• The California Attorney General announced a new California Consumer Privacy Act (CCPA) regulation that bans a business practice that makes it more difficult for consumer privacy opt-out.  
  • The new CCPA regulation means businesses will not be able to direct consumers to different web pages or to sit through explanations of why they should not opt-out. It also means the addition of a new button for companies to use to guide people where they can opt-out of having their data sold. 
  • The American Medical Collection Agency (AMCA) settled with 41 state Attorney Generals over the 2019 AMCA data breach. If AMCA does not live up to the settlement terms, it could lead to $21 million in fines to be paid to the states. 
  • For more information on the new CCPA regulation, consumer privacy opt-outs, and the AMCA data breach settlement, listen to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown podcast. 
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.   
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org

But Wait, There’s More! 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 19, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. 

Back in the early days of infomercials, there would come the point in a television ad selling the latest knife set or blender when the person making the pitch would stop, look earnestly into the camera, and shout, “but wait, there’s more!” That’s the title of this week’s episode, where we look at a new California Consumer Privacy Act (CCPA) regulation and provide an update on a major 2019 data breach.  

New CCPA Regulation and its Effect on Consumer Privacy Opt-Outs 

Even though the CCPA has been in effect for more than a year, there’s an important part of the legislative process that tends to be left out of civics lessons. Most laws require regulations to be adopted to enforce them. 

The new CCPA regulation formally adopted this past week was proposed in response to a practice known as “Dark Patterns.” This practice makes exercising one’s right so confusing or frustrating that people give up trying.  

Consumers may be directed to another web page, forced to click on multiple pages, or scroll through a series of screens. People may even have to sit through a long explanation of why they shouldn’t opt-out of allowing a company to sell their data. 

That’s not what the California legislature had in mind when it passed the law in 2018. There were promises it would be easy for Golden State residents to exercise their new-found privacy rights. Chief among those rights was a requirement for businesses governed by the CCPA to put a “Do Not Sell My Information” button in a prominent place on the web pages.  

Along with banning practices that impede a consumer privacy opt-out of data sales, the new CCPA regulation also includes a new button that companies can use to help guide consumers to where on their website they can go to exercise their privacy rights.  

Known as the Privacy Options icon, the blue website button was designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information. It was tested against other icons to determine the best design for communicating consumers’ privacy choices. 

Look for those coming to a website near you. 

But wait, there’s more! 

American Medical Collection Agency Settles with States over 2019 Data Breach 

In 2019, medical debt collection company, American Medical Collection Agency (AMCA), revealed the company had been the target of an eight-month-long cyberattack. It resulted in a data breach of information regarding at least seven million people and possibly as many as 21 million people. Shortly after announcing the security and data breaches, AMCA filed for bankruptcy. 

Forty-one state attorney generals intervened in the bankruptcy proceeding recently and received the court’s permission to enter into a settlement with AMCA. No financial penalties apply because of the financial condition of the company. However, AMCA agreed to a series of cybersecurity upgrades and ongoing audits. If AMCA fails to live up to the terms of the agreement, it will trigger $21 million in fines to be paid to the states. 

As Steve Jobs would say, just one more thing. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics.  

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • Changes are about to happen when it comes to mobile device privacy. Privacy advocates have long sought regulations in the U.S. to mandate opt-in requirements rather than opt-out.  
  • In the spring, Apple will change their mobile operating system to automatically block data collection unless someone explicitly opts-in. 
  • Some advertising experts estimate that between 50 to 75 percent of iPhone users will pass on agreeing to share data based on experiences with other opt-in opportunities. Some researchers believe as few as five percent of Apple product owners will opt-in. 
  • The trend in marketing and advertising gives consumers more of a voice in what information is collected about them and how it is used. It’s the core of modern privacy – informed consent. The more transparency that exists about personal data and its use, the more informed the consent. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 19, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we look less at security and more at privacy, specifically about major changes that are about to happen to mobile device privacy and how that relates to our travels around the internet. 

Sir Walter Scott wrote in his epic poem – “Oh what a tangled web we weave when first we practice to deceive.” That gives us the title for this week’s episode: “A Tangled Web.” 

