Former Employee At Web Hosting Service Arrested And Charged With Felony Computer Breaches

Ars Technica reported that Eric Gunnar Gisse, a former Hostgator employee, has been arrested and charged with felony computer breaches. Gisse allegedly used his position to install secret code that allowed him unauthorized, "back door" access to more than 2,700 Internet-connected computer servers. Gisse, of San Antonio, Texas is being held on $20,000 bail in the Harris County jail.

This highlights one risk with cloud computing services. Many companies outsource the operation of their website to third-party vendors, such as Houston-based Hostgator, that offer what the industry calls "web hosting services." This is not new.

As a usability professional who has worked with several digital agencies, I have seen this outsourcing repeatedly work well and data maintain security. The issue is when employees abuse their positions and either steal or expose the sensitive information of people who use the compromised web servers.

The C/Net website lists companies that provide web hosting services.

ACLU Files FTC Complaint Against Mobile Carriers About Smartphone Security Failures

The American Civil Liberties Union (ACLU) has filed a complaint via the U.S. Federal Trade Commission (FTC) against several mobile carriers for:

"... failing to warn their customers about unpatched security flaws in the software running on their phones... running versions of Google’s Android operating system. Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks."

The mobile carriers named in the complaint include AT&T Inc., Verizon Wireless, Sprint Nextel Corp., and T-Mobile USA. In its announcement, the ACLU also said:

"Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path... Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners."

Download the ACLU complaint (Adobe PDF, 438k bytes).

Update: Schnucks Data Breach Exposed 2.4 Million Cards

Back in March 2013, this blog reported about the Schnucks supermarket data breach. On Monday, the St. Louis Business Journal reported:

"Over a three-month period, up to 2.4 million credit and debit cards used at 79 Schnucks stores may have been compromised..."

Two civiil lawsuits have been filed against the company. Now we know more than we did in March. Still, not good.

Consumers Advised To Be Wary Of Prepaid Card Protections

If you haven't read it, there is an article by Sheila Blair in USA Today. Blair is a chairwoman at the FDIC and also a senior adviser to the Pew Charitable Trusts. If you use a prepaid card, then this article is a must-read. If you are considering a prepaid card instead of a traditional bank account (e.g., checking and savings), then this article is a must read.

In her article, Blair explores the relationship between banks, prepaid cards, and FDIC insurance protection for consumers:

"Banks sometimes fail... because of insurance provided by the Federal Deposit Insurance Corporation (FDIC). When a bank fails today, its insured depositors never lose a dime. By design, the failing bank is usually taken over by another bank... In fact, nearly 500 banks failed during the financial crisis and its aftermath, and every single depositor had access to their insured money within one business day... But this seamless protection for insured depositors can be avoided by companies that offer "reloadable" prepaid cards, a rapidly growing product that many Americans use instead of conventional checking accounts..."

So, don't get "mugged" by your bank's prepaid card. Ask your prepaid card provider for a copy of the complete terms and conditions agreement for your prepaid card. To learn more, read the Prepaid Cards section of this blog.

The CFPB Accepts Complaints From Consumers About Money Transfers

If you are like most people these days, your transfer or "wire" money to people or companies. It's a fast, easy way to send money to somebody in another state or country.

Sometimes, consumers encounter problems when transferring money. The company involved performing the transfer may have made a mistake, and/or does not respond to fix the problem. Or, the resolution may be unsatisfactory. There is a new resource for consumers to help you get problems like these resolved: submit a complaint to the Consumer Financial Protection Bureau (CFPB).

The types of money transfer problmes the CFPB can help with:

• Money was not available when promised
• Wrong amount was charged or received (e.g., transfer amounts, fees, exchange rates, taxes, etc.)
• Incorrect or missing disclosures or information
• Other transaction issues (Unauthorized transaction, cancellation, refund, etc.)
• Other service issues (Advertising or marketing, pricing, privacy, etc.)
• Fraud or scams

This includes both domestic and international money transfers. When you send money electronically to people in other countries, these are called remittance transfers. Consumers can transfer money using banks or certain financial companies the industry calls "non-depository companies" or money transmitters.

