California AG Issues Report With Privacy Guidelines For Mobile App Developers

Earlier this monthy, California Attorney General Kamala D. Harris issued privacy guidelines for mobile app developers and other companies in the mobile industry to better protect consumers. The new guidelines are part of the State's Privacy Enforcement and Protection Unit. Why the California AG devloped these guidelines:

"... 85 percent of American adults have a cell phone, 45 percent a smart phone, 61 percent a laptop, 25 percent a tablet computer, and 18 percent an e-book reader. Over half of adult cell phone owners use the Internet on their phones, twice the rate in 2009. And nearly one third of cell owners report that their phone is the primary, or only, way they access the Internet... there are more than a million apps available on the primary mobile platforms, and more than 1,600 new apps are added daily... many mobile apps did not provide users with privacy policy statements at all..."

And, experts expect millions of consumers will be affected by mobile threats and mobile malware. This is not a surprise since mobile devices uniquely combine several types of valuable information on a single computer: personal and business email, business documents, personal and business contacts, calling history, text messages, passwords for social networking sites, video, photos, audio, browser history, app history, and your GPS locations by date and time.

The general guidelines:

"For App Developers:
1. Start with a data checklist to review the personally identifiable data your app could collect and use it to make decisions on your privacy practices.
2. Avoid or limit collecting personally identifiable data not needed for your app's basic functionality.
3. Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users.
4. Use enhanced measures -- "special notices" or the combination of a short privacy statement and privacy controls -- to draw users' attention to data practices that may be unexpected and to enable them to make meaningful choices.

For App Platform Providers:
1. Make app privacy policies accessible from the app platform so that they may be reviewed before a user downloads an app.
2. Use the platform to educate users on mobile privacy.

For Mobile Ad Networks:
1. Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.
2. Have a privacy policy and provide it to the app developers who will enable the delivery of targeted ads through your network.
3. Move away from the use of interchangeable device-specific identifiers and transition to app-specific or temporary device identifiers.

For Operating System Developers:
Develop global privacy settings that allow users to control the data and device features accessible to apps.

For Mobile carriers:
Leverage your ongoing relationship with mobile customers to educate them on mobile privacy and particularly on children's privacy."

For each general guideline, the document contains specifics. California led the nation with data breach notification laws to inform and protect consumers. The new guidelines, while not legally binding, are consistent with this leadership.

Items I hoped the guidelines would have contained, but didn't:

• Don't build apps that upload consumers' entire address books. You don't need all of their information. You may want it, but you don't need it. A small porton of their contacts use your app.
• Data plan consumption estimates. Auto manufacturers provide consumers with mileage estimates (e.g., city, highway) for their products. App developers should provide similar estimates (e.g., low use, high use) if their apps are bandwidth hogs or operate frequently in the background
• Use plain English whenever possible for privacy statements and terms of usage statements
• Streamline and consolidate privacy statements whenever possible. Currently, consumers must read and wade through at least six privacy statements
• Be transparent and explicit about how you treat metadata with documents, videos, and photos. Consumers have a right to know what metadata elements you use, delete, and add to their assets.
• Be transparent and explicit with the list of affiliates or partners you share consumers' personal information with. That includes cloud vendors.
• Be explicit about the assistance (if any) you provide uses when your app is hacked, or when the transacton flow that supports your app is hacked.
• For additional services, consumers must opt in and register. Don't auto include consumers
• Guidelines for banks. Some banks develop apps and are covered. Others are part of the transaction flow that enables the app (e.g., payments)

Download the "Privacy On The Go" report (Adobe PDF, 2.27 Mbytes) by the California Attorney General.

Lawsuit Claims Instagram Performed Data Collection, Retention, And Tracking Via Its Mobile App Without Notice Or Users Consent

While Instagram, the popular photo-sharing website, made a fast retreat last month after releasing new Terms of Service and Privacy policies, it appears that there are more issues. During the holidays last month, a class-action lawsuit was filed against Instagram claiming unauthorized data collection, retention, and tracking via the photo sharing site's mobile app.

The complaint alleges that Instagram uploaded via its mobile app users' entire address books, accessed and modified both the geolocation and meta data in users' photos uploaded, collected and stored users' fine geolocation data, accessed users' data stored within Amazon-provided cloud-based services, and distributed users' sensitive personal data to third-party companies without notice nor consent. The complaint alleged that Instagram:

"... used Plaintiff's and Class Members' computing devices to access, use, disclose, retain, and store personal information ("PI"), personal identifying information ("PII"), and/or sensitive identifying information ("SII") derived in whole, or part, from Plaintiff and Class members' computing devices' contact address book, aggregating such data derived from the unauthorized access to, and use of Plaintiff and Class members' photo metadata, for purposes not granted..."

There is more. The complaint also states that the plaintiffs:

"... were unaware of the harm that would be imposed... including use, retention, and storage of their computing devices contact address data, installation of geo-tags for tracking, the misappropriate of their Mobile Device resources and bandwith... [the plaintiffs] had not knowledge that contact book data was obtained and stored on Defendant's servers and/or third-party servers, such as on Amazon EC2's remote servers and was stored in an unreasonably insecure manner contrary to accepted standards... [the plaintiffs] did not consent to having their data collected by Defendant. Had [the plaintiffs} known of Defendant's practices, they would not have downloaded its app..."

Of course, mobile apps that consume large amounts of consumers' data plan minutes are undesirable, and consumers should be provided with warnings by these apps. The suit was filed December 27, 2012 in Northern California District Court by attorneys Parisi & Havens LLP, Strange and Carpenter LLP, and the Law Office of Joseph H. Malley, P.C.. Recently, Facebook purchased Instagram in 2012 for $1 billion.