Cookies on the World Wide Web 

From the earliest days of the internet, when it was still called the “World Wide Web,” small pieces of code were added to websites that would attach to a website visitor’s browser. The code snippet was called a “magic cookie” because it would help websites remember someone already visited the website and provided information that personalized the experience. 

Privacy Concerns Around Tracking Cookies  

Over the next 20 years, the amount of data collected by cookies and how cookies were used to track movement around the web became a source of privacy concerns. In 2018, the European Union (EU) became the first government to regulate cookies to require website owners to get visitors to express permission to attach a tracking cookie – before the web content the user was trying to access could be delivered.  

The rule’s practical effect was to end the practice of using tracking cookies to collect consumer information to fuel online advertising – first in the EU and now globally. The major browser makers – Apple, Mozilla, Microsoft and Google – have all blocked third-party tracking cookies or will soon do so. 

Identifier for Advertisers (IDFA) on Apps 

Moving around the internet with a mobile device is a bit little different. Most people use an app rather than a browser to access the web. Instead of cookies, there is a different piece of code known as an Identifier for Advertisers (IDFA) that collects and reports who and how one uses an app.  

However, unlike a cookie, an IDFA can be managed easily in a phone or tablet’s settings if the device maker allows one to opt-out of app data collection. The default settings on all smartphones today are to enable data collection from apps.  

Opt-In and Opt-Out Requirements 

Here’s where we talk about the big changes on the horizon in mobile device privacy. Privacy advocates have long sought regulations in the U.S. to mandate opt-in requirements rather than opt-out. This is so consumers have the opportunity to make an informed decision about what data is collected, by whom, and how it is used. To date, most laws and regulations – if they mandate any consumer consent at all – require consumers to be offered the chance to opt-out of data collection. 

Apple to Block Data Collection Unless Someone Opts-In 

However, in the spring, Apple will change their mobile operating system to automatically block data collection unless someone explicitly opts-in. In fact, the first time someone opens an app after the upgrade, they will be asked if they want to allow data collection. That’s a monumental change in mobile app privacy from today’s opt-out world. 

People may have read in the media that not everyone is happy about this change. Facebook and other large advertisers are concerned with the loss of consumer data that will result if a large number of iPhone and iPad users decline to opt-in to data sharing.  

Some advertising experts estimate that between 50 to 75 percent of iPhone users will pass on agreeing to share data based on experiences with other opt-in opportunities. Some researchers project as few as five percent of Apple product owners will opt-in. 

The clear trend in marketing and advertising is giving consumers more of a say in what information is collected about them and how it is used. It’s the core of modern privacy – informed consent. The more transparency that exists about how personal data is used, the more informed the consent. 

Informed consent includes understanding that there will be fewer targeted, personalized ads with less personal data available to marketers and advertisers. Also, there may be fewer free products and services as website owners add fees or subscriptions to make up for lost revenue from data sales. 

Apple has not announced when the update that includes the new mobile device privacy settings will be released, so consumers should stay tuned for more details. 

Contact the ITRC 

If anyone has questions about protecting their personal information, they can visit www.idtheftcenter.org, where they will find helpful tips on this and many other topics.  

If someone thinks they have been the victim of an identity crime or a data breach and need help figuring out what to do next, they can contact us. Victims can speak with an expert advisor on the phone (888.400.5530), live-chat on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown


  • Approximately 56 percent of California voters passed The California Privacy Rights Act (CPRA). The law will be the toughest privacy law in the U.S. once it goes into effect in 2023.
  • California residents will have more control over what happens to their personal information when businesses collect it. Consumers from the state can also have information corrected they think is inaccurate.
  • California businesses will be required to update agreements with contractors and sub-contractors that binds them to meet the provisions of the CPRA.
  • For more information on the privacy law, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website.

California voters went to the polls to decide the fate of the strongest privacy law in the United States. After counting the ballots, Proposition 24 – The California Privacy Rights Act (CPRA) – passed and will go into effect in 2023.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we look at CPRA and what it means for businesses and consumers.

