Page 33 - SMRH Eye on Privacy 2019 Year in Review Brochure
• Failure to implement measures to monitor its networks;
• Failure to segment its networks;
• Inadequate staff training;
• Failure to develop a data breach management plan; and
• Inadequate follow-up on outside security audits.
PUTTING IT INTO PRACTICE: Investors are paying attention to what companies are doing and saying with regard to cybersecurity. Particularly when touting strong cybersecurity practices, companies should carefully craft messaging that accurately reflects their cybersecurity posture, and they should make sure that their actions match their words by maintaining vigilance on cybersecurity.
NY AG Settles Over Mobile App Security Issues
Posted on January 23, 2019
Five companies settled with the New York Attorney General over mobile app data security issues at the end of last year. The AG alleged that the companies, Western Union, Priceline, Equifax, Spark Networks, and Credit Sesame, had a well-known security vulnerability in their apps. This vulnerability resulted in insecure connections between the apps and the companies’ servers. As a result, a third party could easily have gained access to people’s sensitive information.
In its announcement, the AG pointed out that the vulnerability in question had been well known for many years, and that the FTC had reached a settlement in 2014 over the same issue. The AG also noted that app developers can test their software for the vulnerability using “freely available software.” As part of the settlement, the companies have agreed to implement comprehensive security programs to protect user information.
PUTTING IT INTO PRACTICE: This settlement is a reminder that companies should keep security measures in mind when developing apps or other platforms that allow users to input personal information. These issues are of particular concern to regulators, including state regulators.
Pass It On: Locks Don’t Prevent Leaks
Posted on January 9, 2019
It is common for individuals to see the “padlock icon” on their browser bar when visiting a website and assume they are safe. Sadly, this assumption is no longer valid. As we approach Data Privacy Day (January 28, 2019), many companies are making an extra effort to train employees about steps they can take to protect themselves – and their organizations. Here’s one to pass along to the team.
The padlock on the browser bar typically accompanies a website address that begins with “https://”. This indicates the use of Secure Sockets Layer (or SSL), which signifies that information sent to and from the website will be encrypted and therefore (relatively) secure from unauthorized access. What the padlock and SSL do not signify, however, is that the website and its owners have themselves been vetted and are secure. In fact, according to a recent study, 49% of phishing sites now use SSL certificates and therefore sport that secure-looking padlock icon. This figure is up from less than 3% only 2 years ago. Phishers, who make a living by looking legitimate when they are not, have realized that they can