By law, companies in the USA are required to provide consumers with a disclosure document (in English) before you pay for your remittance transfer. The disclosure document should include the exchange rate, applicable fees and taxes, and the amount of money to be delivered.There are additional protections for consumers:

"1. Consumers get 30 minutes (and sometimes more) to cancel a transfer. Consumers can get their money back if they cancel.

2. Companies must investigate if a consumer reports a problem with a transfer. For certain errors, consumers can get a refund or have the transfer re-sent without charge if the money did not arrive as promised.

3. Companies that provide remittance transfers are responsible for mistakes made by certain people who work for them.

4. The rules also contains specific provisions applicable to transfers that consumers schedule in advance and for transfers that are scheduled to recur on a regular basis."

All of these protections for consumers apply to remittance transfers that are more than $15. Learn more or submit a complaint to the CFPB about an unresolved problem you had with a financial product and service.

The CFPB Consumer Complaints Database Does What It Was Designed To Do

In March 2012, the Consumer Financial Protection Bureau (CFPB) began accepting complaints from consumers about bank accounts, including checking, savings, CDs, and related financial products and services. Consumers were able to submit complaints about poor customer service experiences with banks and financial institutions.

Later during 2012, the CFPB began accepting complaints about student loans, credit cards, and credit reporting. In April 2013, the CFPB began accepting complaints about money transfers. In March 2013, the CFPB expanded the database to include mortgage complaints received since December 1, 2011. This expansion also included the addition of complaints about bank accounts private student loans, and other consumer loans received since March 1, 2012.

In March 2013, the CFPB went live with its Consumer Complaints Database. Some facts about it:

• Contains complaints submitted by more than 90,000 consumers
• Includes 450 companies
• Total complaints received - 131,500
• Complaints cover bank accounts, mortgages, student loans, credit cards, and related consumer loans
• Complaints about credit reporting (e.g., credit reports, credit reporting agencies) will be added later
• 48% of complaints were submited through the CFPB website
• 9% of complaints were submitted bia telephone
• 32% of complaints were received from other rgulators and agencies
• At February 28, 2013, the CFPB sent 109,200 complaints (83%) to companies for review and response. Companies have already responded to 104,100 (95%) of those complaints sent

A typical complaint includes:

"... he type of complaint, the date of submission, the consumer’s ZIP code, and the company that the complaint concerns. The database also includes information about the actions taken on a complaint by those companies – whether the company’s response was timely, how the company responded, and whether the consumer disputed the company’s response. A consumer’s identity and other personal information is not included in the data."

So, similar to reports provided the BBB, the CFPB also tracks the status of complaint resolutionl. The CFPB goes further and includes resolution amounts.

In its summary report, the CFPB listed complaints by financial product type:

The CFPB has received 30,600 credit card complaints. The analysis of credit card complaints received by type:

Credit Card Complaint Type	%
Billing Disputes	15%
Annual Percentage Rate (APR) or interest rate	10%
Identity Theft, Fraud, Embezzlement	8%
Credit Reporting	7%
Closing, Cancel Account	6%
Other	6%
Collection Practices	5%
Late Fee	4%
Credit Card Protection, Debt Protection	4%
Collection Debt Dispute	4%
Total: top 10 credit card complaint types	69%

Of the 30,600 credit card complaints received, the CFPB has forwarded 27,700 (84%) to financial institutions for review and response, and forwarded 10% to other regulatory agencies. 5% of credit card complaints are considered incomplete, and 1% are pending. Companies have already responded to 24,800 (96%) of the complaints forwarded. The CFPB also reported:

"Since December 2011, companies have also had the option of reporting the amount of monetary relief, if any. The median amount of relief reported was approximately $125 with $25 being the most common amount of relief for the approximately 5,300 credit card complaints where companies reported relief. Consumers have disputed approximately 4,200 company responses (18%) to credit card complaints."

