National Consumers League

The #DataInsecurity Digest | Issue 76

Financial data breach legislation on tap in Congress while cybersecurity insurance gets more attention

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: With more Americans feeling less secure over the safety of their financial data, Congress may soon take action to require that victims are notified after big banks compromise their financial data. While this is a step forward, we think the proposed bill misses an opportunity to try to protect consumers’ personal information and connected devices more broadly. These fears seem to be having more impact on the economy, with a new study finding that fears about cybersecurity are preventing consumers from installing smart devices in their homes. Finally, cybersecurity insurance seems to be getting more attention as companies struggle with ways to hedge their breach risks. However, a lack of good actuarial data is making it difficult to accurately price that risk.

And now, on to the clips!

-----------------

In the past year, 71 percent of Americans feel less secure over the safety of their financial data. The same survey found that “[m]ore than three-fifths (61%) don’t feel prepared to handle a situation in which their personal financial information is involved in a data breach online.” (Source: Nerd Wallet)

House Financial Services committee considering data breach notification bill for financial industry. @morningcybersec reports that after years of deadlock, “the House Financial Services panel might consider data breach notification and security legislation that applies only to the banking sector, a GOP committee aide told MC … Now, the Financial Services Committee wants to make some headway even if it has to do it by itself, using a modified existing draft bill written by Rep. Blaine Luetkeymeyer as a vehicle, the aide said.”(Source: Politico’s Morning Cybersecurity)

Inspector General finds that State Department was not protecting its visa data. “The division’s information security team also wasn’t regularly patching the system, scanning it for computer viruses or auditing for evidence about whether it had been compromised by hackers, according to the inspector general’s report.” (Source: Next Gov)

Majority of 25 most populous U.S. cities have cyber insurance or are shopping for it.  Analysis by the Wall Street Journal found that in the aftermath of the Atlanta cyberattack, cities are taking steps to protect themselves from the next attack. “Cities including Boston, Nashville, Tenn., Washington, D.C., and San Jose, Calif., are actively researching cyber insurance. Dallas, San Diego, Denver and Detroit are among those that already have cyber policies...Some cities—including New York, Chicago and Philadelphia—declined to say whether they have cyber insurance. Some, like San Antonio, have cyber coverage through an existing property policy. Others say they are self-insured, which can entail creating a special fund to cover losses.” (Source: Wall Street Journal)

But … but … cybersecurity insurance marketplace is ‘young and fragmented.’ More companies are turning to cybersecurity insurance as a way to hedge against data breach risk, but the industry is still in its infancy, says Axios’ @shanvav. “The cybersecurity insurance marketplace is young and fragmented. Not all formulas for premiums are equal, and there’s no consensus in the market about how to price them.” (Source: Axios)

Spousal spy apps continue to demonstrate the importance of data minimization. TheTruthSpy, an app developer that markets its products to jealous spouses, is the latest spousal spy app to suffer a breach. “This is the seventh company that sells spyware to average consumers that’s been breached in the last two years. Several hackers have targeted the sketchy industry of consumer spyware, exposing their mediocre security and questionable ethics.” L.M., the hacker responsible for this latest breach commented to @lorenzofb that “This data is very dangerous. You can know everything about any person, and also you know the attacker identity. It is very easy to ransomware them, and gain a lot of dirty money ... Any black hat hacker can fu** them and turn their life into a hell.” (Source: Motherboard)

14.8 million Texas voter records left unsecured. Researchers found a “file — close to 16 gigabytes in size…” that contained “personal information like a voter’s name, address, gender and several years’ worth of voting history, including primaries and presidential elections.” The file is believed to have been “originally compiled by Data Trust, a Republican-focused data analytics firm created by the GOP to provide campaigns with voter data.” (Source: Techcrunch)

Breach du jour: Air Canada. Many of Air Canada’s mobile app users may have had their personal data compromised. The app contains personal data such as “email addresses, Aeroplan number, passport numbers, NEXUS numbers, Known Traveler numbers, genders, birthdates, nationalities, passport expiration dates, passport countries of issuance and countries of residence… Any of this data may have been improperly accessed.” (Source: ZD Net)

Data insecurity issues are slowing smart device adoption in the home. Fortunately, some companies appear to be taking notice and are rethinking their practices. According to new research, “69 percent of [businesses] noted that the recent focus on data privacy has made them rethink their plans to collect and use data from smart devices. This trend was even stronger for companies that manufacture connected devices for consumer use…” (Source: IOT For All)

Upcoming Events

October 2018 - National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

National Consumers League
Published September 6, 2018