Friday, January 17, 2020


Could Equifax have secured its data for less than $1 Billion? Is $1 Billion enough to guarantee future security?
Equifax Ordered to Spend $1 Billion on Data Security Under Data Breach Settlement
On January 13, 2020, a federal court approved the proposed settlement for the class action suit filed against Equifax over the massive data breach it disclosed in September 2017.
As per the settlement, the credit reporting agency “will pay $380,500,000 into a fund for class benefits, attorneys’ fees, expenses, service awards, and notice and administration cost.” Attorneys have been awarded nearly $80 million.
If the amount proves insufficient, the company will pay an additional $125 million for claims for out-of-pocket losses, “and potentially $2 billion more if all 147 million class members sign up for credit monitoring,” the court’s final approval order reads (PDF).
The court also revealed that Equifax has agreed “to spend a minimum of $1 billion for data security and related technology over five years and to comply with comprehensive data security requirements,” which should reduce the likelihood of a similar data breach in the future.




Why not inform all the players?
FBI Changes Policy for Notifying States of Election Systems Cyber Breaches
WSJ.com [paywall] – “The Federal Bureau of Investigation will notify state officials when local election systems are believed to have been breached by hackers, a pivot in policy that comes after criticism that the FBI wasn’t doing enough to inform states of election threats.
The FBI’s previous policy stated that it notified the direct victims of cyberattacks, such as the counties that own and operate election equipment, but wouldn’t necessarily share that information with states. Several states and members of Congress in both parties had criticized that policy as inadequate and one that stifled state-local partnerships on improving election security…”




An example of ‘undue reliance’?
Criminals are using ‘Frankenstein identities’ to steal from banks and credit unions
  • So-called synthetic identity fraud is the fastest-growing financial crime, according to the Federal Reserve, driven in part by lending moving online. It’s also one of the hardest to detect.
  • Instead of outright stealing an identity, a criminal makes one up in what’s sometimes called a “Frankenstein” identity. The criminal then spends years building up credit under a fake alias.
  • “It’s a really long con and an expensive one,” says Naftali Harris, co-founder and CEO of San Francisco-based start-up SentiLink. “But once you have this fake person who has an 800 credit score, you can then use that to get multiple high limit credit cards and unsecured loans from banks.”




Should we block phishy emails?
These subject lines are the most clicked for phishing
(This also represents the actual capitalization and spelling used in the original phishing subject lines.)
  1. Change of Password Required Immediately 26%
  2. Microsoft/Office 365: De-activation of Email in Process 14%
  3. Password Check Required Immediately 13%
  4. HR: Employees Raises 8%
  5. Dropbox: Document Shared With You 8%
  6. IT: Scheduled Server Maintenance – No Internet Access 7%
  7. Office 365: Change Your Password Immediately 6%
  8. Avertissement des RH au sujet de l'usage des ordinateurs personnels (French: HR warning regarding the use of personal computers) 6%
  9. Airbnb: New device login 6%
  10. Slack: Password Reset for Account 6%




We need all the help we can get.
French Supervisory Authority Publishes Second Guidance on Cookies and Similar Technologies
On January 14, 2020, the French Supervisory Authority (“CNIL”) published a new draft guidance on the use of cookies and similar technologies on websites and applications (see here, in French). The draft guidance is open for public consultation until February 25, 2020.
In its nine articles, the guidance sets out how to properly inform users and collect their consent in this context. For each requirement, the guidance provides examples and best practices.




Seeking agreement...
8 ways to ensure your company's AI is ethical
Workday recently published our Commitments to Ethical AI to show how we operationalize principles that build directly on our core values of customer service, integrity and innovation. Based on our experiences, here are eight lessons for technology companies looking to champion those principles across their organization:
1. Define what 'AI ethics' means.
2. Build ethical AI into the product development and release framework.
3. Create cross-functional groups of experts.
4. Bring customer collaboration into the design, development and deployment of responsible AI.
5. Take a lifecycle approach to bias in machine learning.
6. Be transparent.
7. Empower your employees to design responsible products.
8. Share what you know and learn from others in the industry.


