FTC Chairman Jon Leibowitz and Illinois Attorney General Lisa Madigan announced a $12 million settlement with LifeLock for deceptive advertising.
Leibowitz made it clear the settlement represents all the company’s cash reserves to compensate more than a million LifeLock consumers. Leibowitz and Madigan called LifeLock’s advertising campaign and CEO Todd Davis “shameless” for exploiting consumer fear about identity theft.
“No service can provide 100 percent protection against identity theft,” said Madigan. She said LifeLock offered no protection against the most common type of fraud – existing account fraud. Ironically, Madigan received a direct mail piece from LifeLock stating she was at risk of identity theft.
“As a nonprofit committed to helping consumers, we’ve been worried about LifeLock’s ads for a long time because we felt they were misleading,” said ITAC President Anne Wallace. “We’re happy the FTC has taken action to protect consumers.”
The Federal Trade Commission (FTC) has been making some significant headlines regarding identity theft these days: the recent announcement of top consumer complaints for 2009, and the news regarding the dangers of peer-to-peer networks. We were fortunate enough to interview Katrina Blodgett, Senior Staff Attorney, Division of Privacy and Protection, Federal Trade Commission, on these very topics. Check out this exclusive podcast!
Welcome to the Monday Morning News Kick Off post from the ITAC blog. As our editorial team is digging out from the RSA 2010 show last week, we wanted to spend some time on news stories that are non-RSA related. Don’t get us wrong. There are plenty of news stories still coming from the show, which we included in this post. We just wanted to branch beyond the 24/7 RSA news cycle from last week and highlight some interesting stories. One that came to mind is that hotels seem to be prime for data breaches, as was reinforced by the recent Westin and Wyndham breaches, and the Heartland breach is still impacting banks. Read on!
U.S. Cybersecurity Czar Says “There is No Cyberwar”
Obama’s new cybersecurity czar doesn’t much like the term “cyberwar,” calling it a “terrible metaphor” and a “terrible concept.” But just in case his dislike of the term didn’t get through, Howard Schmidt flat-out stated that “there is no cyberwar” during a Wired interview at the RSA Security Conference in San Francisco. Schmidt noted that the real cybersecurity threats are online crime and espionage. His words seem to stand in contradiction to a statement last week by Michael McConnell, former director of national intelligence, who told Congress that the U.S. was already in the midst of losing a cyberwar. Schmidt seemed more than willing to downplay McConnell’s Cold War mentality. Read the full Popular Science article here.
Homeland Security Chief Napolitano Seeks Citizen Cybercrime Fighters
Uncle Sam wants to recruit you to help fight cybercrime. Department of Homeland Security Secretary Janet Napolitano is calling on anyone with good ideas for boosting public awareness about the importance of making the Internet safer to step forward. “We are challenging our nation’s best and brightest to utilize their expertise and creativity to devise new ways to engage the public in the shared responsibility of safeguarding our cyber resources and information,” she said. Read the full USA Today article here.
Heartland Breach Still Hitting Banks
Around 5000 First National Bank of Durango customers have been unable to use their cards in stores, although they can still withdraw cash at ATMs. In a notice on its Web site, the bank says: “Please be aware that as a result of a security breach at Heartland Payment Systems that occurred over a year ago, debit cards issued by the First National Bank of Durango may have been compromised.” The warning continues: “It is important to note that there was not a security breach at First National Bank of Durango, our systems remain secure. The breach occurred at a 3rd party processor.” Read the full Finextra article here.
Westin Hotel in LA Reports Possible Data Breach
People who stayed at the Westin Bonaventure Hotel & Suites in Los Angeles last year and used their credit or debit card to eat there should keep a close eye on their bank statements. Hotel officials disclosed Friday that the hotel’s four restaurants, along with its valet parking operation, may have been hacked at some time between April and December, disclosing names, credit card numbers and expiration dates printed on customers’ debit and credit cards. The Westin Bonaventure is in L.A.’s downtown financial district, near the Los Angeles Convention Center and the Staples Center. Read the full Computerworld article here.
Are You Sure You’re Prepared for a Data Breach?
