Announcing the #DataInsecurity Project

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Last December, millions of consumers busily rang up more than $600 billion in holiday purchases. Unfortunately, hackers were also having a field day — at consumers’ expense. We learned that lax security procedures combined with an insecure payment mechanism resulted in as many as 110 million shoppers at retail giant Target having their personal information compromised.

Security researcher Brian Krebs, who first broke the story of the Target breach, recently published a startling set of numbers that demonstrates the impact of this one incident. They include:

  • $200 million – The cost to credit unions and community banks for reissuing 21.8 million credit and debit cards;
  • $18-35.70 – The median price range per card stolen from Target and resold on the black market in the months after the breach;
  • 1-3 million – The estimated number of cards stolen in the Target breach that were sold on the black market and successfully used to commit fraud;
  • $53.7 million – The estimated income that hackers generated from the sale of 2 million cards stolen from Target (at a median price of $18-35.70); and
  • $55 million – The size of outgoing Target CEO Gregg Steinhafel’s golden parachute.

Sobering as these numbers are, they represent the fallout from a single data breach, albeit a massive one. In 2013, the Verizon RISK team reported more than 1,300 data breaches. The non-profit Privacy Rights Clearinghouse, which tracks data breaches, reported that more than 257 million records were compromised last year as well. A recent study by the Ponemon Institute found that the average total cost of a data breach in the U.S. is $5.85 million per incident. The probability that a U.S.-based organization will experience a breach of at least 10,000 records in the next 2 years is 18.7 percent, according to the Ponemon study.

By 2020, annual global data production is expected to hit 35 zettabytes (or 35 trillion gigabytes). This data explosion will power unfathomable changes to consumers’ daily lives. However, the existence of that much data – much of it personal and very valuable to malicious actors – demands stronger security practices. Federal agencies like the FTC are doing yeoman’s work to hold companies to account for lax data security. But the FTC’s authority in this area is in question in the courts, and case-by-case adjudication is unlikely to sufficiently address the larger problem. Organizations like the National Institute of Standards and Technology have developed voluntary frameworks for cybersecurity, but companies and other entities are not compelled by law to adopt them. Standards bodies like the PCI Security Standards Council have industry backing, but they are sector-specific.

While no one can wave a magic wand and solve the problem of data security, more can and should be done in Congress to give enforcement agencies the tools they need to protect consumer data and prod industry to make data security a top priority.

That is why we are announcing today the launch of the NCL #DataInsecurity Project. We are calling on policymakers in Congress, federal agencies and the states to be champions for data security. For too long, policy inertia has prevented meaningful reform on Capitol Hill and elsewhere that would better protect consumers’ data. There are a number of promising bills currently pending in Congress, but more can and must be done. Pro-consumer steps to enhance data security include:

  • Creating a national data breach notification standard, modeled on strong state protections such as California’s;
  • Requiring businesses that maintain consumers’ personal data to protect that information via specific data security requirements;
  • Giving the Federal Trade Commission and state Attorneys General civil penalty authority to enforce violations of data security requirements;
  • Increasing civil and criminal penalties for malicious hacking;
  • Increasing efforts to enhance cooperation with international partners to bring overseas hackers to justice;
  • Requiring retailers and banks to implement the highest level of security available to protect consumers’ payment data.

In an era when vast amounts of data are being collected about them, consumers must have confidence that their information is safe. The Target breach was a wake-up call. We can no longer sit idly by while sophisticated hackers steal with impunity and businesses accept the status quo as just another cost of doing business. The time for reform is now.

Mega-breaches and the importance of the Wyndham decision

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Consumers can be excused for not following the minutiae of U.S. district court decisions, but developments this week in New Jersey marked an important victory for data security. On Monday, Judge Esther Salas allowed a lawsuit brought by the Federal Trade Commission against Wyndham Worldwide Corp. (the parent entity of Days Inn, Howard Johnson’s and Ramada, among other hotel chains) to move forward. From 2008 to early 2010, hackers breached Wyndham’s computer network, stealing credit and debit card information of approximately 500,000 customers. In 2012, the FTC sued Wyndham for the company’s alleged failure to adequately protect its customers’ information from theft.

