Each Month Terbium Labs’ Research Team curates news and information from the corners of the internet just for you! Articles, research, infographics, and more related to infosecurity, cybercrime, payment card fraud, automation, and other popular topics are summarized to provide market insight each month here on our blog.
New York State passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act on July 25th — don’t get excited.
Why do I care?
The SHIELD Act goes into effect on March 21, 2020, giving businesses less than a year to adapt to the latest state data breach protection law that impacts every business with data from a resident of New York State.
What does the law do?
- Broadens the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers;
- Updates the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information;
- Extends the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State;
- Expands the definition of a data breach to include unauthorized access to private information; and
- Creates reasonable data security requirements tailored to the size of a business.
While the law is a step in the right direction for most, privacy advocates do note that the law takes away an individual’s right to sue, which means no class action lawsuits. Instead, the attorney general may bring an action to enjoin violations of the law.
This article reviews the new SHIELD Act, which updates New York’s existing data protection law, at a high level.
Equifax is being fined at least $575 Million for the breach that exposed the lifetime data of 144 million people. This is either insultingly low or a step in the right direction towards regulations and punishments designed to safeguard consumer data.
Why do I care?
The company is paying at least $300 million into a fund for credit monitoring services for “affected customers”, $175 million in fines to 48 states, Washington D.C., and Puerto Rico, and $100 million in penalties to the Consumer Financial Protection Bureau. Equifax will also have to provide nine free credit reports per year to all U.S. consumers for seven years.
As far as the low fine goes, the FTC apparently did this purposefully. “We want to make sure we don’t bankrupt the company or have them go out of business,” said Maneesha Mithal, a data and privacy subject matter expert with the FTC. “We want to make sure they have the funds and resources to protect consumers going forward.”
This article reviews the penalties Equifax agreed to in response to possibly the worst leak of lifetime information in the history of the world.
Facebook has been fined $5 billion by the FTC and is required to adopt a new management structure, create an independent privacy committee, and adhere to rules the FTC has imposed regarding disclosure. Similar to NY’s SHIELD Act, Facebook would have 30 days to report a breach or leak impacting more than 500 customers. The SEC also fined Facebook an additional $100 million for misleading investors about its data security.
Why do I care?
From a consumer’s point of view, there is room to be disappointed, as the FTC also agreed to essentially give Facebook a pass on known claims of violations before June 12, 2019 and immunity to its officers and directors. The fine also doesn’t do much to educate the public, though it is a record amount. From a corporate view, the FTC’s decision to settle on the agreed-upon amount is a win for Facebook. They have $56 billion in annual revenue. The fine is a slap on the wrist.
“The F.T.C. is sending the message that wealthy executives and massive corporations can rampantly violate Americans’ privacy and lie about how our personal information is used and abused and get off with no meaningful consequences,” - Senator Ron Wyden
This article looks at the fine and the fallout of the Cambridge Analytica scandal. Facebook has been fined a record $5 billion, but financially it’s a slap on the wrist.
The Financial Crimes Enforcement Network (FinCEN), a U.S. Department of the Treasury unit, reports that scammers made an average of $301 million per month in 2018 from business email compromise (BEC) scams.
Why do I care?
BEC continues to be a thorn in the side of cybersecurity professionals despite additional corporate training, stronger anti-phishing and anti-spoofing measures, and generally more attention being paid to cybersecurity. The article notes that the manufacturing and construction industries are the most targeted, representing 25% of all analyzed transactions.
BEC is attractive to criminals because of its high profit, low cost, and low risk. This article discusses FinCEN’s figures.
Black Hat, BSides, and DEF CON are coming to Las Vegas, Nevada. Every year, everyone from lifetime cybersecurity professionals to elite hackers gather in conference rooms and on showroom floors for “hacker summer camp”.
Why do I care?
For the security professional, Black Hat especially is a time for you to check out the competition, gain market share, and visit us for a chat. But the fear of data compromise seems to rear its head every year. The article makes it pretty clear that while there will most likely be surveillance and hacking devices like Wi-Fi Pineapples, the popular penetration testing tool with interesting off-label usage.
“If you work in the infosec industry and you really believe you need a burner phone for these conferences, you may need to do some soul searching. What’s the point of having a $100 billion industry if it can’t secure phones in a place where a bunch of hackers gather?” The article’s author definitely has a point.
This article is a takedown of a long-standing “hacker summer camp” myth. SPOILER ALERT: Take the burner out of your Amazon cart; you won’t need it.