We’ve all seen the sobering stats: Nearly 500 major data breaches have been reported in the United States since the beginning of 2009, impacting more than 220 million records. And that doesn’t even account for the many breaches that weren’t publicly reported. So chances are that your company will be hit by a breach, if it hasn’t already. In fact, some would say it is almost as inevitable as the finger of blame being pointed squarely at you, the company’s senior security professional and chief scapegoat, when a breach strikes. Read the full SC Magazine article here.
BBB Small Business Advice: Reduce the Damage Done by a Data Breach
While the volume of data breaches declined in 2009, data breaches at businesses—as opposed to the government or non-profit sector—are on the rise. Better Business Bureau recommends that small business owners take steps to protect their data and also develop a plan of action in order to react quickly and reduce the damage if a data breach does occur. There were more than 498 reported data breaches in 2009, according to the Identity Theft Resource Center. While this is an improvement from the 657 breaches in 2008, unfortunately, the share of data breaches occurring in the business sector, specifically, increased to 41 percent. Read the full Better Business Bureau post here.
Welcome to the Friday’s Food for Thought post. As the editorial staff collects their thoughts from RSA 2010, which took place in San Francisco this week, we can’t help but think about one thing: we are at war. A cyber war that is…
Of course this is not a new revelation by any stretch of the imagination. But, judging from many of the discussions going on from the RSA show, we can safely conclude that we are deep in a cyber war. And, despite the vast number of vendors offering various solutions, we can’t seem to crack the code for keeping the bad guys at bay.
As pointed out to us by renowned industry analyst and Computerworld blogger Eric Ogren at the show, when someone turns on their television set, there is absolutely no risk of being hacked or becoming a victim of identity theft. It is a completely secure system – always has been and always will be. Unfortunately, in the cyber world, there are too many platforms, applications, and poor standards that don’t keep systems safe, creating the perfect storm for nefarious characters to cause damage.
It seems that the “wild west” days of the dot-com era have defined our approach to the digital age – meaning that innovations, VC funding and multiple competing solutions have created too many platforms with too many holes in them.
So, what do we do now? Go back to being a paper-driven society? Time to break out the typewriters and copy machines? No way. Technology has made us more productive, smarter and more beautiful (well, that may be a stretch). We just need to find a way to make our digital lives safer.
The RSA 2010 Conference has been a whirlwind of industry vendors and big conjecture about how to solve the cyber security issues that plague our great nation. But despite all of this effort, solving this security crisis seems very elusive. As our editorial team walked the show floor, we could not help but feel that we are experiencing a digital security bubble right now, with lots of vendors that seemed to be offering the same thing and touting the same messages. We wonder…what will the RSA Conference be like next year? Alas, there is no crystal ball. In terms of living in the present, we have compiled some of the most interesting news stories from the show:
Microsoft Exec: Infected PCs Should Be Quarantined (Q&A)
In his keynote at the RSA security conference on Tuesday, Scott Charney, Microsoft’s corporate vice president of Trustworthy Computing, suggested that the security industry should follow the health care model of quarantining infected PCs to prevent them from being used to send spam and conduct denial-of-service attacks. In a follow-up interview afterward, Charney elaborated on his vision for reducing the damage from botnets and explained how infected computers should be kept off the Internet just like doctors quarantine sick people and smokers are restricted as to where they can light up in public. Read the full CNET article here.
RSA 2010: US Declassifies Comprehensive National Cybersecurity Initiative
The US government has declassified a description of the Comprehensive National Cybersecurity Initiative (CNCI) launched in secret in January 2008. The announcement was made by White House cyber security coordinator Howard Schmidt at the RSA Conference 2010 in San Francisco. “As of noon today you will be able to go to whitehouse.gov/cybersecurity and download the unclassified description of the CNCI and each of the 12 initiatives under the CNCI,” he said yesterday. Read the full ComputerWeekly article here.
Companies Urged to Share Data Breach Information
Sharing information with law enforcement after a breach is critical to successfully battling increasingly sophisticated and organized cybercriminals, security experts said during a panel discussion at the RSA Conference. The biggest challenge for law enforcement is trying to work with domestic companies victimized by breaches, said Kimberly Kiefer Peretti, senior counsel with the Department of Justice’s Computer Crime Section. “The only way we can fight this is to get good support. We’re not there as your enemy but your friend,” she said. Law enforcement does its best to respect a company’s needs and won’t interrupt business during an investigation, she added. Read the full SearchSecurity.com article here.
