Announcing the #DataInsecurity Project

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Last December, millions of consumers busily rang up more than $600 billion in holiday purchases. Unfortunately, hackers were also having a field day — at consumers’ expense. We learned that lax security procedures combined with an insecure payment mechanism resulted in as many as 110 million shoppers at retail giant Target having their personal information compromised.

Security researcher Brian Krebs, who first broke the story of the Target breach, recently published a startling set of numbers that demonstrates the impact of this one incident. They include:

  • $200 million – The cost to credit unions and community banks for reissuing 21.8 million credit and debit cards;
  • $18-35.70 – The media price range per card stolen from Target and resold on the black market in the months after the breach;
  • 1-3 million – The estimated number of cards stolen in the Target breach that were sold on the black market and successfully used to commit fraud;
  • $53.7 million – The estimated income that hackers generated from the sale of 2 million cards stolen from Target (at a median price of $18-35.70); and
  • $55 million – The size of outgoing Target CEO Gregg Steinhafel’s golden parachute.

Sobering as these numbers are, they represent the fallout from a single data breach, albeit a massive one. In 2013, the Verizon RISK team reported more than 1,300 data breaches. The non-profit Privacy Rights Clearinghouse, which tracks data breaches, reported that more than 257 million records were compromised last year as well. A recent study by the Ponemon Institute found that the average total cost of a data breach in the U.S. is $5.85 million per incident. The probability that a U.S.-based organization will experience a breach of at least 10,000 records in the next 2 years is 18.7 percent, according to the Ponemon study.

By 2020, annual global data production is expected to hit 35 zettabytes, (or 35 trillion gigabytes). This data explosion will power unfathomable changes to consumers’ daily lives. However, the existence of that much data – much of it personal and very valuable to malicious actors – demands stronger security practices. Federal agencies like the FTC are doing yeoman’s work to hold companies to account for lax data security. But the FTC’s authority in this area is in question in the courts, and case-by-case adjudication is unlikely to sufficiently address the larger problem. Organizations like the National Institutes of Standards and Technology have developed voluntary frameworks for cybersecurity, but companies and other entities are not compelled by law to adopt it. Standards bodies like the PCI Security Standards Council have industry backing, but they are sector-specific.

While no one can wave a magic wand and solve the problem of data security, more can and should be done in Congress to give enforcement agencies the tools they need to protect consumer data and prod industry to make data security a top priority.

That is why we are announcing today the launch of the NCL #DataInsecurity Project. We are calling on policymakers in Congress, federal agencies and the states to be champions for data security. For too long, policy inertia has prevented meaningful reform on Capitol Hill and elsewhere that would better protect consumers’ data. There are a number of promising bills currently pending in Congress, but more can and must be done. Pro-consumer steps to enhance data security include:

  • Creating a national data breach notification standard, modeled on strong state protections such as California’s;
  • Requiring businesses that maintain consumers’ personal data to protect that information via specific data security requirements;
  • Giving the Federal Trade Commission and state Attorneys General civil penalty authority to enforce violations of data security requirements;
  • Increasing civil and criminal penalties for malicious hacking;
  • Increasing efforts to enhance cooperation with international partners to bring overseas hackers to justice;
  • Requiring retailers and banks to implement the highest level of security available to protect consumers’ payment data

In an era when vast amounts of data are being collected about them, consumers must have confidence that their information is safe. The Target breach was a wake-up call. We can no longer sit idly by while sophisticated hackers steal with impunity and businesses accept the status quo as just another cost of doing business. The time for reform is now.

Mega-breaches and the importance of the Wyndham decision

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Consumers can be excused for not following the minutiae of U.S. district court decisions, but developments this week in New Jersey marked an important victory for data security. On Monday, Judge Esther Salas allowed a lawsuit brought by the Federal Trade Commission against Wyndham Worldwide Corp. (the parent entity of Days Inn, Howard Johnson’s and Ramada, among other hotel chains) to move forward. From 2008 to early 2010, hackers breached Wyndham’s computer network, stealing credit and debit card information of approximately 500,000 customers. In 2012, the FTC sued Wyndham for the company’s alleged failure to adequately protect its customers’ information from theft.

To date, the FTC has settled more than fifty similar cases resulting from businesses’ failure to put in place reasonable data security measures.  However, in the Wyndham case, the company is challenging the FTC’s authority to regulate corporate data security practices. This is important because the FTC is the only federal regulator charged with holding companies accountable for failure to protect their customers’ data. Had Judge Salas agreed with Wyndham, it would have threatened to eliminate the FTC’s authority to hold companies to account.