How The California Privacy Rights Act Passed

Approximately 56 percent of California voters approved the privacy law. However, Big Tech and Big Privacy joined forces to oppose the proposal. The initiative was proposed to strengthen the existing state privacy law, The California Consumer Privacy Act (CCPA), in many different ways.

What Consumers Need to Know About The California Privacy Rights Act

There are a few different things for California residents to know about the CPRA:

  1. Since voters approved the CPRA and not the state legislature, it will be more difficult to amend the law in the future. The legislature must submit any proposed changes to the popularly approved law to the voters in a future election. That makes it very difficult to weaken the privacy provisions in the CPRA.
  2. The CPRA gives California residents even more control over what happens to their personal information when a business collects it. The CCPA gives residents the right to access the information companies collect about them and request it be deleted in certain circumstances. It also prohibits the sale of their information for marketing purposes. The CPRA will give consumers rights linked to sharing information – not just selling data to third parties – clarifying one of the most confusing parts of the current privacy law, the CCPA.
  3. The CPRA adds a right to correct any information that a consumer thinks is inaccurate. Californians will now have the right to opt-out of automated decision processes that use their personal information. Also, they will have the right to see how automated decision processes work.
  4. The CPRA creates a new category of personal information that California residents can access and control in certain circumstances, like sharing information with third parties. The new category is known as “sensitive personal information” and includes precise geolocation data, race, religion, sexual orientation, Social Security numbers and certain health information.
  5. Finally, the new privacy law gives consumers the right of data portability, which means someone can tell a company to share their information with another company. It is like when someone changes their mobile phone or insurance companies.

What Businesses Need to Know About The California Privacy Rights Act

Businesses will also have a host of new duties that apply to them:

  1. Companies will have to create data silos, meaning they will have to keep personal information used in marketing separate from other consumer information. Companies, especially smaller ones, are already struggling to meet the existing consumer rights of access, review, deletion and opt-out. The new provision could compound the compliance issues.
  2. The most significant change for businesses will be the requirement that companies update agreements with contractors and sub-contractors that bind them to meet the provisions of the CPRA. In past podcast episodes, the ITRC has talked about data breaches resulting from “supply chain attacks.” That is where a company has good cybersecurity. Still, a third-party vendor ends up breached, and the company’s customer data is exposed. The requirement to update agreements with contractors and sub-contractors is designed to address supply chain attacks and clarify that everyone in the supply chain is responsible for protecting consumer information.
  3. Businesses do get some benefits in the CPRA. Employee and B2B data are exempt from the law until at least 2023, and businesses may be charged fees if consumers opt-out of data collection and sharing. That provision is the reason privacy advocates joined Big Tech companies to oppose the CPRA.

Toughest Privacy Law in the United States

The CPRA will be the toughest privacy law in the U.S. when it goes into full effect in 2023. In the meantime, state officials will propose the regulations needed to implement the new law. In the case of the CPRA, there will also be a new state agency created to enforce the new privacy law. For now, the California Attorney General will continue to enforce the existing law, CCPA.

Privacy Law Passed in Massachusetts

There was another state privacy law recently approved by a vote in Massachusetts. Car owners now have the right to see the information their car is wirelessly sharing with automakers. Approximately 75 percent of voters approved the proposal; carmakers have until 2022 to comply.

notifiedTM 

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC

If you have a question about The California Privacy Rights Act, data privacy, or if you receive a breach notice and you’d like to know how to protect yourself, contact the ITRC. You can speak with an expert advisor toll-free at 888.400.5530 or by live-chat on the company website. Also, download the free ID Theft Help App to access resources, a case log and much more. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  

  • Two new research papers from OpSec Security and Consumer Reports shows how consumer privacy and cybersecurity views are evolving across the U.S. 
  • Findings in the OpSec Security report show that cyberattacks and data breaches are pervasive, and consumers are concerned and desensitized by the volume of information compromises. 
  • The Consumer Reports report concludes that consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. 
  • For more information on the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notifiedTM. It is updated daily and free to consumers.  
  • For cybersecurity, privacy or data breach advice, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website. 