Three Security Themes to Watch for at the 2010 RSA Conference
Attackers aren’t getting more sophisticated, but their methods are getting more automated, wreaking havoc on corporate networks and the people who are supposed to protect them. Several themes may emerge when this year’s 2010 RSA Conference kicks off this week. Experts will explain what organizations can do to protect their networks in the wake of the Google attacks. Meanwhile, enterprises are building a mixture of public and private clouds, and vendors are eager to present ways that they can be better secured. What exactly is a private cloud or a hybrid approach is up to interpretation. Finally, Howard Schmidt, the White House appointed cybersecurity coordinator, is sure to set the tone early during the conference when he explains what the government is doing this year to protect critical systems from attack. Here’s a snapshot of the themes that could emerge this week. Read more of the SearchSecurity.com article here.
RSA 2010: Computer Health Check Could Stem Spread of Viruses
Microsoft has raised the idea of enforcing computer system “health checks” before they are allowed to connect to the internet as a way of curbing malware infections. “Many corporate computers are scanned for malware before they are allowed to connect remotely to internal networks. But the same is not true for most other computers that connect to the internet,” Steve Lipner, senior director of security engineering strategy at Microsoft, told Computer Weekly. Read the full article here.
Yesterday at the BAI Payments Connect Conference in Kissimmee, Florida, I served on a panel to discuss the impact of legislation and regulation on the payments system. Other panelists included Paul Weiss, senior manager, Deloitte Consulting; Carl Pry, Compliance Officer, Key Bank; and Joe Samuel, Senior Vice President of Public Policy and Community Relations at First Data.
The bulk of the conversation focused on the challenges facing the industry regarding CARD Act, Regulation E, interchange regulation, and the on-going efforts to create a CFPA (consumer financial protection agency).
The themes running through the presenters’ remarks included the uncertainty facing the industry and consumers.
Innovation is expected in the mobile payments system and government payments arena.
To help alleviate the uncertainty and develop plans for moving forward, the panelists urged the 100 or so attendees to stay in close contact with their regulators, the various departments at the financial services companies, and, of course, their consumers.
Welcome to the Monday Morning News Kick Off post from the ITAC blog. We are very excited about all the news that will be coming out of the RSA Conference 2010 this week…and, we are also excited to announce that our editorial team will be on site at RSA, blogging and tweeting about the event in real time. So, we recommend that you stay tuned and be sure to visit this blog throughout the week. We are aiming to provide you with the latest and greatest news as it comes, in real time, from RSA 2010. And, in the meantime, we wanted to provide you with a quick summary of news already coming out from the show. Happy Monday!
RSA Conference 2010 Opens Today in San Francisco
Information security professionals and business leaders from around the world convened today to open the 19th annual RSA Conference being held at San Francisco’s Moscone Center. Taking place March 1-5, RSA Conference 2010 provides information security professionals with the best educational opportunities and access to the most important issues through interactions with peers, industry luminaries and emerging and established companies. Read the full RSA Conference press release here.
Cyber Warriors Gather as Online Battles Rage
US national security leaders and top cyber warriors from around the world are gathering here to plot defenses against criminals and spies that increasingly plague the Internet. Homeland Security Secretary Janet Napolitano and White House Cyber Security Coordinator Howard Schmidt will take part in this week’s RSA conference along with computer defense companies and technology icons such as Apple co-founder Steve Wozniak and Craigslist creator Craig Newmark. “We have before us more data moving into the cloud and more sophisticated cyber criminals,” said Qualys chief executive Philippe Courtot, who is among the keynote speakers at the premier event that kicks off on Monday. Read the full Sydney Morning Herald article here.
RSA Conference 2010 Preview
Here we go again. Thousands of the world’s data security specialists and the vendors desperate to sell to them are about to descend upon the Moscone Convention Center in San Francisco for the RSA Conference, which is now in its 19th year. The first ever conference was held in 1991, in Redwood City, attracted 50 delegates and didn’t even last a full day. Different now. Much has changed, not least the scale and nature of the industry that we now call information security. The RSA Conference today has become big business itself – even my hotel keycard has been sponsored by RSA and Microsoft. Read the full SK Magazine article here.
