The #DataInsecurity Digest | Issue 62

Data security takes top billing at FTC Commissioners’ confirmation hearing

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Data security was a frequent topic of discussion at a confirmation hearing for a slate of new FTC commissioners. Incoming chairman Joe Simons expressed concern over the FTC’s inability to fine companies that mismanage consumers’ data and reiterated the agency’s long-standing call for Congress to grant it civil penalty authority.

The Equifax data breach is thought to be even more expansive than previously thought. Investigators are now saying that tax identification numbers, as well as additional drivers licence information, may also have been compromised. The latest revelation is fueling fears of the potential for widespread tax identity theft as tax season shifts into high gear. A new report from Sen. Elizabeth Warren that the Equifax breach also compromised passport numbers is being disputed by the company. Finally, the House Financial Services committee’s forthcoming data breach “discussion draft” bill is giving consumer advocates heartburn due to the bill’s expected preemption of state data breach bills.

And now, on to the clips!

—————–

FTC Chairman nominee requests civil penalty authority in nomination hearing. In his confirmation hearing, Joe Simons commented that “[o]ne of the things that I‘m extremely concerned about is whether the FTC has sufficient authority regarding data breaches.” @dibartz reports that Simons asked “lawmakers to consider giving the agency the authority to fine companies.” (Source: Reuters)

Equifax data breach more damaging than originally thought; may serve as catalyst for tax identity fraud. Investigators already knew that 145 million Americans had their Social Security numbers, birthdays, driver’s license numbers, and addresses compromised. Now, however, the trove of compromised data is thought to also include tax ID numbers and driver’s license states and issuing dates. @davidzmorris reports: “The additional data could make it even easier for hackers to open credit lines or otherwise exploit victim’s identities. The theft of tax ID numbers is particularly concerning, since it may increase the risk of fraudulent tax filings.” (Source: Fortune)

Equifax breach allegedly compromised passport information too. Last week, Sen. Elizabeth Warren’s (D-MA) office issued a report that found that “Equifax failed to disclose the fact that the hackers gained access to consumers’ passport numbers.” Equifax is disputing the accusation. (Source: Wall Street Journal)

With state primaries less than a month away, efforts to secure elections continue to lag. @fbajak reports that while “14 states and three local election agencies have so far asked for detailed vulnerability assessments offered by the Department of Homeland Security… only five of the two-week examinations are complete…” Further complicating things, “fewer than half of the estimated 50 senior state elections officials who requested federal security clearances have received them, DHS says. That can hinder information sharing designed to help states deal with election disruptions.” (Source: Associated Press)

Quick hit: White House estimates that malicious cyber activity cost the United States between $57 and $109 billion in 2016 alone. (Source: Reuters)

Winter Olympics hacked. “On Feb. 9, the official Winter Olympics website went down for several hours, causing a disruption to ticket sales and downloads during the opening ceremony. Localized Wi-Fi networks surrounding the games in South Korea also reportedly became temporarily unavailable in the preceding hours…” Investigators believe that “hackers compromised the main IT service provider for the Winter Olympic Games months before last week’s highly publicized cyberattack.” (Source: Cyber Scoop)

House Financial Service committee looks into data breach notification requirements. With a discussion draft of a data breach notification bill due out shortly, few details have been provided by lawmakers. “[Rep. Blaine] Luetkemeyer, who said Americans are clamoring for prompt notification, gave no indication what time limits could be placed in the bill for businesses to tell consumers their information had been stolen,” writes @tedknutsondc. Consumer advocates including @edmpirg warned that the forthcoming bill will most likely help wrongdoers, not consumers, by preempting state action. (Source: Fortune)

Report watch: Federal contractors have significantly worse data security that the agencies they serve. In a new report, @bitsight gave 50 percent of federal contractors a grade below a C for protective technology and also found that the security performance of federal agencies is significantly better than the contractors they hire. (Source: Bitsight)

Events

February 28, 2018 – Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published February 22, 2018