Tag Archives: identity theft

California AG Takes Lead In Cybersecurity

Data breaches at major retailers Target and Neiman Marcus during last year’s holiday shopping season affected more than 100 million people and focused new attention on the need to protect personal information stored online.

While it’s clear that tough data breach legislation must be enacted, California Attorney General Kamala Harris is taking action to improve cybersecurity in the state before new laws are passed.  Today she released recommendations to California businesses to help protect against and respond to the increasing threat of malware, data breaches and other cyber risks.

In addition, Harris is leading an investigation by state attorneys general into the Target and Neiman Marcus breaches, Don Thompson of The Associated Press reported:

Harris’ office also disclosed that California is leading a multistate investigation into the massive holiday season consumer data theft at discount retailer Target Corp. and luxury retailer Neiman Marcus, breaches that left tens of millions of customers at risk. More than 7 million Californians were affected by the Target breach alone, Special Assistant Attorney General for Law and Technology Jeff Rabkin said.

The U.S. Justice Department is taking the lead in trying to identify the culprits, who are suspected to be based overseas, while the multistate investigation focuses on whether the retailers share blame because they lacked the necessary precautions to prevent the thefts. The state investigation also will explore whether Target and Neiman Marcus acted properly as soon as they learned of the problem, Rabkin said in a telephone interview.

The guide, Cybersecurity in the Golden State, offers suggestions focused on small to mid-sized businesses, which are particularly vulnerable to cybercrime and often lack the resources to hire cybersecurity personnel. In 2012, 50 percent of all cyber attacks were aimed at businesses with fewer than 2,500 employees and 31 percent were aimed at those with fewer than 250 employees, Harris said.

Key recommendations for small business owners include:

  • Assume you are a target and develop an incident response plan now.
  • Review the data your business stores and shares with third parties including backup storage and cloud computing. Once you know what data you have and where it is, get rid of what is not necessary.
  • Encrypt the data you need to keep. Strong encryption technology is now commonly available for free, and it is easy to use.
  • Follow safe online practices such as regularly updating firewall and antivirus software on all devices, using strong passwords, avoiding downloading software from unknown sources and practicing safe online banking by only using a secure browser connection.

In 2003 California was the first state to pass a data breach notification law. In 2012 the law was amended to require that any breach involving more than 500 Californians be reported to the attorney general.

> The 170 breaches reported to the attorney general’s office in 2013 represent a 30 percent increase over the 131 identified the year before, according to figures provided to The Associated Press. Among entities reporting breaches in 2012 were American Express Travel Related Services Co., Kaiser Permanente and several state government agencies, including the departments of Public Health and Social Services.

Given the current data breach laws, Harris is taking meaningful action. But what’s ultimately needed is a law that would make her best-practice recommendations legal mandates. We need a California Financial Information Privacy Act that would:

  • Change breach notification standards to be immediate.
  • Set limits on the time data can be retained, and on what information can be collected and retained.
  • Write minimum-security standards into the law so that they are no longer voluntary.
  • Most importantly: create a private right of action. Put a price tag on retailers’ mistreatment of our private financial information.

Until there is a real price to pay, Target, Neiman Marcus and other retailers will continue to make us targets.

Posted by John M. Simpson, Consumer Watchdog’s Privacy Project Director.

PG&E Commits Facebook Identity Theft for Prop 16

Several weeks ago, I noticed that one of my friends on Facebook was a “fan” of Proposition 16 – PG&E’s Monopoly Protection Act that is easily the worst measure on the June ballot.  After I chewed him out for it, he expressed shock to even be on that page.  Apparently, PG&E had added him on as a supporter without his consent.  Today, just as the Prop 16 campaign boasted that it now has 50,000 “fans” on Facebook, I received a press release from the Sunrise Center in Marin County – who complained that some of their own staffers (who are working hard to defeat Prop 16) have also been added as “fans.”  Besides exposing a serious loophole in Facebook’s privacy features, it also proves that PG&E’s $40 million campaign to pass Prop 16 includes committing identity theft.

Christy Michaels, the Corte Madera-based Sunrise Center office manager, said she was surprised to hear from a friend that an ad showed up on her friend’s Facebook page claiming, “Christy Michaels likes Prop 16.” When Christy went online she found she was named as a supporter of PG&E-funded Prop 16 on the Sunrise Center Facebook page and her personal page.

Women’s Energy Matters (WEM) is reporting these incidents to the Secretary of State, Attorney General, California Public Utilities Commission and State Senator Mark Leno, asking for immediate investigations and injunctions against PG&E and Facebook. WEM, Christy, and Kiki are advocates for Marin Clean Energy, the community-run alternative to PG&E that launched May 7th and provides local residents and businesses twice as much renewable energy as PG&E at the same cost. If Prop 16 passes, local communities would require a two-thirds vote to create a similar “public option” to PG&E – which scares the giant utility company because it would have to face competition.

Barbara George, Executive Director of WEM, commented, “The whole point of Facebook is to be in touch with people you know and trust, so for PG&E’s campaign to misappropriate Facebook identities and friends lists in order to falsely claim that people ‘like’ Prop 16 is an intolerable invasion of privacy and subversion of democracy. The June 8 election on this measure has been tainted by massive false advertising and dirty tricks, and Facebook identity theft is a new low. PG&E is already spending $46 million on TV and print ads promoting Proposition 16 which, if it passes, would make it virtually impossible for communities to follow Marin’s lead to provide cleaner cheaper power for their residents and businesses.”

Attorney General Jerry Brown should consider pressing criminal charges against PG&E, which appears to have committed identity theft. Ironically, Facebook’s former Chief Privacy Officer — Chris Kelly — is running to replace Brown in next week’s election.