South Shore Hospital To Pay $750,000 In 2010 Breach Settlement

Yesterday, South Shore Hospital and the Massachusetts Attorney General's Office both announced a settlement agreement regarding the hospital's 2010 data breach. the breach exposed the sensitive personal and medical information of 800,000 current and former patients, plus patients at Harbor Medical Associates and South Shore Physician Hospital Organization.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes to an off-site vendor, Archive Data Solutions, for erasure. The boxes contained the records of 800,000 patients. According to AAG Coakley's office, the hospital failed to inform Archive Data that boxes contained sensitive personal protected health information. Nor did the hospital determine whether Archive Data had sufficient data security methods to protect this sensitive information.

In June 2010, the hospital learned that only one of the boxes, shipped via several companies, arrived at its destination in Texas. The missing boxes have not been recovered. In a statement, AG Coakley emphasized:

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form... It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

According to terms of the settlement approved in Suffolk Superior Court, the hospital will pay a $750,000 fine which includes a $250,000 penalty and $225,000 for a data security education fund. The Massachusetts Attorney General's office will use the education fund to:

"... promote education concerning the protection of personal information and protected health information."

The payment is also reduced by $275,000 for expenses the hospital has already made for data security improvements. The HIPAA Privacy Rule specifies which health care organizations must comply with certain data security standards. the rule also defines what "protected health information" is: personally identifiable health care information in any format (e.g., print, electronic).

Data Breach At Experian Credit Reporting Service

Experian has notified the New Hampshire Department of Justice of data breach where unauthorized third parties may have obtained consumers credit reports. The company discovered the breach in February 2012 and began notifying affected consumers on May 17, 2012.

The breach notice did not disclose the number of consumers affected. The unauthorized access occurred between November 2010 and March 2012. An investigation into the breach was conducted including the analysis of computer logs. In its breach notice, Experian stated:

"... we do not believe that any third party obtained access to any specific data elements that are covered by the New Hampshire security breach law because those data elements (e.g., financial account numbers) were redacted or truncated on any credit report disclosure..."

New Hampshire is one of about 46 states that require entities (e.g., companies and state agencies) to notify both the state and affected residents in each state whose personal information archived by that entity was lost, stolen, or accessed by unauthorized persons.

In its breach notice to consumers, Experian stated:

"While any consumer report will contain public information like name and address, Experian masks or displays only partial social security numbers, birth dates, and account numbers, so they are not identifiable and cannot be abused."

This is troublesome because, a) the breach went undiscovered for a long time, 16 months; b) partial social security and bank account numbers, partially masked, and c) the extremely sensitive personal and financial information contained in consumer credit reports.

Experian placed fraud alerts on the files of breach victims, and, of course, is offering breach victims two years of fee credit monitoring services through its ProtectMyID service.

Experian is one of the three larges credit reporting agencies. The other two are Equifax and TransUnion. Experian also operates the Triple Alert and FreeCreditReport.com websites. In 2010, the U.S. Federal Trade Commission changed the disclosre rules for web sites offering free credit reports. Consumers should know that the official webiste for truly free credit reports.

Data Breach At Choice Hotels

Since I started this blog almost five years ago, I've written about a variety of data breaches, where sensitive customer and employee information was stolen. Sometimes, the breach involved hackers breaking into a company's website server. Often, it included the theft of a laptop computer or flash drive left in an employee's parked car. Sometimes, it was "insider identity theft" by an employee or contractor. This latest breach involved a method I hadn't heard before.

About April 25, 2012, Choice Hotels notified the appropriate state agencies in both California and New Hampshire of a data breach affecting residents in those states. According to the breach letter submitted by the company, sensitive customer information (e.g., credit card numbers, drivers license numbers, passport numbers, Social Security numbers) were not entered into the proper database fields in the company's customer systems. As a result, this sensitive data wasn't protected (e.g., encrypted), and was passed along to the company's marketing partners where the sensitive data was inadvertently printed on marketing envelopes mailed to customers.

Choice Hotels claims that less than 0.001 percent of guest stays were affected. The breach was discovered in December 2011, and the company immediately stopped using the database for markeing purposes. The company hired Kroll Advisory Solutions to investigate the problem with a "forensic analysis." About 59 New Hampshire residents were affected and have already been notified.

The company's breach notice did not identify the company's marketing partners. Its website Privacy and Security Policy states that:

"If you reside in California and have provided Choice your personally identifiable information, you may request a list from us of third parties with whom we shared your personally identifiable information for their own direct marketing purposes during the preceding calendar year..."

Choice Hotels operates several lodging brands including Clarion, Comfort Inn, EconoLodge, MainStay Suites, and Rodeway Inn. A copy of the breach notice is available at the New Hampshire Department of Justice website and here (Adobe PDF; 154k bytes). The California Attorney General website also includes a copy of the breach letter sent to affected consumers. The company has reportedly contracted with TransUnion Interactive for for free credit monitoring services for breach victims.

Data Breach At Opening Ceremony

BankInfo Security reported details of a data breach at Opening Ceremony, a New York-based clothing and shoe retailer. Hackers inserted malicious software on the company's website server.

The data stolen included the payment card information of customers who purchased products online between Feb. 16 and March 21. the company has already notified customers affected by the breach. In a May 4 letter to affected customers (Adobe PDF), Opening Ceremony has contracted with ID Experts for complimenary credit monitoring and resolution services.

 

Consumer Reports Reviews Facebook And How To Use It Safely

If you haven't read it, there is a good review by Consumer Reports of the Facebook social networking website. The news media has focused on some of the controversial aspects of the report. For example, CNN reported, like many other news organizations, the survey finding that about 25 percent of Facebook users lie about information in their Facebook profile to protect their identity.

