ChoicePoint Settles With The FTC About Its Data Breaches and Security Lapses

I'd written previously about my less than consumer friendly experiences with ChoiceTrust, a service from ChoicePoint, Inc.. Recently, the U.S. Federal Trace Commission (FTC) announced a settlement by ChoicePoint, Inc. after the company's past data breaches and data security lapses:

"In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention. The FTC alleged that if the security software tool had been working, ChoicePoint likely would have detected the intrusions much earlier and minimized the extent of the breach. The FTC also alleged that ChoicePoint’s conduct violated a 2006 court order mandating that the company institute a comprehensive information security program reasonably designed to protect consumers’ sensitive personal information."

Gee, that's extremely poor management. First, the company fails to implement every security feature it had already established. Second, its actions violated a previous court order about data security. How arrogant can a company act?

ChoicePoint's settlement included actions to:

"... strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information... This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000."

Was this fine sufficiently large enough? In my opinion, no.

Will ChoicePoint do the right thing and maintain adequate protections for the consumer data it stores and sells? Will it comply with applicable Red Flag rules by the FTC in 2010? Time will tell. I'm not holding my breath.

I'd love to be able to pull my C.L.U.E. insurance reports and records from Choicetrust, but we consumers don't have that option. Due to ChoicePoint's cozy relationship with the government, the company enjoys a near-oligopoly status regarding C.L.U.E. insurance reports. This is a good example of a "free market" sham. Same for the credit-reporting agencies.

At some point, this crap has to end.

Banks Consider Large Annual Fees For Credit Cardholders Who Pay Off Balances

Do you have flawless credit? Do you pay off your credit card balances in full and on time every month? Watch out, you could get "mugged" by your bank.

CBS TV 2 in New York reports that Bank of America and Citigroup are considering annual fees of $29 to $99 per year for credit cardholders who pay off their balances every month in full and on time:

"Bank of America started notifying customers that they will be charged a new annual fee of $29 to $99... Bank of America said in a statement: "At this point we're testing the fee on a very small number of accounts and haven't made any final decisions." Citigroup is also trying out an annual fee with some card holders, and analysts expect more banks to follow their lead. The banks are starting to charge fees to reliable customers in response to a slew of new credit card industry regulations that will limit when banks can hike interest rates."

Consumers who don't accept the higher annual fees must close their credit card account and shop around for a new credit card at another bank.

I find the arrogance of this astounding. If the bank is serious about testing consumer reaction, all they need to do is read the comments by readers on prior I've Been Mugged blog posts about the higher interest rates announced back in February. The banks must be desperate for revenue to cover poor decisions they made about bad debts and risky investments.

FTC Delays "Red Flag" Enforcement Again

Once again, at the request of members of Congress, the Federal Trade Commission (FTC) has delayed the enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors.

The prior enforcement date had been November 1, 2009. In May of 2009, the FTC changed the enforcement date from May 1, 2009 to August 1, 2009.

As part of the Fair and Accurate Credit Transactions Act, Congress directed the FTC and other agencies to develop regulations requiring financial institutions and creditor companies to address identity theft. The resulting regulations require these companies to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- commonly called "Red Flags" -- that could indicate identity theft.

The FTC regulations are pretty specific about the types of companies covered by these new identity-theft regulations:

"The Rule defines a “financial institution” as: 1) a state or national bank, 2) a state or federal savings and loan association, 3) a mutual savings bank, 4) a state or federal credit union, or 5) any other entity that directly or indirectly holds a “transaction account” belonging to a consumer. “Transaction accounts” are deposits or accounts from which a consumer can make payments or transfers to third parties. Banks, federally chartered credit unions, and savings and loans come under the jurisdiction of the federal bank regulatory agencies or the National Credit Union Administration and should check with them for guidance. The FTC’s jurisdiction extends to state chartered credit unions and other institutions that hold transaction accounts – for example, mutual funds that offer accounts with check writing or debit card privileges or other businesses that offer accounts where consumers can make payments or transfers to third parties. Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing... In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector..."

