Recognizing Computer Threats – Data Breach Awareness, Part II

By Chris Williams

Recap from Part I

Large-scale data breaches are increasing in both frequency and magnitude, leading to an unprecedented threat to consumers’ confidential personal and financial information. Laws currently on the books concerning data breach notifications are fairly weak; compromised organizations often sit on information for weeks or months (occasionally years) before notifying affected customers that their data has been leaked—this is completely unacceptable yet seems to be common practice in certain industries such as web-based email.

Users should use unique passwords that are not shared among multiple accounts; re-using passwords creates a single point of failure that dramatically increases a consumer’s risk of private data being exposed during a hack.

There are a number of ways in which the average consumer can protect themselves from exposure, and it starts by understanding the companies you do business with; get to know their practices and policies, and make sure that they follow all applicable laws concerning what is done with your data.

Data privacy laws

How are organizations protecting your data? Do you have any recourse if you suspect they are not following these practices?

The Privacy Act of 1974 states that consumers have a right to determine how their personally identifiable information is used: more specifically, that they must give prior consent in writing before any of their PII is disseminated by a company (or organization/agency); they must be able to obtain copies of their personal records with that company upon request; and they must be provided with a means to amend or correct any incorrect information that exists in that company’s records. This doesn’t give users the level of granularity which many would like, but it’s a start.

Organizations that collect personal information of any kind should post their privacy policies online. Most do, even if these policies can be difficult to locate; alongside this, consumers can usually find the contact information for whomever is responsible for providing copies of records, and updating incorrect records. While creating an account or signing up for a service, email subscription, etc. the end-user agreement should also spell out the organization’s privacy and data collection policies—if not, that could be a potential red flag.

The Privacy act does include some provision for redressing violations in civil court: “The Privacy Act provides for four separate and distinct civil causes of action, see 5 U.S.C. § 552a(g), two of which provide for injunctive relief – amendment lawsuits under (g)(1)(A) and access lawsuits under (g)(1)(B) – and two of which provide for compensatory relief in the form of monetary damages – damages lawsuits under (g)(1)(C) and (g)(1)(D).” Litigation aside, there’s plenty of incentive for organizations to comply with these rules; among those incentives is simply public image. Customers can be very quick to turn upon companies that fail to meet privacy regulations; this can cascade quickly into widespread distrust and loss of reputation with consumers and/or industry peers. That in mind, contacting the organization to address a complaint might be more than sufficient—no need to call a lawyer just yet.

FERPA (Family Educational Rights and Privacy Act) is another federal law which governs disclosure and maintenance of information, this time dealing with the educational sector. Student records such as transcripts are protected, requiring express written consent from the student (or their legal guardian if under 18) before being disseminated for any reason, other than on official school business. Much like the Privacy Act, concerned individuals must follow a designated path to request corrections or amendments; additionally, the record owner has a right to request copies of those records as well as to receive them in a timely manner.

For information on understanding your FERPA rights, or for reporting suspected violations, visit the following: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/students.html

HIPAA (Health Insurance Portability and Accountability Act) is another federal law; aimed at the healthcare sector, it is otherwise similar in concept to the previous two. Health insurance providers, doctors, hospitals, specialists, and anyone who deals with protected health information (PHI) of any kind must follow these rules. This also includes HR employees at organizations that offer health care plans as part of compensation packages.

If you have additional HIPAA questions or need to report a potential violation, the following page should help: https://www.hhs.gov/hipaa/filing-a-complaint/index.html?language=es

The takeaway

It’s extremely critical that organizations treat confidential consumer information with the respect it deserves. Many companies do not have policies or procedures that address this issue, however. Where possible avoid an unnecessary risk of doing business with organizations that have poor/nonexistent privacy policies; same holds true for companies that consistently disregard information security best practices. Laws such as the Privacy Act, HIPAA, and FERPA contain numerous measures to enforce compliance; it is important to report suspected violations for both your protection as well as the protection of other consumers.

