Equifax Hit Hard — Will it Matter?

On Monday it was announced that Equifax will pay up to $700 million in a settlement with the Federal Trade Commission. The settlement will end the numerous federal and state lawsuits filed against Equifax after the 2017 data breach.  

The attack occurred after the company failed to patch a vulnerability in one of its systems, a flaw it had learned about months earlier. The breach, now considered one of the largest in history, exposed personal information such as names, Social Security numbers, and payment information of over 145 million people. In short, the fines amount to less than $5 per impacted person.

In Monday’s settlement, Equifax agreed to pay a minimum of $380.5 million in restitution funds for consumers affected by the breach. The company will add up to $125 million more to the fund if the initial amount runs out. Equifax will also provide free credit monitoring services for those affected.

Alongside the restitution fund, Equifax will pay $175 million in order to end investigations by 50 state attorneys general, and an additional $100 million to end investigations by the Consumer Financial Protection Bureau and the Federal Trade Commission. 

The settlement will now go to the courts for approval. After that, consumers will be able to file a claim for credit monitoring, identity restoration services, and cash payments of up to $20,000. Information on the settlement and claims will be updated here. 

Business as Usual?

With Equifax reporting $3.4 billion in revenue for 2018, the settlement adds up to about 20% of a year’s revenue (Equifax had already taken a $690 million charge in Q1 of this year in anticipation of the fines). However, after an initial drop in its stock price, the company has largely recovered financially from the scandal. As of today, Equifax’s stock remains unaffected by news of the settlement.

Alongside Equifax, several large tech companies are beginning to face fines for mishandling consumer information. In March, it was announced the E.U. would fine Google $1.7 billion and earlier this month the FTC approved a $5 billion fine against Facebook. The question that needs to be asked now is how effective these fines really are. Will they be effective as a deterrent or will these large corporations simply factor them into the cost of business?  

From the standpoint of consumers, it’s beginning to seem like real change will only occur through a mix of government regulation and, perhaps more importantly, market demand. It will be up to consumers to demand that their privacy is not something to be taken lightly.  

Home Security: Keep It S.I.M.P.L.E.


You know that phrase, “From the privacy of my own home?” It’s comforting. After spending the day at work, a favorite restaurant, the baseball game or a movie, we want to come home, kick our shoes off and be away from the public eye. Home is where we demand the most privacy. 

But with the typical U.S. household containing five or more internet-connected devices, the reality is our homes aren’t all that private anymore. On top of that, most of us don’t have an I.T. department at home, so making sure your home connection is secure can feel pretty daunting. But it doesn’t have to be.

To secure your home and family, just keep it S.I.M.P.L.E.:

Secure the router 

The router is the main gateway through which we connect to the internet, so there are a number of things you should do to make sure it’s as secure as possible. The first step is to replace the default password that came with your router, both the administrator login and the Wi-Fi passphrase, since default credentials are printed on the device and published in manuals. As with all passwords, use something unique and hard for others to guess.

Next, make sure that you keep the router’s firmware up to date. The firmware is basically the router’s software and will regularly be updated with important security patches. Check the manufacturer’s website to download the latest update.  

Another step you can take is to hide your wireless network name (the SSID). Your own devices can still connect by entering the name manually, and casual passers-by won’t see the network in their list. Be aware that this is only a minor obscurity measure: anyone with a wireless sniffer can still see the network and its name whenever your devices connect to it, so it is no substitute for strong encryption.

The final and perhaps most important step is to use Wi-Fi Protected Access 2 (WPA2), or WPA3 if your router and devices support it. WPA2 has been required on all Wi-Fi certified routers since 2006; it encrypts your wireless traffic with AES and validates the integrity and authenticity of each frame. Avoid the older WEP and WPA (TKIP) options, which are broken, and choose a long passphrase, since WPA2-Personal is only as strong as the passphrase protecting it.

