Laws, Questionable Fines, and Black Hat Prep? - The Month of July in 5 Articles

August 02, 2019

Brittney serves as Product Marketing Manager at Terbium Labs and loves research, technology, and Idris Elba though not necessarily in that order. Some say on quiet nights, if you hold your laptop up to your ear, you can hear her typing blog posts to “Reynes of Castamere."

Each month Terbium Labs’ Research Team curates news and information from the corners of the internet just for you! Articles, research, infographics, and more related to information security, cybercrime, payment card fraud, automation, and other popular topics are summarized here on our blog to provide market insight each month.

New York Puts its Foot Down

New York State passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) on July 25th — don’t get excited.

Why do I care?

The SHIELD Act goes into effect on March 21, 2020, giving businesses less than a year to adapt to the latest state data breach protection law that impacts every business with data from a resident of New York State.

What does the law do?

  • Broadens the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers;
  • Updates the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information;
  • Extends the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State;
  • Expands the definition of a data breach to include unauthorized access to private information; and
  • Creates reasonable data security requirements tailored to the size of a business.
While the law is a step in the right direction for most, privacy advocates do note that the law takes away an individual’s right to sue, which means no class action lawsuits. Instead, the attorney general may bring an action to enjoin violations of the law.

The Gist

This article reviews the new SHIELD Act, which updates New York’s existing data protection law, at a high level.

Equifax is Fined, Barely

Equifax is being fined at least $575 million for the breach that exposed the lifetime data of 144 million people. This is either insultingly low or a step in the right direction toward regulations and punishments designed to safeguard consumer data.

Why do I care?

The company is paying at least $300 million into a fund for credit monitoring services for “affected customers”, $175 million in fines to 48 states, Washington D.C., and Puerto Rico, and $100 million in penalties to the Consumer Financial Protection Bureau. Equifax will also have to provide nine free credit reports per year to all U.S. consumers for seven years.

As far as the low fine goes, the FTC apparently did this purposefully. “We want to make sure we don’t bankrupt the company or have them go out of business,” said Maneesha Mithal, a data and privacy subject matter expert with the FTC. “We want to make sure they have the funds and resources to protect consumers going forward.”

The Gist

This article reviews the penalties Equifax agreed to in response to possibly the worst leak of lifetime information in the history of the world.

Facebook is Fined $5.1 Billion and It’s Not Enough

Facebook has been fined $5 billion by the FTC and is required to adopt a new management structure, create an independent privacy committee, and adhere to rules the FTC has imposed regarding disclosure. Similar to NY’s SHIELD Act, Facebook would have 30 days to report a breach or leak impacting more than 500 customers. The SEC also fined Facebook an additional $100 million for misleading investors about its data security.

Why do I care?

From a consumer’s point of view, there is room to be disappointed, as the FTC also agreed to essentially give Facebook a pass on known claims of violations before June 12, 2019 and immunity to its officers and directors. The fine also doesn’t do much to educate the public, though it is a record amount. From a corporate view, the FTC’s decision to settle for the agreed-upon amount is a win for Facebook. They have $56 billion in annual revenue. The fine is a slap on the wrist.

“The F.T.C. is sending the message that wealthy executives and massive corporations can rampantly violate Americans’ privacy and lie about how our personal information is used and abused and get off with no meaningful consequences,” said Senator Ron Wyden.

The Gist

This article looks at the fine and the fallout from the Cambridge Analytica scandal. Facebook has been fined a record $5 billion, but financially it’s a slap on the wrist.

Want to Make $301 Million Per Month?

The Financial Crimes Enforcement Network (FinCEN), a U.S. Department of the Treasury unit, reports that scammers made an average of $301 million per month in 2018 from business email compromise (BEC) scams.

Why do I care?

BEC continues to be a thorn in the side of cybersecurity professionals despite additional corporate training, stronger anti-phishing and anti-spoofing measures, and generally more attention being paid to cybersecurity. The article notes that the manufacturing and construction industries are the most targeted, representing 25% of all analyzed transactions.

The Gist

BEC is attractive to criminals because of its high profit, low cost, and low risk. This article discusses the figures reported by FinCEN.

Don’t be Weird at Black Hat

Black Hat, BSides, and DEF CON are coming to Las Vegas, Nevada. Every year, everyone from lifetime cybersecurity professionals to elite hackers gather in conference rooms and on showroom floors for “hacker summer camp”.

Why do I care?

For the security professional, Black Hat especially is a time for you to check out the competition, gain market share, and visit us for a chat. But the fear of data compromise seems to rear its head every year. The article acknowledges that there will most likely be surveillance and hacking devices around, such as Wi-Fi Pineapples, the popular penetration testing tool with interesting off-label uses.

“If you work in the infosec industry and you really believe you need a burner phone for these conferences, you may need to do some soul searching. What’s the point of having a $100 billion industry if it can’t secure phones in a place where a bunch of hackers gather?” The article’s author definitely has a point.

The Gist

This article is a takedown of a long-standing “hacker summer camp” myth. SPOILER ALERT: take the burner out of your Amazon cart; you won’t need it.
