An increasingly common and relatively easy way for hackers to get at sensitive data is “phishing,” where unwitting recipients of email or text messages (SMS phishing, or “smishing”) trust the sender with the sought-after information. According to Verizon’s new 2016 Data Breach Investigations Report, about 90% of security incidents stem from some form of phishing. Verizon reports that phishing continues to trend upward and is found in the most opportunistic attacks as well as in “sophisticated nation-state tomfoolery.” But the president of the Olympia School District chuckles (yes, that’s right, chuckles) at its recent breach resulting from phishing because, according to what he told MyNorthwest reporter Sara Lerner:
“It happens…it’s an opportunity to have that conversation and move forward with it. You could call it a teachable moment if you want to,” he said, with a chuckle.
That kind of cavalier attitude is exactly the problem we have with so many school districts and government agencies. One cannot be careless with sensitive data, whether at a school district or at the Health Care Authority, where in the Apple Health data breach an employee’s mishandling and HCA’s insufficient privacy protocols allowed the medical records of 91,000 individuals to be sent to an unauthorized recipient.
As we continue our class action litigation regarding the Anthem data breach as well as the Amerigroup Washington data breach, I learn more about how stolen protected health information (PHI) is marketed on the dark net. To those who want to toss caution to the wind, feel free to do so with your own data. Just not everyone else’s.
BTW: If you were one of those who received a data breach notification from HCA or the Olympia School District, please contact me at Catherine@Stritmatter.com or 206.448.1777. I would like to learn your perspective and story, as well as share the details of how we’re trying to hold these organizations accountable to prevent future data breaches.
Bravo, Apple, for standing up for privacy and data security.
I usually avoid discussing September 11, 2001. But this is relevant. Since 9/11, so many private citizens in this country think it is okay to give up privacy in the name of homeland security. They will say, “I have nothing to hide,” as if only people like the terrorists have anything to hide. But valuing our privacy is not about wanting to hide information. It is about having control over what we disclose, to whom, and when we choose. When a governing body has easy access to the minute details of each of our lives, we have given away so much of ourselves without anything in return (except the sweet promise of catching the bad guys). We have already made it that easy with government surveillance programs.
Trust me: Just thinking about 9/11 still gets me spitting mad at the radicals who claimed to kill in the name of their god. In one of the most horrific ways imaginable (burning innocent people to death, who were trapped in the towers) they stole my brother and best friend from me on his first day at his new job on the 96th floor of the WTC North Tower. Many other brothers, sisters, fathers, and mothers were robbed from their families that day as well. If anyone has an inextinguishable desire to rid our world of terrorists, it is me.
But ramming down iPhone security is not the way to fight terrorism. Weakening the security that protects each of us from bad actors, for the sake of getting at one discrete set of information, is not the answer: a weakness built in for investigators is a weakness available to anyone else who finds it.
Each of us needs to understand why our personal data and privacy are worth fighting for. If we are ready to throw our privacy out the window for the sake of an investigation, we give up all that we have fought for since 9/11.
Tomorrow, January 28, 2016, is Data Privacy Day. Big deal? It actually is: The first Data Privacy Day that occurred in the United States and Canada was in 2008, which was observed as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981 signing of Convention 108, which was the first legally binding international treaty dealing with privacy and data protection.
Now led by the National Cyber Security Alliance (NCSA), Data Privacy Day has become the signature event promoting privacy awareness. Without committed defenders of privacy like the Electronic Frontier Foundation, we would not have seen a complaint filed with the FTC against Google for unauthorized collection of school-aged children’s information while they use Google Apps and Chromebooks in their schools. Google’s unauthorized collection of personal information from school children via Chromebooks and Google Apps for Education (GAFE) caught the attention of Senator Al Franken, ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. Franken responded by writing a letter to Google CEO Sundar Pichai asking for information about GAFE’s privacy practices.
The first step to ensure that our student privacy campaign succeeds is to educate ourselves as parents. This way, we can direct our energy and knowledge effectively. On this Data Privacy Day, take the time to check out the resources that the Electronic Frontier Foundation compiled to help you regain control of your children’s privacy. Please spread the word about student privacy by sharing these and similar resources with other parents!
I can’t emphasize enough how important it is that parents understand their and their children’s rights. We live in a world where parents may be asked by schools to waive those rights before their youngsters are permitted to use technology in the classroom. Third parties will too often encourage parents to give schools consent to release their children’s information to those very third parties.
Interested in becoming part of the “privacy defender team?” There are many ways in which you can get involved.
- Create a culture of privacy at your organization.
- Own your personal online presence.
- Share your privacy knowledge with your local communities.
- Attend a Data Privacy Day event.
- Become a Data Privacy Day Champion.
I wanted to share the above infographic from The Economist, which illustrates the spike in data breaches since 2005. Most notable: medical records data breaches rose over 40% last year. Subcontractor and employee negligence are also on the rise. A couple of positive takeaways are that there is apparently less insider theft and a decreasing percentage of breaches that include Social Security numbers.
I read an interesting post earlier today on one of WSJ’s blogs. It admitted that the pendulum has swung in favor of consumers in data breach cases. While defendant companies continue to get cases bounced on the flawed premise that their data breach victims have not suffered any “actual harm,” more courts are sympathetic to the consumers.