Privacy and cybersecurity impact consumers. Two new research papers show how consumer privacy and cybersecurity views are evolving across the U.S. The reports validate a central concern among consumers that there is not enough done to protect their most precious possession; their name. 

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will look at two new research reports. The first focuses on recent changes in consumer attitudes. The second takes a longer-term look at how consumer privacy and cybersecurity views are different now compared to 25 years ago when the modern commercial internet was born.

The Importance of Reputation 

Reputations are important to individuals, companies and organizations. That’s why OpSec Security, a global cybersecurity firm, recently surveyed 2,600 consumers throughout the U.S. and four European countries. Researchers asked consumers whether they have been affected by cybercrime, their perceptions of brands, and if their role – or the role they should play – in keeping consumers safe has changed over time. 

The findings show that cyberattacks and data breaches are pervasive and consumers are both concerned and desensitized by the volume of information compromises. Some of the key findings in the last year include the following: 

  • 40 percent of respondents were a victim of an email or phishing scam
  • 51 percent of respondents say they receive more phishing attempts now than before the COVID-19 pandemic. 
  • 35 percent of respondents experienced credit or debit card fraud. 
  • 21 percent of respondents were a victim of identity theft at some point.  

Meanwhile, 30 percent of respondents were impacted by a data compromise, which did not surprise nearly one-third of the people who received a data breach notice. Of those who had their data compromised, 46 percent were contacted more than five times. Almost half of those who haven’t received a data breach notice, 48 percent, are worried they will soon.  

Those 30 percent of consumers in the OpSec survey who say they had their data compromised in a data breach equal the same percentage of people who responded to a similar question from Consumer Reports.  

Consumers Think Businesses are Responsible for Protecting Personal Information 

Both surveys came to a similar conclusion: consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. Consumer Reports surveyed more than 5,000 U.S. residents about privacy and security. They also reviewed past research to show how consumer attitudes changed over time. 

  • In 1995, 44 percent of consumers were worried “a lot” or “some” about losing privacy due to the internet. 
  • By 2002, 76 percent of survey respondents were uncomfortable about companies collecting data about them. However, 94 percent thought they had a legal right to see what data the company collected about them from a website. 
  • Fast forward to 2019; 65 percent of consumers said they do not believe their personal information is kept private. 

In the Consumer Reports research published in October, 96 percent of consumers surveyed agreed that more could be done to ensure companies protect consumer information. Other findings include the following: 

  • 68 percent of consumers surveyed believe companies should be required to delete the data they have about someone upon the consumer’s request. 
  • 67 percent of respondents think there should be tougher penalties, like high fines, for companies that don’t protect someone’s privacy. 
  • 63 percent say companies should be required to give consumers access to the data companies have about them. 
  • 63 percent also believe there should be a national law that says companies must get a person’s permission before sharing their information. 

There are now laws, passed in multiple states, that include one or more of the items from the consumers’ privacy wish list above, but a national privacy law remains elusive. 

Built-In Privacy Features 

One finding that did not emerge from either survey on consumer privacy and cybersecurity views was a consensus around what consumers want to happen next to protect their information. Consumer Reports notes that companies are beginning to build products with built-in privacy features. More than 40 percent of consumers say they may be willing to pay companies to stop collecting, sharing and selling their personal information. Right now, that practice is prohibited in California, the state with the toughest privacy law in the U.S.  

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Contact the ITRC 

If you receive a breach notice and would like to know how to protect yourself, contact the ITRC at no-cost by calling 888.400.5530 to speak with an expert advisor. You can also live-chat with an advisor on the company website. Also, download the free ID Theft Help App to access advisors, data breach resources, a case log and much more.  

Join us on our weekly data breach podcastto get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.   


Read more of our latest information & educational resources below

Unsubscribe Email Scam Looks to Trick Consumers

Social Media Scams are on the Rise as More People Use the Platforms to Connect

Phishing Attack Report Reveals Microsoft is the Top Spoofed Brand and Other Data Breach News

There are many unanswered questions about the coronavirus impacts in the United States, some of which center around how schools will reopen for the fall term. K-12 school districts in many areas are scheduled to resume classes in a matter of weeks. However, what the learning environment will look like has yet to be determined in many cases. With that said, there are a lot of concerns about how schools might implement distance learning on a large scale.