In April of 2009, the FTC launched a Web site to help small and medium-sized businesses comply with the new Red Flag regulations. A U.S. District recently ruled that attorneys are exempt form the new regulations. A different set of regulations apply to hospitals and health care firms.

During the coming weeks and months I will explore the Red Flag rules more closely since the new enforcement data is an opportunity for consumers to demand more from companies that store and user their sensitive personal information. The opportunity is for consumers to be able to ask a company they are considering doing business with for a written statement of how that company protects their sensitive personal data.

Will the June 2010 date hold? Who knows. The FTC's pattern of delays suggests probably not. As this issue moves forward, the I've Been Mugged blog will report about it.

Truly Luckless Consumers

Hotel Safe Scam

The BBC News recently reported about the habits of a con man and thief:

"... his scams have tended to take place in luxury hotels around the world. Typically, he would arrive at a hotel, claim to be a guest, and then tell security that he had forgotten the combination code to his safe. When hotel staff helped him to open the safe, he would pocket the contents and make his escape."

Don't hotel staff ask for identification (e.g., Passport, driver's license) before opening up a safe? Doesn't the management of the luxury hotels train their staff about effective security methods?

Violent Criminals Switch To Medicare Fraud

This is not good news. Breitbart reported:

"... Mafia figures and other violent criminals are increasingly moving into Medicare fraud and spilling blood over what once a white-collar crime... For criminals, Medicare schemes offer a greater payoff and carry much shorter prison sentences than offenses such as drug trafficking or robbery... Medicare scammers typically make their money by billing Medicare for medical equipment and drugs that patients never receive—and never needed. Some pay homeless people on Los Angeles' Skid Row for Medicare or Social Security numbers to use in fake billing invoices. Others intimidate elderly victims to use their Medicare numbers, federal authorities say."

This shift suggests that many local governments and cities need to stiffen the penalties and prison time for identity theft, Medicare, and related fraud crimes:

"Most Medicare schemes are based in cities such as Miami, Los Angeles, Detroit and Houston... A Medicare scammer could easily net at least $25,000 a day while risking a relatively modest 10 years in prison if convicted on a single count. A cocaine dealer could take weeks to make that amount while risking up to life in prison."

Understanding How Secure Your Medical Information Is And Who Has Access To It

Like most people, I have recently started reading about electronic health records (EHR) and how secure my medical information is. The list of abbreviations and acronyms can be confusing. For example, there are subtle but important differences between the terms: EHR, Personal Health Record (PHR), and Electronic Medical Record (EMR).

You may find this overview article from PrivacyGurus.com helpful with understanding the current state of privacy about your medical information:

"Long-standing laws in many states and the age-old tradition of doctor-patient privilege have been the mainstay of medical privacy protection for decades. But in the 21st century, those privileged to your medical information have increased in number - and not always for the better. The extent of privacy protection given to your medical information often depends on where the records are located and the purpose for which the information was compiled. That means that the laws that cover privacy of medical information vary by situation. Confidentiality is likely to be lost in return for circumstances like insurance coverage, an employment opportunity, your application for a government benefit, or an investigation of health and safety at your work site. That means that you may have a false sense of security based on the highly touted Health Insurance Portability and Accountability Act (HIPAA)."

I found this particularly important:

"... a wide range of people, both in and out of the health care industry, share your medical information, often because you’ve agreed to it. One is the Medical Information Bureau (MIB), which is a central database of medical information of approximately 15 million Americans and Canadians. About 600 insurance firms use the services of the MIB primarily to obtain information about life insurance and individual health insurance policy applicants. The MIB is a consumer-reporting agency subject to the federal Fair Credit Reporting Act (FCRA) and doesn’t fall under HIPAA. It functions more like a credit score for health. The MIB does not have a file on everyone. But if you have an MIB file, you will want to be sure it is correct. You can obtain a free copy once a year by requesting it from their website or by calling (866) 692-6901."

