The Vicki Kasomenakis Business Society: Cybersecurity & Privacy


– I’m Professor Linda
Meltzer and we’re going to have our first
Business Society meeting. Some of you may know that
we have changed the name to honor Vicki Kasomenakis,
who passed away in August, 2014, so it’s now the Vicki Kasomenakis Business Society, and it’s our first
meeting of the whole year and kind of a special one. Karen Dahlberg, who is a staff attorney for the Federal Trade Commission, how many of you know what the
Federal Trade Commission does? Okay, you will in a few minutes, came to us a couple of years ago. I think it was 2011? – That’s right.
– Somewhere there. Karen has been working
at the FTC for six years after several years of working at a Wall Street law
firm, and so she comes with tremendous
experience, but I also know firsthand the interesting
topics that are covered that Karen covers. Last time, we did identity theft. This time, we’re going to look at cyber security and privacy, so please give a warm
welcome to Karen Dahlberg. Thank you. (audience applauds) – Thank you, Linda. I’m really happy to be back here again talking to you guys. I don’t know if anybody
was here last time. I know our videographer was here last time when I came here and spoke
about identity theft. Was anybody else here? Nope, okay. That was a while back. Anyway, today I’m gonna talk
to you about cyber security and privacy, and before
we get into the meat of the discussion, I
would like to tell you a little bit about the
FTC, a little bit about me, and then I’d like to find
out a little bit more about my audience. So, first of all, what is
the Federal Trade Commission? The Federal Trade Commission
is an independent agency of the United States government, and what that means is
that we are independent from the president. When Obama was elected,
he wasn’t able to replace all of the heads of the
Federal Trade Commission. I didn’t have to worry
about losing my job, things like that, and the
president does appoint the commissioners, and
the commissioners serve for a period of
approximately seven years and they can’t all be from
one particular party group, so even though Obama is a
Democrat and you might think that he would want to appoint
all Democratic commissioners, he doesn’t have that option. We are an independent agency,
and so there needs to be some balance at the top of our agency, and so although the president
does get to appoint people, these appointments don’t expire at the end of each presidential
term and the president can’t nominate people only
from his or her own party. What we do is we are a regulatory and an enforcement agency
and we deal in areas of consumer protection and antitrust. When we were first set up in 1914, it was primarily for antitrust purposes, and I don’t know if you’ve
heard of the term trust busting, but basically the FTC was responsible for breaking up large
monopolies such as Standard Oil and other huge companies that were around during that time period. Since then, our agency has really morphed in a number of different ways. We still work in antitrust and we still target monopolies
and try to break them up, we review mergers to make sure that huge companies can’t get
together and create monopolies that would be harmful to consumers because they would be able to raise prices or restrict supply and that sort of thing. We also do consumer protection work. That’s something that our
agency has done a lot of since the ’70s. We do that by engaging
in enforcement actions. We are a civil agency,
not a criminal agency, so nobody goes to jail
because we sue them. However, they can lose a lot of money and that’s really a good
reason for companies to follow consumer protection
laws and to make sure that they follow our rules,
regulations, and our advice. We cover areas such as credit,
privacy, advertising, spam, and use of the internet. We are responsible for
the Do Not Call list. Some of you may be too young
to remember when we all had landlines and there were
these terrible telemarketers who would just call, and
call, and call, and call and there seemed like there was nothing you could do about it. Well, then the FTC started
the Do Not Call Registry, and if you are not on
it, you should get on it. It’s donotcall.gov, is the website, and that really kept
people from being harassed. So, we are looking at making
sure that we can protect consumers from unfair practices,
from deceptive practices, and from general harassment. So, I mentioned deceptive
and unfair practices. What Section 5 of the Federal
Trade Commission Act does is prohibit unfair or
deceptive acts or practices that are in or affecting commerce. So, deceptive practices
are when a company engages in a practice that fools you. For example, if you’re looking online and you see an ad that says
that there’s a free trial for some kind of a weight loss pill or muscle enhancing supplement
or something like that and it says you just pay 4.99
for shipping and handling or something like that, and you think oh, that sounds great. I’d love to do a 14-day trial
of this diet pill, whatnot, and you give your credit card information for shipping and handling,
you expect to be paying 4.99, but that’s it, and lo and
behold, 30 days later, you see there’s a charge for 100 bucks on your credit card bill
and you have no idea what that’s about and you ignore it, thinking you probably went
on a crazy shopping spree and forgot about it, and
30 days later, same thing. You see another $100 charge. Well, it turns out sometimes
these free trial offers are not really free, and
what these companies do is they roll you in a continuity plan, which is where every 30 days until or unless you cancel, you get billed. So, that’s an example
of deceptive practices where you’ve been tricked into something through false advertising
or inadequate disclosures, things like that. Now unfairness is a little bit different. Unfairness is where
there’s an act or practice that could cause or is likely to cause substantial injury to consumers and there’s no countervailing benefit to consumers or competition. So, an unfair practice would be something where there was nothing that
you knew about this practice. There was nothing that you could’ve known about this practice. Has anyone ever been a victim
of unauthorized billing where there’s just been a charge slapped on your credit card and
you didn’t know why? Does anybody know that? So that’s an example
of an unfair practice. It’s not where you were
tricked into making a purchase, but it’s where someone
just somehow got ahold of your information and charged you. So, generally speaking, what we do is, at the FTC, is we enforce Section 5 of the Federal Trade Commission Act, which prohibits unfair and
deceptive trade practices, and how do we do that? We file lawsuits. We investigate companies and
when we find enough evidence of wrongdoing, we bring an
action, it’s a civil action, and generally we don’t get fines. What we get instead is
restitution for consumers, meaning that if consumers were scammed out of $30 million,
then we sue that company to get them the $30 million back, and ideally, if we get enough money back, we distribute it among consumers. We have some rules that are in place. One of them, for example, is
the Telemarketing Sales Rule which has certain rules in place in terms of what hours
of the day telemarketers can call you, what they need to disclose, what kind of information they need to save in terms of showing that
you’ve actually agreed to the charges that have been
made, that sort of thing. We also do some workshops and studies which support proposed legislation that we forward on to Congress. Okay, so today, we’re generally gonna talk about privacy, data