The types of mortgage complaints received by the CFPB:

The types of bank account and service complaints received by the CFPB:

The types of student loan complaints received by the CFPB:

The types of consumer loan complaints received by the CFPB:

The types of credit reporting complaints received by the CFPB:

Also, BusinessWeek summed it up quite nicely the impacts of the CFPB Consumer Complaints Database upon responses by financial companies:

"Response times have sped up by 3& percent since the database came online... Steven Ramirez, CEO of data-mining consultancy Beyond the Arc, says his financial industry clients are asking him to find patterns in the CFPB data that show where they’re lagging."

Transparency and information are critical to a healthy, functioning marketplace. It helps everyone: both consumers and financial companies. It helpfs financial institutions improve their customer service, which can lower their costs by reducing account turnover and by retaining customers they'd otherwise lose.

With more information, consumers can make better informed decisions about the products and services they purchase. I like that there is now another option for consumers, besides filing a lawsuit or doing nothing. Consumers can now log complaints which the CFPB forwards to banks and financial institutions for review and resolution.

No business is ever too big to avoid responding to customer complaints. To use a sports analogy: while the playing field is still far from being level, the CFPB Consumer Complaints Database removes a lot of the tilt in the field.

Thanks to the CFPB and its staff for all of their excellent, hard work. Learn more about the CFPB Consumer Complaints Database.

Survey: Consumer Usage And Perceptions About Mobile Banking

Late last month, the Federal Reserve Board (FRB) released the results of its latest survey of mobile usage by consumers for online banking. Key findings:

• 87% of the U.S. adult population has mobile phones
• 52% of mobile phones are smartphones (Internet-enabled)
• 87% of smartphone users accessed their devices to access the Internet during the past week
• 28% of all mobile phone owners used their devices for mobile banking during the past 12 months, up from 21% in December 2011
• 48% of smartphone owners used their devices for mobile banking during the past 12 months, up from 42% in December 2011
• 10% of mobile phone users who don't perform mobile banking expect to do so within the next 12 months

The specific mobile banking tasks consumers said they perform:

• 87% check account balances
• 53% transferr money between accounts
• 21% deposit checks
• 24% of smartphone users made mobile payments during the past 12 months,
• 42% made an online bill payment, down from 47% in 2011
• 6% of smartphone users made a retail point-of-sale payment during the past 12 months, up from 1% in December 2011. 22% want to use their mobile devices for retail purchases

Perceptions about the technology:

• 54% of mobile phone users said the primary reason they do not use their device for mobile banking is that their banking needs were already being met without the use of mobile banking. This is down from 58% in 2011
• 38% said concerns about the security were the primary reason for not us mobile banking. This is down from 42% in 2011
• 49% said security was the second most common reason given for not using mobile banking. This is up from 48% in 2011
• More than a third of mobile phone users who do not use mobile payments don’t see any benefit
  from doing so, and find it easier to pay with another methods (e.g., cash, credit, debit, prepaid)

Other tasks respondents said they use their smartphones for:

• 42% comparison shop while in retail stores
• 32% scan a product’s barcode to find the best price for the item
• 64% percent of those who comparison shop have changed where they purchased the product based on the information found
• 44% browse product reviews or get product information while shopping at a retail store
• 70% of those who browse product reviews have changed the item purchased based on the information found
• 64% of mobile banking users checked their account balance before making a large purchase
  in the past 12 months. About half of them did not purchase an item as a result of their account balance or credit limit

Who uses mobile phones:

• 10% are unbanked (neither they nor their spouse have a checking, savings, or money market account)
• 10% are underbanked (have a bank account, but also use a payroll card, payday lender, check cashier, or auto title loan)
• 59% of the unbanked have access to a mobile phone, half of which are smartphones
• 90% of the underbanked have access to a mobile phone, 56% of which are smartphones
• 49% of the underbanked said they used mobile banking during the past 12 months

The terms "unbanked" and "underbanked" are labels used within the banking industry. The FRB defines mobile banking as using a mobile phone to access a bank account, credit card account, or other financial bank account. So, mobile banking includes using the mobile phone's web browse, text messaging, or application features.

