Previous month:
February 2013
Next month:
April 2013

14 posts from March 2013

The Top 5 Places You Should Never Use Your Smart Phone

Social Times recently listed the top five places consumers should not use their smart phone. The top two places:

  1. Business meetings with clients
  2. In-person job interviews

Gee, you'd think that people would know better. Places I would add to the list: 6) in school, especially during an exam; 7) during wakes and funeral services; and 8) your doctor's office (especially when they post signs telling patients to turn off their mobile devices). There's just too much sensitive equipment nearby.

Follow the above link to read the entire list. What places do you believe consumers should turn off their mobile devices?


Data Breach At Schnucks Supermarkets Affects Customers And Their Banks

St. Louis-based KSDK television reported a data breach at Schuncks supermarkets. The supermarket chain isn't yet sure exactly where (e.g., which stores) and how the breach occurred (e.g., in the store or with a debit/credit card processor). The breach occurred about a week ago.

Schnucks operates stores in Missouri, Illinos, Iowa, and Indiana. Customers have already seen unauthorized charges on their debit/credit cards. A representative from Montgomery Bank reported that about 600 of their accountholders have already filed fraud claims. Some customers wonder why the store has not posted alerts in its stores, so shoppers can use cash instead:

“They’re just letting people use their cards and not saying anything.”

Reportedly, the retailer has hired a forensics technology firm to assist it with a breach investigation. It sounds to me like the company' was caught unprepared and its post-breach response needs improvement. Customers need to be notified prompty to take appropriate action to avoid or minimize identity theft and fraud.


Facebook Becomes More Annoying

This morning, I decided to clean out my personal Facebook email folder. I use Facebook.com for two reasons: 1) connect with friends, family, and former co-workers; and 2) a business page for this blog to connect with readers. The Facebook mail I deleted was for #1.

If you use Facebook.com, it is important to manage your email inbox, since you probably have received Facebook email from both people you are connected to and business pages you have "liked." I found the process to delete old Facebook emails both time-consuming and difficult. Unlike traditional email software, the Facebook email interface forces members to delete one conversation at a time:

Deleting Facebook email one conversation at a time

So, what should have taken at most 2 minutes, took almost 20 minutes. After deleting old conversations in my Facebook inbox, then I had to switch to the Facebook archive folder and repeat the deletion process:

Remember to delete old email in your Facebook Archive folder too

I find this user interface unnecessarily difficult and time consuming. (Deleting Facebook email is even more tedious and time consuming if you delete items one message at a time. Who would choose that form of self torture?) Perhaps, making it difficult for you to delete your information is a key part of Facebook's "Big Data" strategy to retain as much of its members' content for as long as possible. Facebook frequently hides tasks in unlabeled drop-down menus, and/or in multiple locations you wouldn't expect.

Combine this with the new ads that appear directly in your Facebook News Feed (e.g., Facebook calls them "Suggested Pages," but an ad is an ad by any name -- and some users report this as spam!), and the service has become much more annoying. And, it seems that Facebook plans to deliver more ads in members' News Feeds in the future.

Of course, the folks at Facebook would love for you to use only Facebook email, and stop using traditional email. Last year, without asking Facebook switched the default email addresses in its members' profiles from your traditional email address to your new Facebook email address. Check your Facebook profile. I'll be you didn't notice that.

I switched back the default email address in my Facebook profile, since I still use traditional email. It is important to me to not use any single company's service for all of my online activities. To do that would be for me to give up my power as a consumer. No walled gardens for me. That's why I also use DuckDuckGo -- to escape from being trapped in the search engine filter bubble.

If you use Facebook email, what are your opinions of it? Share below.


Payment Processors: A New I've Been Mugged Topic

When consumers purchase a product or service with some form of plastic (e.g., credit cards, debit cards, prepaid cards) and their mobile device, usually several companies are involved in completing that transaction: getting the money to the retailer (online or brick-and-mortar). While many consumers may believe that only their bank is involved in processing the transaction, the reality is that more companies are often involved.

One type of company involved are payment processors, companies that process these financial transactions. Sometimes these payment processor companies experience data breaches where sensitive customer information is lost or stolen. With recent events in the banking industry, and the spread of prepaid debit cards, this new topic can help you more easily read about and understand what is happening within the banking and retail industries.

I have tagged this new topic retroactively to archived blog posts, so you read and understand the types of information available. See the new "Payment Processors" topic. I hope that you find it useful.


Google To Terminate Google Reader On July 1, 2013. How To Find A Replacement

RSS icon On Wednesday of this week, Google announced that it will terminate Google Reader, a Cloud-based RSS feed reader application, on July 1, 2013. Google Reader stated in 2005.

For many consumers including readers of this blog, RSS feed readers are an efficient way to consume news content. Readers of this blog have several options. All blog posts are announced in an RSS feed. Plus, every post in this blog includes an RSS feed with comments by readers. This makes it easy to monitor replies to a comment you submitted.

