
Tuesday, January 29, 2013

FTC Online Privacy Protection Campaign Kicks Into High Gear


As the Federal Trade Commission continues its work in evaluating the privacy practices of businesses in the Internet age, agency staffers are focusing not only on what personal information companies are collecting and how they're using it, but also on the security measures in place to keep that data out of the hands of would-be identity thieves and other bad actors.
Speaking here at an event to mark Data Privacy Day, an annual initiative led by the nonprofit National Cyber Security Alliance, Commissioner Maureen Ohlhausen stressed that the FTC's privacy work is closely coupled with its consideration of industry security practices.
When businesses fail to implement or enforce strong security practices, they run the risk of suffering a major data breach that can expose sensitive information about their customers, severely damaging the firm's brand and inviting an enforcement action from federal authorities, Ohlhausen warns.
"Data is an increasingly vital asset and companies need to protect their ... customers' personal information from theft and unauthorized access that can hurt customers and harm the business's reputation. That's where data security comes in. Data security is part of the broader topic of data privacy," she says. "Regardless of how one feels about the use of consumer data for marketing or targeting purposes, I believe we can all agree that failure to take reasonable precautions to secure data from identity thieves and other malicious parties hurts consumers and legitimate businesses alike."
The timing of Ohlhausen's keynote address was apt. Earlier today, the FTC announced that it had reached a settlement with Cbr Systems, the operator of a cord blood bank, concerning allegations of a data breach that may have exposed sensitive information of nearly 300,000 consumers.
The FTC's complaint against Cbr Systems, which stores umbilical cord blood and tissue, dates to December 2010, when unencrypted backup tapes, a laptop and other equipment were stolen from an employee's car, according to the commission. As a result, sensitive health information, credit card and Social Security numbers and other data were compromised, and the laptop and a hard drive that were stolen included passwords and protocols that could have provided access to Cbr Systems' internal network.
The FTC based its complaint on its authority under the section of the FTC Act concerning unfair or deceptive practices (Section 5), maintaining that the company violated its own privacy policy by failing to have in place reasonable policies and procedures for safeguarding its customers' information, and that it courted further risk by carelessly transporting portable storage devices.
Under the settlement agreement, Cbr Systems submitted to 20 years of independent audits of its data-management practices.
The FTC has brought more than three dozen complaints against companies concerning data breaches, Ohlhausen said. Many of those cases had little to do with the technical protections in place to safeguard data, but instead were the product of soft policies, uneven implementation or a weak chain of custody.
"This really seems very simple, but many of the data security cases that the commission has brought involve companies who engaged in careless practices, such as dumping sensitive medical or financial information into open trash bins, and not even shredded," Ohlhausen says.
Over the coming year, the FTC intends to ramp up its scrutiny of data brokers, a sector that the agency has identified as an area of concern for consumer privacy. In December, the FTC sent letters to nine leading brokers asking for detailed information about their data-collection practices, with responses expected next month. At that point, Ohlhausen says, the FTC's in-house economists and other agency staffers will review the information with an eye toward recommendations for reforms within the industry, and potentially legislation authorizing new regulations.
In the meantime, lawmakers could move to pass a bill to establish a nationwide requirement for notifying customers whose information might have been compromised in a data breach. National data-breach notification legislation, long supported by many in the tech sector, would preempt the patchwork of requirements across the 46 states with data-breach laws on the books.
"Although some of the laws are similar, they are not identical. And this means that companies need to comply with separate state notice requirements, and consumers may get notifications that are different and are triggered by different kinds of breaches," Ohlhausen says, adding that she believes there is a good chance that Congress will pass a bill this year. "I believe a single standard would let companies know what to do and let consumers know what to expect."
Ohlhausen also advises businesses to limit their risk of a data breach with common-sense measures like building security and privacy protections into the design phase of their products and systems, securing storage, and promoting privacy through education and training programs across business units.
Then, too, they must ensure that they are living up to the security and privacy assurances they make to their customers.
"It's also really critical that businesses honor the promises they make to protect consumer privacy, and this is really at the heart of the commission's law enforcement against deceptive practices," Ohlhausen says. "But because breaches may still occur even in the most security-conscious company, it's also critical to have a plan for responding to data breaches before they happen. So putting together a response plan now may help reduce the impact of a data breach on a business and its customers later."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.


Thursday, September 27, 2012

What are DDoS Attacks & How to Deal with them


The internet is abuzz with talk of the recent outage suffered by the domain registrar GoDaddy. The outage was initially suspected to be the result of a Distributed Denial of Service attack (commonly known as a DDoS attack) against GoDaddy's DNS servers, which took several websites as well as email services offline. (GoDaddy has since stated that an internal network error, not an attack, caused the interruption in service.)
DDoS attacks are a fairly common occurrence on the internet and are something we’ve experienced in the past as well. Here is some more information on DDoS attacks, who they affect and how we mitigate such attacks.
What is a DDoS attack?
A Denial of Service (DoS) attack aims to make a website unavailable to its users by flooding the site's servers with an extremely high number of requests. The flood exhausts bandwidth, connection tables or server resources, so responses become exceedingly slow and servers can even crash.
A Distributed Denial of Service (DDoS) attack is a DoS attack that originates from many sources at once. Such attacks are usually carried out from thousands of compromised machines ("zombies") whose owners are unaware of it; the set of machines under one attacker's control is known as a botnet.
DDoS attacks have traditionally been used by cyber criminals to extort money from website owners that rely on the accessibility of their websites. However ‘Hacktivists’ have also initiated such attacks in the past to bring down company and government websites in protest of certain policies or decisions.
A popular recent example is Anonymous' attack in protest of the Megaupload raids, which targeted various government and music industry sites.
Who can it affect?
DDoS attacks are difficult to safeguard against completely and can affect large and small websites alike.
Having suffered a DDoS attack on our DNS servers in the past, we understand that such attacks can occur and the best solution is to have systems in place that allow you to mitigate the attack and get systems back online as soon as possible.
Which leads us to – How do we mitigate DDoS attacks?
While there isn’t a lot that can be done to prevent DDoS attacks, there are certain techniques that we employ to mitigate DDoS attacks and restore services.
To help mitigate DDoS attacks we use the services of Prolexic Technologies, a DDoS protection and mitigation provider. Prolexic mitigates attacks in several ways; here is a simplified version of how it works.

    • BGP Routing: When a DDoS attack occurs, our BGP route announcements are changed so that traffic destined for our network is routed through Prolexic's servers first. Malicious and legitimate traffic are separated there, and only the clean traffic is forwarded on to us, so legitimate users can continue to access our services.

    • Advanced Filtering: As the traffic passes through Prolexic's servers, their filtering technology identifies anomalies, which are "red flagged" by the system. Prolexic engineers then investigate whether the flagged activity should be blocked on the network. Once it is confirmed as malicious, it is labelled in the system and blocked.
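To make the "red flag" step concrete, here is a small Python script I've added as an illustration. It is not code from this post, and it is not Prolexic's or CloudFlare's filtering; the log format, the 10-second window and the thresholds are my own assumptions, and the log lines are constructed for the example. It counts requests per source in a sliding window, flags sources whose peak rate is far above the median source, and then shows the case the per-source view misses: a flood spread thinly across hundreds of bots, which only shows up in the aggregate rate.

```python
"""Rate-based flood detection over constructed access-log lines.

Added example for illustration; it is not the original post's code and
not Prolexic's or CloudFlare's filtering. It models the "red flag" step:
count requests per source in a sliding window and flag sources whose
rate is far above the population baseline, then shows the case where
per-source counting is not enough (a widely distributed flood).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

# All three values are assumptions chosen for the example, not vendor settings.
WINDOW = timedelta(seconds=10)   # sliding window length
FLAG_FACTOR = 10                 # flag a source above 10x the median per-source peak
MIN_ABSOLUTE = 50                # ... but never below 50 requests per window


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <source ip> <request>'."""
    ts, ip, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def per_source_peaks(lines, window=WINDOW):
    """Highest number of requests any single source made inside one window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip in sorted(parse_line(l) for l in lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flag_sources(lines, window=WINDOW, factor=FLAG_FACTOR, min_abs=MIN_ABSOLUTE):
    """Return {ip: peak} for sources whose peak rate looks like flood traffic.

    The baseline is the median per-source peak, which stays honest as long as
    attacking sources are a minority of all sources seen.
    """
    peaks = per_source_peaks(lines, window)
    if not peaks:
        return {}
    threshold = max(min_abs, factor * median(peaks.values()))
    return {ip: n for ip, n in peaks.items() if n > threshold}


def peak_total_rate(lines, window=WINDOW):
    """Highest number of requests from all sources together inside one window."""
    q = deque()
    best = 0
    for ts, _ip in sorted(parse_line(l) for l in lines):
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        best = max(best, len(q))
    return best


BASE = datetime(2012, 9, 27, 12, 0, 0)  # constructed timestamps start here


def _legit_lines():
    """Five well-behaved clients (RFC 5737 test addresses): one request every 2 s."""
    return [f"{(BASE + timedelta(seconds=2 * k + 0.1 * i)).isoformat()} 203.0.113.{10 + i} GET /index.html"
            for i in range(5) for k in range(10)]


def constructed_log():
    """Three loud flood sources at 20 requests/s on top of the legitimate clients."""
    flood = [f"{(BASE + timedelta(milliseconds=50 * k)).isoformat()} 198.51.100.{b} GET /"
             for b in (1, 2, 3) for k in range(200)]
    return _legit_lines() + flood


def distributed_log():
    """300 bots sending only two requests each: per-source counting sees nothing."""
    flood = [f"{(BASE + timedelta(seconds=t)).isoformat()} 198.51.{100 + b // 250}.{b % 250 + 1} GET /"
             for b in range(300) for t in (1, 6)]
    return _legit_lines() + flood


if __name__ == "__main__":
    print("loud flood, flagged sources:", flag_sources(constructed_log()))
    print("distributed flood, flagged sources:", flag_sources(distributed_log()),
          "| peak total requests per window:", peak_total_rate(distributed_log()))
```

Run it and the three loud sources are flagged at 200 requests per window while the five real clients sit at 6. The second scenario is the instructive one: 300 bots at two requests each are indistinguishable from real users per source, so `flag_sources` returns nothing, yet `peak_total_rate` jumps from a few dozen to over 600. That is exactly why a single host cannot filter a large DDoS on its own and why the traffic has to be diverted to someone with enough capacity and visibility to separate it upstream.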

How can you independently mitigate attacks?

As an individual website owner you have limited control over the server, but you can use CloudFlare to protect your websites from attacks.

CloudFlare protects your websites by routing traffic through their intelligent global network – a little like what Prolexic does for us :)
We already provide CloudFlare on our Hosting servers so Resellers can enable and start using it immediately. More information on how CloudFlare can protect you can be found here - http://www.cloudflare.com/overview
How Web Hosting Providers should deal with a DDoS Attack:
DDoS attacks are a very real threat to website owners and hosts worldwide but like I said before, there is no foolproof way for anyone to really protect themselves against such an attack.
As a Web Hosting provider yourself, I'm sure you've come across Customers who consider leaving you in the aftermath of a DDoS attack. You might have felt the same about your upstream provider as well. However, it's important to remember that anyone can be a target.
A good Host isn't one that hasn't been attacked yet, but one that can effectively restore services and reduce the damage when it is.
How Web Hosts handle the situation is also an important indicator. I’ve always seen that the ones that do handle attacks effectively provide detailed information on the following: (This actually applies to most issues/interruption in services)
  1. Which services were affected?
  2. Are the services back up or how long will it take to restore services?
  3. Does the Client need to do anything?
  4. Why did this happen i.e. details of the DDoS attack
  5. How was the attack mitigated?
  6. Can this happen again?
  7. Who can Clients contact if they have any concerns?
Being honest and straightforward will go a long way in assuring your Customers that you’re doing everything you can to resolve the issue and they’ll respect you for keeping them in the loop.