The importance of Judge Salas’ decision was put in stark relief yesterday when security firm Symantec published its latest Internet Security Threat Report. The report, one of the most comprehensive security assessments in the industry, didn’t mince words when they called 2013 the “Year of the Mega Breach,” when “cybercriminals unleashed the most damaging series of cyberattacks in history.”

Headlines from the report include:

  • 91% increase in targeted attacks campaigns in 2013
  • 62% increase in the number of breaches in 2013
  • Over 552 million identities were exposed via breaches in 2013
  • Spear-phishing campaigns saw a 91% rise in 2013
  • 38% of mobile users have experienced mobile cybercrime in past 12 months
  • 8 of the breaches in 2013 exposed more than 10 million identities each
  • 1 in 8 legitimate websites have a critical vulnerability
  • 500% increase in ransomware scams in 2013

The Symantec numbers are just the latest in a string of warnings coming out of the cybersecurity community about the growing threat from hackers. For example, Tuesday also marked the end of Microsoft’s support for the Windows XP operating system, which may still be installed on nearly 28 percent of desktop computers, as well as ATMs and government computer systems. Reports indicate that this could result in a field day for hackers as remaining security vulnerabilities in the operating system are exploited. News about a major vulnerability in the widely used OpenSSL security technology could expose the two-thirds of websites that run it to hackers. And those are just the warning coming out this week!

While Monday’s decision in the Wyndham case was encouraging, the issue is far from resolved. Wyndham has stated that it will continue to challenge the FTC’s authority to regulate companies’ data security practices. This means consumers are still in danger of losing the most important data security cop on the beat. Given the constant stream of data security warnings, it’s imperative that uncertainty about the FTC’s ability to regulate data security be addressed. A number of bills currently pending in Congress would do just that. The FTC should also convene a workshop to examine the issue in depth, as NCL and others suggested last month.

To be clear, there isn’t just a cybercrime wave going on right now. What consumers and businesses across the country are experiencing is more like a cybercrime tsunami. Policymakers in Washington need to make sure the FTC can continue to respond to this threat before we’re all washed away.

The time for credit card security reform is now

(Photo: Steven Senne, AP)

(Photo: Steven Senne, AP)

During the busiest shopping time of the year – the period between Thanksgiving and Christmas – Target, one of America’s largest retailers, suffered the second biggest data breach in US history as 40 million credit and debit cards were compromised. Americans assume that when they shop their personal financial information will be kept private and away from identity thieves. Unfortunately, that is not always the case evidenced by the more than 4,000 data breaches that have been reported since 2005, an average of more than one a day over the last nine years.

Consumer advocates hope that the scale of the Target data breach will serve as the impetus for much needed credit card security reform. The time for change is now. Although consumer’s financial information will never be 100% secure, there are things that can be done. Retailers can use advanced encryption technology and more secure firewalls. Credit card companies can encourage the use of “Chip and PIN” technology in their credit cards. Our politicians can pass legislation establishing a national data breach notification standard and urge the Obama Administration to explore incentives and penalties to encourage private sector businesses to better protect consumer data. These changes will not happen without pressure from consumers.

This week, a group of Democratic Senators requested that the Senate banking Committee hold hearings to examine cybersecurity practices. The letter, written by Senators Robert Menendez (D-NJ), Mark Warner (D-VA), and Charles Schumer (D-NY) stated, “We believe it would be valuable for the Committee to examine whether market participants are taking all appropriate actions to safeguard consumer data and protect against fraud, identity theft, and other harmful consequences, and whether we need stronger industry-wide cybersecurity standards.”

Changing and improving security standards will inevitably cost time and money. No one wants to foot the bill for needed innovations. Our lawmakers must capitalize on the current consumer awareness of the need for better cybersecurity and hold a congressional hearing to determine how businesses can better protect consumer data.

The NSA scandal: balancing safety and liberty

By Sally Greenberg, NCL Executive Director

On June 6, Edward Snowden leaked classified information about the National Security Agency’s (NSA) collection of massive amounts of data over the last decade. First came the revelation that the secretive agency demanded that telecom providers hand over droves of phone conversation metadata, including the telephone numbers of those making and receiving calls and how long those calls lasted. Later we learned that the NSA also requested online data collected from Google, Facebook, Yahoo, and others.