The reasons unbanked consumers gave for why they don't have a checking, savings, or money market account:

How consumers said they use the money from payday loans:

The reasons consumers said for why they don't use mobile banking services:

The reasons consumers said for why they don't use mobile payments:

Consumers' perceptions of the security of mobile phones and mobile banking:

Regarding mobile payments, the report found:

"Despite the increasing availability of phones equipped with near field communication (NFC) chips for use with NFC-based payment services, retailers and consumers appear to be trending toward adoption of non-NFC-based payment services. Indeed, consumers making mobile payments were nearly twice as likely to have used a mobile app or barcode to make their payment as to have made a payment by waving or tapping their phone."

How consumers with checking, savings, or money market accounts do their banking:

• 85% of banked consumers said they had visited a branch and spoke with a teller in the past 12 months
• 74% said they used an ATM machine
• 74% said they used online banking
• 34% said they used telephone banking
• 29% said they used mobile banking

The report's authors concluded:

"The two factors limiting consumer adoption of mobile banking and payments are concerns about the security of the technology and a sense that they don’t offer any real benefits to the user over existing methods for banking or making payments. With regards to security, consumers have actually become more likely in the past year to report that they simply don’t know how safe it is to use mobile banking, suggesting that consumers need to be provided with reliable and accurate information on the level of security associated with the various means of accessing mobile banking. In terms of the value proposition to consumers, the significant number of mobile users who reported an interest in using their phones to receive discounts, coupons, and promotions or to track rewards and loyalty points suggests that tying these services to a mobile payment service would increase the attractiveness of mobile phones as a means of payment."

The FRB's Consumer Research Section sponsored the survey and developed the report. GfK (formerly Knowledge Networks), an online consumer research firm. administered the survey from November 16 to 27, 2012. Nearly 2,600 respondents ages 18 or older completed the survey. The FRB conducted its first mobile survey in December, 2011.

Download the FBR "March 2013 - Survey of Consumers' Use of Mobile Financial Services" report (Adobe PDF, 941 kbytes).

5 Ways Retail Stores Spy On Their Shoppers

If you haven't read it, there is a good article at Consumer Reports which lists the ways retail stores spy on consumers while shopping. Not the online stores but the physical, brick-and-mortar store locations. Some of the ways stores spy on shoppers:

1. Spy cameras: armed with facial recognition software, these cameras record and track both your movements in the store, the items you look at, and for how long. Some stores use mannequins that contain spy cameras, to distribute cameras thought store areas. Stores often merge these recordings with data from your purchases: amount, payment method (e.g., cash, credit, debit), store sections (e.g., clothing, shoes, housewares, etc.), and items browsed (e.g., pants, dresses, cookware, etc.). Outside cameras record your auto data (e.g., license number, make, model) which is also merged with interior recordings.
2. Smart phone tracking: retailers record the geo-location data from your phone to map/track which departments you visit, in what order, and how long you stay in each department.
3. Interactive digital ads: many contain tiny cameras to record the shoppers that view the ads.
4. RFID technology: merchandise with radio frequency identification tags (RFID) can trigger nearby interactive digital ads, to then serve up targeted, personal ads based on the specific merchandise you are carrying
5. Product returns: many stores demand photo identification to process product returns. Stores claim that the reasons for this are to prevent fraud, but the data collection includes shoppers who do not commit fraud.

What is worse is that the stores do no disclose any warning to shoppers or parents, except that most states require stores to post product return policies visibly in stores.

What's your opinion of the tracking/spying?

Data Breach At Schnucks Supermarkets Affects Customers And Their Banks

St. Louis-based KSDK television reported a data breach at Schuncks supermarkets. The supermarket chain isn't yet sure exactly where (e.g., which stores) and how the breach occurred (e.g., in the store or with a debit/credit card processor). The breach occurred about a week ago.

Schnucks operates stores in Missouri, Illinos, Iowa, and Indiana. Customers have already seen unauthorized charges on their debit/credit cards. A representative from Montgomery Bank reported that about 600 of their accountholders have already filed fraud claims. Some customers wonder why the store has not posted alerts in its stores, so shoppers can use cash instead:

“They’re just letting people use their cards and not saying anything.”

Reportedly, the retailer has hired a forensics technology firm to assist it with a breach investigation. It sounds to me like the company' was caught unprepared and its post-breach response needs improvement. Customers need to be notified prompty to take appropriate action to avoid or minimize identity theft and fraud.

