Recently, oral arguments were heard in a very important case in the U.S. Court of Appeals for the Second Circuit. The case is officially titled In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, but it is being referred to as Microsoft v. United States for short.
PCI Training: Reducing the Risk of Phishing Attacks
The Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks. Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS). One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.
A major threat to PCI data is phishing, with almost a third targeted at stealing financial data.
According to a stat in the PCI Guide, Defending Against Social Engineering and Phishing Attacks,: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”
Start with Security: The FTC’s Data Security Guidance
Recently, the FTC issued a short guide to what organizations can do to protect data security. It is called Start with Security (HTML) — a PDF version is here. This document provides a very clear and straightforward discussion of 10 good information security measures. It uses examples from FTC cases.
Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents
By Daniel J. Solove
Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.
“HIPAA?” the doctors will ask.
“Yes, HIPAA,” I confess.
And then the doctor’s face turns grim. At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease. Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.” It’s about as bad as “stink eye.”
5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham
Over at Fierce IT Security, Professor Woodrow Hartzog and I have a new essay, 5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham. The piece discusses some enforcement strategies we believe the FTC should use to maximize its effectiveness in improving data security. Our suggestions include:
- Do more proactive enforcement
- Take on more data security cases
- Push companies toward improved authentication – moving beyond mere passwords
- Restrict the use of Social Security numbers for authentication purposes
- Develop a theory of data stewardship for third parties
Please check out our essay for our explanation of the above agenda and a lot more detail.
New Security Training Program: Social Engineering: Spies and Sabotage
I am pleased to announce the launch of our new training program, Social Engineering: Spies and Sabotage. This course is a short module (~7 minutes long) that provides a general introduction to social engineering.
After discussing several types of social engineering (phishing, baiting, pretexting, and tailgaiting), the course provides advice for avoiding these tricks and scams. Key points are applied and reinforced with 4 scenario quiz questions.
The High Cost of Phishing and the ROI of Phishing Training
A study recently revealed that nearly 25% of data breaches involve phishing, and it is the second most frequent data security threat companies face. Phishing is an enormous problem, and it is getting worse.
In a staggering statistic, on average, a company with 10,000 employees will spend $3.7 million per year handling phishing attacks.
Social Dimensions of Privacy
I recently received my copy of Social Dimensions of Privacy, edited by Beate Roessler & Dorota Mokrosinska. The book was published by Cambridge University Press this summer.
I’m delighted as I look over this book. The book has a wonderful selection of short philosophical essays on privacy, and I’m honored to be included among the terrific group of chapter authors, who include Anita Allen, Paul Schwartz, Helen Nissenbaum, Judith Wagner DeCew, Kirsty Hughes, Colin Bennett, Adam Moore, and Priscilla Regan, among many others. Each chapter is succinct and well-chosen.
From the book blurb: “Written by a select international group of leading privacy scholars, Social Dimensions of Privacy endorses and develops an innovative approach to privacy. By debating topical privacy cases in their specific research areas, the contributors explore the new privacy-sensitive areas: legal scholars and political theorists discuss the European and American approaches to privacy regulation; sociologists explore new forms of surveillance and privacy on social network sites; and philosophers revisit feminist critiques of privacy, discuss markets in personal data, issues of privacy in health care and democratic politics. The broad interdisciplinary character of the volume will be of interest to readers from a variety of scientific disciplines who are concerned with privacy and data protection issues.”
My chapter is entitled “The Meaning and Value of Privacy.”
Here’s a full table of contents:
The FTC Has the Authority to Enforce Data Security: FTC v. Wyndham Worldwide Corp.
by Daniel J. Solove
The U.S. Court of Appeals for the 3rd Circuit just affirmed the district court decision in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd. Cir. Aug. 24, 2015). The case involves a challenge by Wyndham to an Federal Trade Commission (FTC) enforcement action emerging out of data breaches at the Wyndham.
Background
Since the mid-1990s, the FTC has been enforcing Section 5 of the FTC Act, 15 U.S.C. § 45, in instances involving privacy and data security. Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.” Deception and unfairness are two independent bases for FTC enforcement. During the past 15-20 years, the FTC has brought about 180 enforcement actions, the vast majority of which have settled. Wyndham was one of the exceptions; instead of settling, it challenged the FTC’s authority to enforce to protect data security as an unfair trade practice.
Among the arguments made by Wyndham, three are most worth focusing on:
(1) Because Congress enacted data security laws to regulate specific industries, Congress didn’t intend for the FTC to be able to regulate data security under the FTC Act.
(2) The FTC is not providing fair notice about the security practices it deems as “unfair” because it is enforcing on a case-by-case basis rather than promulgating a set of specific practices it deems as unfair.
(3) The FTC failed to establish “substantial injury to consumers” as required to enforce for unfairness.
The district court rejected all three of these arguments, and so did the 3rd Circuit Court of Appeals. Here is a very brief overview of the 3rd Circuit’s reasoning.
Should the FTC Kill the Password? The Case for Better Authentication
Co-authored by Professor Woodrow Hartzog.
Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.