The FTC alleges that Uber claimed on its website that uberX drivers’ annual median income was more than $90,000 in New York and over $74,000 in San Francisco.
The FTC alleges, however, that drivers’ annual median income was actually $61,000 in New York and $53,000 in San Francisco. In all, less than 10 percent of all drivers in those cities earned the yearly income Uber touted.
The FTC also alleges that Uber made high hourly earnings claims in job listings, including on Craigslist, but that the typical Uber driver failed to earn those advertised hourly amounts in various cities.
The complaint also alleges that Uber claimed its Vehicle Solutions Program would provide drivers with the “best financing options available,” regardless of the driver’s credit history, and told consumers they could “own a car for as little as $20/day” ($140/week) or lease a car with “payments as low as $17 per day” ($119/week), and “starting at $119/week.”
Despite Uber’s claims, from at least late 2013 through April 2015, the median weekly purchase and lease payments exceeded $160 and $200, respectively, the FTC alleges.
Uber failed to control or monitor the terms and conditions of the auto financing agreements through its program and in fact, its drivers received worse rates on average than consumers with similar credit scores typically would obtain, according to the FTC’s complaint.
In addition, Uber claimed its drivers could receive leases with unlimited mileage through its program when in fact, the leases came with mileage limits, the FTC alleges.
Jessica Rich (Director of the FTC’s Bureau of Consumer Protection) made these comments in the News Release:
Many consumers sign up to drive for Uber, but they shouldn’t be taken for a ride about their earnings potential or the cost of financing a car through Uber.
This settlement will put millions of dollars back in Uber drivers’ pockets.
Uber’s confession is significant and hopefully will influence other companies who make fraudulent claims to potential workers
Click here for the original article.
]]>Roughly 6.4 billion things will be connected to the Internet in 2016, at a rate of 5.5 million new things per day, according to Gartner. More than 20 billion devices will be in use by 2020.
As a result, everyone must be more cognizant of cyber-risks, including risks to businesses; utilities; heating, venting and air conditioning systems; autos; and homes.
The IoT is at risk of being ensnared in a tangled web of legal and security issues, as I noted in a column last year.
The FBI recently gave us another wake-up call via a Public Service Announcement on the Internet of Things’ vulnerability to cybercrime.
We’re Surrounded
Criminals “can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety,” reads the FBI PSA.
Following is a synopsis of some of the IoT’s risk areas, according to the FBI PSA.
IoT Health Risks: It now is common for medical devices to monitor people who are ill, and some actually dispense medication on a prescribed basis. Cybercriminals could “possibly change the coding controlling the dispensing of medicines or health data collection.” This is a life-or-death risk.
Baby Monitors and Day Care Centers: Closed circuit television and other devices constantly watch children, whether they are sleeping in a nursery or at play in a day care center. What if cybercriminals were to take control of these monitoring devices and stream video of young children?
Automated Devices at Home and Work: Cyberattacks may be directed at “security systems, garage doors, thermostats and lighting,” which potentially would allow criminals to “access the home or business network and collect personal information, or remotely monitor the owner’s habits and network traffic.”
IoT in Gas Pumps: Think about the amount of damage that could result from a cyberattack on gas pumps. Cybercriminals “could cause the pump to register incorrect levels, creating either a false gas shortage or allowing a refueling vehicle to dangerously overfill the tanks, creating a fire hazard, or interrupt the connection to the point-of-sale system allowing fuel to be dispensed without registering a monetary transaction.”
As the IoT device list grows, cyberattacks surely will keep pace. It is in your best interest to heed the warning of the FBI. Share the PSA with your employees, friends and colleagues.
Also, it is important to report cyberattacks to the Internet Crime Complaint Center, or IC3, which is a partnership of the FBI and the National Center for White Collar Crime. The IC3 collects data on criminal acts to try to find patterns of cybercrime, of which IoT crime is just one facet.
Cybersecurity for the Future?
