GDPR and What it Means for U.S. Companies

The following was published in today’s editions of Foster’s and Seacoast Sunday.

GDPR is the European Union’s new data protection law. It stands for the General Data Protection Regulation and it goes into effect May 25. While this is a European law, U.S. companies are still subject to it, as are any organizations that possess private data on European Union citizens. It’s a sweeping update to existing data privacy laws that could have wide-reaching implications.

The United States has yet to pass a truly comprehensive data privacy standard. Individual states have passed varying data privacy laws, which make compliance confusing and very inconsistent. GDPR stands to set the standard for broad-reaching regulation that standardizes compliance and enforcement across borders, within the European Union and across the globe.

This past week, the Computing Technology Industry Association, CompTIA, released a survey on “The State of GDPR Preparedness in the U.S.” Some of the findings are scary. More than half of U.S. companies say they are still trying to determine whether or not GDPR is applicable to them. Well, if they have any personal information on a citizen of the European Union, it does. So, for example, if you have just one employee who holds dual citizenship with a country in the European Union, GDPR applies. If a single citizen of the European Union has purchased something from your company, requiring them to submit payment and shipping information to your company, GDPR applies to your company. You get the idea.

In addition to not knowing if GDPR applies to their business, nearly 65 percent of companies are unaware of the substantial fine structure associated with violations of GDPR. This could lead to significant financial exposure for companies that have not familiarized themselves with GDPR and its applicability to their business.

Those that have looked into GDPR’s impact on their business may be thinking about whether or not they want to continue doing business with the European Union. It’s too soon to tell if the regulation will turn out to hamper business between companies within and outside of the European Union. Of the organizations surveyed, one-third indicate they have no plans to change their business practices with the European Union and its citizens, one-third say they may, and the remaining one-third are not sure.

Some of the unique provisions of GDPR that may be difficult for businesses to comply with are the requirements for data transparency and the right to be forgotten, among others. Data transparency requires that a person be able to review any personal information that a company stores about them. The company must also provide a way for an individual to correct any inaccuracies in that stored information. Even more daunting, perhaps, is the right to be forgotten. To be in compliance, companies must be able to prove that they have completely erased personal information on any individual who wants the company to do so.

We won’t know for sure what real implications GDPR will have for U.S. companies until one gets caught in violation. Once that first case comes to light, we will know how successful this law will be and whether it will become a model that others will follow. Until then, ambiguity, confusion and the threat of significant fines seem to be how GDPR is being perceived in the U.S.

Participating in Our Democracy

I am honored to be invited to testify before the U.S. Senate Small Business Committee at an upcoming field hearing on the campus of my alma mater, the University of New Hampshire.

The hearing is entitled Net Neutrality: Impacts on New Hampshire Small Businesses.  If you have thoughts on the impact of the recent repeal of Net Neutrality rules by the FCC, please let me know so I can consider your thoughts as part of my testimony.

[Image: invitation to testify]

GDPR Isn’t Just for Europe. What US Companies Need To Know.

As I posted yesterday in It Happens One Month From Today, the European Union’s GDPR data privacy regulations go into effect in less than one month now.

CompTIA, representing the global information technology industry, surveyed 400 US-based companies about their understanding of and readiness for GDPR.  The results were not good, if you are concerned about data privacy and companies’ compliance with the laws governing it.

CompTIA issued a press release yesterday highlighting the results of its survey on the topic.  As the press release notes:

“Confusion about the regulations remains a significant problem for many companies,” said Todd Thibodeaux, CompTIA president and CEO.  “Only one in four respondents claim to be very familiar with GDPR,” Thibodeaux reported. “Some believe it applies primarily to companies in the EU; others, only to large multinational corporations. Alarmingly, three in ten companies believe GDPR does not go into effect until the end of 2018.”

Alarming indeed!  Data privacy issues know no borders or governments.  They transcend everyone and everything.  To think that so many organizations do not think the new regulations impact them, and have not even started to plan to support the new regulations within one month of implementation, is negligent.

If you are concerned about data privacy, I encourage you to review the CompTIA State of US GDPR Readiness survey results and take action to protect yourself and your business.

It Happens One Month From Today

On May 25, 2018, GDPR goes into effect.  What is GDPR?  It’s the General Data Protection Regulation of the European Union.  In other words, it’s the newest and most sweeping data protection law in the world, and its implications extend beyond the borders of European Union member countries.

GDPR will replace the prior regulations, which were enacted in 1995.  The Internet was just gaining mainstream recognition in 1995, so this is a significant replacement, though EU regulators are downplaying the immediate impact of the changes.

In practical terms, GDPR introduces new rights for individuals and new requirements for businesses related to the storage and dissemination of personal information.  Individuals will have more access to the information that companies hold about them.  The companies holding that data have to meet enhanced security requirements related to personal information.  Businesses are also subject to a new range of fines, should they violate the new regulations.

There has been some considerable angst about GDPR among private industry and the tech industry specifically.  With four weeks to go, I’m sure you will be hearing more about GDPR as the implementation date draws closer.  I’ll be blogging about GDPR over the next month as we prepare to see the real impacts come online on May 25th.

So Mr. Zuckerberg Went To Washington

The following was published in the Sunday, April 15, 2018 edition of Foster’s and Seacoast Sunday.

[Image: Zuckerberg testimony]

I think the woman in green represents how everyone in the room was feeling, except the members of Congress.

Amidst the outcry over revelations that the political data mining firm Cambridge Analytica inappropriately accessed and used the personal data of nearly 87 million Facebook users, Facebook founder and CEO Mark Zuckerberg answered the call from Congress to come to Washington, D.C.

He faced two days of questioning from House and Senate committees. The results were sometimes downright bizarre.

I think Zuckerberg should be complimented for agreeing to come to Washington and face this questioning. While many criticized Facebook’s initial response to the scandal, the company has done a lot since then and is acknowledging where it can do better. What’s that old cliché? The first step to admitting you have a problem is to say you have a problem. Facebook admits it has a problem and Zuckerberg directly apologized for the breach of the public trust and took responsibility as any good leader should.

Now, as for the value of the questioning and what it says about both Facebook and our elected representatives? It sure didn’t leave me feeling great. The talk among my colleagues in the industry ranged from outright laughter to downright disgust. What came through loudest was how unprepared our elected officials are to deal with issues like this. The sheer lack of basic technical understanding from some of the members was appalling.

I could only watch bits and pieces of the sessions because I became frustrated by the lack of preparation on the part of the members, our elected officials, who have an obligation to protect our interests. The vast majority of them should be embarrassed and apologize to both Facebook and us, their constituents, for wasting our time and distracting themselves from the important work we expect from our Congress.

Instead, many grandstanded, obviously relishing the spotlight they were able to exploit for who knows what purpose. There was no real outcome from the hearings, other than Congress feeling they should legislate a solution and everyone else fearing what that legislation might look like.

The members of Congress would have been far better serving the interests of their constituents if they had consulted with industry and privacy experts to understand exactly what happened and to equally understand what complexities will come to the table in trying to prevent a recurrence. Instead, it felt like several of the members had searched for social media conspiracy theories and crafted their questions accordingly.

Clearly, it wasn’t all bad, but unfortunately, the bad outweighed the good by a significant margin. Facebook has a problem. All of social media has a problem, but perhaps the biggest problem of all is that many people still do not grasp social media for what it is. Most are platforms that do not charge any fee to the individual to be a member. Why? Because they make their money in other ways, mostly through advertising and data sharing. We all know this, so the outrage is just a tad overblown, in my humble opinion. If you wouldn’t choose to hang up a banner outside your home announcing your name, hometown, relationship status and your most precious pictures, then why would you put it on social media? If you are using a complex, technology-driven platform like social media for free, shame on you if you didn’t stop to think about how the company is making money from your membership.

As I wrote about in my last column, you can do a lot to limit what information Facebook shares about you. The same is true of most social media platforms, but Facebook is the one in the spotlight at the moment. As I suggested, Facebook has made a lot of improvements to its app settings over the last several weeks. When you click the arrow next to the help icon, select Settings and go to Apps, you’ll find it much more obvious which apps you have allowed to connect to your Facebook account. It’s now easy to select the apps you don’t want to have access and remove them with the click of a single button. The options for all of the apps are much easier to find and intuitive to change. The same is true for the ads settings.

So unlike one senator or congressman who made the statement that he likes chocolate and didn’t understand why after he mentioned chocolate on Facebook he started seeing chocolate ads, hopefully you understand how that happens and how to manage your exposure.

Hopefully, this entire fiasco has made you a more educated social media user. I wish the same were true for the people who have the power to limit and regulate the technology we have access to. Hopefully they will catch up to their constituents, many of whom were shaking their heads this week.

A New Low

Following up on my post about a Phishing Example, the people behind these phishing attacks have sunk to a new low.

Playing on the fears of active shooter events, especially at schools, these latest phishing scams try to trick you into clicking on a link related to an event on a college or high school campus.  When you click the link, you are presented with a fake Microsoft login screen to try to steal your Microsoft Account credentials.  This started in Florida, but will likely spread quickly around the country, so be on the lookout!

Security firm KnowBe4 sent out the following advisory related to this new, low trick:

“Heads-up. You’d think it could not get any worse, but some bad guys have sunk to a new low. They are now exploiting recent active shooter events on campus to get people panicked and “click-by-reflex” to find out if a loved one is safe.

This same phishing attack could be used against any organization with an active shooter protocol and training in place. If you see emails with titles like:

  • “IT DESK: Security Alert Reported on Campus”
  • “IT DESK: Campus Emergency Scare”
  • “IT DESK: Security Concern on Campus Earlier”

Please think before you click, and look for any red flags related to a phishing scam.”

Phishing Example

Last week, I attended an industry conference and spoke on a security panel.  More on that in a post over the next couple of days.  One of the consistent themes around cyber security was how effective phishing email and social engineering are.  It has become the number one vehicle that hackers are using to gain access to secure networks.  This morning, I received a well-crafted phishing email that I want to share, as it has several elements that are good to be aware of in order to not fall victim.

Let’s take a look at the email that arrived this morning with the subject “Shipment Tracking Number” from “notification@fedex.com.”  Both the subject and From address seem legitimate.  Here is the actual message:

[Image: the FedEx phishing message]

This message looks fairly legitimate, and many people who only glanced at it quickly would likely click on the link, so let’s look deeper.

If you hover over the link instead of just clicking it, which is ALWAYS recommended, here is what you see:
[Image: hovering over the link in the FedEx phishing message]

When you look at the image above, you can see that when hovering over the link, the URL does not match the URL that was shown in the email.  This should be a clear warning that this could be a phishing message.

Now let’s look a little more closely at the message text itself:

[Image: the FedEx phishing message with numbered markup]

The sentence that begins at the #1 is not properly capitalized.  The dollar representation at #2 is not in proper currency format and the USD should be capitalized.  The comma following usd is also misplaced and follows a random space.  There is no punctuation at #3 or #4.  #5 lacks proper capitalization and punctuation.  #6 is not the real FedEx logo.  Notice how it is standard text and not the bold logo where the d and E are actually connected.

So, taken all together, do you think the real FedEx would ever allow a message like this to be sent?  No, not at all.  This is definitely a phishing email, designed to get you to click on the link, which will instantly infect your computer and allow a hacker access to your computer or worse, to capture everything you type on your keyboard, which will give them access to far more.

For the more technically inclined, if you also look at the email header, you will find several other identifying details that confirm this is not really from FedEx and is a phishing email:

X-Country-Path Denmark->
X-Note-Sending-IP 212.237.47.12
X-Note-Reverse-DNS host12-47-237-212.serverdedicati.aruba.it

These three lines of the header really confirm this.  The IP address resolves to the domain aruba.it.  A WhoIs lookup of that domain shows it being registered to an organization called Aruba Spa, surely a fake organization.  The country is reported as Denmark, but if you know your world geography, Denmark is in Europe and Aruba is in the Caribbean.  Further, the .it domain suffix is actually the top level domain for the country of Italy.  So, did this email come from Denmark, Aruba or Italy?  Probably none.  It’s likely all an elaborate path to mask the real sender, who, if you were not convinced to this point, you should now know without a shadow of a doubt, is not FedEx.
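As an added example (not part of the original post), the short Python script below applies two of the checks walked through above to a raw message: it compares the domain shown in a link’s text with the domain the link actually points to, and compares the sender’s domain with the relay’s reverse DNS. The message is constructed for this example; only the From address and the three X-Country-Path/X-Note header values come from the post, and the link target is a reserved example domain.

```python
"""Flag two phishing red flags in a raw e-mail: a link whose visible
text does not match its href, and a From domain that does not match
the sending host's reverse DNS."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# CONSTRUCTED sample. Header values on the X-* lines are quoted from the
# post; the body text and the link target (example.net) are made up.
SAMPLE_EMAIL = """\
From: FedEx <notification@fedex.com>
Subject: Shipment Tracking Number
X-Country-Path: Denmark->
X-Note-Sending-IP: 212.237.47.12
X-Note-Reverse-DNS: host12-47-237-212.serverdedicati.aruba.it
Content-Type: text/html; charset=utf-8

<html><body>
<p>your package is on hold, please confirm the fee of 3.25 usd .</p>
<p><a href="http://track-update.example.net/login">http://www.fedex.com/tracking</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a rough stand-in for the registered domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw):
    """Return human-readable red flags found in the raw message."""
    msg = message_from_string(raw)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Red flag 1: the hover target differs from the URL the reader sees.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown = urlparse(text).hostname if "://" in text else None
        target = urlparse(href).hostname or ""
        if shown and registrable_domain(shown) != registrable_domain(target):
            flags.append(f"link text shows {shown} but points to {target}")
    # Red flag 2: the relay's reverse DNS is not under the sender's domain.
    rdns = msg.get("X-Note-Reverse-DNS", "")
    if rdns and registrable_domain(rdns) != registrable_domain(from_domain):
        flags.append(f"From is {from_domain} but sending host resolves to {rdns}")
    return flags
```

Running `phishing_indicators(SAMPLE_EMAIL)` returns both flags for the constructed message; a real mailer would also check the message's own Received headers, which this sample omits.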

I hope all this information helps you protect yourself from these types of socially engineered phishing scams.

Cell Phone Spying is Here

As if we didn’t have enough privacy worries, confirmation came this week that cell phone spying is actively taking place in the United States and specifically in Washington, DC.

Now this should really not come as a huge surprise, but the ease with which it can be done is a cause for concern.  In DC, the Department of Homeland Security has confirmed that it has identified several “StingRay” devices in the city.  These are devices that trick mobile phones into connecting to them instead of a legitimate cell tower.  In so doing, they are able to intercept voice conversations and text messaging.  Some experts suggest malware could also be installed onto connected devices, without the user knowing.  These imitation cell towers are also able to track the location of a given device, making them an excellent tracking tool.  What’s more, these devices are not physically large.  We are not talking about a fake cell tower that rises high into the skyline.  Some say they can be as small as a cell phone, or like a moderately sized piece of audio equipment.  There is even some thought that they are able to be deployed in low flying aircraft to not only lock on to a mobile device but to follow it almost without limit.

These devices are known to be in use by some police departments and the intelligence services.  This partly explains a battle between the FCC and the wireless carriers around who is responsible for securing the wireless networks from these types of threats.  Fully securing the wireless infrastructure could prevent police and intelligence services from carrying on surveillance that may be critical to national and local security.

This will not be an easy issue to address.  If you’ve been thinking that your cell phone is immune to being intercepted, think again.  It will be interesting to see how this plays out.

Update on Recent Data Breaches

As a follow up to my recent posts “MyFitnessPal Data Breach” and “Now it’s Lord & Taylor and Saks” I wanted to share an email I received today from ID Shield, a service I subscribe to through my employer.


What you need to know about two recent breaches:

Saks-Lord & Taylor and MyFitnessPal

Dear Valued Member:

As part of the IDShield family, we want to make you aware of recent large data breaches that have the potential to cause concern among consumers.

THIS MESSAGE IS NOT AN ALERT THAT YOU ARE AFFECTED BY EITHER OF THESE BREACHES.

We hope these breaches don’t affect you. However, since you have IDShield protection, we can alert you to potential threats to your identity and have experts ready to assist with those threats, should it be needed.

Saks-Lord & Taylor

More than five million credit and debit card numbers from in-store customers of Saks Fifth Avenue and Lord & Taylor, mostly in New York and New Jersey, have been stolen. At this time, it is unknown if any personal data of these customers has been exposed; the stores’ e-commerce platforms do not appear to have been affected.

What you should do: If you made any purchase at a Saks or Lord & Taylor store between May 2017 and March 2018, monitor your card’s activity. The easiest way to do this is to sign up for transaction alerts on your credit card accounts so you will be notified of any activity in real-time. Ensure that you’ve activated all of the monitoring available to you through your IDShield membership by visiting myidshield.com. We will alert you if there are any changes in account activity, such as a new address, credit limit increase, past due status, etc.

MyFitnessPal

Approximately 150 million MyFitnessPal accounts were hacked in February. According to parent company Under Armour, the compromised data includes usernames, encrypted passwords and email addresses but not bank account, driver’s license or Social Security numbers.

What you should do: MyFitnessPal is notifying its members of the breach and requiring them to change their account password. If you were using that password for any other online account(s), you should change the password on those as well, choosing a unique password for each account.

IDShield is here for you.

As always, we will keep a close eye out for suspicious use of your personal information and alert you should we find anything you may need to be aware of.

Sincerely,

IDShield Member Services

Now it’s Lord & Taylor and Saks

Yesterday, Lord & Taylor, Saks Fifth Avenue and Saks Off 5th announced a data breach impacting 5 million debit and credit cards.  If you are a customer, check your accounts closely.

According to reports from security firms and financial institutions, it appears this breach took place from May 2017 until March 28, 2018, when the hacking syndicate associated with this breach made it known.  Reports also indicate that many of the breached payment cards are posted for sale on the Dark Web.  It appears that this breach targeted locations in New York and New Jersey, so if you have shopped these stores in those states, be especially vigilant.