErrataRob commented that “[t]his is as bad as security gets… Everyone is vulnerable.” (Source: BuzzFeed)
Defense Point Security’s W-2 breach reminds us that phishing attacks can fool even the best of us. The federal cyber security contractor informed its “employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.” (Source: Krebs on Security)
Missing: A Secret Service laptop with information on Trump Tower, Hillary Clinton, and Pope Francis. Fortunately, although a laptop stolen from a Secret Service vehicle contained sensitive security information, it featured “multiple layers of security including full disk encryption and was not permitted to contain classified information.” Security experts are still considering the incident a breach of national security. (Source: ABC News)
May 24, 2017 - Planning for the Future: A Conference About Identity Theft - Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.
May 25, 2017 - Workshop on Technology and Consumer Protection (ConPro ’17) - San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro’17) will explore computer technology's impact on consumers, with a special focus on privacy and ways in ”which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro’17 aims to bring together academic and industry researchers along with government officials.
National Consumers League
Published March 29, 2017