If you are looking for RSS feed reader software alternatives, there are several. Some resources to help you find a replacement:

What replacement RSS feed reader did you choose?


The Companies Involved In Payment Transactions When Consumers Buy Items

When consumers pay for products and services, today they have a wide variety of options. To make these options work, a variety of companies are involved behind the scenes in the payment transactions: the companies money and information flow through after a consumer purchases something at the checkout register. Consumers may not realize the wide variety of different companies involved.

Companies involved in the payment transactions flow often have their onw privacy policy, and data collection of consumers' sensitive information -- driven by their agreement with the retailer or bank. And, each company involved may experience data breaches where consumers' sensitive information is exposed or stolen:

  Payment Method
Company Type
CashCredit CardDebit CardRetailer's Prepaid Card (1)
Bank Prepaid Card (2)
Prepaid Card: FSA (3)
Smart Phone
Brick-&-mortar retail store No Yes Yes Yes Yes Yes Yes
Online retail website n/a Yes Yes Yes Yes Yes n/a
Retailer's partners &/or affiliates (4)
n/a Yes Yes Yes Yes Yes Yes
Your bank n/a Yes Yes n/a Yes Yes Yes
Retailer's bank n/a Yes Yes Yes Yes Yes Yes
Payments Processor (5) No Yes Yes Yes Yes (6)
Yes Yes
Your Employer n/a n/a n/a n/a Yes Yes Yes
Healthcare Vendor (7)
n/a n/a n/a n/a No Yes n/a
Wireless Provider n/a n/a n/a n/a n/a n/a Yes
Mobile Device Manufacturer n/a n/a n/a n/a n/a n/a Yes
Mobile Device Operating System Developer (8) n/a n/a n/a n/a n/a n/a Yes
Mobile App Developer (8) n/a n/a n/a n/a n/a n/a Yes
App Store
n/a n/a n/a n/a n/a n/a Yes

Footnotes:

  1. Includes gift cards offered by retailers that are good only at that retailer's stores.
  2. Includes general-purpose prepaid cards usually offered by banks
  3. Includes prepaid cards used by employers to adminster healthcare Flexible Spending Accounts
  4. Includes outsourced vendors that administer a retailer's email marketing programs, cloud-based storage services, customer relationship management databases, mobile marketing services, product fulfillment, and/or data mining services; plus companies that perform co-marketing campaigns
  5. The bank and/or company that processes the debit/credit card transactions
  6. Applies to employers that pay employees via a payroll debit cards
  7. Some employers outsource the administration of their healthcare Flexible Spending Account (FSA) program to an external vendor, and issue participating employees a special prepaid card
  8. The company that develops and maintains this software mobile devices

What do you think about the above chart?


The State Of Texas Made $2.1 Million In 2012 Selling Drivers Personal Information

The CBS television network affiliate in the Dallas/Ft. Worth area reported that the State of Texas made $2.1 million in 2012 by selling the personal information of Texas drivers. Who buys this information collected by the Texas Department of Motor Vehicles:

"CBS 11’s I-Team Investigator Mireya Villarreal discovered nearly 2,500 agencies or businesses purchased the DMV’s data in some form last year. On this list there are towing companies, collection agencies, insurance companies, hospitals, banks, schools, city governments, and even private investigators."

The Driver Privacy Protection Act (DPPA) limits who can buy this information and what they can do with it. The report also highlighted the situation that Texas drivers cannot opt out of these sales.

CBS 11 provided a spreadsheet file which listed the companies that purchased information about Texas drivers. I spent some time reviewing the spreadsheet file and found:

  • What happens in Texas doesn't stay in Texas. Companies from 30 different states purchased the information about Texas drivers
  • Information about Texas drivers is popular. About 2,450 companies purchased information from at least 12 different business types
  • Expected the unexpected. Businesses that purchased driver data included some you'd expect (e.g., auto dealers, banks, finance companies, title services), but also some you might not expect. The list of business types included auto actions, auto dealers, banks/credit unions, city agencies, collection agencies, finance companies, private investigators, salvage yards, title services, universities and colleges, and wrecker services
  • Other who? The "Other" business type seemed to include some interesting organization names from the legal, oil, healthcare, software, and telecommunications industries; plus federal government agencies and some high schools.

The report did not mention the number records each company purchased, the total number of records purchased, or who the largest purchasers were. Knowing this would have enabled a deeper analysis. Then, you could compute an implied value to an average Texas driver's record.

The best comparison I can make is that the State of Florida made about $63 million in 2010 by selling drivers information, with an average value per record of about $ .01. This makes one wonder if Texas government officials did a poor job of selling driver information, or Florida government officials did an exceptional job.

While I didn't see in the Texas list of purchasers the high-profile names of data brokers from the Florida sales, I assume that intermediaries were used.