Some have called Snowden a hero, others a traitor. The U.S. government has charged Snowden with espionage. Snowden, a 29-year-old high school drop-out (he later earned his GED), had been hired by an outsourced government contractor and working with sensitive NSA data since 2009. His release of the classified information has not only raised serious questions about the legality of such data collection and what this means for people living in a free, democratic society such as ours, but also has muddled international relations with China and Russia, both countries in which he has appeared since fleeing. Neither Russia nor Hong Kong were willing  to extradite  him  to the US.

Much of the media’s focus over the last few weeks has revolved around Snowden’s whereabouts, but these revelations about NSA’s actions have also started a more sobering discussion about what role the government plays in both protecting the American people from terrorist attacks and preserving civil liberties.

Polls taken since the disclosure of NSA’s policies show Americans are divided on this issue. A PEW poll reported that 56 percent of Americans think the NSA’s tracking of “millions of Americans” phone records is an acceptable way for the government to investigate terrorism. Conversely, in a CBS poll that asked about collecting phone records of “ordinary Americans” only 38 percent of respondents found the practice acceptable. Due to the lack of transparency in the NSA program, Americans are unclear how useful such data collection is to ensuring our safety and security.

Continue reading

Federal medical privacy rules strengthened; Medication adherence must be protected

By Sally Greenberg, NCL Executive Director

Last week, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) published its long-awaited final rule revising the nation’s federal medical privacy requirements under the HITECH Act of 2009 – a.k.a. the “HIPAA Privacy Rule.” NCL, a founding member of the Best Privacy Practices Coalition, congratulates HHS for strengthening consumer privacy and data security protections, and enhancing enforcement for HIPAA violations by covered entities and their business associates.

The final rule attempts to strike a balance between patients’ privacy concerns and the meaningful benefits of sponsored and non-sponsored communications that can improve adherence to prescribed therapies and greatly improve patient health. Notwithstanding HHS’s efforts, there remains some tension between certain of the privacy protections and the goals of bolstering public health.

The problem of poor medication adherence is a major, and significantly under-appreciated health problem. Studies suggest that nearly three-out-of-four Americans do not take their medication as directed and that the cost to the health care system of non-adherence annually is a $290 billion. To address the problem, NCL is leading a medication adherence public awareness campaign, Script Your Future (www.scriptyourfuture.org). NCL’s campaign is designed to help patients take their prescribed medication as directed and better manage health problems such as diabetes, COPD, asthma, high blood pressure, and high cholesterol.

To help combat this problem of poor adherence, most pharmacies, health plans, and doctors provide a broad range of patient-directed communications regarding prescription drug therapies, including communications that encourage patients to stay on prescribed therapy. NCL’s views these communications, particularly “refill reminders,” as tools that help patients follow their medication regimen.

While we are pleased that the rule does allow use of “refill reminders” we are concerned that HHS’s final rule is more restrictive than the prior HIPAA Privacy Rule in requiring patient authorization (opt in) for health care providers’ (and health plans’) capability to use patient information to execute certain sponsored patient communications programs (refill reminders are excepted). To its credit, in addition to codifying the statutory exception for “refill reminder” messages, HHS also maintained the exception for sponsored communications that are delivered in face-to-face settings (e.g., in the pharmacy or doctor’s office).

In particular, we are concerned that the statutory exception for “refill reminders” is available only if compensation received by the covered entity provider or plan is “reasonably related” to the entity’s costs of making the communication. Although Congress included this “reasonable in amount” limitation in the HITECH Act, NCL believes that HHS has gone too far in its preamble interpretation by limiting such compensation to only certain direct costs. Specifically, under the final rule, HHS considers permissible costs to be restricted to those of labor, supplies, and postage to make the communication and that they include “only the pharmacy’s cost of drafting, printing, and mailing the refill reminders.” It sounds like a minor point, perhaps, but we are concerned that this could have a negative impact on patient adherence. We think that a broader definition of costs is called for, including such things as computer hardware, software, and other overhead – because we don’t want to inhibit in any way communications that can help improve the likelihood of patient adherence to medication.

We also are concerned that, from a policy standpoint, the “reasonable compensation” requirement may inhibit HHS efforts to promote medication adherence, and in the end does little to advance patient privacy. For instance, HHS’s Centers for Medicare and Medicaid (CMS) requires and rewards patient adherence programs in several respects, including through physicians’ “meaningful use” of electronic health records (EHRs). Furthermore, in order for vendors implementing Medicare part D to qualify for reimbursement, they must make use of CMS’s Medication Management Therapy Programs (MTMP), which are, by their very nature, adherence -focused incentives. In addition, HHS’s Agency for Healthcare Research and Quality (AHRQ) has studied the comparative effectiveness of medication adherence interventions and funds adherence educational programs.