To date, the FTC has settled more than fifty similar cases resulting from businesses’ failure to put in place reasonable data security measures. However, in the Wyndham case, the company is challenging the FTC’s authority to regulate corporate data security practices. This is important because the FTC is the only federal regulator charged with holding companies accountable for failure to protect their customers’ data. Had Judge Salas agreed with Wyndham, it would have threatened to eliminate the FTC’s authority to hold companies to account.

The importance of Judge Salas’ decision was put in stark relief yesterday when security firm Symantec published its latest Internet Security Threat Report. The report, one of the most comprehensive security assessments in the industry, didn’t mince words in calling 2013 the “Year of the Mega Breach,” when “cybercriminals unleashed the most damaging series of cyberattacks in history.”

Headlines from the report include:

  • 91% increase in targeted attack campaigns in 2013
  • 62% increase in the number of breaches in 2013
  • Over 552 million identities were exposed via breaches in 2013
  • Spear-phishing campaigns saw a 91% rise in 2013
  • 38% of mobile users have experienced mobile cybercrime in past 12 months
  • 8 of the breaches in 2013 exposed more than 10 million identities each
  • 1 in 8 legitimate websites have a critical vulnerability
  • 500% increase in ransomware scams in 2013

The Symantec numbers are just the latest in a string of warnings coming out of the cybersecurity community about the growing threat from hackers. For example, Tuesday also marked the end of Microsoft’s support for the Windows XP operating system, which may still be installed on nearly 28 percent of desktop computers, as well as ATMs and government computer systems. Reports indicate that this could result in a field day for hackers as remaining security vulnerabilities in the operating system are exploited. News about a major vulnerability in the widely used OpenSSL security technology could expose the two-thirds of websites that run it to hackers. And those are just the warnings coming out this week!

While Monday’s decision in the Wyndham case was encouraging, the issue is far from resolved. Wyndham has stated that it will continue to challenge the FTC’s authority to regulate companies’ data security practices. This means consumers are still in danger of losing the most important data security cop on the beat. Given the constant stream of data security warnings, it’s imperative that uncertainty about the FTC’s ability to regulate data security be addressed. A number of bills currently pending in Congress would do just that. The FTC should also convene a workshop to examine the issue in depth, as NCL and others suggested last month.

To be clear, there isn’t just a cybercrime wave going on right now. What consumers and businesses across the country are experiencing is more like a cybercrime tsunami. Policymakers in Washington need to make sure the FTC can continue to respond to this threat before we’re all washed away.

The time for credit card security reform is now

(Photo: Steven Senne, AP)

During the busiest shopping time of the year – the period between Thanksgiving and Christmas – Target, one of America’s largest retailers, suffered the second biggest data breach in US history as 40 million credit and debit cards were compromised. Americans assume that when they shop their personal financial information will be kept private and away from identity thieves. Unfortunately, that is not always the case, as evidenced by the more than 4,000 data breaches that have been reported since 2005, an average of more than one a day over the last nine years.

Consumer advocates hope that the scale of the Target data breach will serve as the impetus for much needed credit card security reform. The time for change is now. Although consumers’ financial information will never be 100% secure, there are things that can be done. Retailers can use advanced encryption technology and more secure firewalls. Credit card companies can encourage the use of “Chip and PIN” technology in their credit cards. Our politicians can pass legislation establishing a national data breach notification standard and urge the Obama Administration to explore incentives and penalties to encourage private sector businesses to better protect consumer data. These changes will not happen without pressure from consumers.

