The House of Representatives voted 215 to 205 to overturn a yet-to-take-effect regulation that would have required Internet Service Providers to get consumers’ permission before selling their browsing data. Last Friday the Senate voted 50-48 to do the same. Both votes broke strictly along party lines. According to a White House statement, the President is expected to sign the rollback.
SLPowers believes this has important implications for your company and its employees.
Background on the regulation
ISPs collect huge amounts of data on the websites people visit, including medical, financial, and other personal information. Last October, the Federal Communications Commission (FCC) approved a regulation that would require ISPs to ask permission before selling that information to advertisers and others, a so-called opt-in provision. That regulation was slated to go into effect in December of 2017, but other provisions of the FCC ruling had been looming much closer on the horizon. One requiring ISPs to take “reasonable” steps to protect customers’ information from theft and data breaches was supposed to have taken effect on March 2, but the FCC’s newly Republican majority halted its implementation. Another provision related to breach notification was scheduled to become law in June. That is no longer the case.
The arguments FOR and AGAINST
Republicans argued that the Federal Trade Commission (FTC) has jurisdiction to regulate privacy, not the FCC. Allowing both agencies to regulate different segments of Internet usage would create confusion within the online ecosystem and ultimately harm consumers. Edge providers like Google and Facebook are already regulated by the FTC, under less stringent guidelines than the pending FCC rules would have imposed. The pro-rollback argument stressed that if allowed to take effect in December, the regulations would effectively pick winners and losers, benefiting certain companies (edge providers) over others (service providers). This vote effectively “levels the playing field,” allowing both kinds of companies to compete under the same privacy guidelines, and restrains the “overreach” of federal regulatory agencies.
Democrats argued that the rollback of the FCC’s opt-in privacy provisions would mean that sensitive information, including health and financial information, and information about one’s children, could now be sold without the knowledge or consent of the ISP subscriber. Unlike the users of an edge provider, who could switch from Google to Bing if they don’t like Google’s privacy policies, ISP subscribers frequently have no choice in carriers, especially in underserved rural areas. The anti-rollback argument stressed that the pending FCC provisions wouldn’t prevent ISPs from monetizing customer data. They simply would require ISPs to inform consumers about how their data would be used and get customer consent before selling the most sensitive data. This vote was “a violation of privacy,” one that “blows a gaping hole” in federal privacy protections.
What your employees should know about Internet privacy
At SLPowers, we believe in the power of employee education.
We know that knowledgeable, threat-savvy employees make your company’s information safer and your workplace more productive. We’ve also learned that the most effective way to raise their level of organizational security awareness is to give them the knowledge they need to make their personal information more secure.
To that end, they should know that in order to protect their browsing history from their ISP, they need to encrypt their Internet traffic. There are only three methods of accomplishing that: VPN services, Tor browsers, and HTTPS.
VPNs, or Virtual Private Networks, use encryption technology to create essentially private connections over the very public Internet. Browsing sessions are encrypted on each end of the virtualized tunnel, which means an ISP can see that someone is using a VPN, but that’s all they’ll see. But be careful that your employees don’t read this and attempt to access your corporate VPN for all manner of family and personal use. Instead, invite them to investigate any of the dozens of consumer VPN products on the market at affordable price points. For starters, they can check out IPVanish and ExpressVPN, both of which provide effective VPNs for home use.
The Tor network was designed to allow users to browse the Internet anonymously. By downloading a Tor browser, users navigate through a complex system of routers and hops, designed to shield their identities within any browsing session. But browsing can be slow, and while the network itself has proven nearly impossible to hack, the browsers are vulnerable to man-in-the-middle attacks that can put a user back to square one. And because the technology is used for all manner of unsavory and illegal pursuits (human trafficking, child pornography, etc.), using it could make you a target of investigation.
By now, most consumers know enough to look for the HTTPS tag, or the lock icon, in their browser window before entering banking or credit card information on the web. But the encryption built into an HTTPS session can be found on many web locations, not just e-commerce sites. Using HTTPS will not prevent your ISP from knowing you visited a particular website, but it will prevent them from knowing what internal pages you visited once you arrived there. And when it comes to protecting the privacy of your employees, that could really matter.
What you can do
As mentioned above, we’ve discovered that the best way to make your workplace more security-aware is to give your employees the tools they need to make the online portions of their personal lives safer.
But because the cybercrime landscape changes constantly, security education cannot be a one-time undertaking. Rather, ongoing learning, peppered with timely periodic updates, provides the best recipe for heightened security awareness.
2. Identity theft is a threat to every employee, but it is an important concern for your business as well.
It is more efficient for cyber thieves to steal dozens (or hundreds) (or thousands) of identities at once than it is to acquire them individually. Your workplace maintains records of people’s addresses, their dates of birth, Social Security numbers, and bank accounts (for direct depositors). They deserve to be protected.
You need a state-of-the-art firewall, with all advanced security features activated, especially its Data Loss Prevention capabilities. This firewall should be actively managed and monitored around the clock. Its logs should be checked daily to recognize anomalies, and potentially suspicious events need to be correlated with activity in other parts of your network.
Security Essentials by SLPowers was designed to leverage our investment in security and monitoring technology, our 30+ years of experience, and a full staff of security specialists, on your behalf. Our mission is to make Enterprise-class security affordable for smaller and medium-sized organizations, and to prove it to you every month.
And we’ve designed an end-user security education program that combines interactive and memorable live learning with ongoing e-learning modules. This program meets compliance requirements, and many of our clients have made it a requirement for onboarding new employees.
We hope you’ve enjoyed this edition of the Watch Out Wednesdays newsletter, and found its perspective worthwhile. Keep an eye out for another edition next week.
SLPowers provides small businesses with affordable security and compliance solutions that were previously only within reach of large enterprises. In other words, we make technology safe for small businesses. For more than 30 years, we’ve provided our clients with secure and stable computing environments, so their business could thrive.
If you’re in a regulated industry, we encourage you to consider transferring the compliance burden to our experts, who do this every day.
There really is a drama-free way to approach compliance and information security. Shoot us an email, or pick up the phone, and we’ll show you the difference.