While reading the complaint, I recognized Malley's name, since he is often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, these attorneys know what they are doing.

For the lead plaintiff, Steven Gutierrez, the alleged data collection, retention, and tracking by Instagram affected his minor child and warnings weren't timely enough for consumers who registered and installed the Instagram app early on:

"... ignoring the intent of [the plaintiffs] that used Defendant's application to up upload and/or take photos using Defendant's application and also creating a digital dataset, link to their exact location, posted to a publicly accessible form that revealed their exact fine GPS settings, violating not only their privacy rights, but also posing a security risk, as evidenced by Plaintiff Steven Gutierrez, with his one year old daughter, pictured above, that included within the photo's metadata, the exact location where the picture was taken, his home, and a detailed map of the home's exact location... Defendant failed to adequately disclose, or obtain permission for such activities, evidenced by failing to provide a Terms of Service or Privacy Policy within its application or website for a period in excess of a year after its initial operation... Defendant's access to, deletion, modification, and use of Plaintiff and Class Members' metadata within their photos, was without notice or authorization, and is evidenced by an analysis of the photo metadata at various stages. In order to view such activity, a software program is required, such as the one at [Jeffrey's EXIF Viewer]... Defendant's alteration of the digital content's metadata, in addition to the inclusion of fine GPS actual coordinates, provided a Unique Identifier..."

Photo metadata includes a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata, a company can tell a lot about you, your purchases, and your lifestyle.

If Instagram adds fine geolocation data to photos after upload, then this is very troubling. For privacy reasons and safety, many consumers turn off the camera setting on their smart phones that automatically adds GPS data to each photo and video taken. By re-adding this geolocaton data later to photos/videos uploaded, Instragram is overriding and ignoring users' privacy choices, and enabling tracking of consumers in the real world.

The complaint is rich with detail. Of course it provides background information on the Instagram service, its mobile apps, and usage terms/policy. The complaint also includes information about the public outcry about the new usage terms/policy which it later reversed, smart phone technologies, online tracking, cloud computing, photo metadata, and U.S. Congressional correspondence about app privacy. About the data collection, the complaint states:

"Defendant did not deny it had obtained Plaintiff's and Class Members' contact address data, but attempted to diminish the impact of its public relations nightmare by providing an immediate "Mea Culpa," of sorts, staying out of the press, and quietly adding a new pop-up requesting user authority to obtain contact address data information all users... Defendant's public response that it's activities were a common practice was without merit upon review of the app store guidelines..."

For consumers, letting mobile apps upload your entire address book is a bad idea for several reasons. First, the contact data is valuable to spammers and identity criminals because both issue fake messages (e-mail or text) pretending to be a relative or friend to trick consumers to making payments or disclosing other sensitive data. Second, many consumers use their smart phones for both business and pleasure. That means, the data collected contains valuable business contacts, useful to both advertisers and spies -- a corporate espionage risk.

I really like how the complaint describes in great detail the damages with specific dollar amounts for affected smart phone users. The lawsuit also highlights the issue of who ultimately controls image (e.g., photograph, video) metadata -- the consumer or the social networking service.

View the Gutierrez et. al. vs Instagram Inc. complaint (Adobe PDF, 1.8 Mbytes). Learn more about:

• Amazon Web Services
• How Facebook handles photo metadata
• A new web app by students at Rutgers University that combines Google Street View with GPS metadata from photos uploaded to Instagram to track where photos were taken

6 States Now Ban Employers From Snooping On Your Social Networking Accounts

NBC News reported on Tuesday that six states now have laws making it illegal for employers to request login credentials (e.g., ID and password) to your social networking accounts. The states include California, Delaware, Illinois, Maryland, Michigan, and New Jersey.

The laws in California and Illinois went into effect on January 1, 2013. In the Spring of 2012, Maryland was the first state to ban employers from accessing consumers' social networking accounts.

Congratulations to lawmakers in these states for passing sensible legislation. If you live in a state doesn't have such a law, contact your elected officials today and demand action.

California AG Files Lawsuit Against Delta Airlines For Mobile App

Earlier this month, the California Attorney General (AG) announced a lawsuit against Delta Airlines regarding the company's mobile app for failing to comply with the state's Online Privacy Protection Act:

"The complaint alleges that since at least 2010, Delta has operated a mobile app called “Fly Delta” for use on smartphones and other electronic devices. The Fly Delta app may be used to check-in online for an airplane flight, view reservations for air travel, rebook cancelled or missed flights, pay for checked baggage, track checked baggage, access a user’s frequent flyer account, take photographs, and even save a user’s geo-location. Despite collecting substantial personally identifiable information such as a user’s full name, telephone number, email address, frequent flyer account number and pin code, photographs, and geo-location, the Fly Delta application does not have a privacy policy."

In November of this year, the California Attorney General's office notified several mobilde device app developers that their apps were in violation of the state's privacy law. The consequences for a non-compliant app includes $2,500 for each violation.

California Attorney General Notifies Developers Of Mobile Apps In Violation Of State Privacy Laws

Earlier this week, the State Of California Attorney General (AG), Kamala Harris, announced that her office had begun notifying mobile device app developers that were in violation of state privacy laws:

"The companies were given 30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. Letters will be sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms."

Last week, the California AG had notified United Airlines about its mobile app. Other companies warned include Delta Air Lines and OpenTable Inc..

The letters are part of enforcement of the California Online Privacy Protection Act, which requires operators of online services (e.g., mobile device apps and apps at social networking sites) that collect personally identifiable information from California residents to conspicuously post a privacy policy. Operators not in compliance face fines of up to $2,500 for each download of a non-compliant app.

Reportedly, non-compliant app developers and app store operators could also be prosecuted under the California Unfair Competition Law and/or False Advertising Law, with fines up to $500,000 per use of a non-compliant app.

This should not be a surprise, given the law and given the February 2012 global agreement between the California AG and several technology companies -- Amazon, Apple, Google, Hewlett-Packard, Microsoft, Amazon, and Research In Motion -- to require mobile app developers to post privacy policies.

This is really good news for consumers who have become increasingly reliant upon mobile devices. Past studies have documented sporadic and poor access to privacy policies by mobile device apps both before and after installation. Once again, California leads the way in protections for consumers.

California AG Asks United Airlines To Provide A Privacy Policy With Its Mobile Device App

Recently, Kamala Harris, the Attorney General for the State of California, posted the following on her Twitter feed:

"@KamalaHarris Fabulous app, @United Airlines, but where is your app’s #privacy policy? http://1.usa.gov/SWGCTm"

A quick scan of United Airline's twitter feed did not find a reply by the airline to the AG's request. Harris' request refers to a 2004 law in California requiring website operators that collect consumers' personal information to post a privacy policy on its website. While that law predates mobile device apps, Harris' request highlights an important privacy and data security situation. Prior studies have documented privacy abuses by mobile device apps, and either lacking or sporadic access to apps' privacy policies both before and after a user installs an app.

Of course, a privacy policy won't prevent a data breach nor prevent abuse of consumers' sensitive personal information, but it is an important disclosure tool, like food labels, to help consumers:

• Understand what data is collected, archived, and shared with other companies by a product or service,
• Utilize any opt-out or opt-in service settings,
• Begin to evaluate whether or not a company complies with its own privacy policy, and
• Compare data security offerings between competitive products or services

One could argue that given the privacy abuses, privacy policies are even more important for mobile device users. With a traditional desktop or laptop device, there is usually to parties involved: the consumer and the website he/she is visiting. With mobile devices, there are more parties involved: the mobile device manufacturer, the mobile device operating system developer, the app developer, the telecommunications provider, and the app store. It's critical for consumers to know which party's privacy policy applies; and an opportunity to streamline,, consolidate, and reduce the number of privacy policies.

Now that Harris has highlighted the issue, it is an opportunity for the california legislature to amend its state's laws to include apps; and for legislatures in other states to do the same.

What's your opinion of Harris' request? What's your view of privacy policies for mobile device apps?

States' Attorney Generals Urge Congress To Reject Payday Lender Bill

On Friday, several states' Attorney Generals announced that they had sent a letter to Congressional leaders urging them to oppose HR 6139, known as the Consumer Credit, Access, Innovation, and Modernization Act. The letter read in part:

"Most states have enacted laws and rules to regulate short term lending, including payday loans. Many of these states have chosen to strike a regulatory balance that preserves access to alternative forms of credit while protecting consumers from repeated debt cycles and other pitfalls associated with such products. H.R. 6139 would turn back existing consumer protections... H.R. 6139 would give nonbank financial services providers – including payday lenders, installment lenders, car-title lenders, prepaid-card issuers, check cashers, and others – access to a federal charter issued by the Office of the Comptroller of the Currency. The bill would totally preempt state licensing laws for nonbank financial services providers... In place of state safeguards, the bill would establish only minimal consumer protections... the bill establishes no standards for determining a consumer’s ability to repay. Moreover, the bill would exempt loans with terms of one year or less from the disclosure requirements of the Truth in Lending Act – the universal standard for measuring the true cost of credit – and substitute a cost metric that is confusing and misleading..."

The letter was sent on Friday October 5, 2012 to House Speaker John Boehner, House Minority Leader Nancy Pelosi, Senate Majority Leader Harry Reid, and Senate Minority Leader Mitch McConnell. 41 states' Attorney Generals signed the letter, including Guam and Puerto Rico.

In Congressional testimony during July 2012, the Office of the Comptroller of the Currency (OCC) stated its concerns:

"The effective result of H.R. 6139 would be to create a class of federally chartered companies (National Consumer Credit Corporations, hereinafter referred to as “NCCCs” or “companies”) focused on consumer credit products of the very nature and character that the OCC has found unacceptable based on consumer protection and safety and soundness concerns. In particular, it is our experience that the profitability of many of the types of small dollar, short-term loans that NCCCs would likely seek to offer is dependent on effectively trapping consumers into a cycle of repeat credit transactions, high fees, and unsustainable debt... The bill will result in a decrease in protections for categories of consumers that may be the most vulnerable. We have ample evidence from the recent financial crisis that the goal of enhanced access to financial products and services must be coupled with assurances that those consumers are subject to meaningful consumer protections and that the firms offering those products and services must do so on a prudent, safe, and sound basis. In this regard, the Consumer Financial Protection Bureau (CFPB) has been provided the authority to issue rigorous, uniform, and nationally-applicable consumer protection standards for financial products and services. It is important that the types of products envisioned for NCCCs not be carved out of coverage of CFPB-administered lending standards..."

There are plenty of examples of this cycle of repeat credit transactions, high fees, and unsustainable debt. In February 2009, CBS News reported about the payday lending industry:

"They've now grown into a $59 billion industry. But six states - Arkansas, Georgia, New Hampshire, North Carolina, Ohio and Oregon as well as the District of Columbia - have now effectively banned these loans... there are 24,000 payday lending stores in America - more than Starbucks and McDonald's combined. They provide 19 million American households a quick way to make ends meet... A typical customer takes out about eight payday loans a year..."

CBS News reported in April 2009:

"The payday loan industry, threatened by Congress with extinction, has deployed well-connected lobbyists and hefty sums of campaign cash to key lawmakers to save itself. The strategy has paid off."

This 2011 news report explained how many layday lenders charge unbelievably high interest rates. Last month, the City of San Francisco negotiated a settlement with payday lender Money Mart (a/k/a Loan Mart), which agreed to pay to $7.5 million to reimburse consumers for alleged illegal lending activities and interest rates as high as 400 percent. Consumers eligible to receive reimbursements may receive payments ranging from $20 to $1,800.

The letter caught my interest for three reasons. First, it seems to avoid unnecessarily the CFPB. Second, it mentioned prepaid-card issuers, which this blog has covered extensively. Banks and non-bank prepaid-card issuers have targeted the same market as payday lenders: consumers who have a checking or savings account and not both (e.g., underbanked), or who have neither (e.g., unbanked). About 8 percent of U.S. households are unbanked, and 20 percent are underbanked. Unbanked and underbanked households are typically non-Asian minorities, low-income, young, and unemployed.

Third, anytime a proposed Congressional bill mentions both "modernization" and financial services, a closer inspection is usually wise. (The Graham-Leach Bliley Act, which repealed Glass-Steagall comes to my mind.) Things often get modernized for some, not for others who really needed it, and there are always unintended consequences. One of the OCC's concerns is money-laundering, which is connected to a host of other global ills. Legislation that creates a new class of financial institutions needs to be well constructed, closely reviewed, an adequately discussed publicly.

The Attorney Generals' letter to Congress is available at the Illinois Attorney General website (Adobe PDF). Download H.R. 6139 (Adobe PDF) and see page 24, lines 3 through 8. That's a deal breaker. And, I suggest that you read the full testimony about H.R. 6139 by the OCC Deputy Comptroller of Compliance Policy (Adobe PDF).

Anthem Blue Cross Settles With California Attorney General Over Data Breach

Everyone who is security conscious knows that a business should never printer consumers' Social Security numbers on health care identification cards, statements, and letters. Doing so facilitates identity theft, fraud, and medical identity theft -- a big help for identity thieves.

Yesterday, the California Attorney General announced both a lawsuit and settlement involving Blue Cross of California, which operates under the name Anthem Blue Cross. The lawsuit, filed in Los Angeles Superior Court today along with the settlement, alleged that Anthem printed Social Security numbers on letters it mailed to more than 33,000 from April 2011 and March 2012. The lawsuit claimed that this violate state law prohibiting the disclosure of Social Security numbers. After the breach, Anthem offered those subscribers one year of free credit monitoring.

This blog has discussed repeatedly how the risk of identity theft doesn't end after a year or two - typically the period businesses offer breach victims free credit monitoring services. Identity criminals will use stolen credentials until they know the credentials are no longer usable.

Terms of the settlement include a $150,000 payment and:

"... requires Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers and provide enhanced data security training for all of its associates."

The fine seems light since this is not the first breach involving Anthem. A breach of the company's website in June 2010 affected about 470,000 subscribers nationwide.

California Legislature Approves Location Privacy Act

On Wednesday, the California legislation passed SB 1434, which requires government agencies to obtain a warrant before collecting your location-based information. All that is left is for the Governor to sign the law. The law reads:

"This bill provides that no government entity shall obtain the location information of an electronic device without a valid search warrant issued by a duly authorized magistrate."

"This bill would provide that no search warrant shall issue for the location of an electronic device pursuant to this section for a period of time longer than is necessary to achieve the objective of the authorization, nor in any event longer than 30 days, commencing on the day of the initial obtaining of location information, or 10 days after the issuance of the warrant, whichever comes first."

"This bill, as proposed to be amended, provides that extensions of a warrant may be granted, but only upon a finding of continuing probable cause by the judge or magistrate, and that the extension is necessary to achieve the objective of the authorization. Each extension granted for a warrant pursuant to this subdivision, shall be for no longer than the authorizing judge or magistrate deems necessary to achieve the purposes for which the warrant was originally granted, but in any event, shall be for no longer than 30 days."

Read SB 1434 for other provisions and exceptions. In an announcement, the ACLU emphasized the importance of this legislation:

"We shouldn't have to choose between using our smartphone and protecting our privacy. Unfortunately, outdated laws like the Electronic Communications Privacy Act of 1986 (yes, 1986!) do not provide the clear protection that sensitive information like location history - which can reveal your friends, activities, habits, and more - deserve. As a result, law enforcement agencies in California and elsewhere treat access to location information as a "routine tool" and frequently obtain this sensitive data with little or no judicial oversight."

Earlier this year, 35 ACLU chapters requested information from about 380 police departments in 31 states, and received about 200 replies. You can view the nationwide map with replies for your town and state of law enforcement tracking of consumers smart phones locations.

So now, at least in California, search warrants are required first. It will be interesting to see how this affects the use by law enforcement of automated license plate readers, which can append GPS location and other meta data (e.g., time, stop duration, nearby stores) data to scanned plates.

Mintz Levin: Breach Notification Laws In The United States

The law firm of Mintz Levin has produced a report listing data breach notification laws in the United States as of June 1, 2012. The report includes details by state, and includes the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Typically, breach notification laws include a:

• Description of the personal information that must be protected
• List of the businesses, organizations, and state/local agencies that must comply with the state's breach notification law
• Process for the timing, content, and distibution of a breach notification
• Any exceptions to the law (e.g., encrypted files)
• Other provisions and applicable state laws
• Penalties for violations
• Whether breach victims (e.g., state residents) can sue, and if so against whom

Four states do not have any breach notification laws:

• Alabama
• Kentucky
• New Mexico
• South Dakota

If you live in one of these states, contact your elected officials and demand that your state pass a breach notification law. When companies or government agencies have consumers' sensitive personal information lost or stolen, you need to know to protect yourself.

The report is also available here (Adobe PDF, 469 k bytes).

Data Breach At Pantone.com

In an April 10, 2012 letter, X-Rite Inc. notified the State of California Attorney General of a data breach where hackers accessed a Pantone.com website server on or about February 6, 2012.The breach notice did not disclose the number of records accessed/stolen, nor the exact method the hackers used.

The breach was discovered by X-Rite management on March 23, 2012. The data accessed and stolen included the names, addresses, and credit card information of customers who bought products at the pantone.com website. X-Rite notified affected customers on April 6. In August 2007, X-Rite announced its acquisition of Pantone for about $180 million.

A copy of the breach notice is available at the State of California Attorney General website and here (Adobe PDF, 23k bytes).

Foreclosure Abuse Widespread

Last week, the San Francisco Assessor-Recorder office released the results of an audit (Adobe PDF) of about 400 home that were foreclosed on during 2009, 2010, and 2011. The audit found that about 84% of the homes had at least one violation of California foreclosure laws.

The office began the audit last Fall with Aequitas, a mortgage investigation firm, after problems surfaced in mortgage records requested by homeowners facing foreclosure. Assessor-Recorder Phil Ting said,

“When it became clear that property records were severely undermined, a red flag was raised... Those records are supposed to be filed with this office and many were simply missing or had serious inconsistencies..."

It's difficult to impossible for a homeowner to fight foreclosure when mortgage records are inaccurate or incomplete. Ting emphasized the need for state legislation to guarantee compliance with California foreclosure laws by the mortgage industry.

The register of deeds in Guildford County, North Carolina, examined 6,100 mortgage documents last year, and found signature irregularities in 4,500 (xx%). Experts see this as a clear indicator of the illegal practice of "robosigning" documents.

Seems to me it is time to both fine companies and send bankers to prison nationwide. Only then will this madness stop. Demand action from your elected officials.

CVS Caremark Agrees To Pay $20 Million To Settle With Three States For Pension Fraud Claims

CVS Caremark Corporation has agreed to pay about $20 million to settle lawsuits in three states about alleged pension system fraud. The lawsuits were filed by two whistleblowers, CVS pharmacists, and claimed that CVS resold returned drugs, changed presecription orders to increase prcies, and filed false reports about prescriptions fulfilment dates. The Los Angeles Times reported:

"... CVS Caremark will pay nearly $7 million to the California Public Employees’ Retirement System, $4 million to the state of Illinois and $3 million to the state of Florida. Other money from the settlement went to plaintiff attorneys’ fees and costs..."

In 2007, CVS Corporation merged with Caremark Rx Inc.. The combined company operates about 7,000 retail stores, and provides prescription drug management services for employers.

Crain's Chicago Business reported Michael Leonard, a partner with Chicago-based law firm Meckler Bulger Tilson Marick & Pearson LLP, which along with Los Angeles-based law firm Engstrom Lipscomb & Lack LLP represented the whistleblowers, as describing the lawsuit:

“They fought the thing tooth and nail, and denied, denied, denied, despite what the evidence was...”

California Modifies Its Data Breach Laws To Improve Notification

Loeb and Loeb LLP reports that California has modified its security breach rules to expand notification. The revised law goes into effect January 1, 2012. Notification letters to consumers must include:

• A list of the types of personal data exposed,
• The date(s) or date range of the data breach,
• A description of the data breach,
• Whether or not an investigation by law enforcement delayed the notification, and
• The toll-free phone numbers and addresses of the major credit reporting bureaus

Consumers must be notified in writing, unless law enforcement views notification as an obstacle to criminal investigations. Organizations with breaches affecting more than 500 California residents must also notify the California Attorney General's office. According to Loeb and Loeb, the organizations that must comply with Senate Bill 24:

"... any agency, person, or business that owns or licenses computerized data that includes personal information. In the event of a security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, that agency, person, or business must issue a security breach notification."

Loeb & Loeb LLP provides a variety of services for its Fortune 100 clients, including media and technology, antitrust, finance, corporate and securities, energy, and more. The firm has about 300 attorneys with offices in Los Angeles, New York, Chicago, Nashville, Washington, DC, and Beijing.

These California modifications are good, because too many breach notifications lack details. More disclosure is better since it helps breach victims judge the severity of the breach. I have read several and some states post online the breach notices received by their state judicial agency.

Former Countrywide Financial Analyst Sentenced to 18 Months of Prison And Ordered To Repay $1.8 Million

The Los Angeles office of the Federal Bureau of Investigation (FBI) and the U.S. Attorney for the Central District of California announced that a former Countrywide Home Loan employee was sentence on September 28 to 18 months of prison and ordered to pay $1.8 million in restitution to Countrywide, now a unit of Bank of America.

Rene Rebollo, 39, of Pasadena, was arrested in 2008 after an investigation discovered that he had downloaded from Countrywide databases and sold the sensitive personal and financial information of about 2.5 million consumers. Rebollo was employed as a senior financial analyst for Countrywide’s subprime mortgage division in Pasadena. He admitted that that he saved the stolen information to a personal thumb drives and distributed consumers' Social Security numbers in at least 50,000 instances.