This week, a group of Democratic Senators requested that the Senate Banking Committee hold hearings to examine cybersecurity practices. The letter, written by Senators Robert Menendez (D-NJ), Mark Warner (D-VA), and Charles Schumer (D-NY), stated, “We believe it would be valuable for the Committee to examine whether market participants are taking all appropriate actions to safeguard consumer data and protect against fraud, identity theft, and other harmful consequences, and whether we need stronger industry-wide cybersecurity standards.”

Changing and improving security standards will inevitably cost time and money. No one wants to foot the bill for needed innovations. Our lawmakers must capitalize on the current consumer awareness of the need for better cybersecurity and hold a congressional hearing to determine how businesses can better protect consumer data.

The NSA scandal: balancing safety and liberty

By Sally Greenberg, NCL Executive Director

On June 6, Edward Snowden leaked classified information about the National Security Agency’s (NSA) collection of massive amounts of data over the last decade. First came the revelation that the secretive agency demanded that telecom providers hand over droves of phone conversation metadata, including the telephone numbers of those making and receiving calls and how long those calls lasted. Later we learned that the NSA also requested online data collected from Google, Facebook, Yahoo, and others.

Some have called Snowden a hero, others a traitor. The U.S. government has charged Snowden with espionage. Snowden, a 29-year-old high school drop-out (he later earned his GED), had been hired by an outsourced government contractor and had been working with sensitive NSA data since 2009. His release of the classified information has not only raised serious questions about the legality of such data collection and what this means for people living in a free, democratic society such as ours, but also has muddled international relations with China and Russia, both countries in which he has appeared since fleeing. Neither Russia nor Hong Kong was willing to extradite him to the US.

Much of the media’s focus over the last few weeks has revolved around Snowden’s whereabouts, but these revelations about NSA’s actions have also started a more sobering discussion about what role the government plays in both protecting the American people from terrorist attacks and preserving civil liberties.

Polls taken since the disclosure of NSA’s policies show Americans are divided on this issue. A Pew poll reported that 56 percent of Americans think the NSA’s tracking of “millions of Americans” phone records is an acceptable way for the government to investigate terrorism. Conversely, in a CBS poll that asked about collecting phone records of “ordinary Americans,” only 38 percent of respondents found the practice acceptable. Due to the lack of transparency in the NSA program, Americans are unclear how useful such data collection is to ensuring our safety and security.

Federal medical privacy rules strengthened; Medication adherence must be protected

By Sally Greenberg, NCL Executive Director

Last week, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) published its long-awaited final rule revising the nation’s federal medical privacy requirements under the HITECH Act of 2009 – a.k.a. the “HIPAA Privacy Rule.” NCL, a founding member of the Best Privacy Practices Coalition, congratulates HHS for strengthening consumer privacy and data security protections, and enhancing enforcement for HIPAA violations by covered entities and their business associates.

The final rule attempts to strike a balance between patients’ privacy concerns and the meaningful benefits of sponsored and non-sponsored communications that can improve adherence to prescribed therapies and greatly improve patient health. Notwithstanding HHS’s efforts, there remains some tension between certain of the privacy protections and the goals of bolstering public health.

The problem of poor medication adherence is a major and significantly under-appreciated health problem. Studies suggest that nearly three out of four Americans do not take their medication as directed and that the annual cost of non-adherence to the health care system is $290 billion. To address the problem, NCL is leading a medication adherence public awareness campaign, Script Your Future (www.scriptyourfuture.org). NCL’s campaign is designed to help patients take their prescribed medication as directed and better manage health problems such as diabetes, COPD, asthma, high blood pressure, and high cholesterol.

To help combat this problem of poor adherence, most pharmacies, health plans, and doctors provide a broad range of patient-directed communications regarding prescription drug therapies, including communications that encourage patients to stay on prescribed therapy. NCL views these communications, particularly “refill reminders,” as tools that help patients follow their medication regimen.