After reading the Texas DMV webpage about the DPPA, I felt that this page could do a far better job of informing consumers what is really happening. Other states say little in their websites about the money they make from DPPA sales.

What do you think of your state making money by selling your personal information?


Chicago Transit Authority Riders To Use New Ventra Card Starting This Summer

Ventra logo Last month, the CBS television network affiliate in Chicago reported about a new fare card to be offered this summer in Chicago by the local public transit authority. The news report stated:

"... one of the companies behind the new card gets an F rating from the Better Business Bureau... It will be offered by Money Network, which is owned by First Data. Money Network currently has an F rating with the BBB."

Reportedly, the "F" rating was based on complaints by consumers since 2010. Chicago officials said that the new Ventra fare system will save the Chicago Transit Authority (CTA) about $50 million during its 12-year contract with Money Network.

The new Ventra fare card will be available for Chicago consumers during the summer of 2013. Consumers will have the option to use the Ventra card to pay for CTA fares, or to opt in and also use it as a prepaid debit card to pay for purchases at local retail stores. By 2014, the CTA will migrate fully from the current Chicago Card and Chicago Card Plus payment methods to the new Ventra system. In the future, consumers will also be able to pay using their smart phones.

I visited the Ventra Chicago website to learn more. The website provides some information about this new fare and prepaid card:

"Cards are issued by MetaBank™, Member FDIC, pursuant to license by MasterCard International Incorporated. MasterCard and the MasterCard Brand Mark are registered trademarks of MasterCard International Incorporated."

This means that both the CTA and its riders will be doing business with MetaBank. Consumers that activate the prepaid debit option on their Ventra card will definitely want to know what bank is used, especially if there are problems or need help. (What could go wrong with a prepaid card? Read parts 1 and 2 about a consumer's experience with a healthcare prepaid card.) Since Money Network is a Ventra vendor, it means that Money Network (e.g., First Data Corp.) will likely perform the payment transaction processing.

You never heard of MetaBank? There is a pretty useful summary of MetaBank at the GetDebit website:

Summary of MetaBank at GetDebit.com

After reading the Ventra Chicago website, I also expected to find the full terms and conditions (e.g., contract) that applies when consumers opt-in to use the prepaid debit option with their Ventra Chicago card. In my experience, details matter with any prepaid card. Often, prepaid cards contain minimums, limits, and/or several fees (e.g., to load money onto the prepaid card, or make cash withdrawals at certain bank ATM network machines). Additional fees may apply if you use the prepaid card at a different ATM network.

In January, this blog reviewed the new AAA card. Like the coming Ventra Chicago card, AAA members can use their new AAA card as an identification card for towing services and discounts, or opt in and activate the prepaid debit option to use the card to make purchases at retail stores. The new AAA prepaid card has a $25.00 minimum to load money onto it, and a maximum monthly limit of $2,500 (or a $10,000 max with direct deposit). With the new AAA prepaid card, each month only the first ATM cash withdrawal is free, and all other ATM withdrawals cost $2.00 each. And, you have to use it at American Express network ATM machines.

I wanted to see if there were similar conditions with the new Ventra Chicago card, but the website didn't say. This is the type of information informed consumers look for, since there are legal differences and rights consumers have with prepaid cards compared to both credit- and debit cards. Informed consumers want to know their rights and specific rules, especially about replacing the funds on lost/stolen Ventra cards. Hopefully, CTA officials will update the Ventra Chicago website soon with the appropriate detailed information, so Chicago-area consumers can make informed choices.

I visited the BBB website to see if its rating of Money Network had changed since last month. It had and is now rated B+:

BBB rating of Money Network

You don't need to be a rock scientist to see that the Ventra Chicago business model is one that can be replicated with public transit systems in other cities across the country. As each system makes decisions about the payment methods they will use, transparency is critical. It is important for transit systems to provide consumers with as much choice, freedom, and privacy as possible with payment options, while minimizing fees and surcharges.

What else is going on here? As I see it, several things. First, banks are trying to capture more customers by targeting both consumers who don't have a bank account (called the "unbanked" in industry jargon), and consumers have a single bank account (e.g., checking or a savings but not both are called the "underbanked) with prepaid card pitches. Second, banking industry research has found that consumers who have used debit cards and were burned with multiple overdraft fees, now view prepaid cards as a way to avoid high overdraft fees. So, banks have targeted these consumers, too, with prepaid card pitches directly or through intermediaries (e.g., government, employers). These consumers often don't realize the limits, minimums, fees, and surcharges that often are included with prepaid cards.

Third, given current technologies it is fairly easy to make plastic identification cards perform the traditional functions plus act as a prepaid debit card. That's why you now see prepaid cards to receive government benefits, and with employer healthcare FSA programs. Fourth, it is no secret that banks perform huge data collection of consumers' purchases with all types of plastic in your wallet or purse: debit cards, credit cards, and prepaid cards. Banks analyze and sell your purchases with other businesses including data brokers. So, if you want privacy, keep using cash.