"As a result of the data breach, Countrywide underwent considerable expenses, including notification of individuals whose information was improperly disclosed, at a cost of approximately $1.2 million, and providing free credit monitoring for those individuals at a cost of approximately $15.75 million. Countrywide has also estimated that it has expended approximately $13.4 million in civil litigation, including several class action lawsuits, arising from the data breach."

This is a classic case of insider identity theft and the costs companies can incur from a breach. The case also highlights the importance of companies, small and large, to adopt data security measures and comply with Red Flag Rules.

Lawsuit Alleges Hulu.com and KISSmetrics Used "Zombie E-Tags" To Track Consumers Without Notice And Consent

Last month, a lawsuit was filed in Central California District Court against Space Pencil and Hulu.com, alleging that the companies tracked consumers online usage without notice or consent using "Zombie Etags," a newer Internet technology. According to the complaint, consumers:

"... that accessed Hulu's website had HTTP cookies respawn via Flash shared objects, HTML 5 Local Storage, and/or cache/ETags after they had been deleted."

"Zombie ETags" refers to the latest combination of Internet technologies used to track online usage: HTML 5 local storage, and/or cached Etags. The Zombie Etags allegedly regenerate any HTML cookies the user has deleted, removing control from the user and preventing privacy. Entity Tags, also known as "Etags," are a mechanism to verify that the page components a web browser displays match the components on the web server hosting the URL or original web page.

According to the complaint (PDF - 6.3 MBytes), Space Pencil is the company doing business as KISSmetrics. Hulu.com is a popular website that streams video of television shows from ABC, CBS, Fox, NBC, and other networks and studios. This is at least the second class-action lawsuit filed against both companies.

This class-action lawsuit (Couch et al versus Space Pencil et al) was filed, in part, because the consumers:

"... accessed the Hulu website, relying on the Hulu's Terms of Service and Privacy Policy which provided assurances against unauthorized tracking..."

What makes this lawsuit a little different from prior lawsuits (e.g., "zombie cookies), is the technology and hacking allegations:

"... Internet users who accessed Hulu's website, and knowingly, without the user's knowledge or consent, "Hacked" the Plaintiffs' and Class Member's Computing Devices in order to conduct covert surveillance of Plaintiffs and Class Members online activities, using web analytics to collect and de-anonymize Plaintiffs' and Class members' online data, providing the mechanism for Hulu to conduct perpetual online tracking of its users and a method to use cross domain tracking..."

This alleged tracking technology allowed Hulu and KISSmetrics to track Hulu.com users' online usage across the Internet and beyond the Hulu.com website. The complaint referenced several working papers about tracking technologies:

• "Flash Cookies And Privacy" by Ashkan Soltani et. al, 2009
• "Respawn Redux" by Ashkan Soltani, 2011

The 2009 working paper documented the extent of company websites using Flash cookies to regenerate HTTP cookies. The 2011 working paper documented the regenerated HTTP cookies practice:

"In our follow-up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics. Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed."

Both companies supposedly stopped their Zombie Etag tracking on July 29, 2011. KISSmetrics published this response to the July 2011 lawsuit. The class-action plaintiffs want the tracking software and data files removed from their computers. The sensitive personal information:

"... compiled and misappropriated included sensitive information, such as users' video viewing choices revealing personal interests, his/her sexual preference, political views, and even more specific information like health conditions, such as DEPRESSION..."

The attorneys representing the plaintiffs in this class-action lawsuit include Strange & Carpenter, and a name I recognize: the law office of Joseph Malley.

If you want to learn more, I recommend reading this Wired story.

California Amends Its Breach Notification Law

California was the first state in the nation to enact a breach notification law. The 2002 law required organizations that store records with consumer information -- both companies and government agencies -- to notify consumers when their sensitive personal information was lost or stolen. Last week, California Governor Brown signed into law SB 24. What's new about SB 24:

"Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.... In addition, SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General, if a single breach affects more than 500 Californians."

SB 24 (Adobe PDF) goes into effect January 1, 2012.

This is good news for consumers, as other states' breach notification laws have followed California's lead. I believe it is also good because too often, consumers have no idea what to do next when they receive a breach notificaton letter. Too many don't know about the credit reporting agencies: Experian, Equifax, and TransUnion; nor the consumer's responsibility to keep their credit reports accurate; and the need to monitor their credit reports after a breach/theft.

Since writing this blog I have talked with many consumers. A breach notification letter is often a wake-up call that he/she needs to take action to protect their sensitive personal and financial information.

Moreover, the InfoLaw Group appropriate emphasized that SB 24:

"... adds California to the list of states and other jurisdictions that require some type of regulator notice in the event of certain types of data security breaches... Other states that require some form of regulator notice in some circumstances for certain kinds of entities (sometimes for a breach, and sometimes to explain why an entity has determined there was no breach) include Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia."

Don't see your state on this list? Write to your elected officials and demand an improved breach notification law for your state.

Sadly, only four states' governments post online the breach notifications they receive: Maryland, New Hampshire, Vermont and Wisconsin. Online postings are a good way for consumers to verify the breach notifications they receive.

Federal Reserve Board Takes Action Against Wells Fargo Including $85 Million Fine

Only July 20, the Federal Reserve Board issued a press release about its action against Wells Fargo & Company for lending and mortgage abuses. The action includes a "cease and desist" order, an $85 million civil penalty, and an order for Wells Fargo to compensate affected borrowers:

"... issued a consent cease and desist order and assessed an $85 million civil money penalty against Wells Fargo & Company of San Francisco, a registered bank holding company, and Wells Fargo Financial, Inc., of Des Moines. The order addresses allegations that Wells Fargo Financial employees steered potential prime borrowers into more costly subprime loans and separately falsified income information in mortgage applications. In addition to the civil money penalty, the order requires that Wells Fargo compensate affected borrowers."

