The #DataInsecurity Digest | Issue 38

Issue 38 | February 1, 2017

#DataInsecurity Digest: No executive action on cyber just yet, reflecting on Ramirez, and more

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: With the battle over President Trump’s immigration policies consuming much of the political oxygen, it might be easy to overlook what was an exciting few weeks on the data security front. President Trump’s much-discussed executive order on cybersecurity — rumored to reduce DHS’s role in protecting the nation’s critical cyber infrastructure — was delayed late Tuesday for reasons that remain unclear. Underscoring fears about the lack of clear direction from the Trump Administration so far on data security, new data from the Pew Research Center finds that nearly 2 in 3 Americans have been affected by data breaches, doing significant damage to consumers’ faith in the Internet. That may be one reason a bipartisan group of senators is calling for a permanent Senate committee to focus attention on cybersecurity. The fallout from two massive breaches at Yahoo looks likely to push the close of its merger with Verizon into Q2, a delay that is attracting the SEC’s attention. Finally, we say goodbye to FTC Chairwoman Edith Ramirez, who prepares to depart an agency that her admirers (including yours truly) are increasingly seeing as the Federal “Technology” Commission.

And now, on to the clips!

—————–

Cybersecurity order delayed amid concerns over reduced role for DHS. President Trump’s much-anticipated signing of an Executive Order on cybersecurity was delayed yesterday for reasons that remain unclear to many data security watchers. A draft version of the order had suggested that the Pentagon would be elevated to a co-equal role with the Department of Homeland Security, though, as of Monday night, DHS officials had reportedly not yet seen a finalized version of the order. @attackerman (who has the must-read story on these developments) writes that “[a] former senior DHS official said the department’s apparent downgrading would lead to surveillance fears among companies concerned with customer privacy, as well as interrupting relationships … with Silicon Valley firms in the years after the disclosures of Edward Snowden.” (Source: The Guardian)

Pew: Shocking number of Americans are victims of a major data breach. We know that data insecurity affects millions of Americans, but a new study from the Pew Research Center is casting light on the scope and effects on consumers. Pew found that 64 percent of Americans “have experienced or been notified of a significant data breach pertaining to their personal data or accounts.” The same study found that “[r]oughly half of Americans think their personal data are less secure compared with five years ago.” This should be of particular concern for social media sites, with more than half of survey respondents expressing a lack of confidence in a company’s ability to protect their data. (Source: Pew Research Center)

Senators call for permanent cybersecurity committee. Senators Cory Gardner (R-CO) and Chris Coons (D-DE) are calling on colleagues to create a permanent Senate Select Committee on Cybersecurity to address the scattered nature of Congressional oversight of cybersecurity. Last Congress, at least 20 standing committees of the House and Senate held hearings on the topic of cybersecurity. Gardner and Coons hope such a committee will draw together the various committees with jurisdiction and focus attention and resources on addressing the problem. “With a stronger cybersecurity congressional oversight structure, our federal government agencies could have built more proactive and resilient defenses,” wrote Gardner in TIME. “Even if these safeguards failed, with greater congressional oversight, it may not have taken a year for OPM to disclose that its network was breached.” (Source: TIME)

SEC investigation is the latest Yahoo breach fallout. Federal authorities are now investigating whether Yahoo violated Securities and Exchange Commission (SEC) rules after the company took 2+ years to report its massive 500-million-account breach to investors. @WSJ reports that Yahoo could be in hot water as “[t]he SEC requires companies to disclose cybersecurity risks as soon as they are determined to have an effect on investors.” Former SEC enforcement official John Reed commented that the Yahoo case was particularly interesting: “Here you are talking not just about the potential for a data breach, but a deal [the proposed Verizon-Yahoo merger] blowing up because of a data breach.” (Source: Wall Street Journal)

Yahoo/Verizon deal delayed. Yahoo executives had hoped to complete the estimated $4.8 billion buyout by the end of Q1 2017. However, Yahoo’s two massive data breaches may be gumming up the deal as executives are now “working expeditiously to close the transaction as soon as practicable in Q2.” (Source: CNET)

Third Circuit Court allows data breach class-actions to proceed. Under the Supreme Court’s ruling in Spokeo v. Robins, it is extremely hard for consumers affected by data breaches to bring a class-action lawsuit. That could be changing, thanks to a decision by the Third Circuit Court of Appeals earlier this month. The court ruled that even when plaintiffs’ injuries are intangible (such as when the defendant in the case, Horizon Healthcare, exposed the plaintiffs’ data through an unsecured laptop), victims may form a class action. If the decision stands, the ability of consumers to be compensated for harm suffered as a result of data breaches could become a reality. (Source: Reuters)

Acer settles with New York Attorney General Office for $115,000. Taiwanese computer manufacturer Acer left 35,000+ credit card numbers unprotected in plain text for more than a year, and now they’re paying for it. Last week, NY AG Eric Schneiderman reached a settlement that will prevent Acer from making such a mistake again. “Businesses have a duty to protect their customers’ personal information as securely as possible,” Schneiderman said in a statement. “Lax security practices like those we uncovered at Acer put New Yorkers’ credit card information and other personal data at serious risk.” (Source: PC Magazine)

Farewell to Ramirez. As FTC Commissioner (formerly Chairman) Edith Ramirez prepares to leave her post, analysis of her time at the FTC reveals her influence as having established, in effect, the Federal “Technology” Commission. @omertene argued that “after three years in office and six years as FTC Commissioner, Ramirez leaves the agency stronger and better equipped to deal with the challenges of the next years.” (Source: IAPP)

@POTUS Twitter account linked to insecure private email account. President Trump’s @POTUS Twitter account, as well as the First Lady’s @FLOTUS, and Vice President Pence’s @VP accounts, are seriously vulnerable to hacking since they were linked to commercial Gmail addresses. While the accounts have been moved to more secure whitehouse.gov addresses, the episode continues to fan concerns about the ability of the Trump White House to protect its data. “It’s unclear whether compromising those email addresses would give an attacker access to the accounts,” writes @russellbrandom. “President Trump has drawn criticism from many in the security world for apparently continuing to use his unsecured Android phone, while his senior staff has drawn similar fire for maintaining private email accounts at the RNC.” (Source: The Verge)

Upcoming events

May 24, 2017 – Planning for the Future: A Conference About Identity Theft – Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

May 25, 2017 – Workshop on Technology and Consumer Protection (ConPro ’17) – San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro ’17) will explore computer technology’s impact on consumers, with a special focus on privacy and ways in “which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro ’17 aims to bring together academic and industry researchers along with government officials.

National Consumers League
Published February 1, 2017