Each month, we’ll bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss a potential federal privacy law, the 2019 Dreamforce conference, Microsoft’s response to CCPA, and more.
November was a busy month for Salesforce. The 2019 Dreamforce conference brought together hundreds of thousands of Salesforce enthusiasts from every industry to share innovations and ideas for transforming business and the workflows of tomorrow. Two significant underlying themes of the week were privacy and trust.
“We are shifting now into a time of responsible social corporations…you have an ability to pursue profit and success, but at the same time genuinely and fundamentally be part of an absolutely transformative generation. I think this generation is expecting that of you,” said Richard Curtis, Film Writer and Director and United Nations SDG Advocate. “We talk about the consumer revolution, and the consumer revolution I see is one where the consumer is now starting to understand fundamentally that businesses are shaping the world.”
Woven throughout the keynotes, the panels on AI and improving the state of the world, and dozens of speaking sessions was a single theme: businesses hold the power to foster trust, and trust is becoming the center of the consumer's universe. To earn that trust, companies must give customers the data privacy and security they deserve.
“It’s a trust revolution. Everything is changing in our industry. Everything is changing in our work.”
– Marc Benioff, Salesforce Chairman and Co-CEO
The data privacy revolution continues with a new bill introduced in November. The Consumer Online Privacy Rights Act (COPRA), proposed by Washington senator and Senate Commerce Committee ranking member Maria Cantwell, is intended to give consumers foundational data privacy rights, create robust oversight mechanisms, and establish meaningful enforcement. The bill would require companies to be more transparent about how they use consumers' personal information: consumers could request details about the personal data a company holds on them and ask that the company delete it from all of its records, including those held by third parties. Like California's CCPA, COPRA would limit the amount of information companies could collect and require consent before data is shared.
Fellow senators Amy Klobuchar, Brian Schatz, and Ed Markey co-sponsored Cantwell's bill. The proposed bill is scheduled for discussion at a Commerce Committee hearing in December.
The US Postal Service Office of Inspector General's semiannual report to Congress identifies the most pressing management challenges the organization faces. The report, which covers the six months from April 1 to September 30, 2019, flagged cybersecurity and IT modernization as critical obstacles.
“Customers and businesses demand timely, relevant, and accurate information and data as part of their digital experience,” said USPS inspector general Tammy Whitcomb. “The network must have the ability to meet these demands as well as the flexibility to continually adjust to the ever-changing business and regulatory environment. As information technology and the cyber-threat landscape evolves, security continues to be an ongoing challenge.”
The Office of the Inspector General (OIG) recommended that the USPS create an administrative budget for planning and running a long-term cybersecurity program. The anticipated implementation date for this recommendation is March 2020.
“A modern information technology network with sufficient capacity is critical to the success of the Postal Service.”
– Tammy Whitcomb, USPS Inspector General
Although the California Consumer Privacy Act (CCPA) only covers the data privacy of California residents, Microsoft announced that it plans to extend the law's core rights to users across the US. CCPA is designed to give California consumers more rights over their data: the right to know what personal information a company has collected about them, to opt out of the sale of that data, to request its deletion, and more.
The sale of customer data makes up a large share of many tech firms' annual revenue, which is a significant reason the law has drawn criticism from the tech industry. Microsoft, in an effort to differentiate itself from the rest of the industry, will offer customers more comprehensive privacy controls and simplify its own compliance work by applying one set of rules across its regions. The company has chosen to honor CCPA rights throughout the United States.
“While many of our customers and users will find that the data controls we already offer them through our GDPR commitment will be stronger than those rights offered by the new California law, we hope this step will show our commitment to supporting states as they enact laws that take us in the right direction.”
– Julie Brill, Microsoft Chief Privacy Officer
Minneapolis-based retail giant Target is suing its insurer for $74 million to recoup expenses from its 2013 data breach. Target claims that ACE American Insurance Co. did not cover the cost of reissuing payment cards to customers whose cards were compromised in the incident. In November 2013, attackers broke into Target's network and accessed the personal information of more than 60 million customers and the payment card data of over 40 million customers.
Target argues that its general liability policy should cover the card replacement and other associated breach costs. The lawsuit against ACE, now part of Chubb, states that Target has paid $138 million to banks to settle breach-related claims, but that the cost of the reissued cards has remained out of Target's own pocket.
When asked for a comment on the situation, Steve Durbin, Managing Director of the Information Security Forum, said, “Cyber risk is unquestionably one of the biggest challenges facing the insurance industry today and the knock-on effect will be with us for some time as claimants continue to try to lodge claims on policies that were not specifically designed to cover all the intricacies of cyber risk.”
A former employee of the cybersecurity firm Trend Micro was fired after the company discovered that they had accessed customer data without authorization and sold it to a malicious third party. The firm estimates that almost 70,000 customers were affected; the exposed information includes names, addresses, email addresses, and phone numbers. The investigation began after customers reported suspicious calls from scammers posing as Trend Micro support staff, and months later the company determined that the calls traced back to an insider who had pulled records from a customer-support database. Trend Micro disabled the unauthorized access, fired the employee, and handed the investigation to law enforcement.
Trend Micro is reminding their customers that the company never makes unsolicited phone calls to consumers. A spokesperson said, “If a support call is to be made, it will be scheduled in advance. If you receive an unexpected phone call claiming to be from Trend Micro, hang up and report the incident to Trend Micro support.”
A mobile app built for the UK Government to help EU citizens apply for UK residency is rife with security problems: basic defensive measures are missing, leaving the passport and biometric data of more than one million users exposed. The "EU Exit: ID Document Check" Android application was tested against common attack tools and techniques, and its lack of runtime self-protection showed that it would be an easy target for attackers looking to access and steal sensitive data. According to Promon, a Norwegian mobile security firm, the app lacks root detection, anti-debugging protections, and code obfuscation, gaps that leave it open to tampering, runtime hooking, and spyware that reads the user's documents and photos as they are captured.
“At this time of political uncertainty, the last thing that people who are applying to remain in the United Kingdom need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers.”
– Tom Lysemose Hansen, Promon CTO
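The protections Promon found missing are runtime self-protection checks that an Android app performs on itself. The following is an added example of what such checks look like, written for this post; it is not code from the "EU Exit: ID Document Check" app, from the UK Home Office, or from Promon. The list of `su` binary paths and the `test-keys` build-tag check are common heuristics and are assumptions here, not an exhaustive root-detection scheme.

```java
// Added example: runtime self-protection checks for an Android app.
// Not code from the "EU Exit: ID Document Check" app or from Promon.
// The root indicators below (su paths, build tags) are heuristic assumptions.
// All of these checks can be bypassed by an attacker who patches the APK or
// hooks the process with a tool such as Frida, which is exactly why they
// must be paired with code obfuscation: unobfuscated checks are easy to find
// and remove.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

public final class RuntimeIntegrityChecks {

    // Locations where a su binary is commonly installed on rooted devices
    // (heuristic list; assumed for this example).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su",
        "/data/local/bin/su", "/data/local/su", "/su/bin/su"
    };

    private RuntimeIntegrityChecks() {}

    /** True if a JDWP debugger is attached or the process is waiting for one. */
    public static boolean isDebuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /** True if the APK was built with android:debuggable="true", which should never ship. */
    public static boolean isDebuggableBuild(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Heuristic root detection: su binary on disk, or firmware signed with test keys. */
    public static List<String> rootIndicators() {
        List<String> found = new ArrayList<>();
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                found.add("su binary present: " + path);
            }
        }
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) {
            found.add("firmware built with test keys: " + tags);
        }
        return found;
    }

    /**
     * Collects every finding so the caller can decide what to do. An app that
     * scans passports and faces might refuse to read the document chip, or
     * discard cached images, when this list is not empty.
     */
    public static List<String> collectFindings(Context ctx) {
        List<String> findings = new ArrayList<>(rootIndicators());
        if (isDebuggerAttached()) {
            findings.add("debugger attached");
        }
        if (isDebuggableBuild(ctx)) {
            findings.add("debuggable build");
        }
        return findings;
    }
}
```

Call `collectFindings()` before handling the passport scan or NFC chip read, not only at startup, since a debugger or hooking framework can attach after launch. The checks only raise the bar: a release build also needs `minifyEnabled true` (R8/ProGuard) so the method names and string constants above are not trivially located and patched out, which is the obfuscation gap Promon called out.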