breaches, applicable laws, and what people do with
stolen information. So, before we get to that, I told you I would tell you a little bit about me. So, my name is Karen Dahlberg. I’ve been working at the
FTC for almost six years. I work in the Bureau
of Consumer Protection and I’ve brought a number of different cases against companies. One that’s still in active litigation was against a medical
discount card company. This was a company that was selling people medical discount cards, but
marketing it as insurance, so this was a deceptive claim
where they were telling people they were buying health insurance, and people couldn’t resist
this very low price, thinking that they were
getting real coverage, and unfortunately, what
they got was just this card that would, at best, get them 30% off of certain medical services
if the card was even accepted, so that obviously caused a
lot of harm to consumers, so that’s one case that I worked on. Another was an unauthorized billing case where there was an
online clothing retailer that was seeing hard times and decided that rather than use lawful
means to try to improve sales, they would just charge
people a random 49.95, 59.95, 69.95, whatever they thought
consumers wouldn’t notice, and then they later made
up the story that consumers had signed up for a frequent shoppers club when there was no proof of that and consumers didn’t remember that, so we shut down that company. I’m currently involved
in an active litigation against a debt collection group. These were debt collectors who we alleged were calling people,
threatening them with arrest, threatening them with lawsuits, just generally harassing people, trying to get them to pay debts. Some of these consumers
didn’t even owe the debts or the debts had been paid off already, and these debt collectors
were still harassing them, which, that can be pretty scary. So anyway, so those are some of the cases that I’ve worked on. I also worked on a diet pill case that, it was called LeanSpa. It involved affiliate marketers, which are these online
marketers that were putting up fake news sites, so if
you’ve ever seen a website where it looks like it’s news, but it’s actually an advertorial. Yeah, so it’s that kind of thing. Does anyone here watch Girls? Do you know that show? But anyway, there was
this really funny episode where the main character, Hannah, was working on an advertorial and it was for a bone
density drug and the person she was supposed to be
interviewing for this, it’s this famous Broadway actress. Patti LuPone,
– Yeah. – Is that the name? And she was interviewing her and she said, first question was, so how long have you
had bone density issues or how long, osteoporosis,
how long have you had that? And Patti LuPone said, “I
don’t have osteoporosis. What are you talking about?” (laughing) It turned into well, if you did have osteoporosis, then how long would that have been? And it was just this whole farce and it was a real interesting, an interesting critique
of the advertorial world, but yes, there are a lot
of instances where people were putting up fake
news sites and I think since the FTC cracked down
on this, you see less of it, but there were studies and news reports that were supposed to
look like they were real, telling you about how amazing these various supplements were, but actually, they were just
ads put out by the company. So, I worked on a case like that as well, and that case was one of
these 4.99 free trial things that got people enrolled
in a continuity program. So, that’s me and now I’d like to know a little bit about you guys
and how you use technology and what kind of commerce
you’re engaging in online. So first of all, does
everybody here have an iPhone or a smartphone that’s kind of (mumbles). So, most of us do, and
is everybody on Facebook? Okay, and do people do online banking? It’s so convenient, right? And what about online
payment like, through PayPal or Venmo or anything else? Yeah, we’ve all paid
our friends via PayPal. How about online shopping, one of my personal favorite
uses of the internet? And anybody file their taxes via TurboTax or anything else online? No, you guys write it out
and send it in (laughing)? I can’t believe that. Anyway, I use TurboTax. And then how many of you are working while you’re going to school? Yeah, it’s not easy, right? But are you working at places
that accept credit card for any products or services? Yep, okay, so you know how
many credit cards you see each day and how many
transactions are going through. So, today we’re going to talk about
privacy, data breaches, what people do with stolen information. So, when you’re working in a
place that accepts credit cards and you see how many
transactions are run through, you can really understand the
importance of data security, or if you’re online shopping and we don’t usually think twice before we put our information
in and we click confirm and we’re just so excited
to get our Fabletics gear or whatever we’re gonna get. I did my first order a few weeks ago. I’m very happy with it, but
anyway, we don’t think twice about it and it’s something
that we take for granted, that there’s data security when we’re doing our online transactions, but the fact of the matter
is that some companies, even some big companies that
you would expect to know better have not engaged in proper data security, and when that happens, it
makes all of us vulnerable and at risk. So anyway, I’m happy to hear
that you’re all connected as I am and can relate to this topic then. Okay, so the FTC has
been involved in privacy long before people were
using the internet. As I mentioned, we have
this Do Not Call Registry, which if you guys are not
already signed up for, you should be. We also take complaints
regarding robocalls. Robocalls are when your phone rings and you pick up and it’s
an annoying recording telling you that you can
refinance your mortgage or whatever and you’re thinking,
I don’t even own a home. I don’t have a mortgage. Why are you calling me? Well, they’ve gotten just
tons of phone numbers and they’re calling everybody
with this annoying recording, and then we also are very interested in dealing with leads. Leads are, there are these companies called lead generator companies
that are generating leads which are basically phone
numbers or email addresses and names and sometimes
other basic information about people that are
then sold to companies so that they can try to
market products to you. For example, in the case that I worked on involving the medical discount card, the bogus health insurance, basically, there were these
lead-generating companies that set up these websites that said are you looking for health insurance? We can give you a free quote,
and what you would need to do to get the free quote, of course, is put in your phone number and answer some basic questions about yourself. Do you have a preexisting condition, are you within this age range, do you currently have insurance, are you unable to get insurance because of financial reasons or because of your pre-existing condition? And once they were able to categorize you in certain ways and get your email address and/or your phone number,
then you became a lead and that was something that
companies could then use to target you, knowing
that you were looking for some kind of health insurance and maybe not able to get it, and therefore, might fall victim to a medical discount card scam. Another type of lead that we see a lot is payday loan leads. Do you guys know what payday loans are? It’s something that hopefully none of you ever have to take out. They’re generally very
