Privacy and Data Protection

FTC Settles Charges Against Online Company for Deceiving Consumers

The US Federal Trade Commission (FTC) has announced that it has finalised an Order (7 June 2011) settling charges that online advertising company Chitika Inc (Chitika) tracked consumers’ online activities even after they chose to opt out of online tracking on the company’s website. Chitika is prohibited from “misleading consumers about the extent of its consumer data collection and the extent to which consumers can control the collection, use or sharing of their data”, among other matters.
FTC’s media release (17 June 2011)
(Source: FTC)

Breach Revelations the New Trend

The Wall Street Journal (WSJ) reports that companies seem more inclined to disclose data breach incidents than before, even when not required to do so by law. When Epsilon Data Management experienced a data breach in March 2011, the firm reportedly “assembled a crisis team”, which used a breach-response plan to decide how to respond and how to notify clients. According to the WSJ, this approach is more sophisticated than breach responses in past years, and more companies are using pre-prepared plans to manage security breaches. Firms are also reportedly finding that a well-handled breach disclosure can actually improve reputation and customer loyalty.

Whether customers react favourably or not to a data breach reportedly depends on the timeliness of disclosure and on how much information and guidance is provided. For example, Sony Electronics and Citigroup have both reportedly been criticised for delaying disclosure, and the former has also been faulted for not stating what information was involved in the breach.

ICR data breach response specialist Michael Fox reportedly suggested that more people attributed breaches to hackers’ ingenuity, rather than a firm’s incompetence, and so there is “not as much of a stigma attached” to admitting that a breach has occurred.
WSJ: Firms Adjust to Hacks (17 June 2011)
(Source: WSJ)

Energy and Resources Security Survey

Deloitte has released its 2010 Energy & Resources Global Security Study (2011), finding that although the industry must manage serious issues such as critical infrastructure security and the protection of smart grid data, many respondents have not fully embedded information security in core business goals and objectives. More positively, data protection and information security governance and training have finally made the list of top-five initiatives in the energy and resources sector.

Other key findings include that:

  • security and privacy breaches typically arise from within a company;
  • security has failed to keep up with the rate of third party outsourcing;
  • a majority of respondents admitted they do not have a relevant business continuity management strategy; and
  • greater use and connectivity of industrial control IT systems create a risk of “an increase of cyber-attacks by means of network intrusions, malicious codes, and unauthorized access”.

Further information from Deloitte
(Source: Deloitte)

User Accounts Left Open

Wired reports that Dropbox, which allows users to share files online, accidentally permitted access to all users’ online storage lockers for four hours. The glitch, which reportedly arose from a programming bug in the authentication code, meant that any password could be used to log in to any account. The company has reportedly advised that “fewer than 1% of accounts were opened during that time and it force-closed all of those sessions to cut off access to anyone who authenticated with false credentials during that time”. However, security researcher Christopher Soghoian has reportedly claimed that Dropbox has too many security weaknesses, principally because files are encrypted on the company’s servers rather than on the user’s computer, so that Dropbox, not the user, holds the keys and can read stored files. Wired reports that Mr Soghoian has already filed a complaint with the US Federal Trade Commission, claiming that Dropbox has overstated its security to users.
Wired: Dropbox Left User Accounts Unlocked for 4 Hours Sunday (20 June 2011)
(Source: Wired)

More Gamers’ Data at Risk

The Age reports that hackers have stolen data relating to 1.29 million Sega customers, including “names, dates of birth, email addresses and encrypted passwords”. Sega has reportedly advised that no credit card information was involved, and that an investigation into the breach has commenced. The gaming company has also reportedly stated that it will strengthen network security and will issue further details on the incident.
The Age: 1.29 million Sega customers’ data stolen by hackers (20 June 2011)
(Source: The Age)