Privacy

National Plan Required For Consumer Privacy, Congresswoman says

Screenshot of Suzan DelBene from C-Span

April 1, 2021 — A Congresswoman from Washington State, who introduced federal legislation that would be the first national consumer privacy law if adopted, says the federal government is being outpaced by some states that are implementing their own consumer privacy legislation.

“There is a significant problem with consumer privacy in the US,” said Representative Suzan DelBene on Tuesday during a New Democrat Network event. DelBene introduced her Information Transparency and Personal Data Control Act, a wide-ranging federal privacy bill, on March 10. DelBene is the vice chair of the Ways and Means Committee and the chair of the House New Democrat Coalition caucus.

There is no federal data privacy law, which has forced some states to pursue their own consumer data policies. That includes California and, recently, Virginia. Some have said the concern is that there will be a patchwork of different privacy legislation that may end up just confusing Americans.

“We need a uniform set of rights for consumers and businesses standards to follow in the digital world,” DelBene said.

The bill states that companies must provide privacy policies in plain language, must allow users to opt in to personal information gathering, must disclose with whom personal information is being shared, and must submit to privacy audits every two years. The federal law would also give the government the ability to preempt existing state laws.

Simon Rosenberg, president of New Democrat Network, said about the bill that, “together, we have a lot of work to do in the coming years to restore the promise of the Internet. One of the areas of greatest need is creating a single working privacy standard for the United States.

“In her bill, the approach Representative DelBene takes to protecting Americans’ privacy is smart, measured, and will undoubtedly be highly influential in shaping the approach Congress takes in the days ahead. It is a very welcome addition to the vital debate underway about our digital future,” Rosenberg added.

The purpose of this bill is to ensure that privacy policies are transparent and clear. “Many consumers are given lots of information with lots of legal terms, which leads them to click the accept button without knowing what they have signed up for,” DelBene said.

“There is an urgent need for consumers to understand what data is being shared,” she added. “We want to make sure there is enforcement. The law says that this will be the responsibility of the Federal Trade Commission, so the FTC must have the resources to do this.

“I think my bill is focused on privacy specifically because I think it is foundational. We build on important things, such as AI, facial recognition, and all the other issues we need to address. If we don’t start addressing the issues of data privacy, it will be hard to imagine how it will the expansion of laws to address a broader set of issues that need to get ahead of.”

Congresswoman DelBene believes the bill can be bipartisan, but she wants to make sure Congress understands its importance. “I’m not sure Congress understands these issues, so it takes a collective effort to push it forward.”

DelBene says she’s confident that Congress will follow the bill, despite many congresspeople who she said are hesitant to take that first step.

Cybersecurity

House Oversight Reveals Details of Investigation into Colonial Pipeline, Other Company Hacks

The committee released a memo stating that “small lapses” led to many prominent cyberattacks this year.

Oversight and Reform Committee Chairwoman Carolyn Maloney, D-New York

WASHINGTON, November 17, 2021 – A House Oversight and Reform Committee investigation concluded in a staff memo that “small lapses” in cyber security led to hacks of Colonial Pipeline, meat producer JBS USA, and insurance group CNA Financial Corporation that occurred earlier this year.

Additionally, in Tuesday’s memo, the committee stated that the companies’ lack of “clear points of contact with the federal government” hampered response efforts to the attacks and that the companies faced a “huge” amount of pressure to pay hackers. Cyber security officials on Tuesday asked Congress to push legislation that would force companies to notify the government about cyber breaches.

The CNA hack occurred after an employee accepted a fake browser update, and hackers gained access to JBS through an old account with a weak password that had not been deactivated. Colonial Pipeline was hacked as a result of just one stolen password linked to a profile, leading to gas shortages in several states.

Employees at JBS and Colonial Pipeline may have been operating on Internet of Things devices, which often rely only on mass-produced factory default password settings because of their limited processing power. This makes such devices extremely vulnerable to cyberattacks.

“Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack,” reads Oversight’s memo.

Security issues for schools and libraries

Experts say that similar issues with IoT and password security are increasingly threatening cybersecurity in schools and libraries as well. During a School, Health and Libraries Broadband Coalition event Wednesday, leaders in education emphasized data showing that attacks on the education sector continue to increase in frequency, from a rate that already ranks second among all professional sectors.

Amy McLaughlin, executive director of technical and solutions architecture for Oregon State University, suggested during the event that schools and libraries expand their security beyond the basic firewall paid for by E-rate funding: change default passwords where possible, avoid using an administrator login, patch systems, and use anti-malware software on all devices.

Similarly, Bob Turner, field chief information security officer for higher education at Fortinet, stated that his organization recommends schools use multi-factor authentication.

The recently signed Infrastructure Investment and Jobs Act specifically allocates funding to be used for the implementation of improved cybersecurity practices in institutions including libraries, cyber security officials said Tuesday.

National security concerns

In June, Oversight and Reform Committee Chairwoman Carolyn Maloney, D-New York, told CNA, JBS USA and Colonial Pipeline via letters that she was “extremely concerned that the decision to pay international criminal actors sets a dangerous precedent that will put an even bigger target on the back of critical infrastructure going forward.”

During an Oversight and Reform panel Tuesday, committee members questioned witnesses on the efforts by President Joe Biden’s administration to push back on recent ransomware attacks by Russian-based cybercriminals.