While we are pleased that the rule does allow use of “refill reminders,” we are concerned that HHS’s final rule is more restrictive than the prior HIPAA Privacy Rule in requiring patient authorization (opt in) before health care providers (and health plans) may use patient information to execute certain sponsored patient communications programs (refill reminders are excepted). To its credit, in addition to codifying the statutory exception for “refill reminder” messages, HHS also maintained the exception for sponsored communications that are delivered in face-to-face settings (e.g., in the pharmacy or doctor’s office).

In particular, we are concerned that the statutory exception for “refill reminders” is available only if compensation received by the covered entity provider or plan is “reasonably related” to the entity’s costs of making the communication. Although Congress included this “reasonable in amount” limitation in the HITECH Act, NCL believes that HHS has gone too far in its preamble interpretation by limiting such compensation to only certain direct costs. Specifically, under the final rule, HHS considers permissible costs to be restricted to those of labor, supplies, and postage to make the communication and that they include “only the pharmacy’s cost of drafting, printing, and mailing the refill reminders.” It sounds like a minor point, perhaps, but we are concerned that this could have a negative impact on patient adherence. We think that a broader definition of costs is called for, including such things as computer hardware, software, and other overhead – because we don’t want to inhibit in any way communications that can help improve the likelihood of patient adherence to medication.

We also are concerned that, from a policy standpoint, the “reasonable compensation” requirement may inhibit HHS efforts to promote medication adherence, and in the end does little to advance patient privacy. For instance, HHS’s Centers for Medicare and Medicaid (CMS) requires and rewards patient adherence programs in several respects, including through physicians’ “meaningful use” of electronic health records (EHRs). Furthermore, in order for vendors implementing Medicare Part D to qualify for reimbursement, they must make use of CMS’s Medication Management Therapy Programs (MTMP), which are, by their very nature, adherence-focused incentives. In addition, HHS’s Agency for Healthcare Research and Quality (AHRQ) has studied the comparative effectiveness of medication adherence interventions and funds adherence educational programs.

We’re concerned that HHS’s interpretation of “reasonable compensation” may not be grounded in good public policy and could actually hamper sponsored adherence efforts, which are widely regarded as beneficial to public health. In the final rule, HHS signaled its intention to issue informal guidance on the “refill reminder” exception. NCL hopes that, in so doing, HHS will make clear that the exception serves an important public health function and that “reasonable compensation” ought to be interpreted in the broadest possible fashion in order to ensure that we are doing all we can to promote improved medication adherence.

NCL symposium examines consumer issues and the next Congress

By John Breyault, NCL Vice President of Public Policy, Telecommunications and Fraud

The freshman class of the 113th Congress will feature 12 new Senators and 67 new Representatives. For consumer advocates, this is an opportunity to introduce ourselves to these new lawmakers and develop relationships that can help promote our economic and social justice mission on the Hill. Freshmen like Senator-elect Elizabeth Warren have long been heroes to the consumer movement, but others such as Senator-elect Heidi Heitkamp and Members-elect Kevin Cramer, Joseph Kennedy III, and George Holding all have experience in regulatory agencies and in the legal system where consumer issues arise.

The incoming members of the 113th Congress will have a full agenda when it comes to consumer issues. Even before the next Congress, the Lame Duck session of the current 112th Congress is tackling the so-called “fiscal cliff” of tax increases and spending cuts mandated by the Budget Control Act of 2011.

It is in this context that NCL convened our inaugural Consumer Issues Symposium on Wednesday, November 14 to examine the future of three important consumer issues in the lame duck session and the coming 113th Congress. We chose to focus the event on three issues near and dear to NCL’s heart – food safety, sequestration and privacy. The goal of the event was to examine not only the future prospects for consumer-focused legislation in Congress, but also to highlight the real-world impact of these policy areas on consumers.

For example, the sequestration cuts envisioned as part of the “fiscal cliff” will require numerous federal agencies to significantly scale back their activities. When the USDA’s Food Safety and Inspection Service is projected to take an $86 million haircut, what does that mean for the safety of America’s food supply? Likewise, in a scenario where the federal Low-Income Home Energy Assistance Program is on track to take a $285 million budget hit, how will consumers living through the cold winter months adjust?