Copyright © 2017 ParadoxPrime IA, All rights reserved

Recognizing Computer Threats – Data Breach Awareness, Part I

By Chris Williams

Data breach

If it seems like data breaches are becoming more and more commonplace all the time, that’s because it’s true: the frequency of data breach and security incidents that result in some level of data leakage is on the rise. On top of that, the public’s perception of these incidents is becoming more acute. This is in part because a larger percentage of data breaches are being publicized than ever before. Due to the prevalence of both national and state laws which require companies to notify consumers when their personally identifiable information (PII) is compromised, it is essentially unavoidable: organizations must have procedures in their incident response plans to deal with these types of contingencies. Private organizations such as Payment Card Institute (PCI) have their own rules concerning how breach notifications must take place; they typically enforce such policies through audits and by assessing non-compliance penalties.

Breach notifications

Best practice after a data breach is to send breach notification notices out as soon as the scope of the incident has been reasonably well determined; this is both for compliance purposes as well as for good “public relations”. On the other hand, companies that are slow to publicize data breaches are often maligned in the court of public opinion. Despite the bad PR that can occur when a company’s security practices are implicated after a security incident, some public forgiveness can be gained by simply being forthcoming. Additionally, when organizations provide supplemental services such as credit monitoring to data breach victims, the extra expense is typically justified by the positive effect on consumer confidence. Transparency, expediency, and ownership of the incident are surprisingly effective tools in retaining customers after an incident occurs.

All this being said, with the sheer number of incidents happening, consumers still need to understand how to minimize their risks. It is important to know what steps to take if an incident occurs targeting a service provider or retailer that they utilize. It is also vital to recognize that not all organizations are forthcoming when a breach occurs, even if the law says they should be.

Webmail accounts: use unique passwords

A data breach that compromises your email account password can mean more than just a loss of privacy (although that is of course the primary concern since most of us are uncomfortable with the prospect of strangers reading our emails). Exposure of personally identifiable information (PII) is often linked to identity theft and other forms of fraud; criminals may use this info directly or sell it via black market. This information is used to open fraudulent bank accounts, make purchases with compromised payment cards, and so on. Many users fail to consider the considerable level of PII that is exposed during a data breach. The following non-comprehensive list includes a few good examples:

Correspondences with companies you do business with, including healthcare providers (noteworthy because of the depth of information these companies retain); lists of personal friends, family members, and associates; employment-related messages such as recruitment or application emails; vacation plans; event invites; receipts for purchases, often with partially visible payment information; billing and shipping addresses; and much, much more.

A compromised webmail account can provide hackers with tremendous detail regarding your personal life—and accounts you may have with e-commerce sites and other services—therefore it is important not to re-use any passwords across multiple different services.

Scenario: compromised webmail password

Tom uses Yahoo for webmail. Tom’s yahoo.com email address is also the user name for his Amazon account, and the passwords for his Yahoo and Amazon profiles are identical. Let’s imagine his Yahoo password is stolen during a mass data breach; hackers can then gain access to his inbox, and read all of his messages. From there they determine that he has an Amazon account by skimming through transaction emails. Their next step will of course be Amazon.com. By simply entering the same password used to access his Yahoo inbox they will easily gain access to Tom’s Amazon account, because the password was re-used for both accounts; by contrast, they could not have done so if the passwords were different. (They would, however, still have his Amazon user name since it’s the same as his Yahoo email address).

Amazon, like most e-commerce retailers, allows customers to re-use payment cards that they have previously saved.  Whoever has access to Tom’s account also has access to make unauthorized purchases—without even having to provide a credit card.

The takeaway

Breach notification laws exist to protect consumers whose protected information may have been affected by a security breach. Unfortunately, these laws are not as comprehensive or as compelling as they could be, and so many companies are still slow to report & publicize incidents.

Using the same credentials for multiple email and/or other accounts is inadvisable. This practice creates a single point of failure by which attackers can gain access to all of your private data. Monitor your inbox for unsolicited messages, and check your Sent folder from time to time. Again, just because your webmail provider has not announced an incident does not mean no such event has taken place.

There’s plenty more so say about this topic: we’ll be back soon with part II!

Copyright © 2016 ParadoxPrime IA, All rights reserved