My advice to consumers is this: anytime a bank or company serves up a strong "convenience" pitch with a prepaid debit card, take the time to read closely the contractl details (e.g., often called the Terms and Conditions), the schedule of fees, and the privacy policy. Those documents will indicate what protections and rights you have (or don't have), and the costs. And, there are five things you should know about prepaid cards.

What is your opinion of Ventra Chicago? Of MetaBank? Of Money Network?


The Mugshot Industry. Accurate Information That Is Beneficial For Consumers?

Thursday night, ABC Nightline reported about problems consumers encountered with the mugshot industry -- websites that publish online photos of citizens arrested by law enforcement. While there have been very public, high-profile cases of celebrities' mugshots, the reality is that many consumers have been affected.

You've never heard of the mugshot industry? Neither had I until this Nightline report:

"Here's how it works, the sites legally download the latest mug shots from police web sites [that] published the faces of alleged lawbreakers on the Internet. And then often charge the accused of -- sometimes hundreds of dollars to pull all the photos..."

That's right. The sites charge consumers a fee, sometimes called a "take-down fee," to remove their mugshot photos. There are several problems with this. First, after paying one website to remove their mugshot photo, many consumers find that their mugshot photos re-appear on another website. Second, many sites don't consistently remove mugshot photos of consumers wrongfully arrested or found innocent by a court:

"... Sofia on Roddy says that was not her experience dealing with other companies she says she explained over and over again how she was the victim. And how the photos were preventing her from obtaining employment. And she provided these court document showing that prosecutors cleared her case. This was a wrongful arrests. And the case was dismissed by the state attorney's office. But her picture remains published..."

That does not sound good at all. According to ABC Nightline, there are 60 such mugshot websites. I searched online and easily found several within five minutes:

Some sites focus on a specific city or country, while others include several states and/or geographic areas. I am sure that some sites operate responsibly. Some are operated by newspapers. Why is this industry growing quickly? The ABC Nightline report interviewed one mugshot website operator, who admitted:

"Think of how many people have been arrested. Now put a small service fee on data -- of people and you can see why the industry is sort of taken off..."

Some consumers are fighting back. First, there is at least one blog about the mugshot industry. Increasing awareness among consumers is always good.

Second, in Florida legislators introduced a new bill (HB 677) to require mugshot website operators to automatically take down photos when consumers are found not guilty, or the charges were later dropped. That seems to be a very appropriate common-sense law.

Third, there is a class-action lawsuit in Ohio against several mugshot websites. According to Findlaw, the lawsuit claims:

"... these mugshot websites violate a person's right to publicity... to control how their own names and likenesses are used in the public domain, similar to how someone would own a copyright or patent... these mugshot websites may not publish such photos for the sole purpose of profiting off them, the lawsuit claims. The suit asserts that the websites' primary purpose for publishing these mugshot photos is so that those charged with a crime will pay money to remove their pictures."

The credit reporting industry is catching some most-deserved criticism about high error rates in credit reports. Plus, a couple federal laws govern and dictate a consistent process for consumers to report and challenge errors in credit reports. Accuracy seems important for the mugshot industry. HB 677 is a good start, but that is only one state. Issues with the mugshot industry are likely to continue until consumers pressure their elected officials for improved laws that better balance the privacy rights of consumers with the publishing rights of mugshot websites.

Watch the ABC News/Nightline report. And, learn more about the class-action lawsuit in Ohio.

What do you think of the mugshot industry? If you have been affected by, or paid a take-down fee to a mugshot website, what was your experience?


Disney Cruise Ship Child Care Staff Lose Young Child. Frantic Search Ensues

Disney Cruise Line logo At his blog, Brent Csutoras shared a frightening story about how his child was lost during a Disney cruise while under the supervision of daycare staff. Brent wrote:

"In January, we decided to take our two children on a Disney Wonder cruise... While on board, we left our 3 year old son, in their child care facility, the Oceaneer Club (for children aged 3 to 12). We were happy to see they had a wrist band tracking system, which could identify where a child was on the ship at any time and alert staff if the band went outside the area he was supposed to be in. So you can imagine our fear, shock, outrage and panic when we came back after an evening with friends, to find our child missing from their child care facility."

And, what happened with that high-tech wristband tracking? It's similar technology to what Disney plans to use in its land-based theme parks. It failed to work:

"... the next step was to check the tracking band system, which would pinpoint my son’s location. We walked over to the computer and as they pulled it up, everyone got very quiet. The screen showed my son’s band as ‘UNREADABLE’!!!."

After searching frantically for about 45 minutes, Brent's child was found sleeping under a "tunnel of chairs" in the child care center.