While lying about profile information may seem like an effective privacy strategy, the Consumer Report review of Facebook highlights the various ways Facebook tracks its members. Some Facebook members have made conscious choices to share personal data, and do so in status messages, sharing items, and commenting upon others' status messages. Yet other tracking methods exist.

The Consumer Reports review is a good reminder that its members are the products:

"... the company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account."

One tracking method is the facial-recognition software used to "tag" (e.g., identify) people (and places) in both photos and videos. Members who aren't careful to turn off the geo-tagging feature in their smart phones or tablets will provide even more personal data with photos and videos uploaded to Facebook.

Another method are the Facebook apps member use for music, news, and games -- which are loosely managed by Facebook:

"... according to Kevin Johnson, security consultant at Florida-based Secure Ideas, who has developed apps and tests their security. The sole credential needed to create an app is a verified Facebook account, including a cell phone number or credit card. And the company doesn’t have to review your source code (programming instructions) before it goes live..."

So, there seems to be little to no verification of apps for security or compliance when those apps have a privacy policy.

A method Facebook uses to track both members and non-members includes those "Like" buttons you have see on websites across the Internet:

"... Facebook keeps track of the other websites [its members] visit. That happens via the “Like,” “Recommendations,” and similar buttons that so many sites include. In addition to reporting your presence, the “Like” button sends along the date and time of your visit and your IP address, whether or not you click on it. The company has acknowledged that this happens even when Facebook users are logged out, a practice that had prompted class-action lawsuits in the U.S. If you’re logged in to Facebook, it can collect even more data. The company also said that it collects data from people who are not its users and have never visited its site..."

The review is also a good reminder of the scope of data Facebook collects:

"... thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook's Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list... Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff..."

If you want to learn more about Schrems, visit Europe Versus Facebook. The review ends with a list of nine ways consumers can use Facebook (and similar social networking sites) safely:

"1. Think before you type. Even if you delete an account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.

3. Protect basic information. Set the audience for profile items, such as your town or employer. And remember: Sharing info with “friends of friends” could expose it to tens of thousands.

4. Know what you can’t protect. Your name and profile picture are public. To protect your identity, don’t use a photo, or use one that doesn’t show your face.

5. “UnPublic” your wall. Set the audience for all previous wall posts to just friends.

7. Block apps and sites that snoop. Unless you intercede, friends can share personal information about you with apps. To block that, use controls to limit the info apps can see."

Read the complete review of Facebook.com by Consumer Reports.

Slamming And Your Home Energy Bills

Recently, an I've Been Mugged reader wrote asking me about what to do with their home energy bill. The reader was concerned that they had been "slammed" -- their energy supplier had been switched without their approval. When thinking about situations like this, it is important for consumers to understand your rights first.

Each state in the USA has a Public Utility Commission (PUC) or state agency to govern and regulate which companies are licensed to sell energy (e.g., electricity, natural gas). So, to understand your rights a good first step is the PUC website for the state where you live.

I'll use the state where I live as an example. In Massachusetts, some private companies are licensed to sell only electricity, some only gas, and some both. The Executive Office of Energy and Environmental Affairs (EEA) provides the lists of licensed energy sellers in Massachusetts. Obviously, this is a list consumers would use to verify any private company selling energy in the state, especially door-to-door sales people.

The same EEA website describes consumers' various rights about energy services. For example, the "Cooling Off Period" describes the length of time consumers can change their mind after switching to a new energy service provider:

"Your choice of a competitive power supplier will not take effect for at least three business days. Should you change your mind during that three day period, you will not incur any charges."

The site also describes consumers' rights about slamming:

"A competitive power supplier may not switch you to its service without your consent. Your consent must take the form of either: 1) a written letter of authorization signed by you; or 2) your oral statement to an independent third party, such as a separate verification company. If you are switched without your authorization, you may file a complaint with the Massachusetts Department of Telecommunications and Energy by calling 1-800-392-6066."

Historically, slamming happened a lot with phone services, but lately it can happen with energy services, too. In 2011, the Georgia Public Service Commission (PSC) fined gas marketer Energy America with a $400,000 penalty for customers it "slammed." While some companies approach consumers at home, others perform phone solicitations.

Before accusing a company of slamming your energy service, I would first check with other members in the home, or a landlord, to see if somebody else signed an order to switch service. Then, I would contact the new energy supplier to get the sales person's name and a copy of that new-service order.

If slamming is still a concern, other steps I might perform in order:

1. Check the website of my existing energy supplier to see what they advise about slamming
2. Check my state's PUC website to understand my rights and what they advise about slamming
3. File a complaint with the PUC in the state where I live
4. File a police report with local law enforcement, since it is fraud to forge another person's signature
5. File a complaint with the Federal Trade Commission
6. Consult with an attorney to see what other options there may be for consumers

Having difficulty finding the website for your state's PUC? This list may help.

Data Breach By PWC Exposes Personal Data Of Under Armour Employees

The Baltimore CBS News affiliate reported during the weekend about a data breach at Under Armour, that exposed the sensitive personal information of employees. The company's auditing firm, PWC, lost on or about April 12 in the postal mail an unencrypted flash drive containing personnel information.

The data elements lost or stolen included employees' names, Social Security numbers, and pay. Under Armour has about 5,400 employees worldwide. Employees have been offered one year of free credit monitoring. PWC is investigating how its security failed.

