As we discussed recently, the Equifax data breach has inevitably brought a great deal of scrutiny and legal action against the credit reporting agency. Amidst the numerous brewing class actions and other reactions from government agencies and state AGs, it’s worth pointing out another front on which the company—and more importantly, individuals within the company—may face legal consequences.
Since September 7, 2017, Equifax, one of three credit rating agencies in the United States, has been dealing with the fallout from one of the largest (known) data breaches of personal information, putting 143 million Americans (roughly 44% of the U.S. population) at risk of fraud and identity theft.
After counter-protests ended in tragedy, a small group of social media users took to Twitter to expose the identities of the white supremacists and neo-Nazis rallying in Charlottesville, Va. Since last Sunday, the @YesYoureRacist account has been calling on Twitter users to identify participants in the rally. Twitter users identified several white supremacists, including Cole White. Users revealed White’s name and place of residence, and his employer reportedly fired him from his job at a restaurant in Berkeley, Calif. Several other employers fired employees identified online as attending the rally. In the wake of what will likely be just the latest incident where such behavior will be exhibited and subsequently called out on social media, it’s a good time to look at doxing and the legal environment in which it exists.
Voting in local, state and national elections could be viewed as a rudimentary form of social media, by which voters share their views and preferences via selection of a candidate or party platform. The distance between this “old school” social media and its multi-headed modern form has shrunk thanks to the advent of electronic voting machines and online voting. But, as always, with the implementation of new technologies come new risks. Even though some progress has been made to shore up and protect the voting process from cybersecurity threats, there are plenty of ways government data breaches can “rock the vote” outside of the voting booth.
On December 14, 2016, operators of online extramarital dating and social networking website AshleyMadison.com came to an agreement with the Federal Trade Commission, and several States, to settle FTC and related state charges that the website deceived consumers and failed to protect 36 million users’ account and profile information. As we discussed immediately following the July 2015 breach (and in several later posts), the data of some 36 million AshleyMadison.com accounts was posted online. It was reported by KrebsOnSecurity that the breach included the theft of user databases, financial records (including salary information), and other records from AshleyMadison, Cougar Life, and Established Men, three social networking web sites operated by the Toronto, Canada-based firm Avid Life Media, now known as Ruby Corp.
FriendFinder Networks is a company in the adult entertainment, social networking, and online dating space. Several databases from FriendFinder Networks web sites with more than 412 million accounts, including usernames, e-mails, and passwords, have been breached and leaked.
November reports of this data breach on The Verge, LeakedSource and TechCrunch, to name a few, describe it as one of the largest security breaches of 2016, and possibly the largest breach to date, surpassing the breach of approximately 360 million Myspace usernames, passwords and e-mail addresses reported earlier this year.
It seems like managing data breaches has become a part of doing business these days. From the October denial of service attack on Dyn (a company that provides core internet services to companies like Twitter, Spotify and Netflix) to the recent hacks of the Clinton campaign’s emails, data breaches are increasing in frequency, scope and cost. The average cost of a data breach increased to $4 million in 2015, and the 2016 Cost of Data Breach Study: Global Analysis published by IBM and the Ponemon Institute places the likelihood of a company having a material data breach involving 10,000 lost or stolen records in the next 24 months at 26 percent.
In this political season, much has been made about late-night Twitter rants targeting women and other social media attacks on individuals and celebrities. Although these harsh online critiques create a more hostile cyber community, more imminent danger may arise from the safety risks that accompany online activity in general. Law-enforcement officials have long warned users against disclosing travel plans on social media to would-be thieves by, for example, posting pictures of a boarding pass from that long-awaited trip to Barcelona. But what about apps and services like Find My Friends, where users can share their location with up to 50 friends, or Snapchat, which shows a user’s location when posting an image or video? With a culture focused on sharing and instant access to information via social media feeds, it bears considering if location-revealing apps engender some inherent danger, whether the app developers disclose potential risks, and what steps can be taken to protect personal safety.
Today’s online world is all about engaging and staying connected with others via social media. For businesses, establishing a presence on various social media platforms is an enticing way to connect with current customers as well as foster new business.
Yet the immense popularity of social media sites can also draw unwanted attention to their users. Just as businesses are drawn to popular social media sites to market their brands and products, so, too, are potential cybercriminals interested in targeting those who engage with these sites. On many of these platforms, user engagement is public. In other words, when a user chooses to “follow” a company or leave a comment, not only does the business take notice of the user, but everyone else on the platform can, as well, including those who are not themselves following the business. This provides a would-be cybercriminal a target-rich group upon whom to practice new (and old) scams.