One concern that parents, teachers, administrators and technology leaders face is how to protect students’ personally identifiable information (PII) in an online environment. Child identity theft is a serious problem and educational institutions have been a target for hacking due to the vast amount of personal student data their servers store. A child’s identity credentials are seen as extremely valuable to identity thieves, primarily because of the long period of time where their use by the thieves can go undetected.

Parents are considering the option of continuing to keep their students distance learning, but internet safety tips for kids using online platforms will become even more important as more students (especially K-12) utilize digital education for a longer period of time. However, with so many different online platforms being used by schools of different sizes and needs, there could still be an increased risk of student data being exposed or stolen in a data compromise and then used to create synthetic identities or sold for marketing purposes.

In one example from 2019, an online education provider in the U.S. suffered an accidental overexposure when a database of possibly more than 19,000 students’ information was left unsecured. Anyone with an internet connection was able to see the data for more than a week before it was taken down and password protected. It is still not known if anyone accessed the information while it was exposed.

As the new school year takes shape, it will be vital that administrators and IT professionals put safeguards in place to prevent unauthorized access to student records, employee files and other sensitive materials. Understanding the laws that are already in place is important in helping schools avoid costly mistakes. In California, the state’s privacy and cybersecurity law (CCPA) requires businesses and organizations to safeguard consumer data against data breaches and accidental events. Companies are also required to obtain parents’ authorization when collecting data on any child under 13 years of age, as well as have permission from the parents and student if the child is between 13 and 16 years old. The U.S. government’s Children’s Online Privacy Protection Act (COPPA) also gives parents some control over what personal information companies can collect on their children under the age of 13.

The next step may be in limiting the type of information that schools gather, such as Social Security numbers or health insurance and Medicaid identification numbers. Another important child privacy step will be ensuring that all personnel who have access to stored data know how to secure it. As some educators switch to wearing multiple hats this fall, they must be well-trained on how to use the platforms their school systems have adopted.

For parents, there are many internet safety tips for kids they can teach their students when it comes to online security:

  • Parents should be mindful of what websites their kids visit and teach them about what types of information are okay to enter online
  • Parents are encouraged to help their kids be aware of the dangers of clicking links or downloading files, as these can contain viruses and malware
  • Parents should make sure all of their kids’ online interactions occur with a known and trusted individual to lessen the opportunity for social engineering
  • Parents can enact the strictest privacy control settings available on both their child’s computer, mobile devices and browsers they use

Anyone with questions about child identity theft, distance learning security or internet safety tips for kids can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.


You might also like…

Stalker Data Breach Leads to Sale of Users’ Credentials

Non-Traditional Data Compromises Make Up the Latest Week of Breaches

Mystery Shopper Scams Surface During COVID-19

It is more important than ever that consumers use strong security questions with strong security answers on their online accounts. With most people home due to the COVID-19 pandemic, more consumers are required to shop online to do their food and household purchasing. That means a lot of online accounts have been and will continue to be created. One common step in creating an online account is picking a security question in case the creator of the account cannot remember their password. It is meant to be another layer of security for the authentication process.

While this alternative way of identifying customers can be very useful, it could also put more personal information at risk of compromise should the company fall victim to a data breach. For example, if someone selected “What are the last four digits of your Social Security number?” as their security question and provided that credential as the answer and the company’s online user database was breached, hackers could have that piece of personal information to use to flesh out more details of the person’s identity credentials.

However, there are things people can do to keep themselves safe while using strong security questions as another form of authentication.

When creating an answer to a security question, the response doesn’t have to be the exact answer. In fact, the Identity Theft Resource Center would encourage people that are signing up for online shopping, and other non-sensitive online accounts, to provide alternative answers. Doing so creates a strong security answer because it would be nearly impossible for anyone to research or guess. For example, if “What is my mother’s maiden name?” was selected as a security question, using an alternative like their mother’s nickname or some other name doesn’t give away a very valuable component of your security question. The answer should be stored in a password manager or on a piece of paper that is securely locked away.