This PWC data breach highlights the data security risks and impacts from an outsourcing vendor. And no client company wants a breach by their auditing firm. Sadly, this is not the first breach by an auditing or accounting firm. Notable breach history:

Year	Company	Auditor / Accountant	# Records	Comments
January, 2012	Regions Financial Corp.	Ernst & Young	Unknown	Sensitive personal financial information including SSNs of current and former Regions employees. Auditor from Ernst & Young mailed a flash drive and decryption code. Flash drive lost/stolen. Regions employs ~27K people in 16 states.
April 2009	Borrego SPrings Bank	Not disclosed	Unknown	Sensitive personal financial information including bank account names, numbers, and balances. Theft of 7 laptop computers from an auditing firm's office.
January 2008	Mariner Health Care, SavaSeniorCare Administrative Services, LLC	Windham Brannon	80, 124	Sensitive personal and financila information including current and former employees' SSNs, 401(k) data, DOBs, and salaries. Cash and several laptops stolen from Windham's Atlanta office.
March, 2007	Springfield City Schools (Ohio)	State Auditor	1,950	Sensitive personal information of current and former employees. Theft of laptop from a state auditor employee's vehicle parked at home.
October 2006	Community National Bank	Crowe Chizek	90	Sensitive personal and financial information including SSNs, tax ID numbers, and account numbers. Two laptops belonging to Crowe auditors were stolen from a car in a restaurant parking lot.
October 2006	DirecTV	Deloitte & Touche	55	Names and SSNs of some current and former employees. Laptop stolen during the home of a Deloitte & Touche employee.
Data Source: Privacy Rights Clearinghouse

Consumer Reports Reviews Several Prepaid Cards

This blog previously warned consumers about the differences between the three types of plastic in your wallets/pursues. Consumer Reports published the findings of its review of several prepaid cards, and concluded:

"... although fees are beginning to come down, they aren't always disclosed upfront. Moreover, prepaid cards offer weaker consumer protections than those provided by traditional debit cards..."

Some of the higher fees Consumer Reports found with prepaid cards:

• Activation or initiation fees ranging from from $3 to $14.95.
• Monthly fees as high as $10
• Fees to get cash as high as $2.50 per withdrawal
• Fees to contact customer service as high as $2.99 per call.

Obviously, consumers should ask for and read closely the terms and conditions or prepaid card agreement before purchasing a prepaid card. It is wise to understand the different types of prepaid cards.

Related posts:

• Your Rights And The Differences Between The Three Types Of Plastic In Your Wallet Or Purse
• How To Evaluate a Health Care Debit Card Plan From Your Employer
• Bank of America Merchant Services And Money Network Announce New Payroll Solution
• Move Your Money To... Walmart? A Good Deal?
• How To File A Complaint About A Bank

BCBS Of Tennessee To Pay $1.5 Million To HHS To Settle 2009 Breach

Blue Cross Blue Shield of Tennessee (BCBST) announced a settlement agreement with the U.S. Department of Health and Humans Services (HHS) about its 2009 data breach which exposed the medical records of about 500,000 patients in 32 states. Terms of the settlement agreement require BCBST to pay a $1.5 million penalty and submit to a 450-corrective action plan.

HHS had alleged in a lawsuit that BCBST had violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rules. The HIPAA Security Rules require covered health care organizations to notify affected individuals of any breach involving their health information, and to notify HHS and the news media about any breaches affecting more than 500 consumers.

HHS disclosed in a news release:

"... BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."

The 450-day corrective action plan requires BCBST to:

• Review, revise, and maintain its Privacy and Security policies and procedures,
• Conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and
• Perform monitor reviews to ensure BCBST compliance with the corrective action plan.

SAIC To Pay $500.4 Million to Settle Suit With U.S. Attorney And City of New York

Last month, Science Applications International Corporation (SAIC) announced a settlement with the U.S. Attorney Office for the Southern District in New York and with the City of New York about the company's CityTime system. Terms of the settlement require SAIC to pay $500.4 million in restitution and penalties, and an independent monitor selected by the U.S. Attorney's Office will review certain policies and practices by SAIC for three years.

CityTime is an automated workforce management system used by about 163,000 New York City employees in 65 agencies. According to a press release (Adobe PDF) by the U.S. Attorney's Office:

"Under the agreement, SAIC will forfeit a total of $500,392,977 to the Department of Justice, and forgive more than $40 million still owed by the City to SAIC in connection with the CityTime project. In a Statement of Responsibility (the “Statement”) that was part of the agreement, SAIC acknowledged that it failed to properly investigate a 2005 ethics complaint filed by a whistleblower alleging, among other things, that the project’s Program Manager, Gerard Denault, had to be receiving kickbacks on the project from the single source subcontractor he had hired to perform the work. SAIC also accepted responsibility for the illegal conduct alleged against Denault and admitted to by Carl Bell, who served as Chief Systems Engineer in SAIC’s New York City office."

The City of New York had selected SAIC's CityTime system to modernize its timekeeping and payroll systems across City agencies. In 2000, SAIC became the lead contractor on the City's CityTime project, with a value then of approximately $73 million. The Washington Post reported recently:

"Last year, SAIC said it removed three top executives — Deborah Alderson, president of the company’s defense solutions group; John Lord, her deputy; and Peter Dube, general manager of the enterprise and mission solutions business — although the company said there was no evidence that any of the three were involved in the fraud."

SAIC, a Fortune 500 scientific, engineering and technology applications company employs about 41,000 people worldwide, and about 93% of its business is generated by government contracts. In 2011, SAIC was involved with a TRICARE data breach that exposed the sensitive personal data of 4.9 million active and retired military personnel and their families.

Class Action Suit Filed Against Path Claims More Data Was Collected Besides Address Books

A second class-action lawsuit was filed against Path Inc. claiming the company's mobile app collected more infromation than just users' address books. The suit also calimed that users of the Path app were:

"... victims of unfair, deceptive, and unlawful business practices; wherein their property, privacy, and security rights were violated..."

