The Federal Trade Commission recently released its 2017 update on Privacy & Data Security. The FTC has a broad range of law enforcement responsibilities in protecting consumers and competition across the U.S. economy; among them is prohibiting unfair or deceptive trade practices. In 2017, major players in the U.S. marketplace found themselves in the FTC’s crosshairs.

Uber Technologies settled FTC charges that it had deceived consumers about how it protected customers’ private information as well as its driver data. If you utilized Uber in recent years, there’s a chance your personal information (phone number, credit card data, etc.) has been compromised. Part of the FTC’s complaint against Uber concerned how it stored consumer data in the cloud. Uber utilized a third-party cloud service, but failed to require multiple authentication factors for access to the data. Although Uber had implemented “… an automated system for monitoring employee access to consumer personal information, the company stopped using it less than a year after it was put in place …” in December 2014. The FTC and Uber entered a consent agreement that requires implementation of an extensive privacy program and subjects Uber to regular, independent audits.

Lenovo is one of the world’s largest manufacturers of computers. Thirty-two state attorneys general joined the FTC in charging the company with selling laptops to the public beginning in August of 2014 that were loaded with an adware program called VisualDiscovery (from Superfish, an e-advertising company), which delivered unwanted ads whenever a consumer visited a website, including encrypted web pages. The program collected not only consumers’ browsing histories but their login information, Social Security numbers and other private and sensitive information, such as medical histories. In January the FTC gave its final approval to a settlement with Lenovo, which carried a $3.5 million fine to resolve the states’ claims.

Although the FTC and watchdog groups lead the fight against the companies that fail to protect the consumer data they collect and store, individual vigilance is key in protecting our private and personal information. In that regard, our password habits need a reboot. The American Bar Association’s journal series, Cybersecurity and the Law, provides a valuable checklist. As with any similar publication, it reminds all of us to practice our own threat assessments when protecting our data. Although the following are not foolproof recommendations, if you follow them you will be better protected.

  1. Have you been pwned? Go to haveibeenpwned.com and enter your email addresses or usernames. If a hack has occurred but it has not been verified or made public, then the site will not have that information. However, it is a good first step to know if your passwords have been compromised.
  2. Consider a password manager. Don’t have a list floating on a sheet in your office or home, or in a Word file or spreadsheet on your computer. A password manager will help you store your passwords, which should all be as unique as your fingerprint. Speaking of which …
  3. Use better passwords or phrases. The National Institute of Standards and Technology’s new guidelines recommend that you create a stronger password, or, better yet, a passphrase where possible that avoids the maddening nature of passwords with upper-case letters, special symbols and numbers.
  4. Use two-factor authentication. If you haven’t done this yet, or some of the proprietary websites you utilize haven’t, consider it essential for protecting access to your information. Two-factor authentication in most instances allows the website or database to send you a text message with a passcode to use before you use your password or passphrase to log in. (For a list of websites with two-factor authentication go to twofactorauth.org.)
  5. Encrypt your devices. It costs next to nothing. For iPhone users it’s as easy as turning on your passcode, which most people do already. Other device manufacturers now have turnkey encryption on all their devices. Use it.

As noted earlier, the best security measure we can all adopt is vigilance. Not just part of the time, not just in some circumstances, but all the time, in everything we do on the cyber stage.

If you think your online identity has been compromised, and you need a forensic examination of your cell phone or computer, contact Trace Investigations at (812) 334-8857.