Announcing the #DataInsecurity Project

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Last December, millions of consumers busily rang up more than $600 billion in holiday purchases. Unfortunately, hackers were also having a field day — at consumers’ expense. We learned that lax security procedures combined with an insecure payment mechanism resulted in as many as 110 million shoppers at retail giant Target having their personal information compromised.

Security researcher Brian Krebs, who first broke the story of the Target breach, recently published a startling set of numbers that demonstrates the impact of this one incident. They include:

  • $200 million – The cost to credit unions and community banks for reissuing 21.8 million credit and debit cards;
  • $18-35.70 – The median price range per card stolen from Target and resold on the black market in the months after the breach;
  • 1-3 million – The estimated number of cards stolen in the Target breach that were sold on the black market and successfully used to commit fraud;
  • $53.7 million – The estimated income that hackers generated from the sale of 2 million cards stolen from Target (at a median price of $18-35.70); and
  • $55 million – The size of outgoing Target CEO Gregg Steinhafel’s golden parachute.

Sobering as these numbers are, they represent the fallout from a single data breach, albeit a massive one. In 2013, the Verizon RISK team reported more than 1,300 data breaches. The non-profit Privacy Rights Clearinghouse, which tracks data breaches, reported that more than 257 million records were compromised last year as well. A recent study by the Ponemon Institute found that the average total cost of a data breach in the U.S. is $5.85 million per incident. The probability that a U.S.-based organization will experience a breach of at least 10,000 records in the next 2 years is 18.7 percent, according to the Ponemon study.

By 2020, annual global data production is expected to hit 35 zettabytes (or 35 trillion gigabytes). This data explosion will power unfathomable changes to consumers’ daily lives. However, the existence of that much data – much of it personal and very valuable to malicious actors – demands stronger security practices. Federal agencies like the FTC are doing yeoman’s work to hold companies to account for lax data security. But the FTC’s authority in this area is in question in the courts, and case-by-case adjudication is unlikely to sufficiently address the larger problem. Organizations like the National Institute of Standards and Technology have developed voluntary frameworks for cybersecurity, but companies and other entities are not compelled by law to adopt them. Standards bodies like the PCI Security Standards Council have industry backing, but they are sector-specific.

While no one can wave a magic wand and solve the problem of data security, more can and should be done in Congress to give enforcement agencies the tools they need to protect consumer data and prod industry to make data security a top priority.

That is why we are announcing today the launch of the NCL #DataInsecurity Project. We are calling on policymakers in Congress, federal agencies and the states to be champions for data security. For too long, policy inertia has prevented meaningful reform on Capitol Hill and elsewhere that would better protect consumers’ data. There are a number of promising bills currently pending in Congress, but more can and must be done. Pro-consumer steps to enhance data security include:

  • Creating a national data breach notification standard, modeled on strong state protections such as California’s;
  • Requiring businesses that maintain consumers’ personal data to protect that information via specific data security requirements;
  • Giving the Federal Trade Commission and state Attorneys General civil penalty authority to enforce violations of data security requirements;
  • Increasing civil and criminal penalties for malicious hacking;
  • Increasing efforts to enhance cooperation with international partners to bring overseas hackers to justice;
  • Requiring retailers and banks to implement the highest level of security available to protect consumers’ payment data.

In an era when vast amounts of data are being collected about them, consumers must have confidence that their information is safe. The Target breach was a wake-up call. We can no longer sit idly by while sophisticated hackers steal with impunity and businesses accept the status quo as just another cost of doing business. The time for reform is now.

Mega-breaches and the importance of the Wyndham decision

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Consumers can be excused for not following the minutiae of U.S. district court decisions, but developments this week in New Jersey marked an important victory for data security. On Monday, Judge Esther Salas allowed a lawsuit brought by the Federal Trade Commission against Wyndham Worldwide Corp. (the parent entity of Days Inn, Howard Johnson’s and Ramada, among other hotel chains) to move forward. From 2008 to early 2010, hackers breached Wyndham’s computer network, stealing credit and debit card information of approximately 500,000 customers. In 2012, the FTC sued Wyndham for the company’s alleged failure to adequately protect its customers’ information from theft.

To date, the FTC has settled more than fifty similar cases resulting from businesses’ failure to put in place reasonable data security measures. However, in the Wyndham case, the company is challenging the FTC’s authority to regulate corporate data security practices. This is important because the FTC is the only federal regulator charged with holding companies accountable for failure to protect their customers’ data. Had Judge Salas agreed with Wyndham, it would have threatened to eliminate the FTC’s authority to hold companies to account.

