Privacy Commissioner May Get Bigger Canadian Club. Canada Debates Stronger Enforcement Powers and New Data Breach Privacy Rules.

Posted on April 24th, 2014 by Dan Rampe

A new bill proposing updates to Canada’s Digital Privacy Act will give the country’s privacy commissioner more clout while calling for steep fines for businesses not reporting data breaches.

Industry Minister James Moore said, “Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats.”

In her story on cbc.ca, Emily Chung of CBC News went into the bill in detail: (Note her report has been edited to fit our format.)

The bill proposes “important improvements” to the Personal Information Protection and Electronic Documents Act, the legislation governing how the private sector handles personal information [in Canada].

The bill would:

• Require businesses and organizations to track data breaches — events in which personal information might be lost or stolen — and report them to consumers and the privacy commissioner if they pose a “real risk of significant harm to an individual,” for example, if they could lead to identity theft. Non-compliance would be punishable by fines of up to $100,000.

• Give new powers to the privacy commissioner to help uphold privacy laws. Specifically, the commissioner will be able to negotiate voluntary but binding compliance agreements with organizations that commit to taking action on privacy violations. The commissioner and private complainants would also be able to ask the Federal Court of Canada to order compliance or award damages to someone harmed by a privacy violation up to a year after an investigation. And the commissioner will have more flexibility to release information about non-compliant organizations if it is in the public interest.

• Require businesses and organizations to “communicate clearly” when obtaining consent for collecting and using their personal information; and to consider whether their target audience, such as children, can understand the consequences of sharing their information.

• Allow for the sharing of personal information without explicit consent to help protect individuals from harm, such as seniors suspected of being financially abused or to detect and prevent fraud.

• Make it easier for businesses to collect, use and share information to manage employees, conduct due diligence when buying another company, or process insurance claims.

Charmaine Borg, digital issues critic for the NDP [Canada’s New Democratic Party], said, “Overall, these are good first steps.” Borg, MP for the Quebec riding [electoral district] of Terrebonne-Blainville, added, “We have been pushing for these measures and I’m happy to see them introduced.” However, she said she would have liked to see the legislation go a bit further.

In particular, she said, she was disappointed that consumers and the privacy commissioner only need to be notified of a data breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” Borg called that “a little bit of a high threshold.”

She also doesn’t like the fact that organizations have to evaluate the risk for themselves. While most large companies have a privacy officer, the evaluation “might be a little hard for mom-and-pop shops who are affected, but who might not have the privacy expertise to make that assessment themselves.”

She had previously proposed in a private member’s bill that data breaches be reported to the privacy commissioner if they posed a potential risk, and the commissioner’s office would use their expertise to determine if consumers should be notified.

Borg thought the proposals regarding privacy agreements and new enforcement powers for the privacy commissioner were also good steps forward, although she would have liked them to have been “a little stronger.”

The office of the privacy commissioner of Canada has long advocated for updates to Canada’s privacy laws, including some of those in the new bill.

Interim Privacy Commissioner Chantal Bernier said at first glance, the bill contains “some very positive developments,” especially with regard to mandatory data breach notification, new penalties, and “provisions that will make it easier for my office to ensure that companies carry through on commitments they have made during investigations.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

ThreatMetrix Shares Strategies for Businesses to Protect Identities in Use in Support of Data Privacy Day

Posted on January 13th, 2014 by Dan Rampe

Businesses Must Move Beyond Focusing Merely on Data at Rest and Protect Customer Identities Against Fraudulent Activity Following Data Breaches

San Jose, Calif. – January 13, 2014 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime solutions, kicks off its commitment to Data Privacy Day by announcing several strategies for businesses to protect identities in use following a data breach.

Every time an identity is used online, especially when a new account is opened, there’s a chance that identity has been stolen or compromised. However, many organizations simply focus on guarding data at rest–inactive data stored on an internal server–rather than understanding the implications of identities in use and taking action to protect them.

