
16 posts from March 2011

Consumer Paid For Service Contract And Sears Fails To Provide Home Repair Service

This blog has always advocated for consumers. Today's blog post is about the experiences a friend has had with extremely poor home appliance repair service.

In July 2009, Ilene purchased a boiler from Sears Home Improvement with a Master Service contract (including repairs through 2015), for steam heat for her home. When Ilene tried to use the boiler for steam heat in the fall of 2009, it failed to start. Ilene's experience:

"In July of 2009, I bought a boiler from Sears Home Improvement along with a service contract. The first time I fired up the boiler to heat the house [in the Fall of 2009], it failed to work. I called the appropriate number to get service and was told that there were no contractors in my area and they would have to locate someone. I called several more times in the next few days and after 4 days of living in the cold, I called my plumber who not only fixed the problems, but also told me the installers had failed to skim the system and do several other things that were according to code."

Ilene added:

"Sears did send someone to inspect the boiler installation. He admitted to me there were flaws in the installation and said Sears was no longer using that contractor. Nevertheless, when I asked Sears to pay the plumber's bill, they refused, saying they had not authorized me to call my plumber. This caused me to sue in Small Claims Court."

Ilene sued Sears in Small Claims Court in March 2010, and won a settlement of $500. (Don't mess with seniors!) However, the court process cost her a filing fee and a day's lost pay. You'd think that after this experience, Sears would correct any gaps in its residential repair service. Apparently not by March 2011:

"On March 17, the boiler stopped working and after making sure it was not a fuse or thermostat problem, I called Sears Home Improvement for service. I was put on hold for over ten minutes (twice) and hung up convinced this was a deliberate evasion tactic. I was not called back until 5 days after I had lost heat, one day after my plumber had restored it. I was so angry, I told [Sears] it was fixed and I was going to sue them again."

Ilene lives in Cambridge, Massachusetts -- near Boston, a major metropolitan area. She wants to know why Sears sold her a service contract if they don't have any reliable contractors where she lives. And, Ilene also wants Sears to honor the Master Service contract she paid for.

In New England, it is often cold during March, with daytime temperatures in the 30's and low 40's -- colder nights with temperatures below freezing. As a senior citizen who has family living with her, and who recently had hip surgery, a working boiler for heat is critical.

Understandably, Ilene feels like she has been mugged by Sears:

"They certainly are not the same reputable Sears I grew up with!!"

Obviously, a consumer should not have to sue a retailer to get resolution. It seems unbelievable that Sears cannot arrange reliable repair service for consumers living in a major metropolitan area in the Northeast.

According to The Consumerist blog, at least one other New England resident also went without heat during March after Sears failed to send a repair technician. Seven days without heat is too long. Repair service failures like this are unacceptable in cold weather regions.

It would seem that Ilene's experience of failing to get home boiler repair service from Sears is not an isolated event.

After some online searching, I noticed that while the Sears Home Services Twitter page is active, the Sears Home Appliances Twitter page appears to have been abandoned (with its last tweet dated May 2010). The Consumerist blog advised consumers to:

"... contact the Sears Cares executive customer service line, which can be reached at searscares@searshc.com."

Ilene asked for my help. First, I suggested to Ilene that she write to her U.S. Congress House representative and to her Massachusetts House representative about the repair service failures. Second, on Ilene's behalf to get Sears' response to this repair service failure, I sent an email inquiry to Sears on Sunday, March 27. While I did not receive a reply, a Sears representative called Ilene on Tuesday, March 29. According to Ilene:

"I was contacted by a representative from Sears as a result of your inquiry. She had reviewed the record and said Sears, "had definitely dropped the ball". She is doing further investigation, but acknowledged that I had a Masters Contract to cover repairs. I have an expectation that Sears will pay the bill to repair the boiler and hopefully to replace the pipe clogged up with sludge. Thank you so much for your assistance!"

You can contact the Sears representative, Stephanie, at 1(800) 573-8431, extension 11032.

Has anyone else experienced home repair service problems like this from Sears? If so, what did you do to correct the problem?


5 Things Consumers Must Do If Your Computer Is Infected With Malware

Don't get "mugged" by a computer virus. If your laptop or desktop computer is infected with malware, or if you think your computer might be infected, the Federal Trade Commission's OnGuard Online website advises consumers to perform these five actions:

1. Stop shopping, banking, and other online activities that involve user names, passwords, or other sensitive information.

2. Confirm that your security software is active and current. At a minimum, your computer should have anti-virus and anti-spyware software, and a firewall.

3. Once your security software is up-to-date, run it to scan your computer for viruses and spyware, deleting anything the program identifies as a problem.

4. If you suspect your computer is still infected, you may want to run a second anti-virus or anti-spyware program – or call in professional help.

5. Once your computer is back up and running, think about how malware could have been downloaded to your machine, and what you could do to avoid it in the future.

Some clues or signs that your computer is infected with malware:

  • Your computer slows down, doesn't work properly, and displays error messages frequently.
  • Your computer won't shut down or won't restart.
  • Your computer displays many pop-up ads, even when you're not surfing the Internet.
  • Your computer displays Web pages or runs software programs you didn't intend to use.
  • Your computer sends e-mail messages that you didn't write.

Me? I use comprehensive security software that contains anti-virus, anti-spyware, and a firewall. All three are active 24/7/365. My anti-virus software updates daily and I do a full scan of my computer's hard drive(s) at least once weekly.

With all of that, I am still cautious about the websites I visit and the links I click on; especially in social networking sites, since so many peoples' accounts have been hacked.


Briar Group Restaurants Settles 2009 Data Breach For $110K

In a press release yesterday, the Massachusetts Attorney General's office announced a settlement with the Briar Group LLC restaurants for a 2009 data breach in which the company failed to take reasonable steps to protect customers' debit and credit card information:

"According to the lawsuit, filed in Suffolk Superior Court, the Briar Group experienced a data breach in April 2009, when malcode that was installed on Briar's computer systems allowed hackers access to customers' credit and debit card information, including names and account numbers. The malcode was not removed from the Briar Group's computers until December 2009. Further, the complaint alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share common usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach."

The Briar Group LLC owns and operates several popular restaurants including Ned Devine's, the Green Briar, The Harp, and Solas. The judgment, signed on March 28, 2011, requires the company to pay $110,000 in civil penalties to the Commonwealth, and to comply with both Massachusetts data security regulations and the Payment Card Industry Data Security Standard (PCI DSS). All restaurants in the company must also develop a password management system and implement data security measures to comply with PCI DSS, including a Written Information Security Program (PDF document).

Consumers need to know that retailers adequately protect their banking information as required by law. Congratulations to the Massachusetts Attorney General's Office.


Police Bust Debit Card Skimming Thieves In Mountain View California

I like to acknowledge the efforts of law enforcement to fight identity theft and fraud. Earlier this month, the Santa Clara County District Attorney's Office charged Boris Tumasyan, 24, and Sarkis Sarkisyan, 23, from Glendale, California with operating a debit/credit card skimming operation.

On December 6, a gas station employee first found the skimming device attached to a circuit board inside a gas station pump, after opening the pump to investigate an error message. To catch the thieves, local law enforcement attached an alarm to notify them when the gas station pump was opened.

"Tumasyan and Sarkisyan were arrested on December 17, 2010 after the alarm was triggered. Officers searched their van and found keys that opened the gas pump and address information for several other area gas stations. Further investigation by REACT – a Bay Area high-technology and identity theft task force – found six identical skimmers hidden inside gas pumps at five locations in Mountain View and Los Altos. REACT conducted a forensic examination of those skimmers and found over 3,600 individual credit card numbers."

Debit/credit cardholders were fortunate in that local law enforcement caught the thieves before they could retrieve and use the stolen card information. This type of crime is impossible for consumers to detect because the skimming device is installed out of sight and inside the gas station pump.

As I have written before, to avoid getting "mugged" at gas station pumps, consumers must protect their PIN. Experts advise that consumers should:

  1. Pay at the pump using the "credit" option and not the "debit" option. This provides you with greater protections, liability limited to $50, and you don't use your PIN. Plus, you receive loyalty points if your credit card has a loyalty program.
  2. If you want to pay using the "debit" option, don't pay at the pump. Go inside the gas station and pay at the cashier's window with your debit card. If a "signature debit" is available, use that option instead of your PIN.
  3. If things look sketchy, pay with cash since that never discloses your bank account information.