Facebook Becomes More Annoying

This morning, I decided to clean out my personal Facebook email folder. I use Facebook.com for two reasons: 1) connect with friends, family, and former co-workers; and 2) a business page for this blog to connect with readers. The Facebook mail I deleted was for #1.

If you use Facebook.com, it is important to manage your email inbox, since you probably have received Facebook email from both people you are connected to and business pages you have "liked." I found the process to delete old Facebook emails both time-consuming and difficult. Unlike traditional email software, the Facebook email interface forces members to delete one conversation at a time:

So, what should have taken at most 2 minutes, took almost 20 minutes. After deleting old conversations in my Facebook inbox, then I had to switch to the Facebook archive folder and repeat the deletion process:

I find this user interface unnecessarily difficult and time consuming. (Deleting Facebook email is even more tedious and time consuming if you delete items one message at a time. Who would choose that form of self torture?) Perhaps, making it difficult for you to delete your information is a key part of Facebook's "Big Data" strategy to retain as much of its members' content for as long as possible. Facebook frequently hides tasks in unlabeled drop-down menus, and/or in multiple locations you wouldn't expect.

Combine this with the new ads that appear directly in your Facebook News Feed (e.g., Facebook calls them "Suggested Pages," but an ad is an ad by any name -- and some users report this as spam!), and the service has become much more annoying. And, it seems that Facebook plans to deliver more ads in members' News Feeds in the future.

Of course, the folks at Facebook would love for you to use only Facebook email, and stop using traditional email. Last year, without asking Facebook switched the default email addresses in its members' profiles from your traditional email address to your new Facebook email address. Check your Facebook profile. I'll be you didn't notice that.

I switched back the default email address in my Facebook profile, since I still use traditional email. It is important to me to not use any single company's service for all of my online activities. To do that would be for me to give up my power as a consumer. No walled gardens for me. That's why I also use DuckDuckGo -- to escape from being trapped in the search engine filter bubble.

If you use Facebook email, what are your opinions of it? Share below.

Payment Processors: A New I've Been Mugged Topic

When consumers purchase a product or service with some form of plastic (e.g., credit cards, debit cards, prepaid cards) and their mobile device, usually several companies are involved in completing that transaction: getting the money to the retailer (online or brick-and-mortar). While many consumers may believe that only their bank is involved in processing the transaction, the reality is that more companies are often involved.

One type of company involved are payment processors, companies that process these financial transactions. Sometimes these payment processor companies experience data breaches where sensitive customer information is lost or stolen. With recent events in the banking industry, and the spread of prepaid debit cards, this new topic can help you more easily read about and understand what is happening within the banking and retail industries.

I have tagged this new topic retroactively to archived blog posts, so you read and understand the types of information available. See the new "Payment Processors" topic. I hope that you find it useful.

The State Of Texas Made $2.1 Million In 2012 Selling Drivers Personal Information

The CBS television network affiliate in the Dallas/Ft. Worth area reported that the State of Texas made $2.1 million in 2012 by selling the personal information of Texas drivers. Who buys this information collected by the Texas Department of Motor Vehicles:

"CBS 11’s I-Team Investigator Mireya Villarreal discovered nearly 2,500 agencies or businesses purchased the DMV’s data in some form last year. On this list there are towing companies, collection agencies, insurance companies, hospitals, banks, schools, city governments, and even private investigators."

The Driver Privacy Protection Act (DPPA) limits who can buy this information and what they can do with it. The report also highlighted the situation that Texas drivers cannot opt out of these sales.

CBS 11 provided a spreadsheet file which listed the companies that purchased information about Texas drivers. I spent some time reviewing the spreadsheet file and found:

• What happens in Texas doesn't stay in Texas. Companies from 30 different states purchased the information about Texas drivers
• Information about Texas drivers is popular. About 2,450 companies purchased information from at least 12 different business types
• Expected the unexpected. Businesses that purchased driver data included some you'd expect (e.g., auto dealers, banks, finance companies, title services), but also some you might not expect. The list of business types included auto actions, auto dealers, banks/credit unions, city agencies, collection agencies, finance companies, private investigators, salvage yards, title services, universities and colleges, and wrecker services
• Other who? The "Other" business type seemed to include some interesting organization names from the legal, oil, healthcare, software, and telecommunications industries; plus federal government agencies and some high schools.