RSA Conference to Spotlight Threats, Security Strategies
From data protection to cloud computing to application development, this year’s RSA Conference is keeping an eye toward practical strategies for dealing with today’s cyber-threats. The conference, which will run from March 1 to March 5 at the Moscone Center in San Francisco, has expanded this year to include 250 sessions across a total of 18 class tracks. Two of the class tracks—‘Data Security’ and ‘Security in Practice’—are brand new. The Security in Practice track is focused on helping businesses deal with the day-to-day, practical challenges of implementing security, explained Hugh Thompson, chief security strategist at People Security and Program Committee Chair of the conference. Read the full eWeek article here.
Government Voice to Echo Loudly at RSA Conference
The 2010 iteration of the RSA Security Conference which opens Monday in San Francisco will feature an impressive array of influential government heavyweights among its featured keynote speakers. After the Obama Administration declined to deliver a specific strategy around cyber-security at RSA in 2009, it appears that a stronger message will be sent by government officials this year. As issues of electronic infiltration, exploitation and data theft continue to gain greater attention everywhere from the White House to the electrical grid, driven by some notable incidents and attacks reported over the last year, this year’s version of the IT security industry confab bears a decidedly government flavor — in addition to its annual showcase of top IT security industry executives. Read the full eWeek Security Watch article here.
Wow, it’s going to be quite a week! It seems that the Obama Administration is going to use RSA as a platform to address all of the cyber security issues that it has been slipping on – at least that is from a PR perspective. Stay tuned for more breaking RSA news!
Welcome to the Friday’s Food for Thought post on the ITAC blog. A new and rather funny spoof web site called PleaseRobMe.com has shed some light on a very serious topic: how we are too often open with our personal data. Basically, PleaseRobMe.com aggregates publicly shared check-ins from when people share their location data via Google Buzz and Foursquare, which lets the bad guys know that you are not at your house.
So, does sharing too much information – especially about your location — make you vulnerable to being robbed? Well, check out this Mashable story where this actually happened to a person. That is right…a few Tweets about going on a vacation can leave you totally exposed to a burglary.
And, what about people who actually prefer to leave their houses unlocked? Believe it or not, there are people in large cities like NYC and San Diego who do just that – they don’t lock their houses/apartments. Check out this article in the NY Times about this phenomenon. And, the article points out that a 2008 survey by State Farm Insurance of 1,000 homes across the country reported that fewer than half of those surveyed always locked their front doors.
Wow. Not locking your doors and telling the world that you are not home. Man, we are going to re-think what we do for a living and pursue a career in the burglary arts. The opportunities are endless (kidding of course!).
America’s young people aren’t receiving adequate instruction to use digital technology and navigate cyber space in a safe, secure and responsible manner and are ill-prepared to address these subjects, according to a new poll released by the National Cyber Security Alliance (NCSA) and supported by Microsoft Corporation. The State of K-12 Cyberethics, Cybersafety and Cybersecurity Curriculum in the U.S. Survey found that more than three quarters of U.S. teachers have spent fewer than six hours on any type of professional development education related to cyberethics, cybersafety, and cybersecurity within the last 12 months; more than 50% of teachers reported their school districts do not require these subjects as curriculum; and only 35% taught proper online conduct. Read the full press release here.
Yesterday, the Federal Trade Commission issued its top consumer complaints for 2009, which shows that while identity theft remains the top complaint category, identity theft complaints declined 5 percentage points from 2008. Overall, of the 1.3 million complaints the agency received last year, 21 percent were for identity theft. Debt collection agencies ranked second, with 9 percent of complaints, according to the Consumer Sentinel Network Data Book released Wednesday.
While it is encouraging that there has been a 5 percent decline, the reality is that identity theft continues to be a major problem. And, these findings very much reinforce the recent findings of Javelin Strategy & Research’s “2010 Identity Fraud Survey Report,” which found that the number of identity fraud victims in the United States increased 12 percent to 11.1 million adults in 2009, while the total annual fraud amount increased by 12.5 percent to $54 billion.
And, if you do find yourself becoming a victim of identity theft, check out this video that the FTC produced about how to file a complaint with the agency: