
12 posts from September 2016

4 Website Operators Settle With New York State Attorney General For Illegal Tracking of Children

Earlier this month, the Attorney General for the State of New York (NYSAG) announced settlement agreements with the operators of several popular websites for the illegal online tracking of children, which violated the Children's Online Privacy Protection Act (COPPA). The website operators agreed to pay a total of $835,000 in fines and to implement a comprehensive set of requirements and changes.

COPPA, passed by Congress in 1998 and updated in 2013, prohibits the unauthorized collection, use, and disclosure of children’s personal information (e.g., first name, last name, e-mail address, IP address, etc.) on websites directed to children under the age of 13, including the collection of information for tracking a child’s movements across the Internet. The 2013 update expanded the list of personal information items, and prohibits covered operators from using cookies, IP addresses, and other persistent identifiers to track users across websites for most advertising purposes, amassing profiles on individual users, and serving targeted behavioral advertisements.

The NYSAG operated a program titled "Operation Child Tracker," which analyzed the most popular children’s websites for any unauthorized tracking. The analysis found that four website operators included third-party tracking on their websites -- which is prohibited by COPPA -- and had failed to properly evaluate third-party companies, such as advertisers, advertising networks, and marketers. The website operators and their properties included Viacom (websites associated with Nick Jr. and Nickelodeon), Mattel (Barbie, Hot Wheels, and American Girl), JumpStart (Neopets), and Hasbro (My Little Pony, Littlest Pet Shop, and Nerf).

Regular readers of this blog are familiar with the variety of technologies and mechanisms companies have used to track consumers online: web browser cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, canvas fingerprinting, and augmented reality (which tracks consumers both online and in the physical world). For example, the web browser cookie is a small text file that a website places on a user’s computer and that the user’s web browser stores. Every time the user returns to that website, the browser sends back all of the cookies that website previously stored on the user’s computer. Some website operators shared the information contained in web browser cookies with third-party companies, such as marketing affiliates, advertisers, and tracking companies. Because a third party whose content is embedded on many sites receives its own cookies from each of them, web browser cookies can be used to track a user’s browsing history across several websites.

All of this happens in the background without explicit notices in the web browser software, unless the user configures their web browser to provide notice and/or to delete all browser cookies stored. The other technologies represent alternative methods with more technical sophistication and stealth.

The announcement by the NYSAG described each website operator's activities:

"Viacom operates the Nick Jr. website, at www.nickjr.com, and the Nickelodeon website, at www.nick.com... The office of the Attorney General found a variety of improper third party tracking on the Nick Jr. and Nickelodeon websites. These included:

1. Many advertisers and agencies that placed advertisements on Nick Jr. and Nickelodeon websites introduced tracking technologies of third parties that routinely engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA. Viacom considered several approaches to mitigate the risk of COPPA violations from these third parties, including removing adult advertising from a child-directed section of the Nick Jr. website and monitoring advertisements for unexpected tracking... However, Viacom did not timely take either approach and did not implement sufficient safeguards for its users.

2. Some visitors to the homepage of the Nick Jr. website were served behavioral advertising and tracked through a third party advertising platform Viacom used to serve advertisements. Although Viacom considered the homepage of the Nick Jr. website to be parent-directed, and thus not covered by COPPA, the homepage had content that appealed to children. Under COPPA, website operators must treat mixed audience pages as child-directed..."

The NYSAG also found:

"... 26 of Mattel’s websites feature content for young children, including online games, animated cartoons, and downloadable content such as posters, computer desktop wallpaper, and pages for young children to color... The office of the Attorney General found that a variety of improper third party tracking technologies were present on Mattel’s child-directed websites and sections of websites. These included:

1. Mattel deployed a tracking technology supplied by a third party data broker across its Barbie, Hot Wheels, Fisher-Price, Monster High, Ever After High, and Thomas & Friends websites. Mattel used the tracking technology for measuring website metrics, such as the number of visitors to each site, a practice permitted under COPPA. However, the tracking technology supplied by the data broker introduced many other third party tracking technologies in a process known as “piggy backing.” Many of these third parties engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA.

2. A tracking technology that Mattel deployed on the e-commerce portion of the American Girl website, which is not directed to children or covered by COPPA, was inadvertently introduced onto certain child-directed webpages of the American Girl website.

3. Mattel uploaded videos to Google’s YouTube.com, a video hosting platform, and then embedded some of these videos onto the child-directed portion of several Mattel websites, including the Barbie website. When the embedded videos were played by children, it enabled Google tracking technologies, which were used to serve behavioral advertisements."

Regarding JumpStart, the NYSAG found:

"... several improper third party tracking technologies were present on the Neopets website, both for logged-in users under the age of 13 and users who were not logged-in. These included:

1. JumpStart failed to configure the advertising platform used to serve ads on the Neopets website in a manner that would comply with COPPA. As a result, users under the age of 13 were served behavioral advertising and tracked through the advertising platform.

2. JumpStart integrated a Facebook plug-in into the Neopets website... Facebook uses the tracking information for serving behavioral advertising, among other things, unless the website operator notifies Facebook with a COPPA flag that the website is subject to COPPA. JumpStart did not notify Facebook that the Neopets website was directed to children."

For Hasbro, the NYSAG found:

"... several improper third party tracking technologies were present on Hasbro’s child-directed websites and sections of websites. These included:

1. Hasbro engaged in an advertising campaign that tracked visitors to the Nerf section of Hasbro’s website in order to serve Hasbro advertisements to those same users as they visited other websites at a later time, a type of online behavioral advertising prohibited by COPPA known as “remarketing.”

2. Hasbro integrated a third-party plug-in into many of its websites, that allowed users to be tracked across websites and introduced other third parties that engaged in the type of tracking, profiling, and targeted advertising prohibited under COPPA.

It is important to note that Hasbro participated in a safe harbor program. A website operator that complies with the rules of an FTC-approved safe harbor program is deemed in compliance with COPPA. However, safe harbor programs rely on full disclosure of the operator’s practices and Hasbro failed to disclose the existence of the remarketing campaign through the Nerf website."

The terms of the settlement agreements require the website operators to:

  1. Conduct regular electronic scans for unexpected third party tracking technologies that may appear on their children’s websites. Three of the companies, Viacom, Mattel, and JumpStart, will provide regular reports to the office regarding the results of the scans.
  2. Adopt procedures to evaluate third-party companies before they are introduced onto their children’s websites. The evaluation should determine whether and how the third parties collect, use, and disclose, and allow others to collect, use, and disclose, personal information from users.
  3. Provide notice to third parties that collect, use, or disclose personal information of users with information sufficient to enable the third parties to identify the websites or sections of websites that are child-directed pursuant to COPPA.
  4. Update website privacy policies with either a) information sufficient to enable parents and others to identify the websites and portions of websites that are directed to children under COPPA, or b) a means of contacting the company so that parents and others may request such information.

Kudos to the NYSAG office and staff for a comprehensive analysis and enforcement to protect children's online privacy. This type of analysis and enforcement is critical as companies introduce more Internet-connected toys and products classified as part of the Internet of Things (IoT).


Wells Fargo Tries To Do The Right Thing For Its Customers

After the massive $185 million fine for its phony accounts scam, Wells Fargo bank is trying to do right by its customers. The bank published this statement with promises:

"Steps we have taken to ensure our Community Bank sales culture is wholly aligned with our customers’ interests include: 1) Eliminating product sales goals for all retail bankers to make certain nothing gets in the way of doing what is right for our customers; 2) Sending customers a confirmation email within one hour of opening any deposit account and an acknowledgement letter after submitting a credit card application; 3) Contacting all deposit customers across the country to invite them to review their accounts with their banker and calling the credit card customers identified in the review to confirm whether they need or want their credit card; 4) Expanding the remediation review to 2009 and 2010; and 5) Conducting an independent, enterprise-wide review of our sales practices."

There is more. A September 27th news release by Wells Fargo stated:

"The Independent Directors of the Board of Directors of Wells Fargo & Company (NYSE: WFC) today announced that they have launched an independent investigation into the Company’s retail banking sales practices and related matters. A Special Committee of Independent Directors will lead the investigation, working with the Board’s Human Resources Committee and independent counsel Shearman & Sterling LLP. Chairman and CEO John Stumpf, a member of the Board, has recused himself from all matters related to the Independent Directors’ investigation and deliberations.

The Independent Directors have taken a number of initial steps they believe are appropriate to promote accountability at the Company. They have agreed with Mr. Stumpf that he will forfeit all of his outstanding unvested equity awards, valued at approximately $41 million based on today’s closing share price, and that he will forgo his salary during the pendency of the investigation. In addition, he will not receive a bonus for 2016. Carrie Tolstedt, until recently Head of Community Banking, has left the Company, and the Independent Directors have determined that she will forfeit all of her outstanding unvested equity awards, valued at approximately $19 million based on today’s closing share price. Ms. Tolstedt will not receive a bonus for 2016 and will not be paid severance or receive any retirement enhancements in connection with her separation from the Company. She has also agreed that she will not exercise her outstanding options during the pendency of the investigation. These initial actions will not preclude additional steps being taken with respect to Mr. Stumpf, Ms. Tolstedt or other executives as a consequence of the information developed in the investigation."

Conducting an investigation? That means the bank's senior executives still don't know what happened, or may still be happening -- or even worse, some executives know and haven't admitted important facts. Is this a bank to do business with? John Chiang, the Treasurer for the State of California announced on Wednesday that the State has suspended doing business with Wells Fargo for 12 months. Chiang issued this explanation:

"... the Treasurer oversees nearly $2 trillion in annual banking transactions, manages a $75 billion investment pool, and is the nation’s largest issuer of municipal debt... The Treasurer announced in a letter to Wells Fargo Chairman John G. Stumpf and board members that he has ordered the suspension of Wells Fargo’s participation in its most highly profitable business relationships with the State of California. Those sanctions include: i) Suspension of investments by the Treasurer’s Office in all Wells Fargo securities; ii) Suspension of the use of Wells Fargo as a broker-dealer for purchasing of investments by his office; and iii) Suspension of Wells Fargo as a managing underwriter on negotiated sales of California state bonds where the Treasurer appoints the underwriter... These sanctions take effect immediately and will remain in place for the next twelve months. Wells Fargo is expected to comply with all of the terms of the consent orders it has entered with the Consumer Financial Protection Bureau, the Los Angeles City Attorney, and the Office of the Comptroller of the Currency... The letter warns the bank that if it fails to demonstrate compliance with the Consent Orders or evidence surfaces that Wells Fargo has engaged in the same behavior it will face tougher sanctions up to and including complete and permanent severance of all ties between the Treasurer’s Office and Wells Fargo..."

Hopefully, the board will assess more penalties upon Stumpf, Tolstedt, and senior bank executives. The penalties mentioned above seem woefully insufficient, since they penalize the executives only in 2016 for activities that went on during the last five years.

The bank's statement was also silent about important issues: a) remedies for customers whose credit ratings were damaged by the phony new accounts, and b) compensation for customers for lost interest revenues when their money was withdrawn from interest-bearing accounts to set up the phony new accounts.

The bank's news release included this statement by Stephen Sanger, Lead Independent Director:

"... We will conduct this investigation with the diligence it deserves -- and will follow the facts wherever they lead. Our thousands of outstanding team members and millions of loyal customers and shareholders deserve no less. Based on the results of the investigation, the Independent Members of the Board will take such other actions as they collectively deem appropriate, which may include further compensation actions before any additional equity awards vest or bonus decisions are made early next year, clawbacks of compensation already paid out, and other employment-related actions. We will proceed with a sense of urgency but will take the time we need to conduct a thorough investigation. We will then take all appropriate actions to reinforce the right culture and ensure that lessons are learned, misconduct is addressed, and systems and processes are improved so there can be no repetition of similar conduct."

While clawbacks of executives' compensation from prior years sound good, the key takeaway seems to be: the board still does not know what is happening in its bank, nor what corrective actions to implement beyond the promises listed above. And it can't rely on Stumpf to tell them. Stumpf should be fired immediately for not keeping the board informed. Same for Tolstedt. In a perfect world, both would be in prison. Fraud is fraud.

What are your opinions about Wells Fargo? Would you do business with the bank?


News About The Massive Data Breach At Yahoo Isn't Pretty

The news about Yahoo's massive data breach seems to be getting worse. The Oregonian reported:

" "Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter. A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous. Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time..."

Apply those success rates to half a billion stolen credentials and criminals have plenty of opportunities to break into consumers' online accounts. And, this list of seven ways the breach has exposed consumers to online banking fraud is definitely accurate.
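As an added example of the defensive side of the technique just described (this is not part of the original post or of the article it quotes): a small detector that reads authentication records and flags a source address that tries many distinct usernames in a short window with almost every attempt failing. That pattern is the signature a credential-stuffing run leaves, and it differs from one user mistyping a password, which a naive failed-login counter would flag just the same. The log format, addresses, and usernames are constructed for the example, and the thresholds are assumptions an operator would tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example: one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_distinct_users=10, min_fail_ratio=0.9):
    """Flag source IPs that, within any `window`, try at least `min_distinct_users`
    different accounts with a failure share of at least `min_fail_ratio`.
    One account failing repeatedly from one IP (a forgotten password) is not flagged.
    The thresholds are assumptions to tune against real traffic."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(1 for e in span if not e["ok"])
            if len(users) < min_distinct_users or failures / len(span) < min_fail_ratio:
                continue
            candidate = {
                "attempts": len(span),
                "distinct_users": len(users),
                "failures": failures,
                # accounts that succeeded inside the burst: likely takeovers to act on first
                "successes": sorted(e["user"] for e in span if e["ok"]),
            }
            if ip not in alerts or candidate["attempts"] > alerts[ip]["attempts"]:
                alerts[ip] = candidate
    return alerts


# Constructed sample: a user mistyping a password, a normal login, a non-matching
# line, and one source cycling through leaked username/password pairs every ~2 seconds.
SAMPLE_LOG = [
    "2016-09-23T10:00:00Z ip=203.0.113.5 user=alice result=FAIL",
    "2016-09-23T10:00:04Z ip=203.0.113.5 user=alice result=FAIL",
    "2016-09-23T10:00:09Z ip=203.0.113.5 user=alice result=OK",
    "2016-09-23T10:01:00Z ip=192.0.2.44 user=bob result=OK",
    "this line is not an auth record",
] + [
    f"2016-09-23T10:02:{2 * i:02d}Z ip=198.51.100.7 user=user{i:02d} "
    f"result={'OK' if i == 7 else 'FAIL'}"
    for i in range(12)
]


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts on {info['distinct_users']} accounts, "
              f"{info['failures']} failed, successes={info['successes']}")
```

On the constructed log the detector flags only 198.51.100.7, twelve attempts on twelve accounts with a single success, and reports that one account so it can be reset first; alice's three tries from one address are ignored because they touch a single account. Stuffing runs that spread attempts across many addresses would defeat a per-IP rule, which is why the success rates quoted above make per-account defences (second factors, notifying users whose credentials appear in a known leak) matter as much as source-based rate limiting.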

The tech company's stock has dropped 4 percent since September 22. During an interview, Tim Armstrong, the head of AOL, which Verizon owns, would not comment about whether Verizon might renegotiate its $4.8 billion cash offer for Yahoo's core business. Experts have speculated about whether or not the breach might trigger the "material adverse effect" clause in the purchase transaction.

Tech Week Europe reported:

"Cybersecurity specialist Venafi conducted research into how well Yahoo reacted to the breach, in particular the cryptographic controls Yahoo still has in place, and said the results were “damning.” Researchers said Yahoo had still not “taken the action necessary to ensure they are not still exposed and that the hackers do not still have access to their systems and encrypted communications.” Furthermore Venafi warned that “Yahoo is still using cryptography (MD5) that has been known to be vulnerable for many years now.”"

On Monday, U.S. Senator Mark R. Warner (D-VA) requested that the U.S. Securities and Exchange Commission (SEC) investigate Yahoo and its executives. Senator Warner said in a statement:

"Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications," wrote Sen. Warner, a former technology executive. "Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."

Senator Warner called on the SEC:

"... to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems. Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,

Also, six U.S. Senators sent a letter on September 27 to Marissa Mayer, the Chief Executive Officer at Yahoo, demanding answers about precisely how and why the massive breach went undetected for so long. The letter by Senators Richard Blumenthal (D-CT), Al Franken (D-MN), Patrick Leahy (D-VT), Edward J. Markey (D-MA), Elizabeth Warren (D-MA), and Ron Wyden read in part:

"We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans' data may have been compromised for two years. That is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of Americans in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps to be taken to protect that information."

Indeed. Consumers have these reasonable and valid expectations. The letter demands that the tech company provide a briefing to the Senators' staffs with answers to a set of eight questions including a detailed timeline of events, specific systems and services affected, steps being taken to prevent a massive breach from happening again, and how it responded to any communications and warnings by government officials about state-sponsored hacking activity.

Elizabeth Denham, the Information Commissioner of the United Kingdom (UK), released a statement on September 23 demanding answers from Yahoo:

"The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be. The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today. We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected..."

Some consumers aren't waiting for lawmakers. The Mercury News reported:

"... a class-action suit accusing the Sunnyvale tech firm of putting their finances at risk and failing to notify them earlier about the breach. “While investigating another potential data breach, Yahoo uncovered this data breach, dating back to 2014,” the lawsuit, filed Thursday in U.S. District Court in San Diego, said. “Two years is unusually long period of time in which to identify a data breach.” On Friday in U.S. District Court in San Jose, a second class-action suit was filed over the hack. Plaintiff Ronald Schwartz, of New York, claims his personal information was stolen. His suit calls Yahoo’s treatment of users’ data “grossly negligent” and alleges that circumstantial evidence indicates “Yahoo insiders” knew of the breach “long before it was disclosed.”"

Reportedly, one of the plaintiffs has already experienced financial fraud as a result of identity theft from the data breach.


Yahoo Confirms Massive Data Breach. Unclear If Users At Its Outsourcing Clients Were Also Affected

After reports about a rumored announcement, Yahoo confirmed late on Thursday a massive data breach affecting half a billion users -- 500 million persons. Yahoo believes the breach was performed by a "state-sponsored actor."

Data elements exposed and stolen during the breach include full names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers. The breach dated back to 2014. This is very serious, and by far the largest breach ever. The data elements stolen facilitate spam and a variety of scams; plus access to email contacts such as clients, customers, and patients.

Yahoo's breach announcement stated:

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter..."

Yahoo is in the process of notifying affected persons. Affected users should change their passwords, security questions, and answers.

The breach announcement did not state if users at outsourcing clients were affected. Other companies and entities can outsource their e-mail services to Yahoo, or to other e-mail providers offering similar services. One such company appears to be AT&T. The "AT&T Email Basics" page (see image below) references a co-branded AT&T-Yahoo website for AT&T customers to check their e-mail.

Image: AT&T Email Basics page references Yahoo site for email.

I reached out to AT&T for a comment. A reply was not received by press time. If its email users were affected by the breach, then those users will probably want to know who is going to assist them, and what assistance will be offered.

Given the pending acquisition of Yahoo by Verizon, several AT&T customers already discussed in an online forum concerns about what might happen to their e-mail service operated by a competitor. (Verizon said on Thursday it learned about the breach two days ago.) If users at outsourcing clients were also affected by the breach, then this might add to their uncertainty.

If you received a breach notice from Yahoo, what is your opinion of the response?


Viking River Cruises Ship Collides With Bridge Killing 2 Crew Members

Image: View of the top deck of a Viking ship with the wheelhouse in the up position.

Earlier this week, Viking River Cruises announced that one of its ships struck a bridge Sunday while sailing the Rhine-Main-Danube Canal in Germany:

"Viking Freya experienced an accident in Erlangen, Germany early Sunday morning. Viking Freya’s wheelhouse collided with the bridge in Erlangen. Two crew members of the ship were in the wheelhouse and died as a result of injuries sustained during the collision. No other crew members or guests were injured, and all guests have been transported to local hotels..."

Image: View of lowered handrails and partially lowered wheelhouse on a Viking ship.

The above photo shows the top deck of another Viking ship with the wheelhouse in the "up" position. For low bridge clearances, the wheelhouse lowers inside the ship. Also, the crew lowers all railings on the top deck, and passengers are prohibited from that area. The photo on the left shows lowered handrails and a partially lowered wheelhouse.

The Metro UK reported (with photos) that the ship struck the bridge about 1:30 AM. The two crew members killed were from Hungary. None of the 181 passengers were injured. All passengers and 49 crew members were transferred to local hotels. Passengers were able to board another Viking ship in Passau, Germany to continue their journey to Budapest. While the Viking Freya is out of service for repairs, the Viking Bestia ship will substitute for future 2016 sailings.

During my Viking cruise in September 2014 from Amsterdam to Budapest, I noticed that there wasn't much clearance under some bridges; perhaps 5 to 7 feet between the top deck and the bottom of several bridges. See the photo below.

Image: View of low clearance between a Viking ship and a bridge.

Clearly, something went awfully wrong on the Freya. This was terrible, sad news.


Wells Fargo Bank Fined $185 Million For Unlawful Sales Practices. Questions Remain

Last week, the Consumer Financial Protection Bureau (CFPB) announced a settlement agreement where Wells Fargo will pay $185 million in fines for alleged unlawful sales practices during the past five years. While many news outlets have reported about the fines and fired employees, many unanswered questions remain.

The CFPB announcement described how the fraud worked:

"Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly opening accounts and funding them by transferring funds from consumers’ authorized accounts without their knowledge or consent, often racking up fees or other charges... thousands of Wells Fargo employees illegally enrolled consumers in these products and services without their knowledge or consent in order to obtain financial compensation for meeting sales targets..."

To carry out the unlawful activities, employees allegedly created bogus e-mail accounts, and both issued and activated debit cards associated with the secret accounts. Employees also created PINs without customers' knowledge or consent:

"... employees opened roughly 1.5 million deposit accounts that may not have been authorized by consumers. Employees then transferred funds from consumers’ authorized accounts to temporarily fund the new, unauthorized accounts. This widespread practice gave the employees credit for opening the new accounts, allowing them to earn additional compensation and to meet the bank’s sales goals... employees applied for roughly 565,000 credit card accounts that may not have been authorized by consumers. On those unauthorized credit cards, many consumers incurred annual fees, as well as associated finance or interest charges and other fees..."

The Consent Order (Adobe PDF) described the unlawful sales activities in greater detail:

"[Wells Fargo's] analysis concluded that its employees opened 1,534,280 deposit accounts that may not have been authorized and that may have been funded through simulated funding, or transferring funds from consumers’ existing accounts without their knowledge or consent. That analysis determined that roughly 85,000 of those accounts incurred about $2 million in fees, which [Wells Fargo] is in the process of refunding... [Wells Fargo's] analysis concluded that its employees submitted applications for 565,443 credit-card accounts that may not have been authorized by using consumers’ information without their knowledge or consent. That analysis determined that roughly 14,000 of those accounts incurred $403,145 in fees, which Respondent is in the process of refunding. Fees incurred by consumers on such accounts included annual fees and overdraft-protection fees, as well as associated finance or interest charges and other late fees..."

The numbers are shocking: 1.5 million secret checking accounts created; $2 million in fees generated by 85,000 of those secret checking accounts; 565 thousand secret credit-card accounts; $403 thousand in fees generated by 14,000 of those secret credit-card accounts; and 5,300 employees fired due to the unlawful sales activities.

The Consent Order also stated:

"... (3) enrolled consumers in online banking services that they did not request... 12. Respondent’s employees used email addresses not belonging to consumers to enroll consumers in online-banking services without their knowledge or consent..."

This suggests that the employees knowingly attempted to circumvent the bank's internal systems designed to provide alerts and confirmation messages to customers about new accounts, and perhaps targeted customers who weren't Internet-savvy or were perceived to be less likely to notice changes. That raises ethical issues. Also, 12 percent of consumers are "under-banked," the industry term for people who have a bank account but do not have both savings and checking accounts (and use some other payment method outside the banking system). If that ratio applies to the bank's customers, then this group was targeted, too. About 43 percent of consumers with both smartphones and bank accounts use online banking services. So, the 57-percent group of non-users was targeted, too.

Terms of the settlement agreements require the bank to pay full restitution to all victims, pay a $100 million fine to the CFPB’s Civil Penalty Fund, hire an independent consultant to review its procedures to prevent improper sales practices, pay a $35 million penalty to the Office of the Comptroller of the Currency (OCC), and pay $50 million to the City and County of Los Angeles. Additional terms require the bank to hire within 45 days of the Consent Order a consultant to independently audit the bank's processes.

Within 180 days after hiring a consultant, a written report reviewing the bank's processes must be submitted to the bank's board of directors. Within 90 days after that, the Board and consultant must develop a compliance plan to correct problems and explain why each action in the plan is accepted or rejected. The compliance plan must be submitted to the CFPB for review.

The settlement terms suggest that the bank's internal controls were unreliable, that employees and management were unreliable, or both. Context matters.

During the past five years while the unlawful sales activities occurred, Wells Fargo paid in 2011 an $85 million civil penalty to settle allegations that its employees steered potential prime borrowers into more costly subprime loans and separately falsified income information in mortgage applications. In 2015, Wells Fargo was one of four banks that paid $2.7 million to settle allegations of violations of Massachusetts foreclosure law and the Massachusetts Consumer Protection Act by illegally foreclosing upon Massachusetts residents’ homes when the banks lacked the legal authority to do so. Last month, the bank was fined $3.6 million for illegal practices while servicing private student loans.

Some customers noticed the unauthorized accounts, complained, and have moved their money to other banks or to credit unions. Wells Fargo issued a statement which said it had already prepared $5 million to refund to customers:

"The amount of the settlements, which Wells Fargo had fully accrued for at June 30, 2016, totaled $185 million, plus $5 million in customer remediation... Wells Fargo is committed to putting our customers’ interests first 100 percent of the time, and we regret and take responsibility for any instances where customers may have received a product that they did not request. Our commitment to addressing the concerns covered by these agreements has included:
- An extensive review by a third party consulting firm going back into 2011, which we completed prior to these settlements. The review included consumer and small business retail banking deposit accounts and unsecured credit cards opened during the period reviewed;
- As a result of this review, $2.6 million has been refunded to customers for any fees associated with products customers received that they may not have requested. Accounts refunded represented a fraction of one percent of the accounts reviewed, and refunds averaged $25;
- Disciplinary actions, including terminations of managers and team members who acted counter to our values;
- Investments in enhanced team-member training and monitoring and controls;
- Strengthened performance measures that are tied to customer satisfaction, loyalty and ethics; and
- Sending customers a confirming email within one hour of opening any deposit account, and sending an application acknowledgement and decision status letter after submitting an application for a credit card.”

That last item is troubling. It suggests that the bank's existing processes didn't provide confirmation emails within one hour, or did so inconsistently, or failed to do so entirely. Both traditional and online banking customers deserve prompt, consistent confirmation notices. This suggests that the bank's system may not be state-of-the-art.

During my career, I built websites in a variety of industries, including financial services, with usability best practices. Well-built sites (and apps): a) provide immediate, consistent confirmation emails and messages, b) provide postal confirmations for customers without email or online banking services, c) send confirmation emails to both the new and the old email address when there are changes, d) display confirmation messages (about any profile changes) to online customers after sign-on, and e) provide online customers with the option to consolidate multiple accounts (e.g., mortgage, educational loan, checking, savings, money market, credit line, credit card, etc.) under a single sign-on.

If the bank's online site and systems contained these tasks and features but were deactivated, then it suggests broader problems beyond the sales department. If the tasks weren't built or were partially built, then hopefully the compliance report and/or the CFPB review will address them.

Kudos to the CFPB, the OCC, and local Los Angeles government for holding Wells Fargo accountable; and for a correction plan with a detailed schedule and deadlines. It seems unwise to trust the bank to correct things on its own. Yet, many questions remain unanswered:

  1. For what other tasks in the user experience (e.g., new account, new/edited/additional email address, new/edited account profile elements, etc.) did the bank's systems fail to provide prompt, consistent confirmation messaging to customers (e.g., traditional offline, online banking)?
  2. How exactly did these illegal sales activities and secret accounts go undetected for so long?
  3. What was the average lifespan of a secret account? Were they permanent? Or were they temporary -- open long enough for employees to collect the compensation, and then closed? If the latter, it is disturbing how internal systems failed to notice the account churn.
  4. What percentage of the fired employees were managers? And, will more employees be fired?
  5. Will the bank "claw back" bonuses from employees (e.g., fired, still employed) who benefited from the unlawful sales activities? And why or why not?
  6. Were any fired employees prosecuted? And why or why not?
  7. The restitution amounts seem to focus only upon fees. If the bank's employees transferred customers' money out of interest-bearing accounts to set up the secret credit card and checking accounts, then some customers lost interest. This seems likely since we know that 12 percent of consumers are under-banked (e.g., have a checking or savings account, but not both). Did the bank conduct a forensic audit to determine the affected customers and lost interest amounts? That could be substantial over five years with compounding. Then, the $5 million restitution amount set aside would be insufficient.
  8. Are any of the fines tax deductible? Prior wrongdoing by banks often resulted in fines that were tax deductible. This meant the banks wrote off the fines to decrease their taxes, and taxpayers took it on the chin to make up any tax revenue shortfalls. That's not right, since taxpayers didn't commit any unlawful acts.
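The post describes two controls a bank's systems should have had: confirmation notices that reach the account holder whenever contact details change (items a through c of the usability list above), and internal monitoring that would notice enrollment emails not belonging to customers and short-lived "churned" accounts (questions 2 and 3). The following is an added example, not code from the post or from Wells Fargo's or the CFPB's systems, showing both in Python: `confirmation_messages` returns the notices a contact-email change should generate (the old and the new address both hear about it, and a postal letter goes out when no email was on file), and the `flag_*` functions run a review pass over account-opening records that reports enrollment emails shared across distinct customers and, per employee, the share of accounts closed within a window of opening. Every name, field and sample record is constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    """Hypothetical account-opening record (constructed for this example)."""
    account_id: str
    customer_id: str
    opened_by: str            # employee id of the person who opened it
    enrollment_email: str     # email used to enroll the customer online
    opened: date
    closed: Optional[date] = None


def confirmation_messages(customer_id: str, old_email: Optional[str],
                          new_email: str, postal_address: str) -> List[dict]:
    """Notices a contact-email change should trigger.

    The new address is always told. If a previous address existed, it is
    told too, so the real owner learns when someone swaps in an address
    they control. With no email on file, a postal letter is sent instead.
    """
    notices = [{"channel": "email", "to": new_email, "customer": customer_id}]
    if old_email is None:
        notices.append({"channel": "postal", "to": postal_address,
                        "customer": customer_id})
    elif old_email.lower() != new_email.lower():
        notices.append({"channel": "email", "to": old_email,
                        "customer": customer_id})
    return notices


def flag_reused_emails(accounts: List[Account]) -> Dict[str, Set[str]]:
    """Enrollment emails attached to more than one distinct customer.

    One address enrolled for several unrelated customers is the pattern
    behind "email addresses not belonging to consumers" in the Consent Order.
    """
    owners: Dict[str, Set[str]] = defaultdict(set)
    for acct in accounts:
        owners[acct.enrollment_email.lower()].add(acct.customer_id)
    return {email: custs for email, custs in owners.items() if len(custs) > 1}


def flag_churned_accounts(accounts: List[Account], max_days: int = 60) -> List[str]:
    """Ids of accounts closed within max_days of being opened."""
    return [acct.account_id for acct in accounts
            if acct.closed is not None and (acct.closed - acct.opened).days <= max_days]


def employee_churn_rate(accounts: List[Account], max_days: int = 60) -> Dict[str, float]:
    """Per employee, the fraction of accounts they opened that churned.

    A high ratio for one opener, against a low baseline, is the kind of
    signal a sales-practice monitor would escalate for review.
    """
    churned = set(flag_churned_accounts(accounts, max_days))
    opened: Dict[str, int] = defaultdict(int)
    hits: Dict[str, int] = defaultdict(int)
    for acct in accounts:
        opened[acct.opened_by] += 1
        if acct.account_id in churned:
            hits[acct.opened_by] += 1
    return {emp: hits[emp] / opened[emp] for emp in opened}


# Constructed sample records: employee E2 enrolls two different customers
# with the same email and closes both accounts within a month.
SAMPLE_ACCOUNTS = [
    Account("A1", "C1", "E1", "c1@example.com", date(2016, 1, 10)),
    Account("A2", "C2", "E2", "shared@example.com", date(2016, 2, 1), date(2016, 2, 20)),
    Account("A3", "C3", "E2", "Shared@example.com", date(2016, 2, 3), date(2016, 3, 1)),
    Account("A4", "C4", "E2", "c4@example.com", date(2016, 2, 10)),
    Account("A5", "C5", "E1", "c5@example.com", date(2016, 3, 1), date(2016, 9, 1)),
]


if __name__ == "__main__":
    print("reused emails:", flag_reused_emails(SAMPLE_ACCOUNTS))
    print("churned accounts:", flag_churned_accounts(SAMPLE_ACCOUNTS))
    print("churn rate by employee:", employee_churn_rate(SAMPLE_ACCOUNTS))
    print("notices on email change:",
          confirmation_messages("C1", "old@example.com", "new@example.com", "1 Main St"))
```

The review functions only report; deciding what counts as suspicious (the 60-day window, the reuse threshold) is a policy question, which is why they take the thresholds as parameters rather than hard-coding them.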

What are your opinions? If you are a Wells Fargo customer, what was your experience? What questions do you have?


Proposed Legislation in Michigan For Driverless Cars

The Stanford Center For Internet & Society (CIS) analyzed several draft driverless-car bills under consideration by legislators in Michigan. The analysis highlighted the issues and inconsistencies in the proposed legislation. First, the good news. While SB 995 repeals existing laws that ban driverless cars, it:

"... would return Michigan law to flexible ambiguity on the question of the legality of automated driving in general. The bill probably goes even further by expressly authorizing automated driving: It provides that "[a]n automated motor vehicle may be operated on a street or highway on this state," and the summary of the bill as reported from committee similarly concludes that SB 995 would "[a]llow an automated motor vehicle to be operated on a street or highway in Michigan." (This provision is somewhat confusing because it would be added to an existing statutory section that currently addresses only research and testing and because it would seem to subvert many restrictions on research tests and "on-demand automated motor vehicle networks.") Regardless, this bill would also exempt groups of closely spaced and tightly coordinated vehicles from certain following-distance requirements that are incompatible with platooning."

Platooning is a method for several driverless vehicles to operate together on highways with less space between them than would otherwise be required. Advocates claim this maximizes the capacity of highways. What does this mean for safety? Do consumers want platooning? Can drivers opt out? If platooning is allowed, then the driverless vehicle you ultimately buy must be outfitted with that software feature.

The drawbacks of the draft legislation:

"... The currently proposed language could mean that automated driving is lawful only in the context of research and development and "on-demand motor vehicle networks." Or it could mean that automated driving is lawful generally and that these networks are subject to more restrictive requirements. It could mean that any company could run a driverless taxi service, including motor vehicle manufacturers that might otherwise face unrelated and unspecified legal impediments. Or it could mean that a company seeking to run a driverless taxi service must partner with a motor vehicle manufacturer -- or that such a company must at least purchase production vehicles, the modification of which might then be restricted by SB 927 and 928 (see below). It could also mean that municipalities could regulate and tax only those driverless taxi services that do not involve a manufacturer..."

And:

"... SB 995 and 996 understandably struggle to reconcile an existing vehicle code with automated driving. Under existing Michigan law, a "driver" is "every person who drives or is in actual physical control of a vehicle," an "operator" is "a person, other than a chauffeur, who "[o]perates" either "a motor vehicle" or "an automated motor vehicle," and "operate" means either "[b]eing in actual physical control of a vehicle" or "[c]ausing an automated motor vehicle to move under its own power in automatic mode," which "includes engaging the automated technology of that automated motor vehicle for that purpose." The new bills would not change this language, but they would further complicate these concepts in several ways..."

I encourage you to read the long list of complications in the CIS analysis. Another key issue:

"Consider the provision that "an automated driving system ... shall be considered the driver or operator ... for purposes of determining conformance to any applicable traffic or motor vehicle laws." This provision says nothing about who or what the driver is for purposes of determining liability for a violation of those laws, particularly when there is no crash. SB 996 does provide that "a motor vehicle manufacturer shall assume liability for each incident in which the automated driving system is at fault," subject to the state's existing insurance code..."

The proposed legislation is important for several reasons. Besides platooning and the list of complications, it decides: a) which types of companies can operate driverless-car networks, b) who is liable and under what conditions, and c) who can repair driverless cars. All items affect consumers' rights. A narrow definition of "A" (e.g., only automakers) would mean fewer competitors, and probably higher prices due to a lack of competition. Similarly, a narrow definition of "C" could mean fewer options and choices for consumers, with higher repair prices. Liability must be clear for instances when a driverless vehicle violates road laws, and especially when there is a crash and/or fatality.

Consistency and clarity matter, too. The final legislation and definitions also should be forward-thinking. It's not just driverless vehicles but also remotely-operated vehicles. Companies want remotely-operated ships on the oceans, and remotely-operated trucks are already used off-road for mining purposes. It seems wise to anticipate that off-road use will probably migrate to roads and highways.

Clearly, the proposed legislation in Michigan is not ready yet for prime time. This topic definitely bears monitoring.


Oklahoma Closes 37 'Disposal Wells' After Quake. Report Listed Susceptible Areas In 6 States

During the holiday weekend, CNN reported:

"Five months before Saturday's 5.6 magnitude temblor in central Oklahoma, government scientists warned that oil and natural gas drilling had made a wide swath of the country more susceptible to earthquakes.

The U.S. Geological Survey (USGS), in a March report on "induced earthquakes," said as many as 7.9 million people in parts of Kansas, Colorado, New Mexico, Texas, Oklahoma and Arkansas now face the same earthquake risks as those in California. The report found that oil and gas drilling activity, particularly practices like hydraulic fracturing or fracking, is at issue... Saturday's earthquake spurred state regulators in Oklahoma to order 37 disposal wells, which are used by frackers, to shut down over a 725-square mile area... The quake that struck Saturday is at least the second of its size to affect central Oklahoma since 2011."

What are "disposal wells?" A variety of activities produce waste stored using "Class I Disposal Wells:" petroleum refining, metal production, chemical production, pharmaceutical production, commercial disposal, food production, and municipal wastewater treatment. According to the U.S. Environmental Protection Agency (EPA), these Class I wells are further categorized into four types: municipal, non-hazardous, hazardous, and radioactive. The EPA site also explains the other Classes of wells: II, III, IV, V, and VI.

So, a lot of industries besides fracking pump liquids into the ground -- deep into the ground; both to extract resources and to deposit waste.

Given the earthquake activity, the closed wells, and damage to business and residential properties, it seems wise to read the March 2016 report by the USGS, which discussed the risks and potential for damage from both natural and induced earthquakes:

"The most significant hazards from induced seismicity are in six states, listed in order from highest to lowest potential hazard: Oklahoma, Kansas, Texas, Colorado, New Mexico and Arkansas. Oklahoma and Texas have the largest populations exposed to induced earthquakes."

So, that's a list you wouldn't want to see mention your state. Nor would you want to see your state at the top of the list. The USGS report included maps highlighting specific areas with risks ranging from less than one percent to a 12 percent probability. The report also stated:

"In the past five years, the USGS has documented high shaking and damage in areas of these six states, mostly from induced earthquakes... the USGS Did You Feel It? website has archived tens of thousands of reports from the public who experienced shaking in those states, including about 1,500 reports of strong shaking or damage... In developing this new product, USGS scientists identified 21 areas with increased rates of induced seismicity. Induced earthquakes have occurred within small areas of Alabama and Ohio but a recent decrease in induced earthquake activity has resulted in a lower hazard forecast in these states for the next year. In other areas of Alabama and small parts of Mississippi, there has been an increase in activity, and scientists are still investigating whether those events were induced or natural."

Let's unpack this. First, risk varies based upon where you live. Second, risk varies with time. The USGS risk models include both one-year and 50-year outlooks. So, the risk in an area may be low during the coming year, but very different (e.g., higher) when considering what might happen during the next 50 years. That sounds a lot like floods. A huge, devastating flood may not happen often -- perhaps once every 50 or 100 years -- but when it does, the damage and costs are considerable. Third, you don't need to live near or adjacent to a well to be affected.

Below is the USGS map with 21 susceptible areas:

[Figure: USGS map with seismic activity during 1980 to 2015]

Note the areas named: Alice, Ashtabula, Brewton, Cogdell, Dagger Draw, El Dorado, Fashing, Greeley, Irving, North-Central Arkansas, North Texas, Oklahoma-Kansas, Paradox Valley, Perry, Raton Basin, Rangely, Rocky Mountain Arsenal, Sun City, Timpson, Venus, and Youngstown. The USGS advises persons living in areas with higher earthquake risks to learn how to prepare, and to visit FEMA's Ready Campaign website.

A USGS report in 2015 titled, "6 Facts About Human-Caused Earthquakes" described the types of human activities:

"Injecting fluid underground can induce earthquakes, a fact that was established decades ago by USGS scientists. This process increases the fluid pressure within fault zones, essentially loosening the fault zones and making them more likely to fail in an earthquake... even faults that have not moved in historical times can be made to slip and cause an earthquake... There are several purposes for injecting fluid underground. The three main reasons are wastewater injection, hydraulic fracturing and enhanced oil recovery. Within the United States, each of these three activities has induced earthquakes to varying degrees in the past few years. All three types of wells used for these purposes are regulated under the Safe Drinking Water Act with minimum standards set by the U.S. Environmental Protection Agency. Additional regulations vary by state and municipality. Other purposes for injecting fluid underground include enhanced geothermal systems and geologic carbon sequestration."

That same report also mentioned this:

"Fact 5: Induced seismicity can occur at significant distances from injection wells and at different depths. Earthquakes can be induced at distances of 10 miles or more away from the injection point and at significantly greater depths than the injection point."

So, to be affected you don't have to live near or adjacent to a disposal well or injection point. Alert readers will notice that the EPA's classification system for wells and injection points largely mirrors the different types of human activities... which really seem to be mostly corporate activities.

Do you live in or near one of the 21 areas? What are your opinions?


4 States Strengthen Their Breach Notification Laws

The National Law Review summarized breach notification laws strengthened in four states: Nebraska, Nevada, Rhode Island, and Tennessee. The stronger laws include several changes: expanded definitions, encryption, requirements to notify the state's attorney general, and requirements to notify affected persons within forty-five (45) days.

Several states expanded their definitions of "personal information" to better protect consumers:

"Nevada now includes in its definition of “personal information” a medical identification number, a health insurance identification number, and a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account. Similarly, Rhode Island now counts as “personal information” any medical information, health insurance information, and an email address in combination with any required security code, access code or password that allows access to an individual’s personal, medical, insurance or financial account..."

Some of the expanded definitions made by Tennessee:

"Tennessee broadened its definition of “unauthorized persons” to include an employee of a covered entity who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. Tennessee also removed the word “unencrypted” from its definition of “Breach of the security system” in order to ensure that partial encryption of compromised personal information does not evade the statute."

Read the rest of the changes in the National Law Review article.


Google Pays $5.5 Million To Settle Lawsuit Alleging Safari Browser Privacy Abuses

Last week, Google settled a long-running class-action lawsuit by agreeing to a $5.5 million payment for ignoring the privacy settings used by Safari browser users. Silicon Beat reported:

"The lawsuit arose out of the 2012 discovery by a Stanford researcher that Google had used a workaround to track Safari users’ web browsing habits. Apple, which owns Safari, had built into it privacy controls that blocked certain cookies, small files that store information that can identify users or track their activities. Google used the improperly harvested user data to dramatically boost ad revenue, the lawsuit suggested. “Behaviorally targeted advertisements based on a user’s tracked internet activity generally sell for at least twice as much as non-targeted, run-of-network ads,” the suit said."

Fortune Magazine reported:

"After Google’s practice came to light, the company agreed to pay $17 million to state attorneys general over privacy violations, and another $22.5 million to the Federal Trade Commission for violating the terms of an earlier settlement. In both cases, Google denied any wrong-doing—an outcome an FTC Commissioner then described as “inexplicable.”"

According to the settlement agreement:

"Plaintiffs centrally allege in the Complaint that Defendant Google circumvented Plaintiffs' Safari and Internet Explorer and defeated the default cookie settings of such browsers in violation of federal and state laws. More particularly, Plaintiffs allege that when Plaintiffs and Class Members visited a website containing an advertisement placed by certain Defendants in this case, tracking cookies were placed on Plaintiffs' computers that circumvented Plaintiffs' and Class Members' browser settings that blocked such cookies... The Settlement Class consists of all persons in the United States of America who used the Apple Safari or Microsoft Internet Explorer web browser and who visited a website from which a Doubleclick.net (Google's advertising serving service) from which cookies were placed by the means alleged in the Complaint..."

The terms of the settlement agreement require Google to make payments to counsel and to several nonprofit technology and privacy advocacy groups (instead of class members): the Berkeley Center for Law & Technology, the Berkman Center for Internet & Society at Harvard University, the Center for Democracy & Technology (Privacy and Data Project), Privacy Rights Clearinghouse, and the Center for Internet & Society at Stanford University (Consumer Privacy Project).

The technology giant paid $7 million in 2013 to 38 states to settle unauthorized wireless data collection by Google Streetview cars. Also in 2013, the company admitted its Android operating-system software included code by the NSA. In 2015, Google's holding company dropped the "Don't be evil" motto.

Do no wrong? Apparently, that ship has sailed and isn't returning. "Catch us if you can" might be a more accurate motto.