The event, organized in partnership with the law firm of Kelley Drye, was a great success. (Historical note: One of Kelley Drye’s name partners was Nicholas Kelley, son of Florence Kelley, the first General Secretary of NCL.) It featured more than a dozen expert speakers from the Executive Branch, Congress and advocacy organizations, including FTC Commissioner Julie Brill, FDA Deputy Commissioner Michael Taylor and former Congresswoman and CPSC Commissioner Anne Northup. Photos from the event are currently viewable on NCL’s Facebook page.

Facebook privacy

By Sally Greenberg, NCL Executive Director

The Wall Street Journal, of late, has done a very admirable muckraking job looking at the privacy policies of Facebook, Skype, Yahoo and other sites. Why are privacy policies important to consumers? Because marketers want information about consumers so they can try to sell us stuff, and in the process they dig deep for our personal data. And so the Facebooks, Skypes, and Yahoos of the world offer us access to their many fantastic applications – and many are fantastic – but only if we share information about ourselves.

The authors of a recent article in the Journal, Julia Angwin and Jeremy Singer-Vine, put it like this: “This appetite for personal data reflects a fundamental truth about Facebook, and by extension, the Internet economy as a whole: Facebook provides a free service that users pay for, in effect, by providing details about the lives, friendships, interests and activities.” And Facebook has 800-million-plus subscribers, so that’s a lot of money.

You have to ask yourself why Facebook is so highly valued – if it goes public it may be valued at $100 billion. Access to Facebook is free for consumers, so we pay with our private information, which Facebook then sells to advertisers. The Journal also says that Facebook isn’t always enforcing its own rules on data privacy. Dozens of apps apparently allow advertisers that haven’t been approved by Facebook.

Privacy proponents like Helen Nissenbaum, who wrote a book called “Privacy in Context,” are calling for digital “fences” around data usage and even the White House has called for consumers to be told how any data collected will be used. These are serious concerns for all of us who value our privacy and don’t want our personal data collected and sold. Hopefully this Journal series on privacy will get the ball rolling in that direction.

Caller ID spoofing threatening cell phone privacy

By Sally Greenberg, NCL Executive Director

Recently the New York Times reported on the explosion in spoofing of caller IDs by debt collectors or marketers. It turns out that basically anyone can get access to a consumer’s cell phone and spoof the caller ID number—pretend to be a friend, a relative, or a nonprofit like the Humane Society to get you to answer the call.

Ironically, after reading the Times story, I searched the paper’s Web site and found two sites that promise “legal spoofing” so that you can pretend to be someone else when making calls. Spoof Card sells credits—$4.95 is the cheapest—and anyone can buy the credits and use them to spoof any number but their own.

The other site sounds more sinister, and its name is fitting. “Phone Gangster” makes the following claims and says its spoofing is legal in the USA and Canada:

Upon calling a person, you will get to choose what number you want to appear as. Best of all, there is no way the party can find out what phone number the call originated from because their phone records will display the altered number. Our service is not only fun and useful, but it is legal as well. We have tested and confirmed our caller id spoofing service works in the USA and Canada. Purchase an instant phone card from us today!

In September, the Federal Trade Commission received 140,000 complaints about pre-recorded robocalls, more than double the 61,000 complaints in the same month a year ago, the agency said.

Under the Truth in Caller ID Act, passed last year and enforced by the Federal Communications Commission, it is illegal to transmit inaccurate or misleading caller ID information “with the intent to defraud, cause harm or wrongfully obtain anything of value.”

In addition to potentially violating the law, what’s wrong with being able to call someone using a phony caller ID? Because this would be a heyday for telemarketers, debt collectors, and scammers who already prey on consumers using landlines. Cell phones are the last bastion of privacy, where friends, family, and business associates—in other words, only those you choose to share your number with—get access to your cell phone. If that falls victim to spoofers, consumers will lose the trust they have in their cell phones and their cell phone providers.