What do I do? I pay with cash, especially if I am at a gas station I don't shop at regularly. It is impossible to tell if a gas station pump has been tampered with or not. I use my debit card only at my bank's ATM machines.

Congratulations to local law enforcement.


TripAdvisor Data Breach Includes Stolen Email Addresses

On Thursday March 24, TripAdvisor informed its customers of a data breach in which customers' email addresses were stolen. In an e-mail message to its customers, TripAdvisor co-founder and CEO Steve Kaufer wrote:

"This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list. We've confirmed the source of the vulnerability and shut it down. We're taking this incident very seriously and are actively pursuing the matter with law enforcement. How will this affect you? In many cases, it won't. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident."

So, TripAdvisor learned about the breach on March 19. According to the breach notice, while the security hole has been repaired, TripAdvisor is still investigating the incident.

This breach notice is a mix of good and not-so-good. First, it is good that TripAdvisor notified its customers quickly. Notification definitely is the right thing to do. Unfortunately, many companies wait several months before notifying breach victims.

Second, since TripAdvisor doesn't store financial information, like credit card numbers or bank account details, the damage appears minimal. Third, TripAdvisor created an FAQ page to help breach victims.

After a breach, a frequently-asked-questions page is helpful, especially for consumers who haven't experienced a data breach before and know little about the risks and what to do next. More companies should create an FAQ page to help their customers after a data breach.

The not-so-good is that the breach notice is short on details. The breach notice didn't state when the breach occurred or the duration of the breach. Nor did it describe the nature of the breach. Some experts speculated that the breach was the result of an SQL injection attack, a popular method used by hackers and identity thieves.

The breach notice mentioned a "portion" of members. A portion could include two percent or 92 percent. Details matter. All of these details are critical towards helping customers as informed shoppers.

TripAdvisor's breach notice should have included more details, especially about the nature of the breach or computer hack. It is hard to judge the breach notice's accuracy when details about the vulnerability and hack weren't disclosed.

Hopefully, during the coming days and weeks TripAdvisor will disclose more details about its breach.


Banks Collect And Sell Data About Their Cardholders' Purchases

You may not know it, but your credit card issuer makes money by selling data about the purchases made by its cardholders: you and me. WBZ TV, the CBS affiliate in Boston, broadcast an interesting segment Tuesday evening about how banks and credit card issuers make money by selling what they know about their card holders:

"Every time you use your credit card, your bank or credit card company is watching and taking notes. It looks at where you shop, how often you shop, what you’ve purchased..."

I advise consumers to watch the telecast at the WBZ-TV website.

So, what does your credit card company know about you? Think about everything you charged during the past month. During the past 6 months. Groceries. Clothes. Vacation. Personal hygiene. Liquor. Auto repair bill. Junk/fast food. Movies. Bar food and drinks. Doctor copayments. Medicine. Political donations. Cash advances at a casino.

The collection includes the amounts of your purchases and where you made these purchases, too. The collection includes both purchases made online and at brick-and-mortar stores. The collection happens regardless of whether you are a member of a loyalty/rewards program.

Being an informed shopper means knowing all of this. Something to remember the next time you see one of those cute television ads promoting the convenience of using plastic.

Some consumers see targeted advertisements online when they view and pay their monthly credit card bill. Those targeted ads are based on the prior purchases you made with your debit/credit card.

There are some things I want my credit card company to know well about me. I do want my credit card company to know enough about me to spot fraudulent purchases that are outside my normal purchase area or dollar amounts. So, a certain amount of data collection is good.

If this data collection about card purchases bothers you, experts warn that you can opt-out of some, but not all of the data sharing. Read the privacy statement online at your credit card issuer's website, or the privacy statement enclosed with your last credit card statement. If you want your purchases to remain entirely private, use cash and don't use your debit/credit card.


Gas Station Pumps And the 'Clear' Button Email: A Real Solution?

