National Consumers League

The #DataInsecurity Digest | Issue 97

Regulators strike back as new data puts cost of breaches at $45 billion annually

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Corporations were put on notice this week as both EU and U.S. regulators imposed record-setting fines. While UK regulators assessed fines against both British Airways and Marriott, the Federal Trade Commission (FTC) reportedly voted to levy a massive $5 billion fine against Facebook. Only time will tell if the regulators’ actions will spur companies to take meaningful steps to curtail data breaches, which the Internet Society estimated inflicted over $45 billion in losses in 2018 alone.

And now, on to the clips! 

-----------------

FTC reportedly approves massive $5 billion fine against Facebook. The fine is not only the largest ever levied “against a tech company that broke a past promise to the government to improve its privacy practices” but it is "more than 200 times greater than the previous largest fine.” (Source: Washington Post)

ICE officials search state driver's license databases without citizens’ knowledge or consent. In at least three states, Immigration and Customs Enforcement (ICE) officials have “requested to comb through state repositories of license photos,” using facial recognition. At least two states, Utah and Vermont, complied. (Source: New York Times)

House Energy and Commerce Committee looks toward Fall 2019 for release of privacy bill. Aides for the committee identified two major sticking points for the bill. The first is state preemption, and the second “lies in whether or not the bill should give consumers the right to sue companies for data breaches. ... One of the aides said that although his office expects the language [a private right of action] to be included in the bill, it could upset moderate Democrats involved in the discussions.” (Source: Morning Consult)

UK regulators propose fining British Airways $230 million. The fine comes in response to the airline's 2018 data breach, which compromised about a half-million passenger records. The fine “represents the latest and by far biggest penalty initiated by national-privacy regulators across the European Union since the enactment last year of [GDPR].” (Source: Wall Street Journal)

UK regulators fine Marriott $123 million. Marriott’s costly fine was in response to a data breach the company suffered last year affecting around 383 million guests, 30 million of whom resided in the EU. “The U.K.’s Information Commissioner’s Office (ICO) said its investigation found that Marriott ‘failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.’” (Source: TechCrunch)

Lake City, FL hit with ransomware attack. The city’s misfortune is another in a growing trend of ransomware attacks on local governments. "Experts on cybersecurity say the growing number of attacks and escalating ransom demands suggest that cyberattacks have found a ripe target: small governments with weak computer protections and strong insurance policies. The [ransom] payments keep coming even as the F.B.I. says they might be incentivizing more attacks.” In the case of Lake City, Florida, many of its files remain locked even after paying the hefty ransom. (Source: New York Times)

Google admits to listening to smart device recordings. An investigative report found “many recordings that had been captured inadvertently, without users activating their devices.” Google “emphasized that ... audio recordings are not tagged to users’ accounts in Google’s review system.” However, despite Google’s claim, journalists were “able to link some audio snippets to the users who were captured on the recordings because they included sensitive, identifiable information.” (Source: The Hill)

In 2018, there were more than 2 million cyber incidents. The report put out by the Internet Society’s Online Trust Alliance also estimated that the incidents inflicted at least $45 billion in losses. The organization predicted that its numbers were on the low side because “it is still the case that most incidents go unreported.” (Source: The Internet Society)

Published July 18, 2019