The additional data allegedly collected without notice and without consent included find GPS locations, users' personally identifiable information, and the personal information of minor children.

The suit claims that the information collected was distributed to other companies with notice or consent, and that tracking methods were added to users digital information:

"Affix to Plaintiff's and Class members' digital content, referencing photos, videos, and audio files, without notice or authorization tracking mechanisms and information... "filtering" of digital content by installation of geo-tags for tracking, interception and monitoring of social network interactions... that third-party social network interactions would be monitored and then transmitted, used, disclosed, and stored on path's servers..."

The suit claims that Path stored address book information is an insecure manner. By February 2012, Path reportedly had about 2 million users.

The suit was filed in Northern District Court of California by attorneys Strange & Carpenter of Los Angeles, and Joseph Malley of Dallas. Readers of this blog recognize Malley, often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Hulu.com and KISSmetrics ("zombie E-Tags"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, Malley has plenty of experience with online privacy and tracking issues.

You can download the Hernandez et al v Path Inc. complaint from Courthouse News (Adobe PDF).

Global Payments Breach Affects 1.5 Million Consumers

Last week, debit and credit card payments processor Global Payments Inc. announced that its systems had been breached by hackers and perhaps as many as 3 million credit and debit card numbers had been stolen. Global Payments processes transactions for Visa and MasterCard for retailers and card issuers.

In a statement released Sunday, Global Payments revised downard the number of stolen cards:

"... it identified and self-reported unauthorized access into its processing system. The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained..."

The company has not disclosed how hackers breached its systems, nor the duration of the breach. The company's Monday-morning conference call focused on earnings and left little time for questions about the breach details.

The term "Track 2" refers to certain data elements stored in the magnetic strip on the back of debit and credit cards. Also on Sunday, Visa removed Global Payments from its list of "compliant service providers." Forbes magazine reported that the company expects to quickly correct the Visa compliance issue:

"Global Payments chief executive Paul Garcia is quoted in the company’s statement as saying that “We are making rapid progress toward bringing this issue to a close,” and emphasized that all major brands of cards still allow Global Payments to act as a payment processor."

After a breach like this, card issuers (e.g., banks, credit unions, retailers) will usually notify directly those cardholders with stolen account information, and whether replacement cards and accounts will be issued. And the card issuers usually seek reimbursement from the payments processor to cover the costs of issuing replacement cards to consumers.

Another payments processor, Heartland Payment Systems, experienced a much larger breach in 2008, after which multiple lawsuits resulted as card issuers provided replacement cards and accounts. With a reported 800,000 merchants and 3.5% market share, Global Payments is a smaller payments processor, when compared to First Data Corporation's 22.6% market share.

The largest banks, like Bank of America, have subsidiaries with joint venture arrangement with processor First Data to process card transactions. It seems to me that hackers have smartly figured out a way to steal valid credit/debit card information is to attack the transaction processors instead of retailers, like T.J.Maxx, or banks directly.

I called Global Payments to see how many retailers they may have lost already due to the breach and their inability to process Visa transactions. The public relations rep referred inquiries to the company's data breach site: www.2012securityupdate.com, which includes this statement to its merchants/retail clients:

"We are still processing all of your transactions, including Visa transactions, and will continue to work with the card associations in response to this incident."

Time will tell if and how long that continues. The company's breach web site also advises affected cardholders who suspect fraud to monitor their accounts, contact their card issuer, and place a Fraud Alert on their credit reports.

The Global Payments breach highlights the fact that several companies are involved in debit/credit card transaction flow, from the time yo swipe your card until when payment is completed. And, the security of that transaction flow is only as strong as the weakest link, or company, in the flow.

MBTA Releases Third Proposal: Smaller Fare Increases And Fewer Service Reductions

Earlier this year, the MBTA held 25 community meetings to collect feedback from the public about its two proposals; each including different amounts of fare increases, service reductions, and service eliminations. Yesterday, the MBTA release a third proposal, based upon feedback from the public, which includes smaller fare increases and fewer service changes than the first two proposals.

Highlights of the latest proposal:

• Reduces its single year deficit from $185 million to $159 million
• 23% overall fare increase
• 35% fare increase for ferry riders
• Green Line: elimination of E branch weekend service between Brigham Circle and Heath Street
• Commuter Rail: elimination of weekend service on Needham, Kingston/Plymouth, and Greenbush lines
• No reduction in RIDE service, but a $5.00 premium territory fare
• Creation of a "Watch List" for low-performing routes

While the overall, average fare increase reportedly is 23%, the actual fare increases for certain segments are greater. These increases are still painful for many residents who can least afford the increases. Single-fare increases:

• Seniors: local bus: 87.5%
• Seniors: rapid transit: 66.7%
• Student: local bus: 25.0%
• RIDE within ADA territory: 100.0%
• RID outside ADA territory: $5.00 surcharge per trip

Fare increases for selected passes:

• Senior/TAP: 40.0%
• Student 5-Day: 25.0%

Several documents describing the latest proposal are available at the MBTA.com website. The fare increases and service changes will affect everyone, not just MBTA customers. The MBTA Impact Analysis (Adobe PDF; 3.4 M Bytes) states the following about air quality and quality-of-life impacts:

"A reduction in transit trips and addition of automobile trips generally causes increases in the generation of CO, VOC, NOx, CO2, and particulates... as the numbers of automobile trips and vehicle hours increase, the congestion on area roadways also increases. This additional congestion results in lower travel speeds (which are associated with higher emissions of pollutants) for all vehicles, not just those of former transit users... Scenario 3 results in increases in all pollutant emissions and an overall worsening of air quality. VOC emissions increase by the greatest percentage, followed by CO and CO2. Scenario 3 bears out a general rule that usually applies in air quality analyses of this kind: any loss in transit ridership that results in an increase in auto vehicle-miles and vehicle-hours traveled will lead to some level of increase in pollutants."