We’re concerned that HHS’s interpretation of “reasonable compensation” may not be grounded in good public policy and could actually hamper sponsored adherence efforts, which are widely regarded as beneficial to public health. In the final rule, HHS signaled its intention to issue informal guidance on the “refill reminder” exception. NCL hopes that, in so doing, HHS will make clear that the exception serves an important public health function and that “reasonable compensation” ought to be interpreted in the broadest possible fashion in order to ensure that we are doing all we can to promote improved medication adherence.

NCL symposium examines consumer issues and the next Congress

By John Breyault, NCL Vice President of Public Policy, Telecommunications and Fraud

The freshman class of the 113th Congress will feature 12 new Senators and 67 new Representatives. For consumer advocates, this is an opportunity to introduce ourselves to these new lawmakers and develop relationships that can help promote our economic and social justice mission on the Hill. Freshman like Senator-elect Elizabeth Warren have long been heroes to the consumer movement, but others such as Senator-elect Heidi Heitkamp and Members-elect Kevin Cramer, Joseph Kennedy III, and George Holding all have experience in regulatory agencies and in the legal system where consumer issues arise.

The incoming members of the 113th Congress will have a full agenda when it comes to consumer issues. Even before the next Congress, the Lame Duck session of the current 112th Congress is tackling the so-called “fiscal cliff” of tax increases and spending cuts mandated by the Budget Control Act of 2011.

It is in this context that NCL convened our inaugural Consumer Issues Symposium on Wednesday, November 14 to examine the future of three important consumer issues in the lame duck session and the coming 113th Congress. We chose to focus the event on three issues near and dear to NCL’s heart – food safety, sequestration and privacy. The goal of the event was to examine not only the future prospects for consumer-focused legislation in Congress, but also to highlight the real-world impact of these policy areas on consumers.

For example, the sequestration cuts envisioned as part of the “fiscal cliff” will require numerous federal agencies to significantly scale back their activities. When the USDA’s Food Safety and Inspection Service is projected to take an $86 million haircut, what does that mean for the safety of America’s food supply? Likewise, in a scenario where the federal Low-Income Home Energy Assistance Program is on track to take a $285 million budget hit, how will consumers living through the cold winter months adjust?

The event, organized in partnership with the law firm of Kelley Drye, was a great success. (Historical note: One of Kelley Drye’s name partners was Nicholas Kelley, son of Florence Kelley, the first General Secretary of NCL). It featured more than a dozen expert speakers from Executive Branch, Congress and advocacy organizations, including FTC Commissioner Julie Brill, FDA Deputy Commissioner Michael Taylor and former Congresswoman and CPSC Commissioner Anne Northup. Photos from the event are currently viewable on NCL’s Facebook page.

 

Facebook privacy

By Sally Greenberg, NCL Executive Director

The Wall Street Journal, of late, has done a very admirable muckracking job looking at privacy policies of Facebook, Skype, Yahoo and other sites. Why are privacy policies important to consumers? Because marketers want information about consumers so they can try to sell us stuff and in the process they dig deep for our personal data. And so the Facebooks, Skypes, and Yahoos of the world offer us access to their many fantastic applications – and many are fantastic – but only if we share information about ourselves.

The authors of a recent article in the Journal- Julia Angwin and Jeremy Singer-Vine, put it like this: “This appetite for personal data reflects a fundamental truth about Facebook, and by extension, the Internet economy as a whole: Facebook provides a free service that users pay for, in effect, by providing details about the lives, friendships, interests and activities.” And Facebook has 800-million-plus subscribers so that’s a lot of money.

You have to ask yourself why Facebook so highly valued – if it goes public it may be valued at $100 billion. Access to Facebook is free for consumers so we pay with our private information which Facebook then sells to advertisers. The Journal also says that Facebook isn’t always enforcing its own rules on data privacy. Dozens of apps apparently allow advertisers that haven’t been approved by Facebook.

Privacy proponents like Helen Nissenbaum, who wrote a book called “Privacy in Context,” are calling for digital “fences” around data usage and even the White House has called for consumers to be told how any data collected will be used. These are serious concerns for all of us who value our privacy and don’t want our personal data collected and sold. Hopefully this Journal series on privacy will get the ball rolling in that direction.