This story is horrendous. I am a parent, plus my wife and I have sailed on about 19 cruises on several cruise lines: Carnival,Celebrity, Costa, Holland America, MSC, Norwegian, Princess, and Royal Caribbean. We've sailed the Caribbean (West, South, and East), the Hawaiian Islands, Bermuda, the Panama Canal, Alaska, and the Eastern Mediterranean. While we have not sailed yet on Disney, we are very familiar with the cruising vacation experience. I would classify Brent's experience on the Disney Wonder an epic customer-service failure:

  • Clearly, the wristband technology, which should have worked, didn't and failed.
  • Clearly, the lighting in the daycare space was insufficient
  • Responsible cruise ship daycare staff should know where their children are, and not rely on wristbands to locate children. An on-board power failure could render that technology useless.
  • While cruise ship staff emphasized that they had a process for lost/missing children, it was not apparent nor clearly explained to the parents.
  • The ship seemed very reluctant to perform a public announcement. While they probably didn't want to alarm other passengers, the needs of a lost child outweigh that concern.

By law, cruise ships must perform safety drills before departing the embarkation port, or at sea soon after departure. This helps passengers what to do in case of an emergency.

Brent's story highlights the need for parents to apply the same level of importance to daycare services and safety, so they know what to do and where to go for their children during or after an emergency.

Disney's response, as Brent explained it, seems shortsighted and insufficient -- especially since the stranded Carnival Triumph cruise ship is fresh in many consumers' minds. After that mishap, some passengers have sued Carnival. Frankly, Disney's poor response to Brent and his family seems to risk losing future business:

"Considering I have two little boys, we would most certainly have booked other Disney vacations and cruises in the years to come. But this experience—the loss of my son, the poor response to the crisis aboard ship, and the uncaring, calculated corporate response afterward—has changed all that... Where is the Disney ‘magic’? For me, it’s been lost. Where is the customer service Disney is supposed to be known for? Nonexistent."

I suggest that Brent submit a cruise review to several cruising industry websites that consumers visit, such as Cruise Critic, Cruise411.com, and Cruise-Addicts.com. For parents who are considering a future cruise ship vacation with their children, I suggest that you:

  1. Before booking a cruise, read the safety materials in the cruise lines' websites
  2. After booking a cruise, read the safety materials in your cruise documents before your vacation. The cruise line or your travel agent will send these documents
  3. After boarding the cruise ship, meet with the daycare staff and have them show a successful test of any wristband or other technology used to track young children
  4. After boarding the cruise ship, review with daycare staff the safety procedures involving lost/missing young children before you drop them off at daycare, so you know what the process is and what to do during or after an emergency

In 2003, my wife and I sailed with our children, who were teenagers at that time. Before leaving on vacation, we reviewed with them the ship's safety rules, which we expected them to comply with 100%. Although rare, some adults have fallen overboard during cruises. A young woman wrote fake bomb-threat notes to divert a cruise ship so she could return home sooner to her boyfriend.

For cruise ship vacation, I think that this is a good rule of thumb: act and plan accordingly, because the knuckleheads you encounter on land you may also encounter at sea.


Asurion Expands Service Offering With Malware Protection For Smart Phones

Asurion, a provider of mobile device insurance services, announced yesterday that it will provide Walmart MobileCarePlus customers with free Asurion Mobile Security software. The Asurion security software is available in the respective app stores for Android and Blackberry smart phone users. According to the announcement:

"The Asurion Mobile Security solution regularly scans messages, pictures, installed applications and files on a customer's phone to identify and eliminate the latest viruses and malware, many of which can access private information and harm the mobile device itself. Safe browsing alerts users before visiting web sites which may compromise their phone's security and in the event a protected phone is misplaced, locate features can trigger an audible alarm, making recovery much easier... During the last two years, 48 percent of high school and college age students required a replacement device due to loss or damage."

For lost or stolen smart phones, the security service also includes a remote wipe feature to prevent thieves from accessing sensitive data and contacts on your smart phone.

This blog has warned mobile device users to add anti-malware software to their devices. Security software is available from a variety of vendors. If you are considering insurance for your mobile device, then read this first to help decide what's best for you.


The Words Organizations Use In Their Data Breach Notices

What words do organizations use frequently in breach notification letters and announcements? To better understand this, I used the Wordle tool to create word clouds from several actual, high-profile breach notifications during the past six months. The tool gives more prominence to words that appear more frequently.

Some breach notices were blog posts, some were press releases, some were web pages in a small website specifically about that data breach, and others were letters shared with state agencies, as required by law in some states. I wanted to see what words were frequently used and any variations.

