[BreachExchange] Data Breaches Continue to Be Focus of Consumer Complaints

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 17 20:39:02 EDT 2016


http://www.law.com/sites/articles/2016/05/16/data-breaches-continue-to-be-focus-of-consumer-complaints/?slreturn=20160417201748

Identity theft and data breaches are just not causing anxiety among C-suite
executives and legal professionals, but also causing a significant amount
of concern with everyday consumers according to The Federal Trade
Commission’s Consumer Sentinel Network (CSN) Data Book.

Released in February, the report found a 47 percent year-on-year increase
in identity theft complaints. According to the National Consumers League
(NCL), Javelin Strategy & Research estimates that close to one in three
data breach victims will also experience identity fraud.

When it comes to data breaches and identity theft, John Breyault, NCL vice
president for Public Policy, Telecom and Fraud, said there is a “strong
nexus between the two.”

Specifically, CSN received over 3 million complaints (excluding do-not-call
complaints) during 2015. These include: 40 percent for fraud complaints, 16
percent for identity theft, and 44 percent for other types of complaints.
In total, there were 490,220 ID theft complaints made during 2015,
according to the FTC.

Similarly, New York Attorney General Eric T. Schneiderman reported this
month that his office has received an over 40 percent increase in data
breach notifications involving New Yorkers so far this year. Between the
start of 2016 and May 2, there were 459 data breach notices, compared to
327 through the same period over the past year, in which the total amount
of received data breach notices topped 809. The office is expecting to
receive a record of more than 1,000 notices during 2016.

Earlier this year, Illinois Attorney General Lisa Madigan also reported
that the top 10 consumer complaints for 2015 again show that consumer debt
and identity theft ranked as the top concerns among Illinois consumers.

So too, in California, where Attorney General Kamala Harris reported
malware and hacking are the greatest threat for breaches in the state.

“There has been a significant increase in attacks based on social
engineering — phishing and spoofing, in particular — which are now coming
to light,” Miriam Wugmeister, an attorney at Morrison & Foerster, told
Legaltech News. “Companies in the U.S. have become much more sophisticated
regarding the technical controls, but the attackers are finding ways to
exploit human nature. In addition, U.S. organizations are focusing more on
these issues and thus the logging and monitoring has really been improved
in many organizations and thus organizations are more aware of malicious
activity.”

Moreover, Michael Waters, an attorney at Vedder Price, points out that the
Office of Civil Rights of the federal Department of Health and Human
Services – as well as some state regulators – have been using breaches to
conduct something similar to an audit when it comes to a company’s privacy
and security practices.

Waters advises companies take “reasonable steps” to try to protect the
personal information of customers and employees before any breach takes
place. There are already industry-specific privacy and security rules
health-care providers, for example, need to adhere to. “I would not be
surprised if I see other industries continue to follow suit,” Waters said.
These could come from companies within industries or from regulators, on a
state or federal level.

When reviewing data such as that collected by the FTC, it can help
establish trends and can launch law enforcement investigations, according
to Waters, and it can be the basis for enforcement action brought by the
FTC.

Data breaches will continue to draw the attention of the president, whoever
gets elected, Waters said, following Obama’s recent push for voluntary
information sharing on cyber-risks. “The next president will have to devote
a lot of resources to it. I don’t think it’s going to go away.”

The NCL has recommended that Congress take such steps as:

• Approving a national data breach notification standard, while protecting
strong state laws.

• Requiring data holders to abide by reasonable data security requirements.

• Clarifying and strengthening the FTC’s data security authority.

• Promoting cyber-insurance underwriting standards.

• Increasing federal civil and criminal penalties for malicious hacking.

• Strengthening international anti-cybercrime partnerships.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160517/d5bbdca5/attachment.html>


More information about the BreachExchange mailing list