high interest rate loans. They’re actually illegal in New York, so you probably won’t see them, but what happens is that there are people who are in hard times and they
just need a short-term loan to get them to their
payday, and so these loans are given at very high
interest rates generally and they’re just for a very,
very short period of time. If people fail to pay them back, then you end up having to pay a lot more than you really bargained for, but what we see with payday loan leads is there are people who will go online looking for ways to get
some short-term cash and they’ll fill out a form that says would you like to be
pre-approved for a loan, and they don’t even know what kind of loan they’re even looking at, but
they fill out some information about themselves, about how much money they’re looking to borrow. They give their name or their phone number and then sure enough, that
information turns into a lead and it can be passed on
to either real lenders who will try to extend
credit to these people or unfortunately, it can
turn into what we call phantom debt where there will be people who purchase these leads
and then they just call and they harass people about debts that never even existed, so we
at the FTC are very concerned about leads and lead generators and making sure that this
area is not something that’s used to abuse people. Okay, so why do we care
so much about privacy and data security? We want to stop information practices that harm consumers and we wanna do it without constricting the
free flow of information that benefits consumers. So basically, we want
to be able to allow you to have an online transaction
that is convenient that people want me, I’m a
seven-and-a-half month pregnant woman who also is a mom of a toddler. If I need some baby bottles,
I can’t be going out in the middle of the day doing it. I need to be able to do that online and have that delivered to
my apartment two days later, and so we wanna make sure
that consumers are able to have these conveniences,
able to have that benefit but without the harm, the potential harm, that can go with it. So, what kind of harm am I talking about? Well, the main kind of
harm is identity theft, and this was, as I
mentioned, was the topic last time I came here and identity theft is the number one consumer complaint year after year after year. It affects so many people. I have been a victim of identity theft and some people here last time I was here spoke very openly about
their identity theft issues and it is a real pain. You generally don’t have to,
you don’t lose any money, but it is such an inconvenience and it’s also, it can be
very embarrassing when you go to the grocery store and
your credit card is denied because somebody else has run things up, run up some charges. It’s just super annoying,
so if you’ve been a victim of identity theft or if
you wanna learn more, please go to www.identitytheft.com. There’s a lot of resources there. You can also check to make sure you’ve not been a victim of identity theft by checking your credit report every year. Every year the three major
credit reporting agencies, Equifax, TransUnion, and
what’s the name of the third? – Experian.
– Thank you, Experian. The three major credit reporting agencies have to give you a free
credit report each year, and you can get that by going
to annualcreditreport.com. Another way that people
fall victim or something that can happen as a
result of identity theft is people can file bogus tax returns and that is not fun. If you are expecting a big refund, you go to file your taxes. Turns out someone has already
used your information, your Social Security number,
filed taxes in your name and taken the nice refund that
you were expecting to get, so that’s one reason we
are very, very concerned about data security. We don’t want people to be
a victim of identity theft. What are some other reasons
we care about privacy and data security? Because sometimes people are engaging in very private things on the internet, and I’m sure you’ve all heard about and read about and maybe laughed about the Ashley Madison scandal. I love this particular one. I actually just took this screenshot from their homepage yesterday and I think it’s so funny
that underneath the picture of the woman shushing is a little symbol that says Trusted Security
Award, 100% Discreet Service, and SSL Secure Site, so their information, as many of you know, was
hacked and then leaked and it turned out that they did not follow a lot of data security
protocols that they should’ve. One thing that they didn’t do is they didn’t really authenticate emails, so you could sign up for Ashley Madison using an email address and making up a password, but they never sent you an
email at that email address that then made you click on the link and then confirm that you were signing up. So, I actually have a
friend whose email address is linked to an Ashley Madison profile and he’s so lucky because
he was dating his now wife when it first happened and
he thought it was a joke, that she signed him up for
some free trial or something and he tried to get the emails to stop, but he couldn’t because
it was one of these emails that says you can’t
reply and just directing them to log in. He couldn’t login to change anything ’cause he didn’t have the password because he didn’t set it up, but anyway, now he found out who, it’s because of the hackers, he found out who had
used his email address and decided to send
that guy a nice letter, but anyway, another interesting
thing about Ashley Madison is that they had an extra
fee that people could pay that supposedly would guarantee
that all the information was deleted, and what we
learned after the hack is that that actually didn’t happen. So, they told consumers that
if you wanted to make sure that all records were burned forever and you could never be
discovered, pay this extra $30 or whatever, and that didn’t happen. So, the reason I wanted to mention that is because you may wonder what
kind of security is required. Well, what the FTC
requires is what we call reasonable security,
and reasonable security means two things. There’s an absolute floor
in terms of what kind of security you need to have, but it also depends on what
information you’re collecting. So, if you’re collecting
Social Security numbers linked with names and addresses
and credit card numbers, financial information,
maybe bank account numbers, that is all the most
sensitive consumer information you could collect. Also, health information
is very sensitive, so the more sensitive the information, the higher our requirements are, so that’s one aspect of it. If all you’re doing is,
I order milk and meat from this company that comes and delivers this really fresh stuff from farms, but they don’t have any
payment information there, so all it is is my name
and then what kind of milk and meat I wanna order, so that company would not be held to as high a standard because they’re not collecting my Social Security information, they’re not collecting
my health information, they’re not collecting
any financial information, so yes, I have to have a member login ID and a password to get in, but if there were a data breach there, it wouldn’t be a big deal, so if they didn’t have
proper firewalls or whatnot, it’s not the end of the world, so depending on, it’s
kind of a sliding scale. The more sensitive
information you collect, the higher the data
security requirements are. Now the second part of
it is you have to provide as much security as you promise. So, in the case of a
