Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Category Archives: Cybercrime

FCC Adopts Broadband Consumer Privacy Rules

“WASHINGTON, October 27, 2016 – The Federal Communications Commission today adopted rules that require broadband Internet Service Providers (ISPs) to protect the privacy of their customers. The rules ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs. The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, giving broadband customers the tools they need to make informed decisions about how their information is used and shared by their ISPs. To provide consumers more control over the use of their personal information, the rules establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information. This approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights. The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

  • Opt-in: ISPs are required to obtain affirmative opt-in consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of
  • Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer opts out. All other individually identifiable customer information, for example email address or service tier information, would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.
  • Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

  • Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;
  • A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
  • Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.

The scope of the rules is limited to broadband service providers and other telecommunications carriers. The rules do not apply to the privacy practices of web sites and other “edge services” over which the Federal Trade Commission has authority. The scope of the rules does not include other services of a broadband provider, such as the operation of a social media website, or issues such as government surveillance, encryption or law enforcement.”

What to Do When You Suspect a Data Breach: FTC Issues Video and Guide for Businesses

“If your business has experienced a data breach, you are probably wondering what to do next. The Federal Trade Commission’s new Data Breach Response: A Guide for Business, an accompanying video and business blog can help you figure out what steps to take and whom to contact. Among the key steps are securing physical areas,…

Extensive botnet DDoS attacks take major sites offline

TechCrunch: “Several waves of major cyberattacks against an internet directory service knocked dozens of popular websites offline today, with outages continuing into the afternoon. Twitter, SoundCloud, Spotify, Shopify, and other websites have been inaccessible to many users throughout the day. The outages are the result of several distributed denial of service (DDoS) attacks on the DNS provider…

Former NSA contractor removed 50 terabytes of classified data

ZDNet: “An NSA contractor siphoned off dozens of hard drives’ worth of data from government computers over two decades, prosecutors will allege on Friday. The contractor, Harold T. Martin III, is also accused of stealing thousands of highly classified documents, computers, and other storage devices during his tenure at the agency. It’s not known exactly…

DOT Cybersecurity Incident Handling Is Ineffective and Incomplete

DOT IG Report – October 13, 2016 – DOT Cybersecurity Incident Handling Is Ineffective and Incomplete, Project ID: FI-2017-001: “An effective response to cyber incidents minimizes disruptions to information systems and data losses. We conducted this audit because of DOT’s large number of information systems that contain sensitive data as well as the high number of…

USSS Faces Challenges Protecting Sensitive Case Management Systems and Data

“We performed this audit as a follow-up to a September 2015 Office of Inspector General (OIG) investigation regarding United States Secret Service (USSS) employees improperly accessing and distributing sensitive information on the agency’s Master Central Index (MCI) mainframe system. Our objective was to determine whether adequate controls and data protections were in place on systems to which…

Fortune – Publishing Hacked Private Emails Can Be a Slippery Slope

“It may be hard for the media to resist a big email dump, but there are long-term risks. Regular dumps of classified documents and other internal communications have become a fixture of modern life, thanks in part to stateless—and frequently lawless—entities like WikiLeaks. But is publishing those leaks always the right thing to do? That’s…

FTC – New Identity Theft Report helps you spot ID theft

“Do you ever hear from customers or employees who want you to know that they’ve been affected by identity theft? If so, you’ll probably start seeing them use the new FTC Identity Theft Report. It tells you that someone important to your business is a crime victim, has alerted law enforcement, and is working to…

White House Announces Russia Responsible for Hacking Democratic National Cmte

Reuters – Mark Hosenball, Dustin Volz and Jonathan Landay: “The U.S. government for the first time on Friday formally accused Russia of a campaign of cyber attacks against Democratic Party organizations ahead of the Nov. 8 presidential election. “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could…

NIST study – Security Fatigue

Security Fatigue, vol. 18, no. 05, Sept.-Oct. 2016, ISSN 1520-9202, pp. 26-32: “Security fatigue has been used to describe experiences with online security. This study identifies the affective manifestations resulting from decision fatigue and the role it plays in users’ security decisions. A semistructured interview protocol was used to collect…

Online or on paper, get the latest FTC identity theft info

“Looking for information on dealing with identity theft? The FTC has new and revised identity theft publications that reflect features of that make it easier to report and recover from identity theft. Here’s what’s hot off the presses: Identity Theft – What to Know, What to Do gives an overview of identity theft and…

CRS – Encryption: Frequently Asked Questions

Encryption: Frequently Asked Questions, Chris Jaikaran, Analyst in Cybersecurity Policy. September 28, 2016. “Encryption is a process to secure information from unwanted access or use. Encryption uses the art of cryptography to change information which can be read (plaintext) and make it so that it cannot be read (ciphertext). Decryption uses the same art of…