Following a data breach, a significant implication is that customer and corporate identities are used without an individual or company’s knowledge. A key requirement for data protection is for businesses to assure personally identifiable information is screened against unauthorized use prior to being processed. Every year, ThreatMetrix protects more than four billion transactions and identities in use and has several strategies for businesses across industries to prevent spoofed or stolen identities.

Key strategies that businesses can implement to protect identities in use include:

Device Identification – Using a visitor’s browser and machine attributes as a passive form of two-factor authentication reduces the effectiveness of cybercriminals reusing stolen credentials from a new or known fraudulent device. In addition, advanced proxy piercing and virtual private network (VPN) detection capabilities eliminate IP spoofing, the most common attack vector for identity thieves.

Malware Detection – Frictionless malware detection can analyze risk on a customer’s behalf, giving businesses the option to prevent access to sensitive data if there is a known Trojan on the customer’s device.

Behavior-Based Identity Proofing – Analyzing patterns of usage including locations, identities, devices and associations over time provides ‘spoof-proof’ identity screening.

Anonymized Trust Federation – Passively leveraging prior authentication and verification information across departments and organizations reduces customer friction and authentication costs.

“Cybersecurity strategies often prioritize minimizing a company’s monetary losses following a data breach over protecting customer identities and data obtained by cybercriminals,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Personal identities, both consumer and workforce, account for a large amount of identities in use, and organizations and service providers must protect individual identities by investing in frictionless customer protection and fraud prevention technologies. Examples of fraudulent activity may include using a spoofed IP address to hide online location, using work-at-home scams for stolen goods deliveries or using bots for brute force attacks against customer account passwords.”

Customer data contains sensitive information–including banking credentials, email passwords, medical information and social security numbers. Once this data is exposed, it is at risk for fraudulent activity by cybercriminals or can be sold via online crime rings. To prevent such risks, businesses need to understand how stolen identities are used against consumers and companies – including fraudulent credit card transactions, social media logins and banking logins.

“Data breaches are a key focus for cybersecurity providers, but many companies don’t consider how stolen identities are eventually used against their customers for cybercrime,” said Faulkner. “ThreatMetrix is uniquely positioned to help businesses measure and understand how identities are used online, especially regarding the risks and implications of exposed customer identities following a data breach or cyber attack.”

One of the most effective ways businesses can protect online data is through an anonymized global data repository, such as the ThreatMetrix™ Global Trust Intelligence Network (The Network), to differentiate between authentic and suspicious transactions and online activity. The Network is the most comprehensive global repository of identity and fraud data, protecting hundreds of millions of users and data points each day from cybercrime. Its real-time analytics evaluate logins, payments, new account registrations and remote access attempts for validity.

By collaborating on a global level through a shared network, businesses can effectively build trust on the Internet by mitigating cybercrime risks. Given the severity of today’s high profile data breaches, no business can afford to stand alone in the fight against cybercrime and protecting customer identities.

Data Privacy Day, sponsored by the National Cyber Security Alliance, takes place annually on January 28, and encourages businesses and consumers to make protecting privacy and data a greater priority. Due to its alignment with online data protection and cybercrime prevention, ThreatMetrix was named a Data Privacy Day Champion by the National Cyber Security Alliance, which educates and empowers a digital society to use the Internet safely at home, work and school. ThreatMetrix will publish additional news surrounding data privacy throughout the month of January.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

© 2013 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
WalkerSands Communications
Tel: 312.241.11178
Email: beth.kempton@walkersands.com

ThreatMetrix Predicts 2014 Cybercrime Will See Evolving Threats – Including Internet of Things and Risks to Critical Infrastructure

Posted on December 18th, 2013 by Dan Rampe

As Cybercrime Continues to Grow, ThreatMetrix Protects Businesses Across Industries from Evolving Threats

San Jose, Calif. – December 18, 2013 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime solutions, today announces several predictions for the top cybercrime threats businesses and consumers will face in 2014. The biggest threats in 2014 include the risk of cybercriminals compromising the Internet of Things and our nation’s critical infrastructure. In addition, businesses across industries will have to brace for another year of sophisticated cybercrime attacks.