The fare increases and service changes move the state away from sustainable solutions and towards a greater dependence upon automobiles (and petroleum), with both increased air pollutants and greenhouse gas emissions. This is the wrong direction. Commute times will increase and air quality will worsen for everyone. We cannot drive our way out of this problem.

Transportation systems in several American cities face fiscal issues similar to Boston's system. Several consumer groups are planning a national protest about mass transit for April 4, the 44th anniversary of the assassination of Dr. Martin Luther King.

A Privacy Bill Of Rights For Mobile Users

The Electronic Frontier Foundation (EFF) issued a statement calling for a bill of rights for wireless users. Because mobile devices are always on and store a vast amount of sensitive personal data (e.g., contacts, Internet usage, social networking website usage, GPS location, calendar, phone calls made and received, online banking, photographs, user-created documents, etc.), the EFF believes firmly that:

"... he stakes are even higher for manufacturers, carriers, app developers, and mobile ad networks to respect user privacy in order to earn and retain the ever-important trust of the public."

I agree with this position, and this blog has covered numerous instances where mobile device manufacturers, telecommunications providers, advertising networks, apps-store operators, and/or app developers working singularly or together have abused consumers' privacy. The EFF's proposed Mobile User Bill of Rights contains six items:

1. Individual control: Users have a right to exercise control over what personal data applications collect about them and how they use it. Although some access control exists at the operating system level in smart phones, developers should seek to empower users even when it's not technically or legally required by the platform. The right to individual control also includes the ability to remove consent and withdraw that data from application servers. The White House white paper puts it well: "Companies should provide means of with drawing consent that are on equal footing with ways they obtain consent. For example, if consumers grant consent through a single action on their computers, they should be able to withdraw consent in a similar fashion."

2. Focused data collection: In addition to standard best practices for online service providers, app developers need to be especially careful about concerns unique to mobile devices. Address book information and photo collections have already been the subject of major privacy stories and user backlash. Other especially sensitive areas include location data, and the contents and metadata from phone calls and text messages. Developers of mobile applications should only collect the minimum amount required to provide the service, with an eye towards ways to archive the functionality while anonymizing personal information.

3. Transparency: Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation. Transparency is particularly critical in instances where the user doesn’t directly interact with the application (as with, for example, Carrier IQ).

4. Respect for context: Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided. If contact data is collected for a "find friends" feature, for example, it should not be released to third parties or used to e-mail those contacts directly. When the developer wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user.

5. Security: Developers are responsible for the security of the personal data they collect and store. That means, for example, that it should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer.

6. Accountability: Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them.

The industry would be well advised to comply now with this bill of rights, rather than wait, deflect, and avoid. It can simply look at the airline industry as an example of what happens when an industry abuses it customers, loses the public's trust, and is then forced to comply with a airline passengers bill of rights.

Your Rights And The Differences Between The Three Types Of Plastic In Your Wallet Or Purse

While this blog has covered a variety of banking issues, one of the more important issues is that consumers need to know about the three types of "plastic" in your wallet or purse. Otherwise, you are likely to be "mugged" by your bank or card issuer.

As part of National Consumer Protection Week, the U.S. Federal Deposit Insurance Corporation (FDIC) listed the differences between credit, debit and prepaid cards. There are important differences about how interest rates, fees, and your liability apply. Your rights vary greatly with the type of "plastic" you choose to use.

What protections do consumers have with prepaid cards? How are prepaid cards different? The first thing you need to know is that there are several types of prepaid cards:

• "General purpose reloadable" (GPR) cards: these carry a brand of a card network (e.g., Visa, MasterCard) and can be used wherever that brand is accepted
• Payroll cards
• Gift cards

Prior blog posts have discussed payroll cards from Bank of America and the Walmart MoneyCard. How prepaid cards work:

"... allow consumers to spend only the money deposited onto them, can have a number of different features. For instance, some gift cards may be used only at a single merchant; most GPR cards may be used to pay for purchases and access cash at ATMs."

When using a prepaid card, your liability is different from a credit or debit card:

"Liability depends on the type of funds on the card. If the card is a payroll card, then the liability rules are the same as for debit cards. But if the card is a general purpose reloadable card or a gift card, then there are no protections to limit your liability under federal law."

What prepaid card issuers (e.g., retail store, employer, bank) must tell you in the prepaid card agreement varies:

"Disclosures depend on the type of card. For example, payroll cards must disclose any fees and the error resolution process, but a GPR card does not have any disclosure requirements. In addition, gift cards must disclose the terms of dormancy fees, whether there is an expiration date, and any other associated fees."

Similarly, your rights and access to statements are different with prepaid cards:

"Payroll cards must provide either a periodic statement or account balance by telephone as well as electronic transaction history. GPR cards and gift cards do not have periodic statement requirements under federal law."

When terms change for a prepaid card, your rights about advance notice of changes are different, too. With prepaid cards, you generally don't get as much advance notice as with credit cards (45 days):

"Payroll cards must provide 21 days notice before making changes to fees charged or the liability limits for unauthorized transactions. GPR cards and gift cards are not required to do so under federal law."

Some people like prepaid cards because they can avoid interest rates. It is wise for consumers to fully understand the types of fees that apply to prepaid cards:

"GPR cards and gift cards have certain restrictions on dormancy fees charged. There are no specific requirements related to payroll cards under federal law."