company like Ashley Madison that told people if you
pay this extra $30 fee, then everything’s gonna be deleted, well, guess what? We’re gonna hold you to that standard, so anyway, that’s why I love this example, and just so you know, the reason why I talk to you guys as if you’re businesses is because you’re here as
part of the Business Society and I assume that in not too long, those of you who are not
already working will be working, and I can tell you that in
a lot of small businesses, people who have set up
the companies years ago and maybe are not as familiar
with emerging technologies, they’re not really thinking
about these things, and so we’re asking the younger generation to look out for people, and when you go and you start your job or
if you’re already working, you go to work and you might wanna say to your employer hey, I’m not
sure that we should be using the same password as the login name to get into all this sensitive information or maybe we should encrypt this or if we’re working in a storefront that has customers coming in, then that network should
be password protected so that people can’t get in and get this information, so that’s why I’m kind of saying what
you were required to do because I see you guys as all
probably going into business if you’re not already
working and being people who can really influence
the folks you work for and talk about these
very important issues. Okay, so why is information
important to the business, information security
important to businesses? Because the amount of data that we capture doubles every 12 to 18 months, so we’re kind of at this
point where we’re able to capture and store so much information and people don’t always
know how to dispose of it or to get rid of it. Like for example, Ashley
Madison might have thought that they were getting rid
of all these email accounts when people asked to be deleted, but clearly they didn’t do that, so it’s really important
to think about how we can either collect less
information from consumers or find ways to either not store it or store it in a sensitive way
and dispose of it properly, and so the reason it’s important also is because we’re concerned about ID theft or other harm, and that
really harms businesses, and the reason it harms businesses is because customers are saying
that they care about this. One in five people has
been a victim of ID theft. 85% of people say that their personally
identifiable information, what we call PII in the industry,
is very important to them and 91% of people are concerned that their data may be stolen. Have people seen, just
in the last few days, there have been all these
Facebook status updates where people say I do
not consent to Facebook taking my information and
that was largely a hoax, but it’s something that people care about. People care about their
privacy and people care about having some ownership
of what they’re doing online and the pictures that
they’re putting online and consumers are telling
people that they care about privacy and so because
it matters to customers, it’s gotta matter to businesses, and it needs to matter to businesses because breaches happen a lot. Small businesses say that half of them have been subject to
breaches in the last years, in the last year, for
multinational corporations, 86% within the last three years. Do you guys all remember the Target hack that happened, the Target breach? That affected a lot of people and it really affected
Target, the company. There was a huge drop in stock price because there was a concern
that there wasn’t integrity in the information being
stored by the company. So, lots of studies show
that there were huge numbers of breaches and whether
or not that results in identity theft, there’s
the fear that it’s going to. I personally may have a reason
to be concerned about this because as I mentioned, I work
for the federal government and you’ve all probably
heard about the OPM breach, the Office of Personnel Management, that was by, we believe, Chinese hackers, and all of our sensitive information has been stolen and that’s
really terrible for us as individuals and it’s
very terrible for our nation because we have to be
concerned about another country learning about anyone’s
potential vulnerabilities, if you will, so it’s a big deal. So anyway, what I tell
people when I go and talk about cyber security is do as I say, not as the government did
because unfortunately, anyone can be subject to a breach. So, what does a breach cost to businesses? It’s very, very expensive,
which is just amazing because the ability to take
inexpensive security measures that are pretty good, it’s out there. You can now protect
yourself pretty cheaply, but a lot of companies just
aren’t staying on top of things and so there’s the cost
of discovering the breach, of responding to the breach, of providing notice to the customers, and so that’s estimated at $50 per record, so per file that’s taken. There’s a lost employee productivity, so employees having to spend all this time to deal with the breach,
and that’s estimated to be $30 per record. Then you have lost
customers, as I mentioned, after that huge Target data breach, there were a lot of consumers
who didn’t wanna shop at Target anymore because
they were concerned that they would be
victims of a data breach, so that’s expected to
be about $98 per record, and then there’s other intangibles. I think stock price is pretty tangible, but it’s just that you
can’t link it directly to that necessarily. There’s reputation and
more, and so the bottom line is if you have a breach that
compromises 10,000 records, you can expect it to cost a company between $1 and $3
million, so that’s no joke. I mean, that’s enough
to put some companies out of business. Okay, so what does that mean for us? Well, as I mentioned, consumers
care a lot about this issue. They care about their privacy, they care about data security. We’re talking about a lot of money here. The problem just keeps
getting worse and worse and there’s constantly
emerging technologies, both good technologies that
can help prevent breaches, but there’s also emerging
hacker technology and people are always
finding new ways to get in and breach security, so
businesses and governments, particularly the OPM, need to do better to protect consumer information. So, there are existing laws
that require businesses to implement security
measures that are reasonable and appropriate under the circumstances, so as I mentioned, it’s a sliding scale. The more sensitive the
information that’s collected, the more security measures
they need to take. There’s also a requirement
that consumers be notified in the event of the data breach, and information that has to be protected is stuff like Social Security numbers, account information,
information from credit reports. Legal standards. There are a lot of different
laws covering this. This is just a few examples. There’s the Federal Trade Commission Act. We enforce data security issues
under the unfairness prong of Section 5 of the FTC Act. We also will go after
deceptive privacy policies, so to the extent that
there’s a privacy policy that’s out there and the
company doesn’t actually follow or give you the level of
privacy that they tell you they’re giving you, then we would use the deceptive practices portion of the FTC Act to enforce that. There’s the Fair Credit Reporting Act. Do you guys know about that? The Fair Credit Reporting
Act is basically a rule that restricts the use
of credit information, and so if you apply for a
credit card, for example, there’s gonna be a credit
report that’s run on you, right? And that credit report
