The FCC and a handful of state attorneys general have created an unprecedented enforcement partnership to go after internet service providers that violate consumers’ data privacy and security.

Currently, the Federal Trade Commission has authority over broadband data privacy and security issues, but the Federal Communications Commission’s Democratic majority is in the process of bringing the internet under its regulatory authority by reclassifying broadband access as a Title II telecommunications service subject to its regulation.

FCC chair Jessica Rosenworcel said the agency is formalizing the cooperation with attorneys general in Illinois, Pennsylvania, Connecticut and New York, all Democrats, through a memorandum of understanding (MOU) with each.

Under the agreements, the Democratic-headed FCC and the Democratic AGs will coordinate investigations and prosecutions and share resources and expertise.

“I am thankful to these four partners for prioritizing interagency cooperation, and we welcome other state leaders to join us in this effort to ensure we work together to protect consumers and their data,” Rosenworcel said of the partnership.

“These strategic partnerships … will allow us to maximize our efforts to address risks arising from the misuse or mishandling of sensitive data we entrust with service providers and the continued threats posed by cybercriminals and foreign adversaries,” FCC Enforcement Bureau chief Loyaan Egal said.

The move means states that want to launch investigations into ISPs will get the FCC Enforcement Bureau staff's expertise, as well as help with things like subpoenas.

Rosenworcel pointed to the success of its new state AG partners in cracking down on robocalls, and looks to leverage that effort in policing ISP conduct when it comes to data protection, privacy and security.

The FCC’s participation will be coordinated through its Privacy and Data Protection Task Force.

Outcomes based ad platform LoopMe said that Wenda Harris Millard, vice chairman of MediaLink, and John Montgomery, executive VP of brand safety at GroupM have been added to LoopMe’s Data Advisory Board.

The executives will provide insights and expertise on handling and using data in a safe manner for effective cross-platform marketing campaigns.

“We are honored to have Wenda and John join our Data Advisory Board – they both have had impressive impact in the advertising industry,” said Stephen Upstone, founder and CEO of LoopMe. “In collaboration with the rest of our talented advisory board members, we welcome Wenda and John’s expertise as we apply data and AI to deliver incremental advertising performance from mobile video and CTV ads across our core business, growing marketplace and measurement suite.”

The LoopMe Data Advisory Board was founded in May 2019 to help brand advertising get measured and optimized against its objectives as as definitively as performance advertising does.

“I am thrilled to join LoopMe’s Data Advisory Board,” said Millard. “Throughout my career, I’ve focused on understanding marketers’ needs, and I believe LoopMe’s unique blend of data, technology and media to drive measurable uplift across business outcomes will continue to solve the key challenges that brands face today.”

“I am impressed by LoopMe’s leadership in providing quality audience measurement to advertisers, including a promise to brand and agency clients that their ads would not appear alongside hateful and inflammatory content,” said Montgomery. “We need to employ a more granular and transparent approach to digital marketing, and I look forward to working in partnership with LoopMe to advance this important initiative.”

Millard and Montgomery join a group of advertising industry heavyweights serving on the LoopMe Data Advisory Board, including Rishad Tobaccowala (former Publicis CGO); Eric Eichmann (Spark Networks CEO, former Criteo CEO); Iain Jacob (CEO, chair, NED); Lynda Clarizio (former president, Nielsen US Media); Mainardo de Nardis (former Omnicom CEO) and Wanda Young (CMO at Samsung Electronics America). 

A bill reintroduced by Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) would require manufacturers of connected cars to get an owner's opt-in permission to use any information collected by the car for advertising or marketing purposes -- such as triggering a gas pump ad for a local restaurant as the car rolls into the station for a fill-up.

The Security and Privacy in Your Car Act of 2017 (SPY Car Act) would direct the National Highway Traffic Safety Administration and the Federal Trade Commission (which oversees device privacy) to set cybersecurity standards for cars.

In addition to user opt-in for sharing of data, the bill would require "clear and conspicuous notice" to vehicle owners or lessees of the collection, transmission, retention and use of data collected from their cars.

The opt-in would extend to data used for car safety systems. Owner or lessees who decided not to opt in would still get access to navigation tools and other features "to the extent technically possible."

Opting in to data sharing for marketing or ad purposes can't be a condition for the use of any non-marketing related features or functions.

Those car-related provisions track with the FCC broadband privacy rules -- opt in, no marketing quid pro quo -- that Republicans in Congress are trying to overturn, and both Markey and Blumenthal strongly support.

The senators are also reintroducing an aircraft cybersecurity bill.

“Whether in their cars on the road or in aircraft in the sky, Americans should be protected from cyberattack and violations of their privacy,” Markey said of the two bills. “If hackers access the critical systems of a car or plane, disaster could ensue and our public safety could be compromised. We must ensure that as technologies change, our safety and privacy is maintained. I thank Sen. Blumenthal for his partnership on this critical issue.”