So, you are probably wondering if prepaid cards are a good deal, or not. That answer depends upon your financial situation and the type of prepaid card you expect to use.

Since I already have checking and savings accounts at a bank, prepaid payroll cards are of no value to me. I find extremely troublesome the lack of restrictions on payroll cards, which means the banks can change terms, fees, and interest rates whenever they want; and as high as they want.

If you don't have a checking account, then a payroll card may benefit you. (Given the fee schedules and lack of restrictions, payroll cards will definitely benefit the banks but not necessarily consumers.) However, closely read the card agreement and fee schedule first. You may be better off (e.g., fewer fees, lower rates) opening a checking account instead at a community bank or credit union.

I still find retailers' prepaid gift cards (e.g., Dunkin' Donuts, Stop 'n Shop, Cheesecake Factory) useful for some holiday or birthday gifts, but the lack of agreements with many prepaid gift cards is troublesome. The lack of an agreement means the card issuer can change things whenever they want and not notify you. I will likely reduce my use of prepaid gift cards to only those that have card agreements.

What's your opinion? Do you use prepaid cards? If so, which types? If not, why not?

HSBC Agrees To Pay $5.25 Million Settlement To NCUA

Last week, the National Credit Union Administration (NCUA) announced a settlement agreement with HSBC. HSBC hs agreed to pay $5.25 million to the NCUA for a complaint about its sale of residential mortgage-backed securities to five failed credit unions. The settlement agreement does not require HSBC to admit fault.

Similar to FDIC and the banks it oversees, the NCUA charges the credit unions it oversees with fees to cover failed credit unions and to protect depositors' assets. The NCUA uses the Temporary Corporate Credit Union Stabilization Fund (TCCUSF) to cover failed corporate credit unions. In this instance, the true risk of the mortgage-backed securities sold to corporate credit unions allegedly wasn't disclosed and led to the failed credit unions. Any payments the NCUA collects is used to offset future fees the NCUA charges for the TCCUSF.

The NCUA had filed five lawsuits against various securities firms, and had negotiated settlements with Deutsche Bank Securities ($145 million) and Citigroup ($20.5 million).

Corporate credit unions provide various services (e.g., short-term loans, check clearing, electronic funds transfers, ATM networks) to the consumer credit unions they serve. Consumer credit unions are the credit unions which we consumers join. Corporate credit unions are chartered by the NCUA or states.

In its 2010 annual report, the NCUA listed the following corporate credit unions:

Corporate Credit Union Name	State	Assets (Mill)	Members
Corporate America CU	Alabama	$3,701.7	369
First Corporate	Arizona	$979.4	51
Western Bridge Corporate Federal	California	$16,756.3	1,010
System United Corporate Federal CU	Colorado	$2,091.3	363
Southeast Corporate	Florida	$2,561.5	390
Georgia Corporate Federal CU	Georgia	$1,737.1	171
Iowa Corporate Central CU	Iowa	$108.2	159
Members United Bridge Corporate Federal	Illinois	$10,012.9	2,166
Kansas Corporate	Kansas	$302.3	148
Kentucky Corporate	Kentucky	$363.3	105
Louisian Corporate	Louisiana	$146.7	172
Eastern Corporate	Massachusetts	$507.5	278
Tricorp	Maine	$617.1	184
Central Corporate	Michigan	$2,394.3	359
Missouri Corporate CU	Missouri	$501.0	223
Treasure State Corporate CU	Montana	$386.3	63
First Carolina Corporate	North Carolina	$1,917.7	172
Midwest Corporate	North Dakota	$181.7	60
Corporate One Federal CU	Ohio	$2,881.1	768
MidAtlantic Corporate	Pennsylvania	$3,025.7	888
Volunteer Corporate	Tennessee	$1,351.7	256
Southwest Bridge Corporate Federal	Texas	$7,745.3	1,377
VA Corp	Virginia	$1,056.5	229
Corporate Central CU	Wisconsin	$1,623.7	281
West Virginia Corporate Federal CU	West Virginia	$228.1	110
U.S. Central Bridge Federal	Kansas	$18,412.9	56
Total		$81,591.1	10,428

Two Years After Its Data Breach, Upromise Email Notice Leaves Customer Confused

William, an I've Been Mugged reader, received the below email message from Upromise.com:

"From: Upromise (member@your.upromise.com)
Subject: Important information regarding Personalized Offers
Date: March 10, 2012 12:14:23 AM EST
To: ***********@************

Dear William,
Our records show that you had the TurboSaver® toolbar installed with the optional Personalized Offers feature enabled at some point through January 21, 2010. Through that date, because of an issue with vendor-supplied software, the use of this feature resulted in the unintended collection and transmission of certain categories of your personal information to Upromise or our vendor. Depending on how a particular web page was configured, this could have included information you entered into forms such as usernames, passwords, search terms, credit card numbers or financial account numbers. Our members' privacy is extremely important to us, and we took immediate action when we learned of this issue in January 2010 by directing the software vendor to disable the Personalized Offers functionality. As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled.

As always, if you would like to uninstall the TurboSaver toolbar, simply access the toolbar menu by clicking the Upromise logo on the left hand side of the toolbar, select "Uninstall" and follow the prompts. If you have any questions, or need additional information, we welcome you to contact us at 1-800-877-6647 or email questions@upromise.com.

Sincerely,

The Upromise Customer Care Team
www.upromise.com"

William doesn't remember receiving a prior breach notice from Upromise, and says he is diligent about opening both email and postal mail from companies he does business with. William wants to know what is happening at Upromise, and why he received an email that looks like a breach notice two years after the data breach.

William does not appear to be the only concerned Upromise member. You can read posts by a couple customers in the Upromise community forum.