The U.S. Department of Health & Human Services (HHS) federal agency operates the official HIPAA privacy web site. Several medical experts contribute to the unofficial HIPAA.com site, where you can browse the list of personal data items of consumers protected by HIPAA.

Debt Collection Scams And Identity Theft: How To Avoid Both

Last week a friend, Mary Grace, sent an e-mail message asking if I had:

"... heard of NCO Financial Debt Collectors? I got an automated call and when I called the number back it was busy. I called their main 800 number off of their website and they asked me for my social and name - they would not give me any information on the reference number that was left on the automated message. I did not give them my name or my social and ended up hanging up on the rep because he could not identify why they called me stating there were many names associated with the reference number and he needed my information to understand why they called."

I hadn't heard of NCO Financial Debt Collectors. There is a valid collections company with a similar name: NCO Group (a/k/a NCO Financial Systems. The call sounded sketchy since the reference number didn't identify Mary Grace specifically. I told her to contact the Better Business Bureau (BBB), and contact the U.S. Federal Trade Commission (FTC). I assured her that she was correct to not disclose her Social Security Number and other sensitive personal information without first getting written proof of the debt.

In her e-mail message, Mary Grace also wrote that she had:

"... called AT&T to check on the 888 number the automated message left and [the AT&T customer service representative] said it was probably an outbound number only and that he hears these kinds of calls all the time but can not give any advice because of legal reasons."

Yes, this debt collection call was definitely sounding like a scam.

Mary Grace couldn't think of any company she owed money to, as she is very good with her credit. Perhaps she had a debt at Cedars-Sinai Medical Center due to a recent surgery, but theyhadn't contact her.

Since Mary Grace lives in California, I suggested that she check the State of California attorney general's web site for advice about her rights and how to deal with debt collection phone calls and collection agencies. Every state has an attorney general (AG), and the AG's web site usually describes the rights consumers have and what constitutes harassment by a debt collector.

While California state law allows debt collectors to supply information about bills they are collecting to credit reporting agencies, the collection agency cannot threaten a consumer with this unless it is already a customer of the reporting agency. The collection agency must tell the reporting agency whether any dispute has been filed, and it must update the consumer's record to show when the debt is paid.

I did some light research and found that there tend to be two types of debt collection scams:

• Fake debt collection agencies
• Valid debt collection agencies with fake debts

The first type usually includes a scam artist calling with fake debts. The scammer is trying to trick consumers into revealing over the phone their sensitive personal data: Social Security number, bank account information, and so forth. Disclosing any of this could lead to identity fraud.

How do the collections scammers get consumers' name and address information? Any number of ways: from combing through online white pages web sites, or purchased on the black market from with data resold by thieves after a data breach.

If you receive a debt collection call, experts advise consumers to demand written proof of the debt. Tell the caller that you only reply to debts submitted in writing with written proof. If the scammer does send a letter via postal mail of a debt you know is fraudulent, then you have written proof of the scam.

The second type of scam is a little trickier. Sometimes a valid debt collection company is calling with a valid debt that they think is yours, but really belongs to another person. Perhaps you changed your phone number recently, and the collections agency has confused you with the prior owner of the phone number. Perhaps you moved recently and the collection agency has confused you with the prior resident at our current address. A less than honorable collector wants to collect money and may pressure the person they contact into paying.

Either way, the best response is to demand that the debt collection caller fully identify their company. Then, demand written proof via postal mail that the debt is yours. Ask the caller for a phone number so you can call them back. Scammers hate this and will serve up a variety of excuses why you can't call them back.

In this case, Cedars-Sinai sent a bill to Mary Grace's old address, even though the medical center also had her current address on file. The medical center then sent the unpaid debt to two valid collection agencies... a case of one internal department failing to communicate with another department.