Recently, a friend forwarded to me the email message below and asked if the solution suggested was valid. Perhaps you have seen this email too:

Subject: USE THE "CLEAR" BUTTON Using credit/debit card?

Read this note very carefully. I did not know about the clear button, but I will be pushing the clear button before I swipe my gas or debit card.

People are getting really desperate due to the constantly rising gas prices. A friend just told me about something that happened to one of his coworkers.. She used her credit/debit card to purchase gas at the pump (like most of us do). She received her receipt like normal.

However, when she checked her statement, there were 2 $50.00 charges added in addition to her purchase. Upon investigation, she found out that because she did not press the 'clear' button on the pump, the employee inside the store was able to use her card to purchase his/her own gas!

To keep this from happening, after you get your receipt, you must press the 'CLEAR' button or your information will be stored until the next customer inserts their card. Be sure to tell all your friends/family so that this doesn't happen to them. I had never noticed the clear button but I got gas the other day and sure enough it is there. I shall be using it from now on.

My response to my friend was that while the CLEAR button might prevent the next customer from using your debit card information, the CLEAR button is not a reliable identity-theft prevention solution when using your debit/credit card at gas station pumps. Why? Because identity criminals insert skimming devices inside gas station pumps. The skimming device reads and steals your card account information and personal identification number (PIN), and then transmits the data wirelessly to thieves nearby with a laptop. Gas station pumps are easy targets because the pumps are unattended for long periods of time when the gas station is closed.

So, you can press the CLEAR button a hundred times and that is not going to protect you against a tampered gas station pump with a skimming device inside.

Same thing if the skimming device is on the outside of a bank ATM machine: usually covering the card slot. The skimming device collects debit card account information and transmits the stolen data wirelessly to the criminals nearby with a laptop. If the skimming device can't record your PIN, then the thieves also install a tiny video camera above the bank ATM machine (or gas station pump) to record your PIN via video. The thieves later match the PINs to accounts, make clones of the victims' debit cards with the stolen information, and then use the cloned debit cards to drain victims' checking accounts.

Recently, some criminals installed the skimming device inside the door jamb of the bank ATM booth, where you swipe your debit card to unlock the door.

As I have written before, to avoid getting "mugged" at gas station pumps, consumers must protect their PIN. Experts advise that consumers should:

  1. Pay at the pump using the "credit" option and not the "debit" option. This provides you with greater protections, liability limited to $50, and you don't use your PIN. Plus, you receive loyalty points if your credit card has a loyalty program.
  2. If you want to pay using the "debit" option, don't pay at the pump. Go inside the gas station and pay at the cashier's window with your debit card. If a "signature debit" is available, use that option instead of your PIN.
  3. If things look sketchy, pay with cash since that never discloses your bank account information.

What do I do? I pay with cash, especially if I am at a gas station I don't shop at regularly. It is impossible to tell if a gas station pump has been tampered with or not. I use my debit card only at my bank's ATM machines.

About email: if you receive an email with a suggested solution, it is always wise to check the authenticity at a website like Snopes.com. Not everything you receive in a nicely typed e-mail message is true. Snopes.com explains and debunks email hoaxes about various topics including gas station pumps.


The Four Pillars of Online Data Privacy

A few weeks ago, I blogged about personal identity information values -- shopping and acting online consistent with what you deem important. eGov recently published comments by the European Union (EU) Justice Commissioner, Viviane Reding, about privacy for individuals. Reding's view of privacy for individuals in an online digital world includes four pillars:

1. The "right to be forgotten" - a combination of consumers' right to withdraw from or opt out of any data collection efforts by companies, and the burden on companies to prove first that they have a need to archive and store the sensitive personal information of consumers they have already collected.

2. "Transparency" - to build consumers' trust, companies should fully disclose and inform consumers about what personal data they collect about consumers and why, how they use the personal data collected, the names of all third-party companies they share personal data with, the rights of consumers for remedies when consumers' rights are violated, and the risks with the personal data companies ask consumers to share.

3. "Privacy by default" - in too many instances companies build websites with privacy controls that are so complicated and convoluted that consumers can't effectively make their personal data private. In these websites, there really isn't any privacy and the websites' privacy controls don't reflect consumers' true consent. Reding believes that this situation must change, and that private should mean private.