Enforcement of the FCC and FTC protections is important, but state attorneys general offices should also stay involved, and no legislation should preempt their ability to protect consumers from the mischief of the explosion of fake caller IDs.

Smart computing

By Jacob Markey, Summer 2010 LifeSmarts intern

In just a few weeks, LifeSmarts teams from across the country will travel to Hollywood to compete for the 2011 LifeSmarts National Championship. They will get the chance to put their knowledge to the test, while also enjoying the city, meeting some great new people, and having a ton of fun.

Like other readers of the Savvy Consumer Blog, they would be wise to review this month’s LifeSmarts post on Technology. As I mentioned back in December, there are many safety concerns consumers should keep in mind online in order to keep their personal information private and better avoid identity theft. With more consumers going online to buy goods, conduct online banking, or read the news, identity theft is a persistent problem for consumers.

Here are some helpful tips to ensure that you have a safer experience online:

  • Know that the site you are buying from is safe and reliable. Be thorough and review a person’s or online store’s background information: Check the person’s online ratings to see if others give the seller positive or negative reviews; see if the business is accredited with the Better Business Bureau in its state; make sure the site is secure if you are paying with your credit card. By taking these types of actions, you will decrease the likelihood that you will do business with a person looking to scam you.
  • Watch the actions you take when using an unsecured wireless network at places like cafes, hotels, and airports. Computer thieves can snoop on unsecured connections to steal your personal information and exploit it if they acquire it. It is recommended that you abstain from reviewing banking and other sensitive information when using an unsecured wireless network. If you need to work on confidential information, it is better to choose a secured wired connection or an encrypted wireless connection that requires a password.

Teens must be aware that there is much to watch out for on the Internet. Even Web sites that look harmless may contain dangerous information. If you have any concerns about these types of issues, ask your parents for advice.

Identity theft and computer issues remain a problem. Following smart Internet browsing habits will help decrease the likelihood that your computer will become infected, that your personal information will be stolen, and that you will lose a ton of money.

LifeSmarts: teens’ technology education destination

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

The thought of teaching a modern teenager about technology may seem counterproductive to many people. Indeed, it is teens who seem to be the ones on the cutting edge of technology. The vast majority of teens not only use the latest social networking sites like Facebook, but they are also often inseparable from their cell phones.

Unfortunately, expertise about how to use these technologies doesn’t always equate to knowledge of how to do so safely. Today, it is more important than ever for teens to know how to use technology wisely. For example, snooping on unsecured wifi connections (such as those found in many coffee shops) is increasingly easy for unscrupulous scam artists. Privacy, which for many Facebook-obsessed teens may seem to be an afterthought, could actually be critically important in college admissions and getting jobs later in life. Online scholarship and grant scams are also an area where NCL has noticed an uptick.

Fortunately, there are tools and smart practices that teens can use to avoid some of the most common technology pitfalls. It is these good technology habits that LifeSmarts’ technology curriculum seeks to promote. LifeSmarts team members learn, for example, the importance of taking advantage of their privacy settings on Facebook to make sure third parties can’t get access to sensitive personal information. Knowing how to differentiate a secure Web site from an insecure one can save teens from having nasty malware surreptitiously installed on their computers. Understanding the importance of using strong passwords (as opposed to easy-to-guess common words) can save teens from seeing their laptops become part of a botnet or worse.

During National Consumer Protection Week, we urge teens and their parents to consider the important value of this knowledge in today’s 24/7 digitally-connected world. By becoming savvy technology consumers, LifeSmarts participants become better prepared to choose their own cell phone plans, get broadband service at their first apartments, and pass on lessons learned in LifeSmarts to friends, family members and, eventually, their own children.

For more information on the LifeSmarts technology curriculum, visit LifeSmarts.org. To learn more about National Consumer Protection Week, visit www.ncpw.gov.