is gonna be provided to the credit card company
or to the issuing bank, and that company will
decide whether or not to issue credit to you. In the event that you are declined and it’s based on information
in your credit report, then that needs to be disclosed to you. That’s one of the requirements of the Fair Credit Reporting Act, and the reason is because
there can be things that are wrong on a credit report. For example, after I
had my identity stolen, there was a lot of information
on my credit report that was wrong and consumers
need to be notified of that so that they have the
opportunity to clean up any inaccuracies or discrepancies there. There’s the Gramm-Leach-Bliley Act, the FTC Disposal Rule, which talks about how to
properly dispose of information. There’s other federal laws. HIPAA governs health records. There’s DPPA, FERPA, and state laws, and I’m not gonna get into everything, but I’ll tell you a
little bit about COPPA, which is the Children’s
Online Privacy Protection Act, and this is aimed at kids because everybody’s playing games on apps and doing things on mobile
phones and there were issues with children’s apps and
people collecting information about kids, which we didn’t want. So, there are changes that are in effect. We are, for example, personal
information about a child includes photos, video or audio, child screen name, IDs. We’re very concerned about
protection of children because they may not be
thinking about privacy issues the way their parents are. Okay, so as I mentioned,
we have used Section 5 of the FTC Act to enforce privacy and data security and we
require reasonable procedures to protect information and we also require that companies live up to
the promises that they make. So, our philosophy is
that information security is an ongoing process. You can’t just set up your website, put in reasonable security practices, and then forget about it. As you learn about new types of scams and new types of hacks
and new types of malware, you’ve gotta constantly be reevaluating data security practices and make sure that the company’s
practices are up to date. It has to be reasonable in
light of the circumstances, as I mentioned, that sliding scale. The more sensitive information you take, the more you need to protect it, and this is interesting. A breach does not necessarily show that the company didn’t have
reasonable security measures. So, we don’t only go after companies that have been victims of breaches. There are some companies that we go after where there hasn’t been a breach and there hasn’t been
any real consumer harm, but if we become aware
of lax security measures, then we will go after them. Oops. Okay, so the Fair Credit Reporting Act, which I talked about briefly, it requires consumer reporting agencies to know their consumers and
use reasonable procedures to allow access to consumer reports only to legitimate users. Now what’s interesting is
that consumer reporting agencies is a defined term that doesn’t just include
Equifax, Experian, and TransUnion, it also
includes other companies, and there was an interesting
case against Spokeo. Do you guys know what Spokeo is? It’s this website that collects
information about people that it gathers from online sources and Spokeo was a data aggregator that then offered profiles
to employment agencies, human resources, staffing firms, and recruiters, and it
would have information such as your name, your
address, your online activity, your hobbies, pictures you’ve posted, anything that you had done publicly, and then it was marketing those
specifically to recruiters. They set up a URL that was
like, www.spokeo.com/hr and they had bought advertising terms that recruiters and employment agencies, temp agencies would be attracted to so that they would market to
those particular companies, and then the problem there is that people were making employment decisions based on the information they saw. In fact, one of the taglines
that Spokeo was using was go beyond the resume, saying you can learn a lot
about these job candidates just from what they’ve put online and we’ll aggregate all this and show you what this candidate is really about, and so then people were having adverse employment consequences and
not being told about that, which is a violation of the FCRA, so anyway, that’s one interesting Credit Reporting Act case. Okay, so there’s just some requirements. A business has to provide consumers with information about a fraud. They have to identify the identity of any applicants who have fraud alerts on their credit report profiles. They can’t sell or collect
on a fraudulent debt and they can’t report a fraudulent debt to the credit bureaus,
and the credit bureaus are those three major
credit reporting agencies that I mentioned. Okay, I’m taking too
long, so I’m gonna skip through some of these things, but these rules basically,
these laws basically are various ways that the government
enforces security rules. So, information security is currently a major FTC priority. We have brought a lot of cases
against some of the companies whose logos are displayed here. I’ll talk to you about a few of ’em, but I unfortunately will not have time to get into all of them. So, as I mentioned, we have brought cases against companies who have misrepresented their security procedures
or their privacy policies. We have brought cases regarding
wireless vulnerabilities, so BJ’s Wholesale Club, Dave & Buster’s, those
places where you can go and play all the video
games and carnival games and eat pizza and that sort of thing. They had wireless vulnerabilities where there were easy to guess
passwords or no passwords and there was basically open access to tons of credit card information. Then this company, Guidance
Software, had vulnerabilities to command injection attacks. That’s a very particular type of hack and what’s interesting about
the Guidance Software case is Guidance Software sold
software and related materials to customers who would use this software to investigate and respond
to computer breaches and other security incidents, so this was a company that
was actually selling software related to security breaches and somehow they themselves were vulnerable to these particular
command injection attacks, so that was one issue. We have brought cases about
data retention issues. CardSystems was a big
case that we brought. CardSystems was a case where
the company provided merchants with products and services used
in authorization processing, which is the process of
approving credit card and debit card purchases, and they were just keeping
too much information and storing it improperly. Then there was the failure to authenticate prospective customers, and this was a case involving ChoicePoint. This was an FCRA case, and in this one, they were obtaining and
selling to businesses personal information of consumers, including names and
Social Security numbers, birth dates, employment information, and credit histories, and in this case, they didn’t monitor their
application procedures for their prospective
customers well enough, and they were selling this
information to bogus companies that were using commercial mail receiving, like a post office drop
box kind of things, so if you use a UPS store
address or a Regus virtual office or these kind of phony addresses, they were selling to companies that were using those types of things, not real companies, and
so it was just dangerous to be providing that kind of information to bogus companies, and
then another case involved inadequate employee training, and this was a case against Eli Lilly. Eli Lilly is the maker of