The report did not mention the number records each company purchased, the total number of records purchased, or who the largest purchasers were. Knowing this would have enabled a deeper analysis. Then, you could compute an implied value to an average Texas driver's record.

The best comparison I can make is that the State of Florida made about $63 million in 2010 by selling drivers information, with an average value per record of about $ .01. This makes one wonder if Texas government officials did a poor job of selling driver information, or Florida government officials did an exceptional job.

While I didn't see in the Texas list of purchasers the high-profile names of data brokers from the Florida sales, I assume that intermediaries were used.

After reading the Texas DMV webpage about the DPPA, I felt that this page could do a far better job of informing consumers what is really happening. Other states say little in their websites about the money they make from DPPA sales.

What do you think of your state making money by selling your personal information?

Chicago Transit Authority Riders To Use New Ventra Card Starting This Summer

Last month, the CBS television network affiliate in Chicago reported about a new fare card to be offered this summer in Chicago by the local public transit authority. The news report stated:

"... one of the companies behind the new card gets an F rating from the Better Business Bureau... It will be offered by Money Network, which is owned by First Data. Money Network currently has an F rating with the BBB."

Reportedly, the "F" rating was based on complaints by consumers since 2010. Chicago officials said that the new Ventra fare system will save the Chicago Transit Authority (CTA) about $50 million during its 12-year contract with Money Network.

The new Ventra fare card will be available for Chicago consumers during the summer of 2013. Consumers will have the option to use the Ventra card to pay for CTA fares, or to opt in and also use it as a prepaid debit card to pay for purchases at local retail stores. By 2014, the CTA will migrate fully from the current Chicago Card and Chicago Card Plus payment methods to the new Ventra system. In the future, consumers will also be able to pay using their smart phones.

I visited the Ventra Chicago website to learn more. The website provides some information about this new fare and prepaid card:

"Cards are issued by MetaBank™, Member FDIC, pursuant to license by MasterCard International Incorporated. MasterCard and the MasterCard Brand Mark are registered trademarks of MasterCard International Incorporated."

This means that both the CTA and its riders will be doing business with MetaBank. Consumers that activate the prepaid debit option on their Ventra card will definitely want to know what bank is used, especially if there are problems or need help. (What could go wrong with a prepaid card? Read parts 1 and 2 about a consumer's experience with a healthcare prepaid card.) Since Money Network is a Ventra vendor, it means that Money Network (e.g., First Data Corp.) will likely perform the payment transaction processing.

You never heard of MetaBank? There is a pretty useful summary of MetaBank at the GetDebit website:

After reading the Ventra Chicago website, I also expected to find the full terms and conditions (e.g., contract) that applies when consumers opt-in to use the prepaid debit option with their Ventra Chicago card. In my experience, details matter with any prepaid card. Often, prepaid cards contain minimums, limits, and/or several fees (e.g., to load money onto the prepaid card, or make cash withdrawals at certain bank ATM network machines). Additional fees may apply if you use the prepaid card at a different ATM network.

In January, this blog reviewed the new AAA card. Like the coming Ventra Chicago card, AAA members can use their new AAA card as an identification card for towing services and discounts, or opt in and activate the prepaid debit option to use the card to make purchases at retail stores. The new AAA prepaid card has a $25.00 minimum to load money onto it, and a maximum monthly limit of $2,500 (or a $10,000 max with direct deposit). With the new AAA prepaid card, each month only the first ATM cash withdrawal is free, and all other ATM withdrawals cost $2.00 each. And, you have to use it at American Express network ATM machines.

I wanted to see if there were similar conditions with the new Ventra Chicago card, but the website didn't say. This is the type of information informed consumers look for, since there are legal differences and rights consumers have with prepaid cards compared to both credit- and debit cards. Informed consumers want to know their rights and specific rules, especially about replacing the funds on lost/stolen Ventra cards. Hopefully, CTA officials will update the Ventra Chicago website soon with the appropriate detailed information, so Chicago-area consumers can make informed choices.