A word cloud from the February 2013 breach notice by Twitter:

Word cloud for the Twitter.com breach notice

 

A word cloud from the February 2013 breach notice by GE Capital Retail Bank (Adobe PDF):

Word cloud for the GE Capital Retail bank breach notice

A word cloud from the February 2013 breach notice by Walgreens drug stores (Adobe PDF):

Word cloud for the Walgreens breach notice

A word cloud from the January 2013 breach announcement by the Experian credit reporting agency (Adobe PDF):

Word cloud for the Experian breach notice

A word cloud from the January 2013 breach announcement by Zaxby's restaurants:

Word cloud for the Zaxbys breach notice

A word cloud from the November 2012 breach notice by Pinnacle Foods:

Word cloud for the Pinnacle Foods Group breach notice

A word cloud from the November 2012 breach notice by Nationwide Insurance:

Word cloud of the Nationwide Insurance breach notice

Clearly, there is a lot of variety. Some words (e.g., information, report, credit, security) appear frequently within and across breach notices. Some breach notices feature the company name prominently while others don't. While the words may vary, basic information about the breach is presented pretty consistently: organization name, relevant dates, the types of individuals affected (e.g., members, employees, students), and what that organization calls the notice.

A lot of this is mandated by state breach notification laws. Depending upon local laws, the notification may be sent to affected individuals, a public notice, or both.

The content that varies seems to be the amount of detail disclosed about he cause of the data breach, and the resources for breach victims. The resources vary based on the type of data stolen. For example, when consumers' Social Security numbers have been stolen. the notices frequently mention the major credit reporting agencies. This is what I have seen frequently in both breach notices I have received and others I have read.

An exception seems to be the GE notice which only mentions a single credit reporting agency. Sometimes, the resources to help breach victims are in a separate document or website page. So, this will affect the words used in the actual breach notice.

Sadly, the credit reporting agencies experience data breaches, too. Since they specialize in information about individuals, you might think that they don't experience data breaches, but they do. The FTC has studied the accuracy of credit reports, and many people feel that credit reporting agencies should do a lot more to fix the errors in their consumer credit reports.

What do you think of data breach notices? How many breach notices have you received?


Michaels Stores Provide Policies And Class Action Notice On Sales Receipts

My wife and many of her friends like to quilt. They regularly visit retail stores and quilt shops for quilting supplies. This past weekend, my wife visited a Michaels store in Massachusetts. After paying (with cash) for her purchases, she received the following sales receipt:

Sales receipt from a Michaels store with policy information

The sales receipt mentions the store's coupon, exchanges, and returns policies, plus a recent class action lawsuit. The Michaels sales receipt says:

"Dear Valued Customer:

Our coupon policy is to accept one coupon per customer per day. Certain exclusions apply. Please review the exclusion on the coupon and speak with the manager on duty for any questions you may have. Thank You.

To return or exchange an item, customer is required to present a valid photo ID that will be swiped/recorded at the time of the return or exchange for return authorization purposes only. Receipt required within 60 days for refund on most products. Alternate rules apply to books, magazines, and technology and custom products. Returns without receipt will receive Store Return Card. Refunded amount will be the lowest sales price of the item within the last 90 days. Return polices are available at Michaels.com and in store."

One coupon per customer per day? That sounds very stingy and customer unfriendly, as if the store really doesn't want to accept any coupons. And, why use the sales receipt to deliver policy information? This seems customer unfriendly. I've seen promotions and contest information on sales receipts, but not detailed policy information. Simply, print the complete information on regular 8.5 x 11 inch sized paper which is more legible; and insert in each customer's bag. Plus, some customers prefer or require large-print notices.

If you compare the returns/exchanges language on the sales receipt to the store's online Return Policy for US residents (there is a separate Return Policy for Canadian residents), you will find that the online policy has additional language. Customers should not assume that the sales receipt mentions the entire return policy.

More importantly, I want to know why Michaels' return/exchange policy requires the scanning and retention of consumers' identification documents (e.g., driver's licenses, state-issued ID's, passports, and military ID's) even when customers have a receipt. This seems customer unfriendly. When a store requires a document like a driver's license to process a return or exchange, the store collects everything on that document: your address, Driver ID number, height, weight, hair and eye color, and birth date.

Does Michaels really need all of this information (e.g., my weight, eye and hair color) to process a return with a valid receipt? This data collection is legal when performed for fraud prevention. There seems to be nothing stopping retailers from using the data collected for other purposes, such as data mining and marketing.

If a consumer has a receipt, that should be all that is necessary. I did some brief checking and at least one' competitor, Jo-Ann Fabric & Craft Stores, does not require IDs for in-store product returns. Smaller local and mom-and-pop fabric/crafts stores probably have more customer-friendly policies, too.

The sales receipt does not mention a privacy policy. It should, since Michaels does have a privacy policy online at its website, with specific additions for residents of California, Nevada, Vermont, and Canada. However, that online privacy policy does not seem to mention its data retention and sharing polices with ID information collected via returns or exchanges.