Prozac, the antidepressant, and this was a case that
spawned from an email that an Eli Lilly employee
sent to 699 people that disclosed the email
addresses of people who had subscribed to this
auto reminder kind of thing to remind people to take their medication or remind people to get a refill. So, have you ever gotten an email where somebody really
should have BCC’d everybody, but instead they just wrote to? So, imagine that sort of thing happening, but now all of a sudden,
699 people all know the email addresses of everybody else who is taking Prozac and
wanting to be reminded to take their meds or to refill them, so that’s pretty sensitive information. So, we brought an action against Eli Lilly based on that. Then there are other vulnerabilities, and these are important for
businesses and consumers alike. Passwords are the keys. There should be double
factor authentication. Double factor authentication
is we require people to for example, have an email confirmation where you would receive an email and then have to click
on a link and use that to then finalize the setup, and passwords should be
required to be strong. Do you guys know what a strong password is versus a weak one? So a weak password would be one like, exactly the same as your
login name or your name or something like that,
something that’s easy to guess, and a strong password is
one that has a combination of capital letters,
lowercase letters, numbers, other characters, that sort of thing. We are concerned about
companies not installing patches when there is a known vulnerability. Do you guys know what patches are? So, if you have some kind
of say, Norton AntiVirus or some other kind of antivirus software, generally hackers will find
ways to get around this, and so software companies
put out what’s called patches that are like Band-Aids
to fix the little problems where there could be
breaches, and so companies need to stay on top of the patches and make sure that they
install them in a timely way. Everybody needs to be concerned
about tech support scams. Has anybody heard about
these where you’re, were you a victim of it, or?
– No, but it comes with my laptop with a MacBook Keeper, and it’s like, that’s fate. Tech support’s doing a
cyber report, but it’s fake and (faint speaking).
– Right, so that’s exactly it. You’ll get a popup that tells you that there’s some kind of
malware or some kind of virus that’s trying to attack your computer, and so a lot of people will see that and they’ll just click on that. Well, guess what? A lot of times, that’s a scam and when you click on it, that’s when the malware will be installed or that’s where somebody
will be able to remote into your computer and then do
things like record keystrokes or do other things that
would give them access to your information. Recording keystrokes where what
you type is being recorded, so then when you go online and you wanna do your Citi banking online and pay all your bills, somebody can be basically
watching what you’re doing and that’s pretty scary to think about. Then there’s Spear Phishing attacks. That’s when it’s a targeted
attack where there’s an email. Oftentimes it looks like it’s
coming from somebody you know and all it requires is
that you click on a link and then boom, everything’s open. So, we have brought cases
under the unfairness doctrine, as I mentioned, over
data security practices saying that when there’s
inadequate safeguards, then there’s this likelihood
of causing consumer harm without any countervailing benefits. Okay, I don’t have time to go over all of these key principles, so I’m just gonna mention them briefly, but if this is something that
people are interested in, I can order these publications for you and maybe have Linda get them. It’s this guide called
Protecting Personal Information, A Guide for Businesses. I’ll talk to Linda about
that or maybe I can find out from you guys if you’re interested in any of these kinds of pamphlets. Unfortunately, I think I have
to order them in hundreds, so we’ll talk about that. That’s why I didn’t bring them today. So, what businesses
need to do is take stock of the information they are collecting. Scale down, only collect what they need. Lock it up, make sure
that what they do collect is kept securely. Pitch it, meaning discard it properly, and plan ahead. If you are a victim of a data breach, because so many companies are, then you need to plan accordingly. Have a protocol in place so that you know how you’re gonna notify people, you know who’s gonna be
in charge to deal with it, that sort of thing. So, I’m gonna skip through these. Okay, so how is data obtained other than security breaches? There are situations
where a privacy policy will say that data is gonna
be shared indiscriminately, so does anybody here
read terms and conditions in privacy policies and that kinda stuff? I have to admit I should
because I know better, but even I generally just click through these kinds of things, but
there are privacy policies out there that will tell you that they’re gonna sell your information or they’re gonna share the information, so there’s a lot of times
where information isn’t stolen, it’s just been provided by you and that information has been freely given and nobody’s broken any
laws because they told you they were gonna give it up, so consider looking at some
of these privacy policies. Then there’s a situation where
scammers are tricking you into providing information. Some of those can be like
lead generation websites and that kind of thing, and then people seem to
get a lot of information if they think they can win something. So, we had a case against a company that was texting people
saying that they won a $1,000 gift card to Walmart
or to any other, Best Buy, big box stores kind of
thing, and all you had to do was verify your information,
and so people were giving tons of information,
their name, their address, their Social Security number. People hear that they’ve won $1,000 and they’re pretty excited about that and they’re willing to
give up information, but of course, it was a scam and there was no gift
card and all people did was give up valuable information. So, the name of that case was FTC v. Acquinity Interactive, LLC. So, what do these
companies do with the data? They are using it generally
to either sell leads or sometimes they’re
just selling data dumps that you can buy on, you guys have heard of Silk Road, right? Silk Road is the digital
underground is what I call it. It’s a place you can go online. Now don’t everybody go on
after I tell you about it, but Silk Road, there’s actually a really
interesting article, I think it was a three-part
article in Vice magazine or Vice online about Silk Road. It was started by this guy
who was a computer programmer and a hardcore Libertarian
and recreational drug user who really felt that the government should be getting out of drug regulation and that people should
be able to take ecstasy whenever they wanted and to get it, and he wanted to find a secure way to have a marketplace for this, and so Silk Road is
basically the Craigslist of illegal activities, so anything, you go on Craigslist to get a roommate, you go on Silk Road to get a prostitute. Think of it like that, okay? So, Silk Road turned into crazy stuff. People were hiring hits, meaning trying to kill
people, just anything. So, one thing that you
can buy on Silk Road is you can buy data dumps
of credit card files, so hackers will do a security breach, they’ll get in, collect tons
of credit card information, and then they will sell that
information on Silk Road. So anyway, it’s also called the dark web is what it’s called.