4. "Protection by data location" - privacy standards for EU citizens should be consistent regardless of where consumers' personal data is stored. For example, if an EU resident's personal data is collected and stored by a U.S.-based company, then that company must comply with EU privacy standards, not U.S. privacy standards.

All of these pillars make perfect sense to me, but I see the fourth pillar being particularly tough. Its logical extension would force a website operator to know, track and comply with a multitude of countries' varying privacy policies. My impression is that many corporate executives would be unhappy with having to work within the boundaries of all four pillars (not just the fourth), when they usually don't have to today.

I especially agree with Reding about the risks stated in the second pillar. Explanations about risks from sharing personal data apply to all consumers, but especially to youth who don't yet understand how business works and how companies use personal information. The risks and consequences should be explained to consumers about personal data that companies may make public permanently that consumers cannot make private again.

Over at the Guardian UK, columnist Mayes contests Reding's second pillar:

"But does the "right to be forgotten" really have a sound basis? In British law there is no right to be forgotten, but there are a host of laws to protect your identity and personal data... But to say there should be a right to be forgotten is to say we can live outside society. We can't."

To me, it's not about living "outside of society." For a lot of perfectly valid reasons, a consumer may decide to live off the grid, or entirely off-line. It is about consumers' control; the ability to control when and where your sensitive personal information is archived. Without the second pillar, there is no real control for consumers.

What do you think of these four pillars?


Missouri State University Data Breach

Earlier this month, Missouri State University announced a data breach that affected 6,030 students in its College of Education. During October and November 2010, students' names and Social Security numbers were posted on an unsecure server connected to the Internet.

The affected students studied at the College of Education during 2005 through 2009. Reportedly, the university learned about the breach on February 22, 2011 when a person contacted the university about the breach.

As a result, the university has disciplined the employee who posted the information online, worked with Google to remove the sensitive data from the search engine's web servers, provided affected consumers with complimentary identity-theft insurance, and reported the breach to the Missouri Attorney General's office as required by law.

A Second Data Breach at Health Net Affects 1.9 Million Consumers

On Monday of this week, Health Net announced a data breach and the company's ongoing investigation into lost/stolen server drives from its data center in Rancho Cordova, Calif. According to the press release:

"This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."

This is interesting for several reasons. First, the Health Net press release disclosed neither the number of lost/stolen server drives nor the number of consumers' records lost/stolen. That's usually a bad sign that the breach is a huge one. The California Department of Managed Health Care (DMHC) issued a statement (43k bytes; PDF document) that the Health Net breach included 1.9 million current and prior Health Net customers nationwide, including:

"... more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare."

The DMHC is rightly concerned and conducting its own investigation. The DMHC statement also said that nine (9) Health Net server drives were missing.

Second, the above Health Net press release mentioned the name of an IT outsource vendor I recognized, IBM. I have had some direct, personal experience with an IBM breach. And IBM's involvement in the Health Net breach has a twist of irony.

After its 2007 data breach, IBM never disclosed what actions it took, if any, with the outsource vendor it hired to ship its backup computer data tapes to an off-site facility. Did IBM fire its vendor, or were specific vendor's employees disciplined or terminated? We never learned what happened. Now, to use a common expression, "the shoe is on the other foot" as IBM is the vendor involved in its client's data breach.

Third, this is the second huge data breach at Health Net. In November 2009, Health Net suffered a huge data breach. That 2009 data breach included hard drives, too, where the sensitive personal data lost/stolen included the Social Security numbers, medical records and health information dating back to 2002 of 1.5 million past and current customers in several states. During the last few months, Health Net paid fines to several states to settle the 2009 breach. Several states' attorney generals alleged that the 2009 breach violated the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), and some states' local laws.

Fourth, ABC News focused its coverage on the delayed notification. Apparently, Health Net learned about the missing server drives in February, notified the California Attorney General's office on March 4, and then notified the public on March 14. The delay in notification was part of the rationale for the settlement fines Health Net paid as a result of its 2009 data breach.

