Privacy is no longer the flavor of the month, but rather the issue of the decade. Growing concern over the risks inherent in the loss of control over personal information—either by unauthorized criminal access, business practice, governmental fiat or voluntary action—has brought the issue top-of-mind in 2010. People around the world finally began to recognize the reality and the dark side of global overexposure.
We asked privacy experts from government, business and consumer rights organizations for their take on the message behind the headlines. Kristin Krause Cohen is an attorney with the division of privacy and identity protection, Bureau of Consumer Protection, Federal Trade Commission. A former U.S. prosecutor, Kimberly Peretti is a director with PWC’s U.S. Forensic Technology Solutions practice. Paul Stephens is the director of policy and advocacy with Privacy Rights Clearinghouse.
Facebook—The popular social networking site ignited a firestorm of controversy in May when it altered its privacy settings, changes that included the launch of social plug-ins that share profile information with other websites.
Cohen: “The FTC is certainly concerned that businesses, including social networking sites, live up to the privacy promises they make. For example, in our recent settlement with Twitter, we alleged that the company failed to live up to its promise to safeguard consumers’ personal information.”
Stephens: “The real problem with Facebook is that so many people consider it socially indispensable. Facebook, in a sense, has a monopoly on social networking, and many people—app developers and the like—are taking advantage of this. Another key problem that makes Facebook very unfriendly to the consumer is that the privacy policy changes so often. Facebook has created this situation in which consumers feel they need to use it, yet they have a privacy policy that is incomprehensible and consistently changing.”
Google—Growing concerns over Google and privacy were amplified in 2010 when it was revealed that the Google Maps Street View team, which photographs city streets for the Street View feature, gathered more than just the occasional image of a naked person—they also nabbed personal data from unprotected Wi-Fi networks. Google called the collection “accidental” and is reportedly deleting the information, but not before privacy watchdogs showed their teeth.
Cohen: “The FTC certainly had concerns about Google’s internal policies that led to this inadvertent data collection. We’ve received assurances that they have improved their procedures, including incorporating a formal privacy review process into all their new initiatives. They have also said that they have not used the data and will delete it.”
Stephens: “There’s blame to go around here. One of the problems is that the typical default configuration of a wireless router does not maintain adequate security. It’s an extremely difficult task to properly configure a Wi-Fi router and keep it secure. That doesn’t take any of the blame away from Google, but there are two parts to this story. It should serve as a wake-up call to consumers.”
Health care—Data breaches cost the health care industry $6 billion per year—a systemic ailment if ever there was one—yet 70 percent of health care providers don’t see securing data as a priority, according to a November Ponemon Institute study with 65 survey respondents. Providers are apparently a soft target for cybercriminals: Over a two-year period, the average organization had 2.4 “data breach incidents” and lost approximately $2 million.
Cohen: “With the push for electronic health records, we also need to start pushing data security. But it’s important, too, that paper records not be ignored. [The FTC] and U.S. Department of Health and Human Services recently reached settlements with CVS and Rite Aid, in which we alleged the companies’ inadequate data disposal policies led to sensitive personal health and employee information being found in publicly accessible dumpsters.”
Stephens: “What’s unique with respect to the health care industry isn’t the number of breaches, but the nature of the data. Whereas typical data compromised in a breach tends to be financial and can contribute to identity theft, health care also has medical records that are sensitive in a different way. That information won’t help identity thieves but can cause embarrassment or issues with employers or in finding insurance.”
Albert Gonzalez—In August 2008, then-U.S. Attorney General Michael Mukasey called the indictment of hacker Albert Gonzalez “the single largest and most complex identity-theft case ever charged in this country.” In March, the hacker smackdown continued when Gonzalez pleaded guilty to all counts and was sentenced to 20 years in federal prison.
Cohen: “Obviously, we’re extremely happy he’s been brought to justice, though we think it’s important to note that companies that collect sensitive data must remember that they have an obligation to protect information from hackers like Gonzalez. The burden is not solely on law enforcement.”
Peretti: “Our adversaries, the people who can attack our system, do not require a great amount of experience, resources or training. This isn’t a mafia. It’s kids meeting in high school or meeting in the shopping mall with the self-taught computer skills to get into hundreds of systems.”
Zeus Banking Scam—In case you needed more reasons not to open email attachments from unknown senders: More than 80 people were arrested worldwide in September and October in a banking scam that targeted midsize businesses and municipalities—siphoning off more than $70 million.
Cohen: “Educate yourself. The FTC has an online security site, OnGuard Online, to help consumers learn how to protect against Internet fraud and secure their personal information.”
Peretti: “Cybercriminals are constantly changing their attack. In this case we saw them using malware to steal credentials, but they also constantly changed their attack based on the financial institution’s particular security practices. It demonstrates the need for an active and ongoing incident response approach to cyberincidents.”