A review of the Upromise Facebook page and Upromise Insider blog did not find any posts during 2012 about a breach notice. I contacted Upromise and a representative, Deborah Hohler replied:

"When the matter came to our attention two years ago, we immediately addressed it and saw no evidence anyone’s data was misused. The protection of personal information is extremely important to us. This email communication was in connection with a proposed consent order from the FTC, and we worked with them on actual content and timing of the message."

At this point, a little history might help. In January 2010, PC Magazine reported about the Upromise breach involving the Upromise Toolbar:

"Privacy researcher and Harvard Business School Professor Ben Edelman has written a report on the practices of the Upromise Toolbar, called TurboSaver by the company. Upromise is a membership system through which you can earn money for college savings by buying items from certain vendors through Upromise. The toolbar facilitates this in your browser and tracks user behavior."

Another breach at a Sallie Mae company seems to have been the result of insider identity theft. In July 2011, WTHR Channel 13 in Indiana reported:

"The suspect is an employee at another Sallie Mae spin-off in Massachusetts - College Choice... In a letter sent to more than 300 parents, College Choice admitted an employee with its program manager, UPromise Investments, accessed names, social security numbers, birthdays and other contact information for seven months while on the job."

Also during July 2011, Upromise filed a breach notice (Adobe PDF) with the State of New Hampshire Department of Justice. The notice did not disclose how many customers were affected, but confirmed the WTHR news report and that letters were mailed to breach victims on June 23, 2011 -- about six months after the toolbar breach was discovered. I also checked Maryland, Vermont, and Wisconsin. None contained any Upromise breach notices, but Maryland hasn't yet uploaded breach notices received during 2011.

William lives in a state that does not post online the breach notices it receives.

The January 18, 2012 U.S. Federal Register (Adobe PDF) mentioned a proposed settlement agreement between the U.S. Federal Trade Commission (FTC) and Upromise, which alleged that:

"... Upromise engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal information it collected and maintained. Among other things, Upromise: (1) Transmitted sensitive information from secure web pages, such as financial account numbers and security codes, in clear readable text; (2) did not use readily available, low-cost measures to assess and address the risks to consumer information; (3) failed to ensure that employees responsible for the information collection program received adequate guidance and training; (4) failed to take adequate measures to ensure that its service provider employed reasonable and appropriate measures to protect consumer information."

The proposed settlement agreement includes six parts describing the actions Upromise must take to improve its data security and notices to its members (bold emphasis added):

"Part I of the proposed order requires Upromise to disclose to consumers—before the download or installation of software that records or transmits information about any activity occurring on a computer involving the computer’s interactions with Web sites, services, applications, or forms—the types of information collected and how the information will be used. The disclosure must be clear and prominent and separate from other notices. The company must also obtain consumers’ express affirmative consent before the consumer downloads, installs, or otherwise activates such software. In addition, the company must provide this clear and prominent notice, and obtain express affirmative consent, before enabling data collection through any previously installed TurboSaver Toolbar and before making any material change from stated practices about collection or sharing of personal information through the Toolbar.

Part II of the proposed order requires Upromise to provide notice to consumers who, prior to the issuance of the order, had the Personalized Offers feature enabled. The notice must inform consumers about the categories of personal information that were, or could have been, transmitted by the feature, and how to disable the Personalized Offers feature and uninstall the Toolbar. Part III of the proposed order requires the company to destroy data it collected during the years covered by the complaint unless otherwise directed by the Commission.

Part IV of the proposed order prohibits the company from making any misrepresentations about the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any information collected from or about consumers. Part V of the proposed complaint requires Upromise to maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of such information (whether in paper or electronic format) about consumers. The security program must contain administrative, technical, and physical safeguards appropriate to Upromise’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees. Specifically, the proposed order requires Upromise to:
- Designate an employee or employees to coordinate and be accountable for the information security program;
- Identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
- Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures; - Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Upromise or obtain on behalf of Upromise, and require service providers by contract to implement and maintain appropriate safeguards; and
- Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Part VI of the proposed order requires Upromise to obtain within the first one hundred eighty (180) days after service of the order, and on a biennial basis thereafter for a period of twenty (20) years, an assessment and report from a qualified, objective, independent third party professional, certifying, among other things, that: (1) It has in place a security program that provides protections that meet or exceed the protections required by the proposed order; and (2) its security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of sensitive consumer, employee, and job applicant information has been protected."

Upromise is a rewards program where members save towards college by making everyday purchases with Upromise partners: brick-and-mortar and online stores, restaurants, grocery stores, drug stores, and similar retailers. Upromise members include parents, grandparents, and other family members saving for college for a child, grandchild, or family member. Upromise members can invest their savings in a high-yield savings account or tax-deferred 529 plan, and then use that to pay down student loan, or request a check to pay for college expenses.

What might all of this mean?

According to Hohler at Upromise, the email message William received was part of the above proposed settlement agreement with the FTC (probably Part 2). Given this, the email is in my opinion confusing and unnecessarily vague. It raises more questions than it answers.

A better email update would have reminded Upromise members that this email was follow-up to a prior breach notice, and that it was prompted in part by the settlement agreement with the FTC. The email update didn't mention the settlement agreement at all.

A better email update would also explain why Upromise left a toolbar installed in customers' web browsers that might display inaccurate messaging which might confuse users:

"As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled."

This seems to conflict with Upromise's reply that, "... we immediately addressed it..." about the toolbar data breach. A defective browser toolbar still operating two years after the breach would make anyone wonder.

A better email update would instruct users how to upgrade the defective toolbar. A better email update would have mentioned the proposed settlement agreement with the FTC, and then outlined everything Upromise is doing, or has already done, to comply.