Install Endpoint Protection for Devices 

Endpoint protection is software installed on each endpoint device (laptop, smartphone, tablet, etc.) that guards it against malware and blocks known-malicious sites and downloads. In corporate settings it is often paired with network access control, which only admits devices that meet certain security standards such as an approved operating system, up-to-date anti-virus software, or a VPN client. Either way, the goal is to ensure that every device on the network is taking appropriate steps to secure itself, because one unprotected device can be used as a foothold to attack the rest.

Multi-Factor Authentication 

For all sensitive accounts, it’s essential to use multi-factor authentication (MFA). MFA is a simple security process that requires more than one form of authentication when logging into an account. This often means receiving an authentication code on your phone, or entering a code from an authenticator app, after your password. With MFA enabled, someone who has stolen your password still can’t get into the account without the second factor. Where you have the choice, prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM-swapping.

Password Manager 

We all know the dangers of reusing one password across multiple accounts, but it quickly becomes cumbersome to remember a different password for every single account. A password manager solves this problem. Password managers such as LastPass can be installed as a browser extension and will save the log-in details for each account; when you need to log in, the manager fills them in for you. Many managers also have a password-generation feature that creates strong, random passwords. They’re often long and nonsensical, but that’s exactly what makes them secure, and with a password manager you won’t have to memorize them. Just make sure the master password that protects the manager itself is strong and unique, and enable MFA on the manager too.

Lock Up Your Data 

Should someone gain access to your hard drive, you want to make it as hard as possible to read the information on it. Encryption scrambles the data in your files so that it is unreadable unless the right key or password is supplied. You can choose to encrypt only your most sensitive files, or simply encrypt the entire drive. Both PCs and Macs ship with built-in tools for this (BitLocker on Windows, FileVault on macOS), and full-disk encryption is the simplest choice because it also covers temporary files and caches you would otherwise miss. Keep the recovery key somewhere safe, because without it an encrypted drive cannot be recovered.

Educate 

The final and maybe most important step you can take is to educate your entire family on cyber-awareness. You might be taking every possible step to secure your connection, but if someone else on the network has lax security settings, you’re just as vulnerable as they are. Sit down with the entire family and come up with a security plan that everyone can understand and easily follow. Talk about phishing, SMS phishing (“smishing”), and social media phishing (did you know 66% of spear phishing attacks on social media sites are opened by their targets?).


Following these six steps will go a long way to reclaiming your family’s privacy at home. Just remember, Keep it S.I.M.P.L.E.: 

Secure router 

Install Endpoint Protection on Devices 

Multi-Factor Authentication 

Password Management  

Lock up your data 

Educate  

Naked and Afraid — Bulgarian Edition

Last month, Bulgaria’s National Revenue Agency (NRA) suffered a massive data breach. The breach is reported to have exposed the information of up to 5 million Bulgarian citizens, over 70% of the entire population. The information included in the breach is thought to include victims’ names, addresses, and income, as well as personal identification numbers and social security information. According to the New York Times, this information could be worth up to $200 million.

A Laissez-Faire To Remember 

While the investigation into the attack is still ongoing and a suspect is in custody, many are blaming the Bulgarian government’s lackluster approach to cyber security. Initial reports indicate the attack was likely a result of weaknesses in the NRA’s system for filing tax returns from abroad. More damning is a report from Reuters stating that the Bulgarian Industrial Association warned the government of flaws in its systems over a year ago.

In the anonymous email sent to news outlets, even the self-proclaimed hacker wrote, “Your government is slow to develop, your state of cybersecurity is a parody.” 

The Bulgarian Personal Data Protection Commission (PDPC), the country’s GDPR supervisory authority, has said the NRA could face fines of up to €20m ($22.43 million), the maximum fixed fine allowed under the GDPR.

This breach is just another reminder to governments and businesses alike that cyber-attacks are a real threat and must be treated accordingly. With the number of data breaches increasing and privacy regulations on the rise, there is no longer any excuse for not taking the steps to protect against such attacks.

Whose Identity is it Anyway?


Our identity is something we often take for granted. Traditionally understood, identity is a simple one-to-one relation. It’s what links a single person to a single identity.  

