Server and protect: FTC attorney offers tips on how to handle cybertheft

July 6, 2017
Identity theft among most common complaints filed.

An attorney for the Federal Trade Commission (FTC) calls personal information-targeted by cyber thieves-the "new oil, the new gold" in our economy.

Katherine E. McCarron, an attorney in the FTC's division of privacy and identity protection, presented at Optometry's Meeting® in June on resources that can protect consumers, including doctors of optometry and their staffs, from data breaches of their business and personal data. 

Identity theft is among the top and most widespread complaints her division receives, McCarron said during her presentation. That's because the information has cash value-it can be used to file a fraudulent tax return, apply for a line of credit or open a bank account.

"That is why your personal information is so valuable to people who would like to use it and why consumers need to take special steps to protect their personal information," she added.

She offered this high-level strategy for protecting information:

  • Take stock

  • Scale down

  • Lock it

  • Pitch it

  • Plan ahead  

McCarron then detailed lessons learned from the more than 50 data security cases handled by the FTC.

Useful FTC resources if credit is breached

The FTC attorney strongly recommended that consumers access important and actionable resources at IdentityTheft.gov . At the site, consumers can report a theft, create a recovery plan and create other documents that can make process go more smoothly in the case of a cybertheft. That includes a strongly worded, pre-populated letter to file with the company where the fraud occurred. The letter might ask the company to remove the fraudulent charges, not to report the debt to a credit reporting agency because it's not your debt, place a fraud alert, or credit freeze on the account.

All the resources are available online and in print at bulkorder.ftc.gov .

"The website will take you through (a process) asking for specific details and then use those details you provide to create an identity theft affidavit," McCarron said, noting that the affidavit can be used to file a formal police report if an individual chooses to go that route. "This is a document you can use to help exercise a number of your rights under statutes that are in place to protect consumers and help them repair their credit after an identity theft occurs.

"It's a lot easier to recover from identity theft if you have a plan," she said.

If fraudulent charges or other suspicious financial activity are suspected, go to annualcreditreport.com . Reports are free on the website, she said.

"You can use that annual credit report to dispute charges," McCarron said.

Ounces of prevention

McCarron also listed 10 actionable steps to prevent a breach of patients' and personal information.

Among them:

  • Start with security: Have a plan in case a breach occurs. Don't collect personal information you don't need and only hold onto it as long as you have a legitimate business need.

  • Control access to data sensibly.

  • Require secure passwords and authentication. Don't use commonly used passwords such as 1,2,3,4, 5, 6... The FTC recommends people use "pass phrases" and substituting numbers and special characters for letters (an ampersand for an 'a' or a '3' for an 'e'). An example of a pass phrase that would throw off cyberthieves, but would be easy to remember, might be "myfavoritefoodischocolate" but with special characters. She also suggested using different passwords on accounts. An effective way of preventing "credential stuffing," she said, is multi-factor authentication.

  • Store sensitive personal information securely and protect it during transmission.

  • Segment your network and monitor who's trying to get in and out.

  • Secure remote access to your network.

  • Apply sound security practices when developing new products.

  • Make sure service providers implement reasonable security measures.

  • Put procedures in place to keep your security current and address vulnerabilities if they arise.

  • Secure paper, physical media and devices (cellphones and laptops).

Learn more by watching a video of McCarron's presentation. 



AOA advocates for data privacy, data breach resolution  

Optometry continues to contend with a data breach dogging countless doctors and optometry students since this past fall when reports of unsolicited, fraudulent applications for Chase Amazon.com Visa cards came to light. At the direction of the AOA's Board of Trustees , the AOA apprised federal authorities of the breach, including the U.S. Attorney General's Office and Department of Justice. Additionally, the AOA called for a united front among affiliates and others, asking optometric testing organizations and state boards of optometry to immediately discontinue use of Social Security numbers (SSNs) as personal identifiers. This petition resulted in the National Board of Examiners in Optometry eliminating the use of SSNs in favor of "OE Tracker numbers." The source of the data breach from last fall has not been determined.

Related News

Making the grade

Paraoptometric gives Remote Proctored Testing a passing grade for its convenience. Learn more about remote testing for paraoptometric certification.

Does your malpractice insurance provider measure up?

A Q&A with Kevin Johnson, program executive at Lockton Affinity, on how doctors of optometry can make sure they get the coverage they need.

3 ways to honor staff for Paraoptometric Appreciation Month

September marks Paraoptometric Appreciation Month, the only formal observance dedicated to honor optometric practice staff. Learn how doctors can celebrate their staff and paraoptometrics can advance their careers.