The lending and mortgage abuses:

"Wells Fargo Financial--a once-active, non-bank subsidiary of Wells Fargo--made subprime loans that primarily refinanced existing home mortgages in which borrowers received additional money from the loan proceeds in so-called cash-out refinancing loans. The order addresses allegations that Wells Fargo Financial sales personnel steered borrowers who were potentially eligible for prime interest rate loans into loans at higher, subprime interest rates, resulting in greater costs to borrowers. The order also addresses separate allegations that Wells Fargo Financial sales personnel falsified information about borrowers' incomes to make it appear that the borrowers qualified for loans when they would not have qualified based on their actual incomes."

The amount of compensation to be paid to affected borrowers has not been set. The number of affected borrowers is estimated betweet 3,700 and 10,000. The amount of compensation will be dependent upon several factors:

"... including differences between what borrowers paid and what they should have paid in terms of origination points, interest payments, fees, and penalties."

On the same day, Wells Fargo issued a statement which read in part:

"The alleged actions committed by a relatively small group of team members are not what we stand for at Wells Fargo,” said Chairman and CEO John Stumpf. “Fair and responsible lending practices have been at the core of our culture, and they will continue to guide us as we work closely with the Federal Reserve to provide restitution to customers who may have been harmed, and to reinforce our internal controls so they further reflect Wells Fargo’s commitment to helping customers succeed financially... The Company’s agreement with the Federal Reserve does not include an admission of the allegations cited, which cover lending practices at Wells Fargo Financial between January 2004 and September 2008... Within 90 days, Wells Fargo will submit plans to the Federal Reserve that will outline its oversight of its mortgage lending practices regarding certain compliance and incentive compensation programs. In addition, Wells Fargo will develop a plan for continuing to identify and provide compensation to Wells Fargo Financial customers who may have been harmed by the practices alleged in the agreement..."

Analysis: Several States' Online Consumer Forms For Filing Phone Scams Complaints

[Editor's note: this is part three of a three-part series about telemarketing or phone scams.]

Yesterday, I described my experience with filing online complaints with the U.S. Federal Trade Commission and with the Attorney General office in the state where I live. Today, I want to share my findings about how well several states' Attorney General websites allow consumers to file online complaints about phone scams.

Remember, the the FTC Phone Fraud website instructs consumers to file complaints at both the FTC Complaint Assist website and at their state Attorney General website. After having difficult at the Massachusetts AG website, I reviewed several states' AG websites. I wanted to know if other states presented online complaint forms that made it easy (or difficult) to file complaints about phone scams.

I reviewed and compared the online complaints form for six (6) states. I chose four states (California, Florida, New York, and Texas) with large populations since that would include the probable online experience for a large percentage of the US population. I also included my home state (Massachusetts), and one state (Alabama) that does not have any laws requiring the notification of consumers affected by data breaches:

#	State AG Website	Online Complaint Form
1	Massachusetts	https://www.eform.ago.state.ma.us/ago_eforms/forms/piac_ecomplaint.action
2	California	http://ag.ca.gov/contact/complaint_form.php?cmplt=CL
3	Florida	http://myfloridalegal.com/Contact.nsf/Contact?OpenForm&Section=Economic_Crimes
4	Alabama	http://www.ago.state.al.us/consumer_form.cfm
5	New York	http://www.ag.ny.gov/bureaus/consumer_frauds/filing_a_consumer_complaint.html
6	Texas	https://www.oag.state.tx.us/forms/cpd/form.php

Remember, the FTC website linked to the National Association of Attorneys General (NAAG) website, which lists all Attorney General websites in the 50 states, plus the District of Columbia, Guam, and Puerto Rico. So, many consumers will arrive at their state's AG website with the goal to complete this specific task: file a complaint online about a phone scam. Given this specific task, I used three criteria to evaluate the AG websites:

1. Did the AG website main page present a link or button for consumers to file a complaint online, that was prominent and easy to find?
2. Did the AG website allow consumers to actually file a complaint online?
3. Did the state's online form allow for the submission of phone scams?

There are many other criteria one could use to evaluate AG websites. I chose these three criteria because they directly relate to the specific task. I looked for variations of the "File a Complaint" phrase and not necessarily the same words. My findings:

1. Many AG websites made it difficult for consumers to file complaints. 50% (3 of 6) of the websites reviewed contain a link or button on the home page that was prominent and easy-to-find. Prominent and easy means that the link/button is immediately displayed when the page loads. So, half of the websites (e.g., Florida, New York, and Texas) evaluated didn't provide a link/button.

AG websites typically present information about news releases and the services available to consumers and businesses -- all very valuable information. The lack of a "File a Complaint" link or button on the home page makes the website needlessly more difficult to use. This forces consumers to hunt for the complaint form page.

Several example highlight this forced hunt. First, the online complaint form is buried in the Florida AG website under the Consumer Protection website section. That fom location may be a logical place for frequent website visitors, attorneys, and AG office staff, but not necessarily for first-time visitors or consumers. Second, the Texas AG website has a "Report Fraud, Waste, and Abuse" link on its main page, but that link is narrowly focused on complaints about state government agencies. Consumers looking to file a complaint about a non-government organization still have to hunt for the online complaint form.

Third, the New York AG website locates its complaint forms under the Consumer Frauds Bureau and Identity Theft sections. Again, frequent visitors, attorneys, and AG office staff may know to look there, but first-time visitors won't.