Fifth, the Connecticut Attorney General's office has demanded that Health Net provide identity-theft and credit protections for 25,000 Connecticut residents affected by the data breach. According to its breach announcement, Health Net has hired Debix (again) to provide two years of complimentary identity-theft and credit protection for breach victims.

Sixth, the nationwide impacts of the Health Net data breach are just becoming known. About 40,000 consumers in Washington state have been affected. I expect more states' regulatory agencies and/or attorneys general to issue statements about the impacts in their states.

After such a huge data breach in 2009, you'd think that the executives at Health Net would "get it," implement tightened data security, and implement both new data security policies and employee training to prevent another massive data breach. Well, another massive breach happened. As a wise person once said, actions speak louder than words.

I am hoping that the consequences for Health Net executives include much more than fines. Executives need to be fired and/or jailed. What do you think? What action, if any, should Health Net take with its outsource vendor, IBM?


German Government Proposes New Data Breach Notification Law

In its "Privacy and Information Security Law" blog, the Hunton and Williams law firm announced that the German government has proposed a new data breach notification law:

"... telecommunications companies must report data breaches to the Federal Network Agency (the Bundesnetzagentur or “BNetzA”), and the Federal Commissioner for Data Protection and Freedom of Information. In the event the rights or protected interests of subscribers or other persons are affected by the data breach, such individuals also must be notified without undue delay."

While notification of affected consumers is not required if the data is encrypted, the BNetzA retains the right to require any telecommunications company to notify consumers regardless of the data security protections in place at the time of the breach.

The new breach notification rules are part of broader changes under the European e-Privacy Directive, scheduled to go into effect in May of 2011. Other changes in these new European Union directives include tightened rules about how companies collect and treat consumers' data, and about obtaining consumers' consent for web browser cookies.


Facebook Comments Plugin: To Switch Or Not?

Like many bloggers, I want readers to easily comment on blog posts while keeping out the spammers. It is a tricky balance to achieve. Like many bloggers, this blog requires commenters to enter a name, email and website address. Despite these rules, including the Terms of Service policy, spammers continue to submit off-topic comments that are clearly advertising and unrelated to the blog post topic.

To effectively keep out the spammers, some bloggers have turned to the Facebook Comments Plug-in as a solution to verify users and to screen out the spammers. Some notable blogs like CrunchGear have implemented the Facebook Comments Plug-in -- at least on a trial or temporary basis. Other bloggers have seen their comments traffic decline as Facebook membership has risen. Some bloggers like the new Facebook Comments Plugin -- at least on others' blogs and not yet theirs.

For this blog, I have made the decision not to switch to the Facebook Comments Plug-in. Why? As I see it, the disadvantages outweigh the advantages.

The chief advantage is that Facebook Comments Plug-in requires commenters to use real identities (or at least identities as "real" as they have been created on Facebook). And, I am happy with the current comment system Typepad.com provides. The disadvantages I see of the Facebook Comments Plug-in:

Loss of control and of content: the comments become the property of Facebook. Upon terminating the Facebook Comments Plug-in, I would lose those comments. There are several valuable comment threads in this blog, with some running as long as two years. My readers and I have learned a lot from the comments submitted, and I would never give up this valuable content.

Comprehensive Solution: my preferred commenting solution must be comprehensive and allow users to choose how they want to identify themselves. As TechCrunch noted:

"Facebook comments don’t support Twitter or Google logins. It doesn’t yet allow sites to archive their comments to make backups..."

Readership Usage: this blog has more followers on Twitter than on Facebook. This blog has more followers via e-mail than on Facebook. So, the comments approach must factor in this actual readership usage.

Mistrust: having written repeatedly about Facebook's privacy missteps and class-action lawsuits, I have learned that Facebook will consistently act in its own self-interest. I don't trust Facebook. I trust Facebook to continue to make public, at some date, members' sensitive personal data it had previously deemed private. That abuse is something I would not subject my readers to.

Corporate Blocks: many companies block access to Facebook in the workplace. That alone is probably a deal-killer. Discussions of identity theft, data breaches, and privacy require access to this blog.

Lack of Disclosure: at times, Facebook doesn't disclose to members everything it is doing, like censoring members' timelines.