Given its return/exchange policy, I want to know how long Michaels retains ID information and what other companies (by name) it shares that ID information with -- items a privacy policy typically state. Without a statement in its privacy policy, a retailer can do anything with that data collected. This ID information is very sensitive data. Customers need to know how long a store retains this information and who it is shared with. Otherwise, consumers cannot make an informed choice.

The sales receipt also says (links enabled):

"Michaels Data Breach Class Action (for more information, please go to www.michaelsdatasettlement.com)

Michaels has settled a lawsuit that allowed certain of its customer suffered damages as a result of a data breach at selected Michaels stores between January 1, 2011 and May 12, 2011. Michaels denies all of the claims."

Unfortunately, that last sentence is vague. It refers to claims alleged in the lawsuit and not claims submitted by data breach victims seeking reimbursement for damages. In May 2011, Michaels stores warned customers in Illinois, New Jersey, California, and 15 other states about the data breach. Criminals had reportedly tampered with in-store PIN pads in checkout lines (e.g., skimming) to steal debit and credit card data. Reportedly, 90 PIN pads were initially affected, but the retail chain later replaced about 7,200 PIN pads. About 94,000 consumer accounts were affected.

Browse the list of Michaels stores (Adobe PDF) affected by the data breach. The list included several stores in Massachusetts in Braintree, Burlington, Danvers, Everett, and Hanover. Customers can also visit the Consumer Notices page at the Michaels.com.

Skimming is a worldwide identity theft and fraud problem. Besides supermarkets and retail stores, criminals target bank ATM machines, gas station pumps, and contact-less (e.g., RFID) payment methods. Several states, including California and Washington, have already banned RFID skimming. Stolen debit card and PIN data gives thieves direct access to consumers' checking bank accounts.

The sales receipt also says:

"You are included in the class if you shopped in this Michaels store or in other selected Michaels stores during that period and your Payment Card was swiped on a PIN Pad terminal from which credit or debit card information was stolen. A complete list of affected Michaels stores can be found at www.michaelsdatasettlement.com. Customers whose credit or debit card information was stolen may receive monetary payment for documented unreimbursed monetary damages and/or credit monitoring services. To request such relief, you must submit a claim postmarked by May 25, 2013.

Unless you exclude yourself from the class by March 5, 2013, you will give up the right to ever sue Michaels about the legal claims the settlement resolves. If you stay in the class, you may object to the settlement by March 5, 2013.

The Court will hold a hearing on April 4, 2013, to consider whether to approve the settlement and payment of attorneys' fees and expenses. You may ask to appear and speak at the hearing."

The settlement agreement includes a $600,000 payment by Michaels stores, which could increase to $800,000 depending upon the volume of claims and reimbursements. If the entire $600,000 is not used, then the remainder will be donated to the Starlight Childrens Foundation, which works with seriously ill children.

I'm glad that my wife paid with cash. I hope that she buys her quilting supplies elsewhere in the future, and doesn't have to return or exchange any of her purchases made at Michaels stores.

Report: It Takes Months For Organizations To Detect And Resolve Data Breaches

I started writing this blog after a data breach at a former employer exposed my sensitive personal information. The consequence was that I had to take action due to a former employer's sloppiness.

Given that history, a new report by the Ponemon Institute, and sponosred by Solera Networks, caught my attention. The report included results from a study of data breaches in organizations to understand the differences between malicious and non-malicious data breaches, plus any lessons learned from the post-breach and forensic investigations.

Typically, after a data breach organizations' IT departments investigate independently or with the assistance of an outsourced technology consultant, the data breach. That investigation includes the cause of the breach, the specific computer systems and/or networks compromised, the number and types of records accessed (e.g., current employees, prior employees, contractors, students, etc.), and the specific data elements (e.g., names, street addresses, bank account numbers, Social Security numbers, e-mail passwords, etc.) accessed and/or stolen. By understanding what happened, organizations, in theory, can better secure their computers and networks from future data breaches.

The Ponemon study used the following definitions for data breach types:

"... we define a non-malicious breach as a system error, employee negligence or third-party snafu and a malicious breach is defined as one involving the theft of information assets by a criminal insider or [external hacker]..."

I found the results fascinating for several reasons. In my personal experience, my former employer's breach included data tapes shipped via a third-party vendor which never arrived at the off-site storage facility. This affected my privacy along with that of both current and other former employees.