The FBI’s identification of risks suggests that criminals around the world might see vast cyberopportunities with the IoT — and in particular, with companies that have Bring Your Own Device programs, since many employers have little or no control over what employees do with the devices they bring.
Microsoft has announced new security efforts with its Windows 10 IoT Core, focused on offering enterprise-grade security to IoT and targeted small “embedded devices that may or may not have screens.”
Dell reported the results of a mobile security survey that suggests businesses are getting the message about how important it is for them to do a better job in supporting security for BYOD.
Other companies are trying to stay ahead of cybercrime as well. Believe it or not, GE, AT&T and Texas Instruments, among others, this spring sponsored a hackathon, dubbed “Hack the Home,” in the spirit of spurring innovation. More than 200 teams competed for more than US$60,000 in cash and other prizes.
Events like the hackathon help guide businesses to design better technologies to protect homes connected to the IoT. Let’s hope they succeed.
]]>Almost every day there are reports of cyberintrusions, attacks and related security breaches. If your company does not have the right insurance, it could be even more of a disaster. For example, according to regulatory filings, at the time of Target’s cyberbreach in 2014, it had about US$100 million in insurance coverage with a $10 million deductible, but that did not even make a dent in the estimated losses of $1 billion.
What company can afford not to have insurance for a potential cyberdisaster? Let’s look at some protective measures that can be taken to safeguard your business.
As a practical matter, you or your chief risk officer should examine your current insurance policies to see if you have insurance protection for these cyberrisks
Of course, each business has its own insurance needs, so you will need to make your own decisions about the right coverage. For instance, if your company is in the healthcare industry, specific coverage for HIPAA data should be included.
Inspect Your Policies
Some insurance companies offer cyberprotection as an add-on policy to general commercial liability, while other insurance companies include cyberprotection in policies for cybercrime.
It would be wise to take a look at what coverage your company has, what is available, and make sure you do have cyberinsurance coverage.
Whether cyberinsurance is deemed a part of certain GCL policies is the subject of a declaratory judgment complaint brought by Travelers Indemnity Company in the U.S. District Court in Connecticut in October 2014. The Complaint alleged that P.F. Chang’s restaurant chain did not have cybercoverage with Travelers. Because there was no cybercoverage, Travelers claimed “that it is not obligated to defend or indemnify P.F. Chang’s…under GCL insurance policies issued by Travelers.”
It appears that Travelers filed the claim for two reasons. First, P.F. Chang’s had filed a claim for insurance coverage under its Travelers GCL policy for a cyberbreach involving seven million customers’ credit and debit cards. Second, class action cases were brought by P.F. Chang’s customers in several states, accusing P.F. Chang’s of failure to prevent the breach, and breach of implied contract.
Interestingly, the breach itself began on Sept. 18, 2013. However, P.F. Chang’s was unaware of the breach until nine months later, on June 10, 2014.
It will be interesting to follow this case to see how the Court views the CGL coverage.
Examples of Cyberinsurance Coverage
AIG, one of the largest insurance companies in the world, offers CyberEdge, which provides coverage for security or data breach losses as follows:
Travelers, another large insurance company, offers CyberFirst, which includes a number of related insurance coverage provisions:
How to Assess a Cyberincident
Most IT leaders plan for cyberattacks by constructing firewalls and installing related security hardware and software. However, with the widespread proliferation of malware, companies are finding that their IT infrastructure has been attacked, customer data has been compromised, the IT system is being held for ransom and assets are missing. This obviously puts a burden on the IT leadership — CIOs, CISOs and CTOs — to do an immediate assessment of what transpired:
Following the assessment, companies may need to report to customers, as well as to their own employees, under a variety of laws in 47 states. Plus, in addition to everything else that violoated companies must do, if credit card or banking information has been compromised, they may have a legal duty to provide credit protection services for up to one year. This happens more often than people want to know.