The importance of Judge Salas’ decision was put in stark relief yesterday when security firm Symantec published its latest Internet Security Threat Report. The report, one of the most comprehensive security assessments in the industry, didn’t mince words when it called 2013 the “Year of the Mega Breach,” when “cybercriminals unleashed the most damaging series of cyberattacks in history.”

Headlines from the report include:

  • 91% increase in targeted attack campaigns in 2013
  • 62% increase in the number of breaches in 2013
  • Over 552 million identities were exposed via breaches in 2013
  • Spear-phishing campaigns saw a 91% rise in 2013
  • 38% of mobile users have experienced mobile cybercrime in past 12 months
  • 8 of the breaches in 2013 exposed more than 10 million identities each
  • 1 in 8 legitimate websites have a critical vulnerability
  • 500% increase in ransomware scams in 2013

The Symantec numbers are just the latest in a string of warnings coming out of the cybersecurity community about the growing threat from hackers. For example, Tuesday also marked the end of Microsoft’s support for the Windows XP operating system, which may still be installed on nearly 28 percent of desktop computers, as well as ATMs and government computer systems. Reports indicate that this could result in a field day for hackers as remaining security vulnerabilities in the operating system are exploited. News about a major vulnerability in the widely used OpenSSL security technology could expose the two-thirds of websites that run it to hackers. And those are just the warnings coming out this week!

While Monday’s decision in the Wyndham case was encouraging, the issue is far from resolved. Wyndham has stated that it will continue to challenge the FTC’s authority to regulate companies’ data security practices. This means consumers are still in danger of losing the most important data security cop on the beat. Given the constant stream of data security warnings, it’s imperative that uncertainty about the FTC’s ability to regulate data security be addressed. A number of bills currently pending in Congress would do just that. The FTC should also convene a workshop to examine the issue in depth, as NCL and others suggested last month.

To be clear, there isn’t just a cybercrime wave going on right now. What consumers and businesses across the country are experiencing is more like a cybercrime tsunami. Policymakers in Washington need to make sure the FTC can continue to respond to this threat before we’re all washed away.

FTC report shines light on continuing problem of ID theft

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

In the world of fraud fighting, the release of the Federal Trade Commission’s Consumer Sentinel Data Book is something of a wonky holiday. Yesterday was no exception, with the agency publishing the annual report, which examines trends in the 2 million-plus complaints the FTC receives annually.

The headline of the report was depressingly familiar: identity theft continued to be the biggest driver of complaints to the FTC for the 14th straight year. This trend is one of the reasons NCL produced our State of Identity Theft in 2013 report last year, which examined the continuing threat of ID theft and why we are making the issue of data insecurity a top priority in 2014.

Looking deeper into the Sentinel data, some additional interesting trends and questions come to light, including:

  • Does youth correlate with risk of identity theft? The FTC noted that 20% of ID theft complaints came from consumers aged 20-29, who comprise only 13.8% of the population. There is also a steady reduction in ID theft complaint rates as consumers get older. For example, 8% of ID theft complaints come from consumers aged 70-plus, which is consistent with their overall 9% distribution in the population. An open question is whether identity theft risk decreases as consumers age or whether the correlation is due to an increased likelihood that younger consumers will report identity theft.
  • The telephone is scammers’ contact method of choice. While recent news has been dominated by stories about high-tech data breaches, it appears that scammers are returning to a somewhat old-fashioned tool: the telephone. Last month’s Fraud.org Top Ten Scams report noted that telemarketing fraud was making a major comeback, with 36% of complaints mentioning the telephone as the method of contact. The FTC’s new data confirmed this, finding that 40% of complaints cited the telephone as the method of contact. The telephone is now the preferred method of contact for scammers, overtaking email for the first time since 2011. Congress is taking notice as well. In December, a bipartisan group of legislators introduced the Anti-Spoofing Act, which would crack down on scammers disguising their calls by altering Caller ID information.
  • Scammers shifting technique in “grandparent’s scams.” Con artists have long used the story of a loved one in distress to defraud consumers, particularly older adults. Also known as the imposter scam, this fraud starts with the fraudster calling a victim with an urgent appeal for funds to help a friend or family member in need. For example, the scammer might claim that a beloved grandson was in a car accident overseas and needs money to pay a hospital bill or to get bailed out of jail. More than 121,000 consumers reported an imposter scam to the FTC in 2013, an increase of more than 36,000 complaints since 2012. The scam is evolving as well. Whereas fraudsters used to impersonate a friend or family member, they are increasingly claiming to represent a business or government official.
  • Encouraging signs in the fight against lottery scams. For the second year in a row, complaints about this type of fraud have decreased (down by about 10,000 complaints since 2011). Thanks in part to consumer education campaigns like DeliveringTrust.com, growing awareness of these scams seems to be having an impact.