With that said, creating alternative answers to security questions should only apply when someone is creating an account for a business or institution that doesn’t require highly sensitive information to verify their identity. If someone was creating security questions and answers for an account with a bank, lending institution or medical provider that uses that information to authenticate the user’s identity, they would want to provide accurate answers because the answers could be used to verify identity.

Some other tips to keep in mind while trying to pick strong security questions include:

  • Select a security question that cannot be guessed or researched over the internet, social media profiles, etc.
  • Select a security question that will not have to be changed over time
  • Select a security question that is easy to answer, but not obvious to others or easily researched
  • Select a security question with a precise answer that does not create confusion

Users should make sure they are selecting strong security questions that will keep them safe. They should not be afraid to use alternatives for the answer if it will protect identity credentials. People should also make sure their answers are as strong as their passwords. People can do their part to protect themselves and shop online for all the things they need to get through the COVID-19 pandemic, and beyond.

For more information about protecting your online accounts, contact the Identity Theft Resource Center to live chat with an expert advisor or call toll-free at 888.400.5530.


You might also like…

 

Schools, businesses and individuals are making drastic changes right now due to concerns surrounding COVID-19. Some of the protective measures, such as social distancing and self-isolation, translate to technology picking up the slack to keep businesses and education moving forward. However, that is leading to privacy issues particularly around kids using technology not originally intended to be utilized in the new manner many have taken to using some platforms.

One platform stepping in to fill the need is Zoom, a videoconferencing tool that allows users to talk, video chat, instant message and even screen-share in real-time. This long-time business tool is now being used for everything from online classes to social get-togethers, but malicious users have already figured out how to crash virtual meetings.

A new practice, known as “zoom-bombing,” happens when an uninvited user works their way into a user’s Zoom session and causes a disruption. Reports so far have included “bombers” dropping in and writing racial slurs across the screen, posting pornographic images for all the viewers to see and more.

Zoom was created to allow businesses to communicate quickly, effectively and on-the-go. Because of that, creating an account was set up to be very simple and does not require much authentication. Now that more people are using the platform, including teachers for grades K-12, and finding creative uses for this tool, the concern about privacy, and especially that of children, is even more real.

In fact, some Zoom conferences hosting children have already been compromised. Recently a Zoom conference with students from the Orange County Public School System in Florida was disrupted after an uninvited guest exploited himself to the class. In Boston, a group of students shared inappropriate content.

Zoom is working on a fix that will help stop intrusions and increase security, particularly child privacy, making it important that users download any updates issued by Zoom. Before using the platform, users can also take precautions by changing the default security settings. That includes updating the use of a password to enter the conference, using the “waiting room” feature to screen participants and only allowing authenticated users to join the meeting.

Users can also be more aware of how they are engaging with other people with their Zoom accounts. Ultimately, the platform relies on each user making smart decisions about how they are sharing their meeting rooms. Some child privacy aspects to consider:

  • Making sure to not share meeting invites with others on public profiles, such as inviting others to attend on social media
  • Teachers hosting Zoom meetings are encouraged to change the platform’s default settings before each session

This is an important reminder that this type of technology, especially platforms that function online and are accessible by other users, can have serious privacy ramifications. As many public schools and activity groups are now using Zoom to interact with children, it is even more important that users understand how to protect themselves. Parents should make it a habit to remain nearby while their children are on Zoom in order to end the session immediately if something unexpected takes place.

To increase child privacy, parents are encouraged to talk to their kids about proper online conduct before any virtual meeting. It is also recommended that if someone’s child is going to interact with other children on Zoom, parents should remind their kids that the same rules that apply in the classroom – or other in-person meetings – apply on Zoom.

If people have questions regarding their privacy on social media or accounts, they can live chat with an expert ITRC advisor at no-cost.


You might also like…

Financial Database Leak Leads to Over 500,000 Documents Exposed Online

Canon Data Breach Leads to General Electric (GE) Employee Information Being Exposed

COVID-19 Romance Scams Begin to Make the Rounds

Unbeknownst to many consumers, the country’s most advanced consumer privacy act just went into effect on January 1, 2020. The California Consumer Privacy Act (CCPA) outlines some of the strongest protections for individual consumers and the companies they choose to do business with. However, some early reporting shows that a lot of people are still not aware of the new legislation.