Two big cases come to mind. One is the Wyndham data breach case (the FTC brought the action). This past August, the U.S. Court of Appeals for the Third Circuit ruled against Wyndham, finding that the FTC can take action against organizations that maintained poor IT security practices.
Several weeks before Wyndham was decided, the U.S. Court of Appeals for the Seventh Circuit reinstated a data breach case against Neiman Marcus. Why? It found that the risk of harm was enough to establish standing. The 350,000 affected customers “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing,” the court ruled.
The Seventh Circuit reinstated both types of claims: those of customers who had incurred expenses tied to the Neiman Marcus hack, and those of customers who feared identity theft in the future. Chief Judge Diane Wood pointed out that a breach victim’s fear of hackers in the future is not too “speculative” for a day in court.
Wood asks: “Why else [other than to cause harm] would hackers break into a store’s database and steal consumers’ private information?”
Can you imagine a world without Google? I can’t.
I have a Droid phone as well as an iPhone. But everything tethers to my Google world — contacts, maps, videos, etc.
It wasn’t always this way, but internet marketers (including Google) have figured out that the key to making money off of content is via online profiling and highly targeted advertising. If you Google something or shop on Amazon, do you notice how your latest online shopping follows you to online news sites, your gmail, yahoo mail, etc? That’s how sophisticated online marketing has grown. (As I mentioned elsewhere, I too used to work in the online marketing/high tech world. We would hear concerns about privacy, but needed to tune them out to figure out how to get the most bang for our clients’ marketing/advertising dollars.)
Finnish security researcher and chief research officer Mikko Hypponen tried to keep a vow of unGoogleness. After all, he understood his privacy was threatened every time he broke that vow. But, try as he might, he couldn’t.
Speaking at a WSJ technology conference, WSJDLive, Hypponen openly confessed that the Internet has evolved into a privacy nightmare because of users’ reliance on “free” services. (I will talk more about “free” and sex in an upcoming blog post.)
“I really tried getting rid of Google,” he said. “You can’t avoid Google. We are way beyond that.” True that.
Let me know if you’ve succeeded in upholding the vow of nonGoogleness. I’d love to know how you did it!
Senator Sherrod Brown (D-OH), the top Democrat on the Senate Banking Committee, demands that credit agency Experian provide more details about a data breach in which personal information on millions of T-Mobile customers was stolen.
“Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system,” Brown wrote in a letter sent to Experian today.
Experian said earlier this month that hackers had broken into a server containing data on T-Mobile customers. The breach exposed personal information of 15 million current and prospective customers, including Social Security numbers of those who applied for T-Mobile cell service between Sept. 1, 2013 and Sept. 16, 2015.
Experian’s main consumer credit database was not broken into, Experian says, and T-Mobile and Experian are providing two years of credit monitoring services and identity theft recovery services for free.
Along with increased disclosure about the breach, Brown also asks Experian to provide “credit freezes” to affected customers for free. Credit freezes allow customers to restrict access to their credit reports in cases of potential identity theft, but typically credit agencies charge for this service. Brown also asked Experian to explain how well its credit monitoring and identity theft protection services work.
Data breaches, identity theft and cyber security have become a priority as more companies have disclosed breaches of their systems. Lawmakers have attempted legislation to address the issue, including a bill that would require companies to inform their customers about a breach within 30 days of learning about it themselves.
Experian, in a statement, said they had received Brown’s letter, “understand the concerns raised” and will respond accordingly.
WA AG Ferguson urges T-Mobile customers “…to take immediate steps to determine whether you have been a victim of ID theft, and to protect your information going forward,” he said in a statement offering advice to affected consumers.
According to T-Mobile and the credit-reporting company Experian, the breach compromised data that was used by T-Mobile to run credit checks of individuals who applied for T-Mobile services from Sept. 1, 2013, through Sept. 16, 2015. Unauthorized access was gained to Experian’s servers, exposing data including name, address, birthdate, Social Security number, other ID numbers (such as driver’s license, military ID, or passport numbers), and additional information used in T-Mobile’s credit assessment. An estimated 15 million consumers nationwide may have had their data compromised. Experian plans to notify affected consumers.
The Attorney General’s Office offers affected consumers the following advice to guard against identity theft.
- Monitor your credit reports. You are entitled to one free credit report every 12 months from each of the three nationwide credit bureaus (Equifax, Experian and TransUnion). You can request one free report from a different bureau every four months to monitor throughout the year.
- Consider placing a “fraud alert” with each of the three credit bureaus. An alert does not block potential new credit, but places a comment on your history. Creditors should contact you prior to opening a new account.
- Consider placing a “security freeze” with each of the three credit bureaus to prohibit the release of any information from your reports. A security freeze can help prevent identity theft since most businesses will not open credit accounts without checking a consumer’s credit history first. This increases the likelihood that if an ID thief tries to open a new account under your name, they will be denied.
- Beware of unsolicited calls or emails offering credit monitoring or identity theft services. Consumers should never provide their Social Security number, credit card numbers or other personal information in response to unsolicited emails or calls.
If you find unexplained activity on your credit reports, or if you believe you are the victim of identity theft, check these resources for information on steps you can take to protect yourself.
- Review the Attorney General’s ID theft website.
- Review the Federal Trade Commission’s ID theft website.
This entry is republished from an Oct. 9, 2015 blog entry at http://nw-injurylawyers.com/.