More than 2.1 million complaints were filed with the FTC in 2013, with reported losses of more than $1.6 billion. Given that fraud is a chronically underreported crime, we should assume that many millions more consumers were harmed. As we prepare to mark National Consumer Protection Week, this new data should serve as a reminder of the immense toll that fraud takes on U.S. consumers.

This data should push all of us — anti-fraud advocates, law enforcement, policymakers and everyday consumers — to redouble our vigilance in the fight against scammers.

It’s time for broadcasters to step up on deceptive advertising

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

If you’ve turned on the television or radio recently, chances are that you’ve heard at least one advertisement that made you sit up and say “what the…?” From bogus weight-loss products, to suspicious tax “advice” firms, to “free” cruises to the Bahamas, it often seems difficult to avoid ads that are misleading, if not outright fraudulent.

At the federal level, the Federal Trade Commission (FTC) is charged with protecting consumers from unfair and deceptive advertising. Over the years, the agency has brought hundreds of cases against companies that have made dubious claims in their advertisements. In addition, in cases where there is evidence of fraud the FTC can also shut down operations under its “unfair and deceptive acts or practices” authority. State attorneys general also have authority to go after deceptive advertising and fraudulent operations.

Unfortunately, given the limited resources at their disposal, regulators are often only able to go after the most egregious cases of deception and fraud. The result? Ads for all kinds of deceptive and fraudulent products and services continue to proliferate on the public airwaves and on cable TV.

So what can be done to better police the airwaves for deceptive and fraudulent content? As part of its recent enforcement action against four bogus weight-loss companies, the FTC sent a letter to publishers and broadcasters asking them to refer to the FTC’s guidance on spotting phony weight-loss claims when advertisers submit ads.

While this action is a step in the right direction, we think the broadcasting and publishing industries can and should do more to vet the ads they run before they run. The FTC has largely steered clear of putting pressure on publishers and broadcasters to take this common-sense step. The Commission’s last significant effort on this was back in 2003, when former chairman Tim Muris asked cable television advertisers to strictly screen weight-loss ads.

As the Washington Post’s Lydia DePillis noted in a recent article on this topic, publishers and broadcasters usually cite two big reasons for resisting ad screening: their First Amendment right to publish and broadcast what they wish and the expense of setting up a screening program. With the proliferation of Internet-based advertising, the problem becomes even harder to control.

That said, we don’t think that these excuses are reason enough for the industry not to even try. Consumers tend to trust the ads they see on the radio or on television to a greater extent than online ads. When a fraudulent or deceptive ad runs, it undermines confidence in the advertising industry generally. More concretely, when a deceptive advertiser goes under due to enforcement actions, it can leave media outlets holding the bag. For example, when “tax resolution” company TaxMasters went bankrupt in 2012 after being investigated by the Texas Attorney General’s office, it owed CNN and Fox News Channel more than $3.5 million in unpaid advertising.

Doing a better job of screening out deceptive ads is not only the right thing to do from a public interest point of view, but it makes good business sense too. That being the case, why aren’t more companies doing it? Consumers deserve no less.

Shoppers deserve trust and security from our biggest retailers

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Imagine that you’re the CEO of Target today. As one of the 25 most admired companies in the world, consumers’ trust in your brand is paramount to your success. Over the past week you’ve learned that your company is the victim of one of the largest retail data breaches in U.S. history. Cyber thieves compromised 40 million consumers’ credit and debit cards. To add insult to injury, the breach happened during the height of the holiday shopping season – the most important month in your company’s calendar. With every media story about the incident, each outraged consumer Facebook comment and critical tweet, that trust is eroded. It’s clear that Target is facing a public relations nightmare. How they react to this will determine how much faith consumers will continue to place in the brand.

Unfortunately, the advice consumers are getting from the company so far is depressingly familiar: monitor your credit and debit card statements, keep an eye on your credit report and report irregularities promptly.

This is the advice consumers hear after virtually every data breach. Are the increasing number of data breaches just something that consumers need to get used to? In a recent article about the Target breach, Mark Rasch, a former U.S. prosecutor of cybercrime, said, “Most of these attacks are just a cost of doing business.”

As advocates for consumers, we categorically reject the notion that the status quo is an acceptable outcome.

We must not accept a marketplace where consumers are asked to make ever more data available to more entities but are stuck with the consequences when those entities fail to protect our data. We think that the government and private sector can and should do more to protect the vast amounts of sensitive data that they are collecting from consumers.