A couple days later, I received a follow-up e-mail from Mary Grace:

"... Cedars-Sinai knew I had a stellar record with them. They called the true collection agencies, had them retract my name and restore my credit ratings, and I paid [Cedars-Sinai] directly. I should receive letters from Cedars, and the agencies stating just that. Then I will look at my credit report to ensure that it was restored. Who knew that a phony call could end up exposing all this!"

And, NCO Financial Debt Collectors turned out to be a scam -- a phony debt collection agency. So, if you get a phone call from them, hang up and report it to the BBB and FTC.

Mary Grace's experience provides clear instructions for consumers about how to handle debt collection phone calls:

• Asked the caller to identify their company
• Don't trust the caller at their word. Don't share sensitive personal data over the phone. Demand written proof via postal mail of any debts
• File a complaint with the BBB about any phony debt collector you encounter
• Demanded written proof of paid debts
• Demanded written proof from a creditor of debts sent in error to collection agencies
• Demanded correction of erroneous entries to credit reporting agencies

Why It Is Important Not To Disclose Certain Personal Data on Social Networking Sites

In an earlier post, I wrote about the risks of disclosing your birth date in e-mails and at social networking sites. It's a key piece of personal data for identity thieves and fraudsters. There are more personal data items you should not disclose to avoid identity fraud.

From a recent AARP Bulletin:

"Along with your birth date, your place of birth may help scammers guess most, if not all, of the nine digits of your Social Security number, suggests a recent study published in the Proceedings of the National Academy of Sciences. Those two pieces of information were all that Carnegie Mellon University researchers needed to discover patterns in how SSNs are issued, resulting in impressive success in guessing exact numbers."

The researchers documented how identity thieves could use your hometown information to guess your Social Security number:

"... The first three digits of the SSN are an “area number,” issued according to the ZIP code of the mailing address provided on a Social Security application form. High population states have many area numbers — New York has 85, for example — but Delaware and Alaska have only one... The fourth and fifth digits of the SSN are a location-based “group number”; those digits change periodically, usually in increments of 2. For instance, for people born in 1966 in Oregon, those middle numbers started at 47, and 60 days later, switched to 49. “Because of this, knowing a birth date and hometown makes the first five digits of a SSN the easiest digits to guess... The last four digits, the ones most often used as identifiers on accounts, are issued sequentially. But they’re harder to guess because they depend on how long it took to process a Social Security application..."

So, security experts advise consumers not to disclose both their birth date and hometown information on social networking sites. Now, you know what to do and why.

Smart Online Shoppers

Survey: About Half Of IT Pros Feel Their Company's Web Applications Are Not Secure

This Marketwire press release announced some dismal statistics about the security of companies' Internet applications. A survey ("Making Web Applications Hacker Proof") by eMedia and Cenzic of about 400 IT professionals found that:

• A majority of IT professionals think their Web sites might not be secure,
• 63 percent of companies test the security of their Web applications quarterly or less often
• 28 percent of respondents were unaware that their company had a data breach

Geez. This highlights the fact that too many companies and too many corporate executives do not take data security seriously. It highlights the fact that consumers' (e.g., employees, contractors, former employees, and customers) sensitive personal data is at risk.

Two important Events For Consumers To Avoid Identity Theft

The Better Business Bureau (BBB) announced its Secure Your ID Day events for October 17, 2009. The nationwide event includes free shredding services (for your old checks, junk mail, bank statements, old files, etc.) and educational programs by local BBB's in each state to help consumers avoid identity theft. Browse the Secure Your ID Day site to learn more about events in your area. Canadian residents should visit the BBB Canada site.

This BBB event coincides with the second annual National Protect Your Identity Week events October 17 - 24, sponsored jointly by the the Council of Better Business Bureaus (CBBB) and the National Foundation of Credit Counseling (NFCC). The event site is available in English and Spanish.

I strongly urge consumers to learn more and attend both events.