Report the Cyberincident — It May Be a Crime
Of course, it is important that the U.S. government learns about all cyberincidents so they can investigate in order to find the bad guys. The incidents should be reported to the Internet Crime Complaint Center which is a partnership between the FBI and the National White Collar Crime Center. The IC3 defines Internet crime:
…as any illegal activity involving one or more components of the Internet, such as websites, chat rooms, and/ or email. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers. These crimes may include, but are not limited to, advance-fee schemes, non-delivery of goods or services, computer hacking, or employment/business opportunity schemes.
If your company has a cyberintrusion, consult your lawyer first to be sure you take the appropriate steps, including making a timely cyberinsurance claim.
]]>Malware is running rampant on the Internet, affecting smartphones, tablets and personal computers. Relatively new malware allows bad guys to encrypt devices until a ransom is paid. Usually the ransom is required in bitcoin, rather than U.S. currency, as it cannot be traced.
What are the legal and other risks associated with ransomware?
Ransomware is largely directed at personal devices and small businesses, particularly since larger companies tend to have better Internet hygiene for their devices — like regular backups and requiring that passwords be stored in a safe place rather than on a device.
Following are just a few examples of the data at risk from ransomware, which can plague you if you cannot immediately cleanse your device, or set up a new one and restore your data with an up-to-date backup:
How Can You Protect Yourself?
First, take steps to avoid ransomware in the first place. It is, after all, malware. So, do not click on attachments or go to websites if you are not sure of the sources.
Second, get a good app for your smartphone or tablet, and a software program to protect your personal computer in real time. Be good to your devices: Install security tools and regularly run scans. If you think your smartphone or tablet has been infected with malware, think twice about plugging it into your computer.
Third, back up your hard drives to the cloud or to a portable hard drive. Of course, cloud storage has its own set of risks. For example, when you use a free cloud service, you run the risk that your data may not be available when you need it.
What Exactly Is Ransomware?
Ransomware is specialized malware that “immediately makes its presence known by encrypting files and demanding payment for the keys to unlock them.” The Department of Homeland Security (DHS) issued an alert last fall that includes this description:
“Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of [100-300 US dollars], and is sometimes demanded in virtual currency, such as Bitcoin.
“Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.”DHS discourages paying the ransom:
“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.” Notwithstanding DHS’ advice, the Dickson County (Tennessee) Sheriff subsequently paid a $500 bitcoin ransom to get back files on a corrupted computer, after consulting the Tennessee Bureau of Investigation and the FBI. Paying the ransom, they concluded, was the best way to deal with the problem at hand.
Ransomware Reports
Dell SecureWorks last summer issued a report about CryptoWall Ransomware. Between March and August 2014, “nearly 625,000 systems were infected with CryptoWall. In that timeframe, CryptoWall encrypted more than 5.25 billion files,” it states.
This type of ransomware is run by botnet operators, so there is no pattern to suggest which victims might be targeted for attacks.The report notes the following:
“Ransoms ranging from $200 to $2,000 have been demanded at various times by CryptoWall’s operators. The larger
ransoms are typically reserved for victims who do not pay within the allotted time (usually 4 to 7 days). In one case,
a victim paid $10,000 for the release of their files.”
Bromium recently released a report entitled “Understanding Crypto-Ransomware — In- Depth Analysis of the Most Popular
Malware Families.” Its introduction makes the following observation:
“This threat is called crypto-ransomware (ransomware) and includes at least a half-dozen variants, including CryptoLocker and CryptoWall. Ransomware shows no sign of abating since traditional detection-based protection, such as antivirus, has proven ineffective at preventing the attack. In fact, ransomware has been increasing in sophistication since it first appeared in September 2013, leveraging new attack vectors, incorporating advanced encryption algorithms and expanding the number of file types it targets.”
In Conclusion
Ransomware is a rapidly growing problem, and there is not yet a solution.
Until a solution to fully protect against malware is found, traditional advice still applies: Protect your computers and other devices with antimalware apps and software, back up regularly, and store your passwords in a safe place.
]]>