ANA Admits This Week to Data Breach it Knew about While Fighting Breach Notification Legislation in December

The Association of National Advertisers (ANA) admitted this week that it had suffered a data breach last August through October (2018), about which it learned last October (2018), but which it only advised those affected this week (the last week of January, 2019). Consider these dates when also considering the fact that just last month (December 2018, two months after ANA knew about the data breach) ANA was pushing back, hard, against legislation regarding more stringent requirements for – wait for it – notification of data breaches.

Said the ANA, in December, regarding Massachusetts’ proposed HB4873 which at the time called for the removal of the so-called ‘harm trigger’ “As presently drafted without a ‘harm trigger,’ HB 4873 would require unnecessary and repetitive notifications for non-harmful data incidents that will cause Massachusetts residents to ignore all notifications over time, ultimately putting them at greater risk.”

The removal of the harm trigger would mean that companies would be required to notify consumers of a data breach even if it did not appear that there would be harm to the consumer. (Ironic note: The ANA data breach, about which they didn’t notify affected individuals for three months, includes social security numbers – which under no stretch of the imagination can be considered ‘non-harmful’.)

The ANA went on to say that “Similarly, the requirement for ‘rolling’ notifications for data breaches require entities suffering a breach to notify consumers immediately after discovery and require continued, repetitive notifications into the future—even if the breach poses no risk of harm,” and that the bill “imposes an unnecessary and costly burden on companies seeking to identify, investigate and remediate the causes of a breach” and “would severely impact companies with increased class action litigation risk from consumers that will not suffer a negative impact from a non-harmful breach.”

Read Internet Patrol Articles Right in Your Inbox as Soon as They are Published! Only $1 a Month!
Imagine being able to read full articles right in your email, or on your phone, without ever having to click through to the website unless you want to! Just $1 a month and you can cancel at any time!
Or get notified of new Internet Patrol articles for free!

Now remember, this was their statement in December against this legislation that would tighten up breach-reporting requirements, when they had known about the data breach for two months, even though they only notified affected consumers just this week, three months after they became aware of the breach, and at least a month after fighting to not have notification requirements tightened.

So here is what the ANA sent out on January 24, 2019 – by U.S. mail (not by email, which is also puzzling):

 

We are writing to tell you about a data security incident that may have exposed some of your personal information. We take the protection and proper use of your information very seriously. For this reason, we are contacting you directly to explain the circumstances of the incident.

What happened?

On October 26, 2018, the Association of National Advertisers, Inc. (ANA) learned of suspicious activity indicating a possible data security incident. A forensic investigation revealed that an unauthorized user had gained access to the business email account of an ANA employee through what is known as a “phishing” attack. The intruder accessed the employee’s account from August 10, 2018 to October 29, 2018 and had the ability to download the contents of the employee’s business mailbox during that time. The ANA has cooperated with law enforcement regarding the security incident. That cooperation did not delay this notification.

{Ed. note: So just what did delay that notification – past the point of the ANA objecting to legislation having to do with, you know, notify people of a data breach, objecting while they had known about this breach – about which they didn’t notify those affected, for two months?}

What information was involved?

The compromised mailbox included your name and social security number The ANA does not know if this information has been used for a fraudulent purpose.

Are we the only ones outraged by this timeline?

Get notified of new Internet Patrol articles!
Summary
ANA Admits This Week to Data Breach it Knew about While Fighting Breach Notification Legislation in December
Article Name
ANA Admits This Week to Data Breach it Knew about While Fighting Breach Notification Legislation in December
Description
The Association of National Advertisers (ANA) admitted this week that it had suffered a data breach last August through October (2018), about which it learned last October (2018), but which it only advised those affected this week (the last week of January, 2019). Consider these dates when also considering the fact that just last month (December 2018, two months after ANA knew about the data breach) ANA was pushing back, hard, against legislation regarding more stringent requirements for - wait for it - notification of data breaches.

Leave a Reply

Your email address will not be published. Required fields are marked *