I’ve previously reported on the FCC’s expanding privacy jurisdiction. In particular, Chairman Tom Wheeler has proposed new privacy rules that will apply to Internet Service Providers (ISPs). My prior concerns about these rules include the fact that they do not apply to the so-called “edge providers” (e.g., Google, Amazon, Facebook) and so the lauded privacy protections will not cover many of consumers’ online activities.

The prior proposed rules had been open for public comment; the newly revised proposal has been amended to incorporate some of the comments and concerns that had been raised. The latest version goes to the entire Federal Communications Commission (Commission) on October 27th for a vote.

The Commission will be voting on a revised proposal that will require ISPs to tell their customers about the ways in which their personal information will be collected, used and shared. Are these good end goals? Yes — and it’s precisely because these are worthwhile and important goals that the Commission should have prepared a set of rules that would have encompassed more of the online entities with which consumers interact.

However, the new proposal has a category of “sensitive” information for which consumers would have to give affirmative permission to the ISPs before the ISPs could use and share it. The list omits such personal information as a consumer’s name and email address — this is considered “non-sensitive” and an ISP could share it unless a consumer opts out. Why is this bad? A consumer could consider his name and/or email address sufficiently sensitive that he would want to have control over whether it’s used and shared; opt-out puts the burden on the consumer, so the default is that this information will be used and shared unless the consumer takes whatever steps will be needed.

The privacy of consumers’ personal information will still not be protected as completely or effectively as could have been done if Chairman Wheeler and the Commission had tackled the harder issue — the one of including many of the online entities with whom consumers interact more frequently. These other entities collect as much personal information as the ISPs, perhaps even more, and are subject to far less stringent rules than the FCC’s proposal for ISPs.


Here’s yet another one of those scam emails intended to make consumers get scared, act fast and give scammers personal financial information.

I got an email from “Chase” with the exact replica of their logo. The heading was “Account Has Been Suspended” and the email said that my online Chase account had been suspended due to a violation of the terms of service. The email included a link to a Chase site and said I needed to go to that site and confirm my account information.

I don’t have a Chase online account but this still gave me concern. I didn’t open the link and immediately called the Chase customer service number and got a very knowledgeable customer service representative. He asked me precise questions about the email itself that conclusively confirmed this was spam.

Here are his very important tips about any legitimate emails that Chase sends to customers:

  • The customer’s name is in the body of the email. The email I got didn’t have my name.
  • The last four digits of the customer’s account will be included but only the last four digits. The email I got didn’t have any account digits.
  • Be careful even if this specific information is included, since scammers are getting more and more sophisticated and might be able to include some or all of this individual information.

He asked that I forward the email to the Chase security division that collects and addresses these scams — he said it’s very important that Chase learn about these scams in “real time”. I forwarded the email to: abuse@chase.com. I got an automatic reply which repeated what I had heard and said Chase customers should call the customer service number or contact them (chase.com/contactus) about any suspicious emails.


It’s even worse than originally thought. Today’s top news includes an update about the Yahoo data breach I wrote about yesterday. Now it’s being reported that at least 500 million Yahoo customer user accounts were hacked back in July. I now repeat with even greater emphasis and urgency what I said in yesterday’s post — Yahoo customers have to change their passwords right now!

Why is this mega data breach only being announced now by Yahoo — who knows the real reasons? The company is saying some of the usual reasons offered when there’s this kind of 2+ month delay. They’re saying they needed time to investigate the breach after the first signs were detected that accounts were being hacked. The cynics — or realists — among us might also suggest that Yahoo wanted to wait until the Verizon deal was completed.

Regardless, the damage is done. What information was hacked? Per Yahoo, the hackers might have gotten customers’ email addresses, phone numbers, dates of birth and answers to security questions. Yahoo claims that customers’ credit card numbers weren’t stolen since that information is kept in a separate system.

However, Yahoo customers shouldn’t assume that there won’t be ways hackers can use the information they’ve already gotten to try and gain access to customers’ financial information.

Again, Yahoo customers must change their passwords ASAP and be very alert to suspicious financial transactions on credit and debit cards as well as bank accounts.

As was reported over the summer, Yahoo is investigating what appears to be a massive data breach. Graham Cluley posted an article today in which he said that, per a report by Recode, Yahoo might be making an announcement very soon about that investigation (www.grahamcluley.com; “Yahoo ‘expected to confirm massive data breach’ says Recode”).

The hacker or hackers behind the breach were rumored to have gained access to 200 million user accounts. In fact, Yahoo has been sending out emails to users urging them to change their passwords.