DOWNLOAD OUR NEW CCPA INFOGRAPHIC HERE

CCPA provides new protections in the event of a data breach, new tools for consumers to find out exactly what information a company has collected and sold or shared and more. Under the CCPA, consumers also have the right to delete some personal information and opt-in for children. In the CCPA personal information is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information under the CCPA does not include publicly available information.

 Companies doing business in California — whether they are located there or not, or simply have customers or users who reside in the state — must provide more than just the proof of information they have collected. If an individual consumer does not want their information sold to third parties, the CCPA states they have the right to opt-out and the companies must comply. Failure to comply could result in significant fines, penalties and damage awards of up to $7,500 per consumer.

Image of business with notice of CCPA

That has been a sticking point for a number of businesses, though.

There are questions about how businesses will comply with the do not sell requirements. Some companies are claiming that if they “share” their users’ data with an outside company, they are in compliance. The supporters of the CCPA have said selling or sharing is the same thing, though companies like Facebook, CVS, Indeed and others argue their methods of providing users’ information to outsiders does not violate the CCPA.

Image of Conde Nast disclosure of CCPA

Some of the other responsibilities of businesses include a child opt-in requirement, a website notice requirement, a duty to educate, vendor agreements, third-party transfers and cybersecurity protections to prevent a data breach. In the event of a data breach, consumers can now sue to recover up to $750 in costs per data breach. For more information about consumer rights in the event of a data breach or other CCPA rights, click here.

Image of business disclosure of CCPA

Though the California Consumer Privacy Act went into effect on January 1, businesses have until July 1 to comply before enforcement—and presumably, punitive action—begins. It will be interesting to see both how this plays out for businesses that make a lot of money by selling their customers’ information, and how many other states follow suit with legislation of their own.

Sign Up For Identity Theft and Data Breach News

Sign up for the TMI Weekly to stay in the know about potential threats to your identity/privacy and tips to keep you safe. Our monthly breach alert keeps you posted on the latest trends and activity in the world of breaches.

Free Identity Theft Assistance

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

This news is currently evolving and we will update as announcements are made available.  

You might also like…

Save the date for this year’s Data Privacy Day! In the current always-connected digital age, it can be easy to take privacy for granted. Apps, websites, social media and even games want everything from permission to access our contacts list to invasive amounts of personal information. Even signing up for a new account can mean turning over your name, email address or birth date.

Too often, though, consumers do not stop to think about why an app wants to use your friend’s list or why a game needs access to your device’s photos. We simply click through the terms of use and are wondering later on how hackers stole our data in a data breach or why a company sold our information to third-parties.

StaySafeOnline, which is powered by the National Cyber Security Alliance, will be hosting its annual Data Privacy Day on Tuesday, January 28. This live-streamed event will begin at 1:00 p.m. EST/10:00 a.m. PST and will feature industry experts speaking on a variety of privacy-related topics.

One session of the event will be important to a lot of different stakeholders, that being the discussion of the new California Consumer Privacy Act, which is set to take effect this month. There will also be panels on the effects of the GDPR regulations that have already gone into effect in Europe, as well as discussions on how privacy affects both businesses and individuals in a worldwide-connectivity landscape.

More importantly, one of the goals of Data Privacy Day is to look ahead to what the future of the privacy and cybersecurity landscape might look like. A few years ago we might have never envisioned mobile games that could leak your personal information online or social media apps that buy and sell users’ data as a commodity. Now, with the first days of 2020 already behind us, it is both exciting and a little unnerving to imagine what privacy will really mean in the coming decade. To participate in the online live stream of Data Privacy Day 2020, visit StaySafeOnline.org and click on the Data Privacy Day tab.

You might also like…

2020 Trends for Identity Theft, Data Privacy, and Cybersecurity

Begin Your 2019 Tax Filing to Thwart Tax Return Fraud

Don’t Get Grinched by the Ellen Facebook Scam