Extensive Tracking: in a prior post I wrote about how Facebook Social Plug-ins perform tracking around the Web. The commenter verification advantage is not enough to subject my readers to more tracking by Facebook.

Buggy Interface: having used Facebook for several years, I have noticed many bugs and errors. I am not going to subject my readers to that.

One supposed benefit of the Facebook Comments Plug-in is that it will bring more readers, and commenters, to your blog. This blog has been optimized for search/SEO, so getting new readers has not been a problem. Currently, monthly readership is about 19,000 page views, an increase of greater than 45% compared to a year ago.

To summarize, any plug-in solutions have to be consistent with my identity information values.

As always, I value my readers' opinions and comments. Let me know below what you think about the Facebook Comments Plug-in.


Report: Health Care Industry Privacy, Security, and Data Breaches

Last month, the Deloitte Center for Health Solutions released a new report, "Privacy and Security in Health Care: A Fresh Look." The report identified the risks about privacy and security breaches within the health care industry, and recommended solutions for health plans, information technology vendors, and both federal and state health agencies.

The report found several reasons for increased risks:

  • Lack of internal resources (human resources and capital)
  • Lack of internal control over patient information
  • Lack of upper management support
  • Outdated policies and procedures
  • Inadequate training of staff and personnel

According to Paul Keckley, Ph.D., and executive director of the Deloitte Center for Health Solutions:

"Medical fraud is a serious issue, and 67 percent of consumers we polled believe fraud has a major influence on driving up the overall cost of healthcare."

The Health Insurance Portability and Accountability Act (HIPAA), enacted in April 2003, requires health care organizations to report data breaches of 500 or more records. Deloitte analyzed the breaches by organization type:

  • 71% - Health Care Provider
  • 16% - Health Plan
  • 14% - Hybrid Entity

About one-third of all health care breaches result in medical identity theft; patients' health records were used by identity criminals. Deloitte also analyzed the data breaches by equipment type:

[Chart: HIPAA breaches by equipment type. Source: The Deloitte Center for Health Solutions]

An important summary:

"The total economic burden created by data breaches in the health care industry is nearly $6 billion annually. The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580."

Located in Washington, D.C., the Deloitte Center for Health Solutions is the health services research unit of Deloitte LLP, the accounting and consulting company. The unit provides research for various Deloitte operations. Its research activities focus on three areas:

"1. Health policy and health reforms in the U.S. health care system;
2. Disruptive innovations that result in innovative solutions to improve efficiency and effectiveness, and
3. Consumerism, incorporating how end users of health goods and services think and behave."

The report does a good job of explaining the status of various legislation (e.g., HIPAA, ARRA, Red Flags, HITECH) about data security for the health care industry. The report also provides a glossary of terms.

Given the risk factors, the ongoing history of data breaches, and the rapid pace of change with new technologies (e.g., mobile devices), I don't see this situation improving quickly or soon. To learn more, download the Deloitte Center report (595k bytes, PDF).


Mass General Pays $1 Million Fine For Data Breach

Last week, the Department of Health and Human Services (HHS) announced that it had reached a settlement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General). Mass General agreed to pay the U.S. Government $1 million:

"... to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule..."

The "potential violation" is from a March 2009 data breach which included:

"... the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS... Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule."

The impermissible disclosure of PHI included the loss of:

  • Documents containing patient schedules with names and medical record numbers for 192 patients,
  • Billing forms containing the name, date of birth, medical record number, health insurer, policy number, diagnosis, and name of providers for 66 of the 192 patients

A Mass General employee left the records on a subway train while commuting to work. The records were never recovered. As part of the settlement, Mass General signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients.


Infected Droid Apps Create Havoc

InfoSecurity magazine reported this morning:

"Google has removed 55 apps from its Android Market after tens of thousands of users downloaded applications that were infected by the DroidDream trojan, according to numerous news reports. The list of infected Android applications include Chess, Super Guitar Solo, Bowling Time, Super History Eraser, and Photo Editor."

By gaining what is typically referred to as "root access," this malware can take over a consumer's mobile device. The malware was packed inside legitimate apps. The apps can open a "back door" so that the malware downloads even more bad software onto the mobile device.