Few companies in the cable and telecommunications industries have escaped the cyber attacks that continue to wreak havoc on just about every layer of the supply chain.

Varying degrees of security breaches at Comcast, Cox Communications, Time Warner Cable and other cable providers have raised the red flag in the cybersecurity space and prompted a new mantra: Now is the time to raise the level of security.

“A fundamental evolution is taking place and the security implications are numerous,” Michela Menting, research director at consulting firm ABI Research, said. “Above all are the issues raised by the transition to all-[Internet protocol] networks, which are already highly exploited by threat actors and will be a boon for malicious cyber-agents — and all sectors are vulnerable.

“Investment in security services and corresponding hardware and software is not something they can ignore or put off , except at great cost to their services, reputation and client base,” she said.

Cybersecurity concerns have become so paramount that in its Charter Communications-Time Warner Cable merger order, the Federal Communications Commission required Charter to submit a plan to manage its increasing security risks during the transition.

And according to the Hewlett Packard Enterprise/Ponemon Institue “2015 Cost of Cyber Crime” study, hacking attacks cost U.S. firms, on average, some $15.4 million a year. Globally, U.K. insurance firm Lloyds estimates that cyber-attacks are costing businesses a staggering $400 billion a year.

There’s also the shaken confidence of clients and subscribers about the safety of their data. And not everyone is convinced the cable industry is prepared for any attacks.

“Cable networks are archaic in many respects, as they extend the life of existing systems, and frankly, the security posture of networks and the less time spent on security leads to a lot of holes,” Chris Simkins, CEO and co-founder of supply chain analysis and risk management firm Chain Security, said.

PricewaterhouseCoopers (PwC), a consultancy moving deeper into the cybersecurity space, believes cable companies are getting the message that shoring up their networks should be of the highest priority.

“There’s a lot going on with MSOs and we’re seeing the awareness lev el rising,” Mark Lobel, a principal in PwC’s U.S. advisory practice and Cybersecurity Technology, Information, Communications & Entertainment leader, said. “But cybersecurity is like a chess game with no kings, and trying to stay ahead of who’s across the board.”

And just who is across the board?

“There are many threat vectors,” Irfan Saif, a principal in Deloitte’s Cyber Risk Services practice, said. “There are service-disruption actors, those looking at the backbone to propagate malware and those who want to compromise customers. It’s a broad range of threat actors and companies must be cognizant of them all.”

That will require a holistic approach, Saif noted. “You must understand what behavior is considered normal and what indicates a threat of attack and what are the crown jewels that require higher-grade protection.”

Cisco Systems, another player in the cybersecurity space, concurred with Saif’s assessment.

“The best approach is a holistic look at security and where each layer builds on top of each other — firewalls, advanced malware protection, email and core technologies like conditional access, DRM and anti-piracy technology — a breadth of security,” Cisco senior product and solutions marketing manager Sam Rastogi said.

Another less glamorous threat, but just as dangerous, comes from the inside.

“Employees or vendors with access to information is a growing concern,” Rastogi sad. “Who’s accessing information and how, and is there abnormal activity? A risk-based program with alerts, authentication measures and more will give companies more insight.”

CableLabs, the cable industry’s research and development consortium, is accelerating its cybersecurity activity with two initiatives: It’s working with the Wi-Fi Alliance to ensure links to hotspot access points are secure, and it’s reaching more deeply into home managed access points.

“The level of engagement is very high and there are real questions being asked,” The mindset is changing,” CableLabs principal security architect Steve Goeringer said.

That’s a good thing, said Rick Michaels, CEO of CEA, a cable industry-focused investment bank. “It’s one thing that cable is carrying 60% of the Internet traffic, but now there are data centers and multiple services with different touch points in cable. Cybersecurity should be of paramount interest to the cable industry.”

Most cable companies are understandably reluctant to discuss their cyber security strategies. Comcast, which in March hired Noopur Davis as senior vice president of product security and privacy, offered a statement from Myrna Soto, senior vice president and global chief information security officer: “We’ve committed extensive resources with a focus on risk management and built resilient and smarter networks with many security layers that are monitored continuously. Using automation, tooling and analytics is key.”

Arris, another key equipment supplier to cable networks, said in a statement (in part): “Security remains a top priority at Arris, as it does for all manufacturers of Internet and network-connected devices” and that it “employs a variety of protective measures to help ensure the safe and reliable operation of our devices including, but not limited to, DOCSIS compliance, vulnerability scanning, and monitoring programs.” It works “actively with security organizations and our service provider customers to identify and quickly resolve any potential vulnerabilities to protect the subscribers who use our CPE devices.”

Breaches cut across both residential and business markets, added Sander Smith, president of Sericon Technology.