The comprehensive and detailed scope of the proposed consent agreement suggests to me that there were more data security problems at Upromise than a toolbar breach. It seems to me that most of the six parts of the proposed settlement agreement are data security methods a company would implement anyway to protect sensitive assets and customer information.

Having received a breach notice via postal mail after IBM's 2007 breach, I can definitely tell you that a breach letter is not something you would easily forget nor misplace. So, I believe William 100% when he said that the above email is his first notice from Upromise about its 2010 data breach.

In the 4+ years I have written this blog, I have encountered situations where companies experiencing data breaches have created a website about its breach investigation. IBM created such a web site after its 2007 data breach. I searched for such a site at Urpomise and didn't find one. Perhaps its exists and is behind a secure log-in available only to customers. Then again, William would have mentioned it if it exists. A better email update would summarize its breach investigation(s) and explain the proposed consent agreement.

As it stands, users like William are unsure and left wondering exactly what is happening. Transparent communication promotes trust.

If you were affected by the Upromise breach, what has been your experience? What do you think of Upromise's post-breach response? What are your opinions of the proposed settlement agreement?

CFPB Accepts Complaints From Consumers About Checking And Savings Accounts

By now, you have probably heard about the new Consumer Financial Protection Bureau (CFPB), a federal agency designed to ensure that financial products and services for consumers are beneficial for consumers. Previously, the CFPB accepted complaints about credit cards and mortgages. Consumers can now submit complaints about checking and savings accounts to the CFPB. The website has a different form for consumers to share their stories about experiences with financial products.

Also, the CFPB is investigating how checking account overdraft programs affect consumers. Part of this investigation the CFPB seeks feedback from the public about a proposed “penalty fee box” disclosure on a consumers’ checking account statements to clarify the amount overdrawn and total overdraft fees charged.

Reportedly, the average overdraft fee ranged from $30 to $35 in 2011. A 2008 study (Adobe PDF) by the Federal Deposit Insurance Corporation (FDIC) found several alarming trends and statistics about overdraft programs.The CFPB has four concerns about overdraft fees:

1. Transaction Re-ordering that Increases Consumer Costs: the way that overdraft fees are applied by some banks increase costs to consumers. One practice is the co-mingling of all checks, bill payments, debit card transactions, and ATM withdrawals each day and processing the largest transactions first -- rather than in the order received. This maximizes the number of transactions that will trigger overdraft fees.
2. Missing or Confusing Information: the CFPB is analyzing how consumers anticipate and avoid overdraft fees given current banking disclosures -- and if there is a better way.
3. Misleading Marketing Materials: the CFPB is investigating reports that consumers have received misleading marketing materials about overdraft fees, since opt-in rates to overdraft programs vary widely by bank.
4. Disproportionate Impact on Low-Income and Young Consumers: The CFPB is concerned that overdraft programs disproportionately affect certain groups. The same 2008 FDIC study found several alarming statistics, including that 9 percent of checking account customers pay about 84 percent of overdraft fees.

You can view a prototype of this "penalty fee box" at the CFPB website (Adobe PDF). To submit feedback about overdraft fees, include the Docket No. CFPB-2012-0007 with your submission by:

• Online instructions: www.regulations.gov,
• Email: cfpb_overdraft_comments@cfpb.gov
• Postal Mail: send letters to Monica Jackson, Office of the Executive Secretary, Bureau of Consumer Financial Protection Bureau, 1500 Pennsylvania Ave, NW, (Attn: 1801 L Street, NW), Washington, DC 20220.

The CFPB began operation on July 21, 2011. In its annual report (Adobe PDF) to the U.S. Congress, the CFPB reported that by December 31, 2011, it had received 13,210 complaints from consumers, including 9,307 credit card complaints and 2,326 mortgage complaints. 44% of all complaints were submitted through the CFPB website, and about 15% via telephone calls.

The FTC advises consumers who experience identity theft or fraud with financial products to both submit a complaint to the CFPB and submit a complaint to the FTC.

PHI Project Releases Report About Health Care Data Security

On Monday, the PHI Project released a report about the state of data security within health care organizations titled, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security." Key findings:

• Weak Data Security: health care organizations are entrusted with safeguarding patient privacy, but their security efforts are not keeping pace with the growing risks of lost/stolen protected health information (PHI),
• Data Breach Activity: the number and size of data breaches including PHI are increasing. The negative impacts are financial, legal, clinical, and reputational for the organizations experiencing data breaches,
• The PHI Project recommends that health care organizations implement a five-step method – PHI Value Estimator (PHIve) -- to evaluate the risks of a breach of PHI data, and implement preventative measures.

According to Rick Kam, president and co-founder of ID Experts and chair of the PHI Project:

“No organization can afford to ignore the potential consequences of a data breach... We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI.”

The PHI Project is a partnership including the American National Standards Institute (ANSI) via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) -- with assistance from ID Experts.

Bank Of America To Test New Fees

After consumer backlash last fall forced it to abandon plans to add fees for consumer debit card accouns, the Bank of America is now testing new fees for checking accounts in three states: Arizona, Georgia, and Massachusetts. Reportedly, the new monthly fees apply only to new accounts and range from $9 to $25 depending upon the consumer's account balance.

Meanwhile, the Massachusetts Secretary of State Galvin seeks legislation for national banks operating within the state to offer free checking accounts for young adults under 19 years of age and elders ages 65 and older. Galvin wants to prohibit these banks from holding state and local government deposits unless they offer free checking for these two groups. State-chartered banks in Massachusetts are already required by law to offer free checking to these two groups.

To learn more, visit the banking authority for your state.