Cybersecurity

Cyber Officials Reiterate Need for Private-Public Sector Cyber Threat Information Sharing

Calls are growing louder for mandatory breach reporting for cybersecurity incidents.

Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency

WASHINGTON, November 16, 2021 – Cybersecurity officials from the federal government told the House Committee on Oversight and Reform Tuesday that Congress needs to press forward on legislation that would force companies to share information on cyber attacks with the federal government.

In July, Sens. Mark Warner, D-Virginia, Marco Rubio, R-Florida, and Susan Collins, R-Maine, introduced the Cyber Incident Notification Act of 2021, which requires federal and private sector cybersecurity intrusions to be reported to the government within 24 hours.

On Tuesday, the Oversight and Reform Committee, which is studying how the government can crack down on ransomware, heard from three cybersecurity witnesses that a priority of Congress should be to pass such legislation to force that information sharing, so the government is better prepared to respond to, and prevent, attacks.

“Passing cyber threat notification legislation is a top priority,” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency. “We need the information because that enables CISA and the FBI to both engage with that victim, offer our assistance, understand what’s happening on their networks, and protect other victims as well as all the threat response and going after the actor and following the money.”

The comments and the calls for legislation come against the backdrop of high-profile cyberattacks, including against oil transport company Colonial Pipeline and software company SolarWinds, which prompted a Senate hearing on the matter. Recently, investment app Robinhood suffered its own data breach.

The attacks also raise even more alarm as the pandemic has made remote work more commonplace.

Wales noted that there have been improvements in terms of public-private partnerships to better deal with cyberattacks, including the launch of the Joint Cyber Defense Collaborative, which will lead development of cyber defense plans and executive plans in coordination with the federal, state, local and tribal governments, as well as the private sector.

The companies Wales named were those with the most “visibility” into these attacks, including major cloud companies, internet service providers and cybersecurity firms.

“As we work together to spot threat activity, we are able to provide more protection than anyone can do individually,” Wales said.

Last month, Secretary of State Antony Blinken announced the department intends to create a new cyber bureau to help tackle the growing challenge of cyber warfare.

Other legislation before Congress

The signing into law Monday of the Infrastructure Investment and Jobs Act includes cybersecurity grants to state and local governments, which Wales said he is hopeful will help

The House recently passed the Small Business Administration Cyber Awareness Act, which would require the Small Business Administration to report on its cybersecurity capabilities and notify Congress about cyber breaches.

Before that, Senator Angus King, I-Maine, called for the crafting of legislation that would require all companies to report cyber breaches to the federal government, a position that was backed by a Department of Justice official in further testimony before the Senate Judiciary Committee earlier this year.

Robocall

Charging for Call Whitelisting Could Hamper Robocall Fight, Small Provider Says

Small provider says cost and fast-moving deadlines are making it hard to implement robocall regulations.

From left to right: Bob McCausland, Greg Rogers, Michael Pryor, Sheba Chacko

November 9, 2021 – A representative at a small voice service provider is warning that alleged anticompetitive behavior, such as charging customers for whitelisting phone numbers, can slow progress on the illegal robocall fight.

“We have to be careful about [anticompetitive] practices like having customers pay to be on a whitelist to have their calls go through,” said Greg Rogers, head of global policy and regulatory affairs at communications software company Bandwidth, at the INCOMPAS 2021 conference in Las Vegas on October 25. “Those kinds of practices are bad for smaller businesses less able to cover the cost of these new solutions.”

“Whitelisting” is a tool that lets through only calls from numbers on a subscriber’s contact list. Some companies already offer these capabilities for free, but others may charge for them. Rogers said he thinks voice companies should offer the service to the general public for free and not as an additional-cost “add on” service.

Rogers said these additional charged services can help larger companies pay for their compliance with the STIR/SHAKEN framework, which requires voice service providers to put in place measures to combat illegal robocalls, which often lead to scams affecting millions of Americans. Those new measures include analytics software that labels calls based on authenticity. The deadline for large providers to implement these rules was June 30 this year, and June 30, 2022 for smaller providers.

Despite the longer timeline for smaller players to implement the rules, Rogers said it is going to be harder for them to do so without the additional revenue stream.

Cumbersome deadlines

Rogers warned that the FCC may be pushing the industry too hard for deadlines that are hard to meet. “We’re moving too fast in implementation and expectations are not being set appropriately,” he said. “It’s a bipartisan, political winner to be against robocalling, and we’ve seen a really fast, hard driving set of demands.” Rogers pointed to the FCC’s December 2020 mandates as a good example of demands that are hard to meet. The FCC’s Fourth Report and Order required voice providers to add call blocking notifications to indicate that a call is unwanted. “The pushback is, it’s too hard. We can’t do it that fast, we need more time.”

Rogers said the complexity of the issues, combined with a globally interconnected network, makes it hard for providers to deliver consistent service while optimizing their systems for call blocking.

“I didn’t say we should move slow, but people have to recognize how hard it is,” Rogers said. “[the call blocking effort] will march forward and that’s good. Don’t get expectations set that it’s gonna be fixed tomorrow. It’s not.”

The industry-wide endeavor to eliminate harmful robocalling continues as robocalls have risen over the past month. Analytics company YouMail’s call blocking data shows that Americans received over 4 billion robocalls in October, increasing 3.1 percent since September. So far this year, Americans have received 42.8 billion robocalls. Since robocall mitigation tools took effect on June 30, robocalls decreased about 8 percent per month on average.