– Is it still, I thought it was closed down? – It may have been closed down because the founder was arrested and leading up to that arrest
is what this Vice article was all about, but there are other, Silk Road is the most famous, but there are plenty of
other dark web websites. So anyway, I encourage
everybody to go to Vice and read about that Silk Road stuff ’cause it’s really fascinating, but anyway, so that’s why we are concerned about data security is
because it’s just so easy for hackers to get at this information if there isn’t proper security, and it’s also so easy
for them to monetize it by selling your information. One type of lead is to get people to apply for credit cards. When I was in college, I
remember there was always the free T-shirt offer, and it was like, apply for this credit card
and you get a free T-shirt, and in retrospect, I can’t
believe anybody fell for this, but this was something
that people wanted to do, and the idea is that if you
can extend credit to people, then they’re gonna be paying the interest and penalties and whatnot. Another thing like we talked about, the bogus tax returns, people
will use your information to file a tax return in your name and under your Social Security number and take your return. Then there’s the payday loan leads. You have to worry about
getting harassed about loans that may or may not exist. Phantom debt, as I mentioned, is when the debt was never
real, it’s made up debt and you’re just getting
harassed until you pay it, and then there are other
online bogus forms, lead generation forms that you
have to be concerned about. FTC v. Accusearch was a privacy case that we brought where Accusearch, Inc. was selling listed phone numbers, and so if there were
stalkers, for example, who wanted to harass
somebody and that person changed their number
to an unlisted number, they could pay Accusearch
and get that information. This is particularly creepy. This case, now I’m just
telling you examples of our privacy cases. Aaron’s, Inc. was this
rent-to-own computer store and you could rent a PC
and what you didn’t know is that the little camera
that’s on top of the monitor that came with it could record everything and not just when you hit record. They had control over
looking out of your screen and taking pictures, and
you could only imagine some of the pictures they took. They had pictures of people changing, they had pictures of people involved in intimate activities, they had some pretty private stuff there. They also recorded keystrokes, which, as I mentioned, that’s
when it’s as if somebody is watching you and seeing
what you are typing in and getting access to all of your login and password information, and of course, the
reason this is a problem is because they didn’t tell
people they were doing this. They were renting the computer
and I guess they wanted to be able to know where the computer was and find info on people
to get them to make sure they made their payments or gave it back and that’s how they chose to do it, and that was illegal, so we sued them. So, we are concerned about extortion. I’ve talked about ID theft, I’ve talked about private information like Ashley Madison type of
information getting out there. We’re also concerned
about people putting up embarrassing information and
charging you to remove it. The FTC recently brought
a case called jerk.com which was really interesting. It was this website that basically, you could report somebody as being a jerk and then they would have to pay to have their name removed
from this jerk list, so that’s a pretty
interesting case, I think, and then maybe you guys
have heard about this horrible, horrible thing out there called revenge porn,
but there are websites that are set up that
are specifically places where people can put inappropriate photos that may have been sent to
them by an ex-girlfriend or ex-boyfriend, and then
it’s available for all to see. So, we’re concerned about situations where people are either being exposed or where there’s extortion and people are being charged money to have to take some pictures down. Okay, so I feel like I need to skip through some things ’cause
I’ve already been talking for nearly an hour and I wanna make sure we have enough time for questions, so I’m gonna skip some of this. We talked about tech support scams. Okay. Okay, so we also have another publication that I think would be useful if anyone’s interested in the subject. It’s called, we have
more at ftc.gov/privacy, and I wanted to quickly now just show you some of the resources we have available. Okay. So, if you go to ftc.gov
and you go to Tips & Advice, we have the Business Center here and there’s a link that
goes to Privacy and Security and it talks about different
rules and requirements that we have and maybe
more interesting to you is if you go to tips and
advice for consumers, we have a Privacy & Identity tab here and if you are a victim of identity theft, you can click on Recover
from Identity Theft. This, I think, everybody
should be aware of, Limiting Unwanted Calls & Emails. There are all of these
things that you can do to stop unsolicited
mail, phone calls, email. I need to do this again actually, and it’ll tell you how to report scams, that kind of stuff. Then there’s a whole
section on computer security talking about free security scams, which is a lot of these
tech support scams, generally talking about
computer security, cookies. Do you guys all know what cookies are? So anyway, there’s a
lot of information here. Also, disposing of old computers. There was this terrible
scam where all these people who donated computers
had their identity stolen because they weren’t
wiping the hard drives before turning them over, so you have to be concerned about that. This talks about peer-to-peer file-sharing
risks, phishing scams. Anyway, there’s a lot of information here and I really encourage you
all to go to our website and to take a look at some of these things because it’s just amazing and alarming to see how frequent data breaches are, and because we do so much online and have such sensitive information passed over the internet,