DarkReading reported that as many as 500,000 consumers may have downloaded and installed the infected apps, and added:

"Google doesn't vet or security-scan apps submitted to its open, community-based app market, but security experts say the invasion of rogue apps could ultimately pressure the search engine giant to add some form of vetting applications before they hit the Market."

All of this places a premium on operators of app stores to continually check apps for security and compliance with the app store's policies, plus stronger anti-virus software protections that run on consumers' mobile devices.

The headline at PCWorld was, "DroidDream Becomes Android Market Nightmare."

What should consumers do? PCWorld offered five tips for consumers to keep malware off their mobile devices:

  1. Investigate the publisher of the app
  2. Read online reviews before installing new apps

See the PCWorld article for the full list of tips.


Facebook Decides To Continue And Make Public More Of Your Private Data

The Huffington Post reported on Monday that Facebook has decided to proceed with its plans to share members' home addresses and phone numbers (landline and mobile) with third parties. Facebook announced these plans in January, and then reversed its decision.

At that time, two U.S. Congressional Representatives had submitted their concerns to Facebook in a joint letter. In a lengthy February 23, 2011 response to Representatives Edward Markey (D-Mass.) and Joe Barton (R-Texas), Facebook's Vice President of Global Public Policy wrote (PDF):

"... The permissions framework Facebook has deployed for applications has been described as "providing users with simple but real control over their information," and after a lengthy investigation, the Office of the Privacy Commissioner of Canada concluded that it adequately informs users regarding what (if any) information they are sharing by choosing to use a given application. The framework is predicated on the assumption that, because users will not typically authorize applications that request access to too much information -- indeed, our data show that, on average, each additional category of information an application requests results in a 3% reduction in users click-through rates -- applications will not typically ask for more information than they need to operate... the application is subject to technical limitations that prevent it from gaining access to any information beyond that which the user has authorized..."

Let's drill into this a bit. If it's good enough for Canada, then according to Facebook it should be good enough for the USA. Hmmmm, sounds kind of arrogant to me.

I found the phrase "applications will not typically ask for more information..." very interesting. Has Facebook audited all of its applications? Or is this based on some random sample? If Facebook has audited (and continues to audit) all of its apps, then it should prevent apps from requesting too much information. I was unaware that Facebook completed such extensive auditing. The "technical limitations" were new to me, too. I guess the prior privacy concerns about leaky apps or risky apps were overstated?

Facebook's letter doesn't convince me. I need more proof than this letter that Facebook apps are safe and will continue to be safe. Remember, Facebook apps for your mobile device can link your UDID with your phone number and Facebook account.

And, Facebook's claim above about "users will not typically authorize applications..." assumes a mature adult who is aware of the risks of disclosing certain personal information. I doubt this will hold up to scrutiny for children who use Facebook. I doubt 13- or 15-year-old users, "will not typically authorize applications that request access to too much information." Facebook's Terms prohibit use by children younger than 13, but I wonder how effective it is at enforcing that.

Plus, anyone who uses Facebook probably has experienced that there are a dozen different pages and links one must click through and explore to completely lock down your Facebook profile information and privacy. It's not easy. Some links are links, some are buttons, and others are drop-down menus. Not all operate the same way.

Each must be clicked through and opened religiously in order to fully understand and protect your personal data on Facebook. It took me a good 40 minutes to verify all of my Facebook privacy settings based on this CIO article. That's 40 minutes to explore every Facebook privacy nook, crevice, and cranny. Many adults don't do this, and I doubt children will be as thorough, either.

So, while everything Facebook said above in its letter to Representatives Markey and Barton is technically correct, in practice the reality is probably very different.

Yes, in its Terms and Privacy policies (you read them, didn't you?), Facebook has gained the rights from its members to make changes -- to make public data that was previously private. That doesn't make it right nor acceptable. My advice to Facebook users:

  • Assume that anything you post or "like" on Facebook is public -- if it's not public today, it will be in the future
  • Remove any and all data from Facebook that you don't want public
  • Read the data disclosure policy for any apps you enable
  • Read Facebook's privacy and terms policies
  • Read the privacy policy associated with the Facebook app on your smart phone or mobile device

Or, delete your Facebook account.