This is not a new issue. For decades, data security experts have discussed ideas about how to improve the situation. At its core, consumer and business data is the focus of a never-ending arms race between those that want to protect consumer data and those that want to steal it for fraudulent uses. Just as no bank can ever be 100% secure from a robbery, no data can ever be 100% secure from a breach. However, consumers should be able to rely on a certain basic level of data security.

Unfortunately, that is exactly what we lack today. Shockingly, there is no one law in the U.S. that mandates the steps businesses should take to protect their customers’ data. Instead, consumers are reliant on precedents set by Federal Trade Commission enforcement actions. Since 2000, the FTC – under its “unfair and deceptive acts or practices” authority – has brought nearly fifty data security cases against companies whose data security practices (or lack thereof) have put consumers at risk. However, that authority could be taken away if the FTC loses in two closely watched court cases. Should the FTC lose, consumers will be left without one of the most important watchdogs in this fight.

Consumers should not be left to fend for themselves against the legions of sophisticated and organized data thieves. The Target breach, and the daily smaller breaches that go unreported should serve as a wake-up call for legislators and regulators that data security reform is urgently needed.

Did you know another American falls victim to ID theft #every3seconds?

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

NCL’s “State of ID Theft” Conference To Put National Spotlight on Continuing Problem

For thirteen years, the crime of identity theft has generated more complaints to the Federal Trade Commission than any other fraud. In 2012, more than 12 million Americans were affected by identity theft, costing the U.S. economy $20.9 billion. Every three seconds, a consumer’s identity is compromised by this pernicious crime.

Seven years ago, President George W. Bush, recognizing the seriousness of the threat of ID theft, created the federal Identity Theft Task Force. Made up of eighteen federal agencies, the task force was charged with implementing a range of recommendations to address the threat of ID theft. The task force made thirty-one recommendations, from reducing the use of Social Security Numbers by federal agencies, to improving coordination by law enforcement, to passing a national data breach notification standard, to name a few. The implementation of these recommendations by the federal government, as well as improved anti-fraud procedures in the private sector, have done much to make life harder on ID thieves.

Despite these advances, ID theft is still a major threat to consumers, business and the government. According to one conservative estimate, more than 1.1 billion records have been compromised by identity theft. Data breaches, which put information on millions of consumers in the hands of fraudsters, are still occurring at a rate of at least one per day.

Just as troubling, it appears that we may be on the cusp of a new wave of ID theft. With ever larger amounts of data being collected about consumers by government and the private sector, data breaches become more likely. Identity thieves are shifting towards scams that are harder to detect, such as tax-related ID theft and medical ID theft. And the criminals themselves — often located overseas — are becoming more professional and organized.

How will these new factors affect consumers’ vulnerability to identity theft? What can we learn from the last seven years of fighting this problem? What should consumers expect from regulators, law enforcement and the private sector as this crime evolves?

To examine these and other questions, the National Consumers League will be hosting our first State of ID Theft conference on December 12 in Washington, DC. The event will bring together some of the brightest minds in the country for panel discussions examining the continuing threat of ID theft and what can be done to better protect consumers. Headlining the conference will be a lunchtime conversation between FTC Chairwoman Edith Ramirez and Former Chairwoman Deborah Platt Majoras, who co-chaired the federal Identity Theft Task Force from 2006-08.

Registration is free but space is limited. Please RSVP here. For more information please contact John Breyault at johnb@nclnet.org.

Additional consumer protections could help prevent more Jamsters

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

The Federal Trade Commission (FTC) today announced its second major enforcement action against a wireless cramming scheme – a $1.2 million settlement with Jesta Digital, a.k.a. Jamster. While enforcement actions may give some scammers pause, the dozens of FTC enforcement actions against landline cramming scammers since the early 2000s show that enforcement alone isn’t the answer. As the FTC itself has stated, wireless cramming is a “significant consumer problem,” demanding action by federal regulators.

We couldn’t agree more. Based on data reported by the California Public Utilities Commission, the Federal Communications Commission (FCC) and the Vermont Attorney General’s office, we estimated that wireless cramming fraud is costing consumers as much as $887 million per year. As we have said before, the Jamster case, as well as Wise Media and JAWA before it, is likely just the tip of a very large iceberg when it comes to wireless cramming.

Unfortunately, the wireless industry seems determined to defend its assertion that there is not a significant wireless cramming problem in the U.S. For example, in June, CTIA, the wireless industry’s association, published an industry-funded study that called into question the results of an earlier study by the Center for Rural Studies at the University of Vermont. The Vermont study found that 60% of third-party charges on consumers’ wireless phone bills were unauthorized. An earlier analysis by the Illinois Consumer Utility Board found that 44% of third-party charges were unauthorized.