It’s always a smart move to change passwords, and now that’s an even more timely reminder for Yahoo users.

I’ll keep everyone posted as more news emerges about this breach.

I’ve written before about the set-top box proposal that the FCC Chairman Tom Wheeler and his fellow Commissioners were considering. The proposal generated strong pushback from various industry components due to a variety of content and competition issues. My concern is from a privacy perspective since the original proposal would have presented a cascading number of issues due to the number of companies that would have had potential access to consumers’ data.

Chairman Wheeler and the FCC responded to the criticisms by redrafting the proposal. He just circulated the revised proposal yesterday (Thursday, September 8th) as part of the FCC’s September meeting agenda. The latest proposal would give all the affected industry entities 2 years to implement the changes.

I’m going to review this latest version to see what, if any, improvements have been made from a consumer privacy perspective. I’ll post my analysis once I’ve done my review.

Stay tuned.



I am not one of those individuals who believes there are stronger privacy protections in foreign countries than in the United States. However, I believe in giving credit when it’s due so I want to applaud an upcoming proposal by the European Union (EU).

The EU is going to be proposing more rules soon that will apply stricter privacy and security protections to Internet communications companies. Although the proposed rules have not yet been issued, some details have been made known. One of the key proposals will be to make it easy — or easier — for consumers to move their own information if they decide to switch to other services. That would be an excellent improvement and one that should be adopted in the U.S.

I’ll be following this issue and report more details as the proposed rules are released.


There is a major breaking news story about a data breach at the Starwood Hotels chain. More details are just emerging, but what is currently known is that the systems containing guests’ credit card information were breached. It appears that the breach started sometime in 2015 and continued until its recent discovery.

Starwood Hotels is the parent corporation for a wide range of hotels located in the United States and abroad. The Starwood Hotels chain includes Marriott, Westin and Sheraton hotels. The data breach was reported to potentially include guests at many of these hotels.

Consumers who stayed at any of these hotels over the last year should be even more alert to any suspicious charges on their credit cards.

I’ll post updates as more information is reported.


The European Union (EU) is launching an important study that is worth noting. On July 13th, the European Union Agency for Network and Information Security (ENISA) announced that it is going to create a comprehensive list of the various cybersecurity policies, tools, standards and measures that can be used to strengthen security in the next generation of cars.

The ENISA initiative was the subject of an informative article by Winston Maxwell and Timothy Tobin, attorneys with Hogan Lovells, an international law firm (www.hldataprotection.com/2016/07/articles/international-eu-privacy-enisa-jumpstarts-con; “ENISA Jumpstarts Connected Car Cybersecurity Study for EU”). In their article, Mr. Maxwell and Mr. Tobin note that the ENISA study was generated by the EU’s recognition of the ever-increasing interconnection between and among cars. These advances mean a corresponding increase in concerns about the global repercussions from a security perspective.

The ENISA study writers will issue recommendations following the conclusion of their work. The recommendations will focus on measures that will help enhance smart car security for EU consumers. When issued, the study’s findings and recommendations should be studied by U.S. federal, state and local agencies and policy makers with responsibility for these car and cybersecurity issues.

The U.S. should gain the benefit of the ENISA report so that our next-generation cars are as safe as possible from cybersecurity issues.

Brian Krebs published an article alerting consumers that the Kimpton Hotel chain is investigating a data breach at its hotels (www.krebsonsecurity.com/2016/07/kimpton-hotels-probes-card-breach-claims). It appears that thieves have stolen credit card information from multiple locations of this hotel.

So this is a “heads up” alert for anyone who has stayed at a Kimpton Hotel over the last few months. Read Mr. Krebs’ article and — as always in these situations — keep very close tabs on your credit card charges.

The Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) has issued a new fact sheet providing guidance to entities that have patient medical records covered under the Health Insurance Portability and Accountability Act (HIPAA). The fact sheet identifies the types of information security measures that these entities should have in place to prevent a cyber or ransomware attack (www.hhs.gov; “FACT SHEET: Ransomware and HIPAA”).

Although not addressed to consumers, the FACT SHEET is worth reading for educational purposes. For example, the OCR HHS fact sheet underscores the notification obligations of an organization that experiences a ransomware breach.

Reading the OCR HHS FACT SHEET will help consumers understand the kinds of security safeguards OCR HHS recommends for their medical providers as well as others in the health industry. That way, in case of a breach, consumers can know what information they should receive and be proactive if they haven’t gotten timely notification.