However, the digital landscape has changed the very nature of our identity. Now, it’s more accurate to say that a single person contains a whole multiplicity of identities, many of which we don’t have a lot of say in. At bottom, digital identities are constructed far less by what we think and say about ourselves, and far more through a complex network of information that moves and interacts with other elements to construct who we are. 

The Digital Footprint 

When we go online, we leave a trail of our interactions. From browsing history, to shopping preferences, to movie and music tastes, to ‘likes’ on social media, everything we do is logged and collected. And the emerging landscape of artificial intelligence and the ‘internet of things’ (IoT) greatly expands the traces we leave.

In some cases, this is done to make our experience online more efficient and convenient. Much of the time, however, our digital footprint is being used to build a detailed profile of who we are. The issue here isn’t so much that we have to wade through a bunch of highly-targeted ads. Instead, it raises essential questions over who has control over who we are.

In a post we wrote last month —and really, it bears repeating— we quoted an article by Shoshana Zuboff, who argues that data collection “is not only to know our behaviour but also to shape it in ways that can turn predictions into guarantees. It is no longer enough to automate information flows about us; the goal now is to automate us.” 

No Privacy without Control of Identity  

In the direction we’re headed, our identities are constructed for us instead of by us. This is largely because our informational society is driven far more by the interests of the organizations collecting personal information than by the interests of consumers.

The question then becomes: how can we retain our privacy when it is only known in a digital footprint which, by its nature, is programmed by a third party? Defining our relationship to these identities is essential so that we can define how to protect them.  

The 3 P’s: Policy Protects Privacy

In many ways, we’ve accepted that handing over personal information is the cost of interacting online. The issue, however, is that in the U.S., when it comes to handling consumer information, the rule of business has largely been ‘Anything Goes!’ 

And if the deluge of privacy scandals that tech companies have faced tells us anything, it’s that consumer privacy is not exactly a top priority for many businesses. 

Because of this, it’s become clear that there needs to be some level of external policy which places limits on what data can be collected and for what purposes.

Information Fiduciaries  

The New York Privacy Act is the latest consumer-focused regulation to take steps in this direction, and it contains some innovative approaches to help protect users’ personal information.

One such approach is the inclusion of the concept of “information fiduciaries,” originated by Yale Law School professor Jack Balkin. The proposed regulation would require any organization that handles personal information to act as an information fiduciary, which must “exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and [] act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker.”

As expected, this has many tech companies up in arms. According to an article from Wired, Facebook has argued that the line requiring companies to act ‘in the best interests of the consumer’ is too broad: “Different consumers, Facebook argues, have different interests when it comes to the use of their data, making that a fuzzy line to draw.”

Facebook’s argument over differing interests might seem to make sense, but, when it comes to creating sound privacy policy, it falls far short of the mark.

The problem is that in today’s landscape, it’s becoming impossible to pinpoint consumers’ true interests. In an article titled “Privacy and human behavior in the age of information,” the authors surveyed the empirical research and found a variety of issues when it comes to accurately locating consumers’ concern for privacy. One point they made was that companies have been able to effectively influence users’ privacy concerns:

“Some entities have an interest in, and have developed expertise in, exploiting behavioral and psychological processes to promote disclosure. Such efforts play on the malleability of privacy preferences, a term we use to refer to the observation that various, sometimes subtle, factors can be used to activate or suppress privacy concerns, which in turn affect behavior.”

Disinterested Policy 

The question then becomes: how can a privacy policy rely on the individual consumers’ interest if those interests are being influenced by entities that depend on the collection, processing and sale of personal information? 

Because the tech environment is a complex world of interactions, because of the limitations in our ability to discern attempts by others to leverage our behavioral biases, and because we cannot fully trust that the intentions of tech platforms like Facebook are congruent with our own interests, there needs to be some external baseline of privacy protections that helps create a level playing field for everyone. The question, of course, is where that baseline is drawn. That comes down to being able to answer three questions: What do we want to keep private? When do we want to keep it private? How and when do we want to share?

Sounds simple, but in a digital world of constant measurement and surveillance, it’s not so easy.