“It’s clear that very soon we’ll see consumers filling their home networks with IoT devices, and these devices will be rushed to market with very little thought given to security.”

Yet even with the increase in cyber attacks (PwC reported a 38% increase in 2015 vs. 2014), there is cautious optimism that with emerging cybersecurity innovations, an expanding community of cybersecurity companies and a heightened awareness among service providers, security is being strengthened.

“We’re seeing various levels of maturity in cable and telecom and a raising of awareness in those organizations,” PwC’s Lobel said. “But they can’t lose focus.”

The National Cable & Telecommuications Association is focusing its cybersecurity attention on two areas, senior vice president, science and technology and chief technology officer Bill Check said.

“We are leading the industry’s Cybersecurity Working Group and working with the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC), along with various cybersecurity-related working groups,” he said. “The challenge is to anticipate current and future threats and design systems of early detection and resistance, because cyber-criminals will always look for new exploits.”

The Broadband Internet Technical Advisory Group (BITAG), the nonprofit multistakeholder group focused on broadband network management issues, is working on a report on the technical side of security and privacy in the Internet of Things world.

The report will look at smart phones, tablets and computers, as well as the sensors and monitors being woven into the fabric of daily life.

"Some IoT devices are shipped with security flaws that can put end users at risk and negatively affect their Internet experience, for a variety of reasons," BITAG said in announcing the repot. "To address the technical issues underlying these security and privacy related concerns, BITAG’s technical working group will analyze this topic and issue a report that will describe the issue in depth, highlight technical observations, and suggest appropriate best practices.

Lead editors on the report, which is planned for the fall, will be Jason Livingood, VP of Internet services, for Comcast, and Nick Feamster, computer science professor at Princeton University.

The review will be chaired by BITAG executive director Douglas Sicker.

The announcement comes the same day the issue is getting a deep dive on Capitol Hill. "The Internet of Things: Modernizing Transportation and Infrastructure," is the subject of a hearing in the Senate Surface Transportation and Merchant Marine Infrastructure, Safety and Security.

As an unsavory group, phishing, hacking and malware together comprised the number one cause of data security "incidents."

They caused 31% of all breaches, according to the second annual Data Security Incident Response Report from BakerHostetler, which analyzed more than 300 such incidents the law firm helped manage.

Rounding out the top five causes, in order, were employee actions/mistakes (24%), external theft (17%), vendor-related incidents (14%) and internal theft (8%). Just outside the top five, at 6%, was improper records disposal.

The study found that the average time between a breach and detection was in excess of two months (69 days), and in at least one case well more than a year. Almost a quarter (24%) of the breaches resulted in a regulatory inquiry, and litigation was begun in 6% of the cases.

More than half of the breaches (52%) were self-detected.

WASHINGTON — According to Sen. Richard Burr (R-N.C.), chairman of the Senate Intelligence Committee, the USA Freedom Act will be reintroduced with three amendments, the first essentially a replacement bill with two changes, plus a couple of amendments to that new bill.

The amendments will likely come on Tuesday (June 2), with Burr's hope that the measure can pass Tuesday afternoon.

If the amendments are agreed to, the House will have to revote the bill, which was passed without amendments in that body under the threat that any changes would have killed it.

The National Security Agency’s authority to conduct bulk metadata surveillance under Section 215 of the USA Patriot Act expired on May 31, and will have to wait at least another day before it is revived in a different form in the USA Freedom Act, if it passes, as most expect.

The substitute bill’s amendments would do several things, including requiring telecom companies to give the government six months notice of any change in their data retention policies. One key change the USA Freedom Act makes to the Section 215 authority is that telcos, not the government, will hold the data, and are under no mandate to retain it for longer than the normal business case of 18 months to two years.

A second amendment deals with how telcos query the data when the government asks for it.

The other two amendments would: 1) extend from six months to 12 months the transition from the old method of the government scraping and storing the data to the telephone companies keeping it for query (subject to a court order); and 2) change the language related to filing friend of the court briefs. (Burr would have extended the storage transition to 24 months.)

On the Senate floor, Sen. John Cornyn (R-Texas) said the amendments are "positive, common-sense improvements" that will strengthen the bill, though he would have preferred a full extension of Section 215. He said the bill balances security and privacy as the government works on a longer-term solution.

Burr said the Patriot Act authorities were one of the tools created after the Sept. 11, 2001 terrorist attacks, when an inability to link cellphone calls between terrorists was cited as an intelligence failure that needed correcting.

Burr said he hoped that the House could act and the bill could be approved by end of day Tuesday. In the meantime, the NSA bulk data cannot be queried, given the sunset of the authority.

Time was of the essence so NSA could get ahead of the next potential attack, Burr said. He said the amendments would not "blow up" the legislation.