First, the global results from the Ponemon report:

  • 54% of IT professional respondents said (e.g., Strongly Agree or Agree) that the severity of data breaches has increased during the past 24 months
  • 52% of respondents said (e.g., Strongly Agree or Agree) that the frequency of data breaches has increased during the past 24 months
  • Only 44% of respondents said that their organization has the tools, personnel, and funding to quickly detect data breaches
  • Only 43% of respondents said that their organization has the tools, personnel, and funding to prevent data breaches
  • While 63% of respondents said that understanding the root causes of data breaches has increased data security in their organization, but only 40% said they have the tools, personnel, and funding to determine the root causes of data breaches
  • On average, it took organizations 49 days to detect non-malicious data breaches, and 80 days -- almost 3 months -- to detect malicious breaches. For resolution, it took 83 and 123 days, respectively.
  • Only 39% of respondents that experienced a malicious breach said that they were confident (e.g., Very Confident and Confident) that their organization determined the root cause of the breach

This is not good. It takes a long time to detect breaches, if at all, and a long time to fix them. The most frequent types of data breaches experienced during the past 24 months:

  • 47% - Employee or contractor negligence
  • 32% - System error or malfunctions
  • 24% - External attacks
  • 23% - Third party mistakes or negligence
  • 14% - Malicious insiders

Where the data breach occurred within the organization varies:

Breach LocationMalicious BreachesNon-Malicious Breaches
Within business unit 15% 27%
During transit or transmission to a third-party location 6% 22%
Off-site 30% 20%
Off-site data center 12% 12%
On-site data center 9% 9%
Unable to determine 28% 9%

When the breach was discovered:

When DiscoveredMalicious BreachesNon-Malicious Breaches
Immediately 2% 20%
Within one week 19% 19%
Within one month 29% 28%
Within 3 months 24% 16%
Within 6 months 6% 4%
Within 1 year 4% 2%
Within 2 years 2% 1%
Unable to determine 15% 10%

So, an astounding 15% of the time organizations were never able to determine when malicious data breaches were detected. That's about one out of every six breaches. How malcious breaches were discovered:

  • 28% - Forensic tools and methods
  • 19% - Loss preventiona tool such as DLP
  • 15% - Notification by law enforcement
  • 10% - Automated monitoring
  • 9% - Accidental discovery
  • 6% - Audit or assessment
  • 3% - Legal filing or complaint
  • 3% - Manual monitoring
  • 3% - Notification by partner or third-party
  • 3% - Consumer or customer complaint
  • 3% - Unsure
  • 1% - Other

Second, some country-specific results:

  • 41% of survey respondents from the USA said (e.g., Strongly Agree and Agree) that their organization were ready with the tools, personnel, and funding to prevent data breaches. The average across all countries was about 44%. Organizations in Japan (56%) and Singapore (58%) led the way with prevention readiness.
  • 42% of survey respondents from the USA said that their organization were ready with the tools, personnel, and funding to quickly detect data breaches. The average across all countries was about 44%. Again, organizations in Japan (55%) and Singapore (57%) led the way with detection readiness.
  • 33% of survey respondents from the USA said that their organization's leaders view data security as a top priority. The average across all countries was about 37%. Again, organizations in Japan (51%) and Singapore (50%) led the way with senior management leadership.

The study included a survey of 3,529 Information Technology professionals in eight countries. 54% of survey participants report directly to the chief information officer (CIO) in their organization. Participants were selected from organizations that had at least one data breach during the past 24 months. The survey included organizations from both the public and private sectors.

Survey respondents by country:

  • 659 - USA
  • 566 - Japan
  • 445 - Brazil
  • 431 - United Kingdom
  • 423 - Canada
  • 395 - Australia
  • 309 - Singapore
  • 301 - United Arab Emirates
  • 3,529 - Total

Third, survey respondents by industry:

  • 18% - Financial Services
  • 11% - Federal and central government
  • 7% - Services
  • 7% - Retail, Internet
  • 6% - Professional services
  • 5% - Industrial products and chemicals
  • 4% - State, province and local government
  • 4% - Communications
  • 4% - Consumer products
  • 4% - Entertainment and media
  • 4% - Hospitality
  • 3% - Defense contractor
  • 3% - Retail, conventional
  • 3% - Technology and software
  • 2% - Energy and utilities
  • 2% - Education and research
  • 2% - Healthcare and medical devices
  • 2% - Pharmaceuticals and biotech
  • 1% Transportation
  • 1% - Other
  • 100% - Total

What is a consumer to take from the results in this report? As I see it:

  1. Data breaches will continue to happen. The bad guys also read reports like this, and determine where the soft or easy targets are.
  2. There is an opportunity for companies and senior executives in the USA to do much better and take a leadership role. Will they?
  3. Outsourcing matters, since about 48% of malicious breaches happened off-site or during transit/transmission with a third party contractor or partner
  4. Despite what senior-level executives say in speeches and press releases about valuing data security, the survey suggests otherwise. Many organizations don't have the necessary tools, personnel, and funding.
  5. Despite what senior-level executives say in breach notification letters after a data breach, they often don't know what happened and won't for a long while, if they ever do. Too many never determine when and what happened.
  6. Informed consumers realize the reality is that you have to protect your sensitive personal data. Don't rely on a employer or former employer to do it.
  7. All of this applies to mobile app developers, app stores, online retailers, and related Internet companies since the study included those industries, too.

Access the complete "Post Breach Boom" Ponemon report here.