National Consumers League

The #DataInsecurity Digest | Issue 94

Senator questioning Alexa privacy issues; states leading efforts to strengthen security requirements

By John Breyault (@jammingecono),
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s note: Delaware Senator Chris Coons wants to know if Alexa is collecting more information than we've been led to believe. As prospects for Congress to pass a comprehensive data security and privacy bill remain largely unresolved, New York and North Carolina are joining the growing number of states seeking to implement their own data security standards legislation and/or strengthen existing laws related to breach notification and credit freezes. New data highlighting the high cost to U.S. businesses and consumers from data breaches—particularly in the healthcare sector—will undoubtedly fuel additional state efforts.

And now, on to the clips!


Senator Coons presses Amazon on privacy concerns about Alexa. Senator Chris Coons (D-DE) wants to know whether consumers’ control over what Alexa knows about them is as good as it’s cracked up to be. “While I am encouraged that Amazon allows users to delete audio recordings linked to their accounts, I am very concerned by reports that suggest that text transcriptions of these audio records are preserved indefinitely on Amazon’s servers, and users are not given the option to delete these text transcripts,” wrote Coons in a letter to Amazon CEO Jeff Bezos. “The inability to delete a transcript of an audio recording renders the option to delete the recording largely inconsequential and puts users’ privacy at risk.” (Source: Security Magazine)

SHIELD Act would bring GDPR-style data security rules to New York. Legislation proposed in the New York State Senate would tighten data breach notification rules and implement data security requirements, bringing the state more in line with similar rules on the books in Europe. “Once passed, NY’s SHIELD Act would likely be among the strictest laws in the country,” writes @FYRashid. The bill is separate from the Right to Know Act, a privacy-focused bill that is also pending in the New York Senate. (Source: Decipher)

North Carolina bill would require “reasonable” data security, free credit freezes. Under bipartisan legislation in North Carolina, businesses collecting consumer data would be required to implement reasonable data security practices. North Carolinians would also gain the right to place or lift a credit freeze free of charge—a key part of “digital hygiene.” The bill has powerful backers, including Representative Jason Saine (R), Senior Appropriations Chairman, House Deputy Majority Leader Brenden Jones (R), House Deputy Democratic Leader Robert Reives, II (D), and Attorney General Josh Stein (D). (Source: Fisher Phillips/JD Supra)

Quick hit: Five key data security takeaways from recent FTC consent orders

40 percent of healthcare organizations faced WannaCry-related attacks in past six months. The WannaCry malware continues to wreak havoc in healthcare organizations worldwide, according to new research by security firm Armis. “The researchers noted that WannaCry was reportedly behind 30 percent of all ransomware attacks during the third quarter of 2018,” writes @_JF_Davis_. “Further, there were devices infected by WannaCry that weren’t addressed during the attack, which continued its spread to other computers.” (Source: Health IT Security)

Premera Blue Cross settles breach suit for $74 million. More than 11 million victims of a 2014 breach at health insurer Premera Blue Cross may soon see some relief, thanks to a settlement reached in a long-running lawsuit related to the breach. “As part of the settlement, plaintiffs will receive an additional two years of premium credit monitoring and identity protection services, out-of-pocket losses, as well as cash payments to all class members who make a claim,” writes @Slabodkin. (Source: Health Data Management)

ForgeRock: 2018 breaches cost the United States $645 billion, exposed 2.8 billion records. New data from digital security firm ForgeRock shows growing costs to sectors such as financial services, government, and healthcare from data breaches. “Almost half (48%) of all consumer data breaches happened in the healthcare sector, four times as many in any other sector,” writes @helpnetsecurity. (Source: HelpNetSecurity)

Breach du jour: Quest Diagnostics. Nearly 12 million patients of Quest Diagnostics had their credit card numbers, bank account information, medical information, and Social Security numbers compromised in a breach lasting from August 2018 to March 2019. “In a filing with the Securities and Exchange Commission, Quest said a billing collections vendor, American Medical Collection Agency, notified it last month of potential unauthorized activity on AMCA’s web payment page,” writes @AngelicaLaVito. (Source: CNBC)

Breach du jour, part deux: Flipboard. News aggregation app Flipboard, which counts more than 500 million downloads on the Google Play store, recently announced a breach that compromised email addresses, usernames, and hashed passwords for 20 million users. During the breach, which lasted more than 8 months, the hackers also had access to digital tokens that would allow them to “read or make posts and messages on the account and access some user account information, such as user name, profile information, posts to the site, and connections. In some cases, this access also allowed changes to this information, such as inviting new people to connect.” (Source: Naked Security by Sophos)

Upcoming Events

June 27, 2019: Federal Trade Commission’s PrivacyCon – Washington, DC
Each year, the FTC convenes a group of privacy experts, academics, policymakers, and regulators to discuss the latest research surrounding consumer privacy and data security. (Source: Federal Trade Commission)

Published June 6, 2019