we really need to think about these issues. So, do you guys have any questions for me about data security or privacy issues? – [Woman] Just in relation
to the small businesses and that they’re not up to
spending that much money on security, does the FTC hold workshops for small businesses
so that they may become more aware of issues they
need to do (faint speaking)? – We do. The question was whether the FTC has workshops for businesses
so that they know, for small businesses, so that
they have an understanding of what’s required of them. For example, here on our main webpage, we’ve got a link to PrivacyCon. This is gonna be in January in D.C. And it’s really gonna be a
whole convention about privacy, and we have, under Tips & Advice, we have this Business Center here and we’ve got Privacy and Security, and this has a ton of
information for small businesses about what’s required of them. We also have a brochure which I’m gonna, I just brought one copy
that I’ll leave with you called Start with Security:
A Guide for Businesses, and you can order more of these for free and I encourage everyone to look at it, and so yes, we have a lot of educational
resources for businesses. We feel like at the FTC, we
need to educate consumers and we also need to educate businesses because consumers need to be aware of what they’re getting into and there are issues like,
I talked about unfairness where there’s things,
it’s traps that consumers can’t avoid, you don’t see them. It’s not like deception where maybe if you’d taken a closer look or looked at the fine
print, you would’ve learned what was happening to
you when it comes, woops, when it comes to unfairness,
there’s a lot of things that consumers don’t
have any control over, so it’s very important to us that we advise small
businesses and make sure we have resources available to them. Any other questions? You can ignore it, you
can file a complaint with the FTC. So if you go to ftc.gov/complaint,
file a complaint, and then next time you
get a call, let them know that you filed a complaint with the FTC.
– No, I just, I told them. I said, you know what we can put in the, with the police, we can put it in the (faint speaking). You can tell them whatever
information you have and we can go forward from there. – The problem is that the police often don’t do anything about these things.
(faint speaking) Well, ’cause it’s not an immediate threat. Somebody else is getting
beat up at the same time, so it’s–
– I feel like if somebody is coming at your door
and knocking the door and unless you get killed, we are not as, you are not–
– Right, so the police are more interested in
avoiding imminent harm and so if there’s a real
threat of physical force or like the police told you, if somebody’s at your door, then that’s when they wanna get involved, but I think that generally speaking, it’s gonna be more effective for you to contact the Federal Trade Commission and file a complaint, and
so if you go to www.ftc.gov, you’ll get to this website, which is the Complaint Assistant, and you can select a category here and let’s see, credit and debit. So, Debt Collection
practices of a company. So, you can put in information here about a complaint against
a debt collection company. Give us as much information as you can, the phone number they called from, the names of the companies they’re using, what they said to you exactly, claiming to be the IRS, whatnot. As I mentioned, I’m currently involved in an active litigation against
a debt collection company, or actually several debt
collection companies, and they did pretend to be the IRS. In fact, one of the names was International Recovery Service so that they could use the acronym IRS and one of our allegations against them is that they were claiming
government affiliation when they, of course, were not affiliated with the government, and so in that case, before we filed the lawsuit, we were aware of more than 1,100 consumer complaints against these companies. Since filing the lawsuit,
we’ve learned of even more. So, what happens is there are
a lot of these debt collection companies that are out
there and the best thing you can do is file a
complaint with the FTC because when enough complaints are filed, we know that it’s time to take action and we have the evidence that we need to go after these companies, so please, instead of calling the police, they’re likely not gonna help you unless there’s a real
threat of physical force being used against you. So, contact the FTC and contact also the Better Business
Bureau and let them know, and next time you get
a debt collection call, let them know that you’ve
already filed a complaint with the FTC and you’ve
already filed a complaint with the Better Business Bureau and these people, hopefully,
won’t want to mess with you anymore because they know
that they could get caught if they do.
– Same thing is with the (faint speaking) symbol, that they pretend to be caller victim and your electricity bill
you didn’t pay last month and they’re gonna cut it, (faint speaking) one day or so, you have to (faint speaking) pay right now and all that stuff.
– Same type of scam. If you know you paid your Con Ed bill and you’re hearing these kinds of things.
– I just asked him what kind of company? Con Ed would call me personally and tell me that you didn’t pay your bill. – Right (laughing). – [Female Voice] Instead
of just (faint speaking). – Yeah (laughing). So yeah, make sure you file
complaints with the FTC, but your local precinct is
probably not gonna be able to do much to help you there. Does anyone else have any questions? Okay, well, listen, thank you all. I really appreciate it. I’ll give the mic back to Linda, but I really appreciate you
all coming and hearing me out, and if you have any questions, please go to the FTC’s website. We have a lot of resources available. – Okay, thank you so much, Karen for a lot of information
I didn’t know before. Those of you who have the attendance sheet, please sign it and make sure I get it, and again, thank you so much. (audience applauds)
– Thank you!