When hunting for a form, there are several time-consuming strategies that consumers may use: site-search mechanism, click on various navigation links, and/or read the page content.

2. Most AG websites present interactive online complaint forms. 83% (5 of 6) of the websites reviewed present online complaint forms. The only website that didn't -- New York -- presented static forms in Adobe PDF format, which consumers must download, complete offline, and submit via surface mail.

3. Not all AG websites allow consumers to submit complaints about telemarketing/phone fraud. 60% (3 of 5) of the websites with interactive, online complaint forms allow consumers to file complaints about phone scams. (Remember, the New York AG website had PDF forms instead of interactive forms.) That is, the complaint forms are flexible enough to allow consumers to enter the data elements they may have.

In my online experience, the form in the Massachusetts AG website requires consumers to submit all of the following data elements about the phone-scammer: company name, address, city, state, ZIP Code, and phone number. With phone scams, consumers won't necessarily have all of these data elements. I didn't. The complaint form at the Texas AG website also contained the same usability problems as  the Massachusetts AG website form.

While it is a fairly simple task to add a "File a Complaint" link on the home page and to edit an online complaint forms to make more company data elements optional rather than required, there probably are backend database considerations. The online databases must contains sufficient categorization and tagging to identify phone fraud complaints as such, and not as partially completed complaints.

If you have submitted complaints at your state's AG website, what was your experience?

The State of Florida Made $63 Million in 2010 Selling Drivers' Personal Data. What About Your State?

Business Insider reported that the state of Florida sells the personal information of drivers:

"... to private investigators and research services for years with last year's sale bringing in almost $63 million. Reported by News Channel 5 in Tampa, the state sells nearly all the information on every license including birth dates and drivers license numbers."

The news report listed the price at $ .01 price per drivers record. That sounds awfully low -- too low -- given the data elements purchased and the reliable data source (e.g., the State of Florida). Do you think your personal information is worth more than a penny? I do and guess that you do, too.

The companies that purchase Florida drivers' information include some familiar names: Acxiom Information Securities Service, Inc., Choice Point, E-Funds, Explore Information Services, LexisNexis, Line Barge, Goggan, Blair, & Simpson, Inc., SC Services, ShadowSoft, TLO LLC, and West Services Inc..

The Driver Privacy Protection Act (DPPA) is Federal law enacted in 1994, long before corporate data breaches, digitized profiles, and privacy became the problems we have today. The DPPA regulates what personal information must be protected, and can (cannot) be sold by states. According to the Electronic Privacy Information Center (EPIC):

"The DPPA was passed in reaction to the a series of abuses of drivers' personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer's address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars..."

Some states have laws providing greater protections for drivers' personal information. There have been at least two class-action lawsuits for alleged DPPA violations.

Does your state sell drivers' personal information? Probably. It can be difficult to determine. Often, there is a disclosure in your state government motor vehicle registry website about the DPPA and what your state does (and does not) sell. For example, the Massachusetts RMV website:

"The DPPA restricts the disclosure of personal information, as defined in 18 U.S.C §2725. Personal information is information that identifies an individual, including name, address, driver's license number, social security number*, photograph* and medical information... The DPPA only restricts personal information. Information on vehicular accidents, driving violations and driver's status is not personal information. Also, information that does not pertain to an individual would not be considered personal information."

Like other states, only "Permitted Users" can buy this drivers personal information, and the state supposedly verifies both the purchasers' identities and whether the purchasers' usage post-sale complies with the law. So, drivers personal information is being sold. I wasn't able to find a disclosure about the annual total amount of revenues from DPPA sales.

Another example from the New York State DMV:

"You must have a DPPA permissible use to request DMV records that contain personal information. Personal information includes name, address, or Client ID Number (Driver License Number). You must certify that you have a permissible use when you request records that contain personal information... The DMV records that are frequently requested are driver abstracts, registration abstracts, title abstracts, and accident reports... The DMV normally does not provide a history of the ownership or the mileage of a vehicle... To request a vehicle ownership history, you must certify that you have a DPPA permissible use for the information... The National Driver Register (NDR) is a database maintained by the Federal government. The NDR lists: the drivers from each US state who have a driver license that is suspended or revoked, and the drivers who were convicted of a serious traffic violation like DWI or a drug-related violation. Motor vehicle bureaus in the US provide the NDR with the names of persons who lose the privilege to drive or who were convicted of serious traffic violations... You can use form NDR-1 to search the NDR. Information from the NDR must comply with the DPPA."

Another example from Texas:

"... the Driver’s Privacy Protection Act (DPPA), makes it illegal for the general public, including the media, to obtain, publish or confirm personal information about you from the state motor vehicle database. The law does provide exceptions for certain entities, such as courts and police. Texas law provides additional protection under the Motor Vehicle Records Disclosure Act, and the Public Information Act (Section 552.130)."

Personally, I don't believe that Florida (and other states) should sell drivers personal information to information brokers, regardless of the uses claimed by the data brokers. It effectively, makes the data publicly available to everyone, "permitted uses" or not.

The states' DPPA disclosures which I have read are often long, difficult to read, and at times confusing. The information could be presented far better with pages containing separate summaries, instructions, and forms for each target audience (e.g., individuals/residents, companies, state/local agencies, law enforcement/courts, etc.). When there are additional state laws providing broader protections, you almost have to be an attorney in order to reconcile the multiple laws to understand exactly what is protected and sold.

Kudos to News Channel 5 in Tampa for the good investigative journalism.

What is your opinion? Should states sell drivers personal information? Is the price Florida charged too low?