As more of our day-to-day operations and appliances are connected online – including water utilities, power utilities, smart watches and smart home systems – the risk of cybercrime will infiltrate more aspects of our everyday lives than ever before. As a result, not only has cybercrime grown, but the cybersecurity industry as a whole is on the rise, in an effort to stop criminals in their tracks. In the past year, venture capital funding has poured $1.4 billion into 239 cybersecurity deals.

“The Internet of Things is coming on faster than we can cope with – soon enough, we will be living in smart houses and all of our critical infrastructure will be managed online,” said Andreas Baumhof, chief technology officer, ThreatMetrix. “This extensive interconnectivity poses a severe risk for cybercriminals to have a detrimental impact on such critical utilities as our nation’s water supply in 2014 and beyond.”

Cybercrime Predictions for 2014

ThreatMetrix has predicted the top cybercrime trends of 2014, which businesses and consumers must be aware of as they increasingly connect online and via mobile devices.

The Internet of Things will lead to all appliances and operations eventually connecting to the Internet. While still in early stages, as soon as next year, smart refrigerators, locks and thermostats will move into the mainstream. As with any online activity, the Internet of Things offers cybercriminals the opportunity to compromise this connectivity and steal personal information or cripple resources.

Critical infrastructure risks have recently become so severe that President Obama signed an Executive Order on Improving Critical Infrastructure Cybersecurity. Water, power and other critical utilities are gradually moving online and this opens the door for cybercriminals – either individuals or nation-states – to wage a new form of warfare. Critical infrastructure already faces cyber attacks every day – and this is sure to increase in 2014.

Data privacy is and will continue to be a significant concern to individuals and businesses, especially given the recent revelation that the National Security Administration’s PRISM program spied on data from several top technology companies. Citizens that are connected online or via mobile are now concerned about the safety and privacy of their online activities, leading to a downfall of trust on the Internet.

Alternative payments have increased in usage this year, especially with the massive growth of Bitcoins, Facebook credits, gift cards and more. In 2014 and beyond, more forms of alternative payments are sure to emerge and unregulated payments are at risk for malware and money laundering.

Mobile transactions are gaining market share – they are expected to grow by 40 percent to $325 billion in 2014. Since mobile is an emerging marketplace, the good and bad actors are on a level playing field. Businesses are still figuring out the best ways to protect mobile devices and transactions leading into 2014, while cybercriminals are in the early stages of determining strategies to compromise mobile transactions.

Online transactions will increasingly continue to be targeted. Such attacks have been ongoing for several years. In 2014, attacks will become more widespread, as sophisticated malware that was previously developed for attacking high security banking sites will now attack online businesses across industries – many of which are not nearly as prepared to prevent cybercrime as online banks.

“Current and emerging cybercrime threats will continue to compromise businesses and consumers on a global level in 2014,” said Baumhof. “To address and prevent these threats, continued innovation in the security market is crucial. Simple anti-virus solutions and addressing fraud and security separately is no longer effective given today’s sophisticated cybercriminals. Rather, businesses must collaborate through a global network for a collective response to cybercrime.”

To address the global concerns of cybercrime, businesses across industries – including financial services, e-commerce, payments, enterprises, social networks and more – must leverage a global data repository such as The ThreatMetrix™ Global Trust Intelligence Network (The Network) to differentiate between authentic and suspicious transactions and online activity. The Network is the most comprehensive global repository of fraud data and protects tens of millions of users every day from cybercrime threats with real-time analytics that evaluate logins, payments, new account registrations and remote access attempts for validity.

By collaborating on a global level through a shared network, businesses can effectively build trust on the Internet by mitigating cybercrime risks posed by such trends as the Internet of Things, critical infrastructure transitioning online, data privacy and more. Given the severity of account takeover, payment fraud, identity spoofing and other threats now and in the years to come, no business can afford to stand alone in the fight against cybercrime.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Tory Patrick
WalkerSands Communications
Tel: 312-533-9823
Email: tory.patrick@walkersands.com