The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

FTC Issues Consumer Advice re: Hacked Email and Social Networking Accounts

On August 1, the FTC provided consumers with a new resource, Hacked Email,  to help them identify a hacked email or social media account, recover their account from a hack, and prevent it from happening again.  The need for such guidance is highlighted by statistics such as these:

  • Over 60,000 compromised account logins occur every day on Facebook, according to Sophos.  
  • 62 percent of users with compromised email accounts were unaware of how their accounts had been compromised, according to a study by Commtouch, State of Hacked Email Accounts.
  • Of the third of users who noticed their account was compromised, 50 percent did not know until their friends told them. (id)

Given over half of all hacked accounts are used to send spam to promote a product (according to Commtouch) and many others are used to promote scams and spread malware resulting in loss of personal information, security credentials and financial assets, the FTC has a vested interest in protecting consumers from hacked accounts. Here are ways it suggests consumers can start tackling the problem:

  • To identify a hacked account, users should pay attention to:messages they did not send (or social media posts they did not write) but appear to originate from their account; an empty sent-mail folder (indicating a hacker sent multiple emails from the account then deleted the sent-mail folder’s contents or set it to not save emails in order to cover his or her tracks); or email from other accounts, which the user cannot open.
  • To remediate a hacked account, users should ensure their security software is up to date and delete malware; change their passwords (tips for creating strong passwords are included); contact their account service provider for account-specific advice on account restoration; check account settings to ensure messages are not being forwarded to an unfamiliar address or no new “friends” have been added to a social networking account; and inform friends and family so they don’t run the risk of getting hacked themselves by opening emails from the user’s hacked account. By going above and beyond just telling users to change their account password, these tips are likely to be useful to consumers, as, according to Commtouch, most users (42%) do nothing to solve the problem except change their password and 23 percent do nothing at all.
  • To avoid getting hacked again in the future, users should employ unique passwords for financial and other important sites; use two-factor authentication when available; not click on links or open attachments from unknown users; and only download free software from known, trusted sites.  The FTC also gives guidance around using safely using public computers and wi-fi networks.

While the tips are useful to consumers, businesses can also benefit from leveraging the FTC’s consumer-facing tips to educate their employees and customers. For example, given that 29 percent of breaches involved social tactics like phishing (getting employees to click on fake emails) according to the Verizon 2013 Data Breach Investigations Report, one of the FTC’s tips of particular use is that users should avoid clicking on links or open attachments from unknown users.

Hacked Email is one of a series of educational materials consumers can leverage to protect themselves, available at www.onguardonline.gov, which is managed by the FTC in partnership with the Department of Homeland Security and the National Institute of Standards and Technology. Guidance on avoiding identity theft, scams and other issues touching on consumer privacy and security is provided on the site.

Advertisements


Leave a comment

New Developments on Canadian Anti-Spam Law

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL), which is expected to come into force in 2012.  The newly released regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

  • businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to entry into force CASL to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.


Leave a comment

Comparing CAN-SPAM to Canada’s new Anti-Spam Law

Those who operate or have customers in the U.S. market, are already familiar with the requirements of the 2003 CAN-SPAM Act. If your operations or customers extend into Canada, however, there are new Canadian Anti-Spam rules you need to know. Why? Because these new rules will impact how you engage in online communications in Canada, starting in early 2012.

The SlideShare presentation linked below provides an overview of the key differences between Canada’s new Anti-Spam Law, CASL, and CAN-SPAM. Here are a few:

• Broader application: CASL also applies not only to e-mail, but also to IM, text and more. It also covers more activities, including the installation of computer programs.

• Clear reach outside Canada: CASL expressly applies to messages “accessed from a computer system in Canada”. This means that a message can be sent from outside Canada.

• Higher standard for consent: “Opt-in” consent for CASL versus “Opt-out” for CAN-SPAM.

• Higher penalties: $10 million maximum penalty for an organization that contravenes CASL.

The implications of this:

More online activities will be caught by CASL.

• More activities affecting Canadians will be caught by CASL, even if initiated outside Canada.

More steps will be needed under CASL to be permitted to communicate online.

Overall, there is greater exposure to liability under CASL.

Learn more about CASL, including what steps to take now to avoid liability:

www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law


Leave a comment

Marketing Firm Experiences Data Breach

Late last week, on March 31, 2011, the marketing firm Epsilon notified its customers that it had experienced a large-scale data breach affecting consumer information. According to Epsilon, the data breach was “limited to email addresses and/or customer names only,” and “no other personal identifiable information associated with those names was at risk.” The breach affects email addresses provided by a wide-array of clients, including many major financial institutions–such as JPMorgan Chase, Capital One, and Citibank–and numerous retailers–such as Target, Walgreens, Brookstone, and the Home Shopping Network. Epsilon sends more than 40 billion permission-based emails a year and manages consumer databases from 2,500 clients.

Security experts have expressed worries that, while the information harvested from Epsilon may seem like a minor threat, hackers can use email addresses and other compromised information to disseminate targeted phishing campaigns designed to trick consumers into revealing more sensitive personal information. The U.S. Secret Service has begun investigating Epsilon’s data breach.


Leave a comment

“Whaling” Is the Latest Phishing Craze

First there was "phishing" (sending spoofed e-mails in mass to see who would bite), then "spear phishing" (aimed at particular victims), and now "whaling" (aimed at large corporate targets).
 
So look before you click on that official subpoena.