I visited the BBB website to see if its rating of Money Network had changed since last month. It had and is now rated B+:

You don't need to be a rock scientist to see that the Ventra Chicago business model is one that can be replicated with public transit systems in other cities across the country. As each system makes decisions about the payment methods they will use, transparency is critical. It is important for transit systems to provide consumers with as much choice, freedom, and privacy as possible with payment options, while minimizing fees and surcharges.

What else is going on here? As I see it, several things. First, banks are trying to capture more customers by targeting both consumers who don't have a bank account (called the "unbanked" in industry jargon), and consumers have a single bank account (e.g., checking or a savings but not both are called the "underbanked) with prepaid card pitches. Second, banking industry research has found that consumers who have used debit cards and were burned with multiple overdraft fees, now view prepaid cards as a way to avoid high overdraft fees. So, banks have targeted these consumers, too, with prepaid card pitches directly or through intermediaries (e.g., government, employers). These consumers often don't realize the limits, minimums, fees, and surcharges that often are included with prepaid cards.

Third, given current technologies it is fairly easy to make plastic identification cards perform the traditional functions plus act as a prepaid debit card. That's why you now see prepaid cards to receive government benefits, and with employer healthcare FSA programs. Fourth, it is no secret that banks perform huge data collection of consumers' purchases with all types of plastic in your wallet or purse: debit cards, credit cards, and prepaid cards. Banks analyze and sell your purchases with other businesses including data brokers. So, if you want privacy, keep using cash.

My advice to consumers is this: anytime a bank or company serves up a strong "convenience" pitch with a prepaid debit card, take the time to read closely the contractl details (e.g., often called the Terms and Conditions), the schedule of fees, and the privacy policy. Those documents will indicate what protections and rights you have (or don't have), and the costs. And, there are five things you should know about prepaid cards.

What is your opinion of Ventra Chicago? Of MetaBank? Of Money Network?

The Mugshot Industry. Accurate Information That Is Beneficial For Consumers?

Thursday night, ABC Nightline reported about problems consumers encountered with the mugshot industry -- websites that publish online photos of citizens arrested by law enforcement. While there have been very public, high-profile cases of celebrities' mugshots, the reality is that many consumers have been affected.

You've never heard of the mugshot industry? Neither had I until this Nightline report:

"Here's how it works, the sites legally download the latest mug shots from police web sites [that] published the faces of alleged lawbreakers on the Internet. And then often charge the accused of -- sometimes hundreds of dollars to pull all the photos..."

That's right. The sites charge consumers a fee, sometimes called a "take-down fee," to remove their mugshot photos. There are several problems with this. First, after paying one website to remove their mugshot photo, many consumers find that their mugshot photos re-appear on another website. Second, many sites don't consistently remove mugshot photos of consumers wrongfully arrested or found innocent by a court:

"... Sofia on Roddy says that was not her experience dealing with other companies she says she explained over and over again how she was the victim. And how the photos were preventing her from obtaining employment. And she provided these court document showing that prosecutors cleared her case. This was a wrongful arrests. And the case was dismissed by the state attorney's office. But her picture remains published..."

That does not sound good at all. According to ABC Nightline, there are 60 such mugshot websites. I searched online and easily found several within five minutes:

• Tampa Bay Mugshots (Florida)
• Busted! Mugshots
• Sarasota Mugshots (Florida)
• Springfield Mugshots (Missouri)
• Just Mugshots
• Shasta Mugshots (California)
• Gwinnett County Mugshots (Georgia)
• Mugshots Ocala (Florida)
• Mugshots Atlanta (Georgia)
• Go Upstate Mugshots (South Carolina)
• Cincy Mugshots (Ohio)
• Mugshots Gainsville (Florida)
• Who's Arrested

Some sites focus on a specific city or country, while others include several states and/or geographic areas. I am sure that some sites operate responsibly. Some are operated by newspapers. Why is this industry growing quickly? The ABC Nightline report interviewed one mugshot website operator, who admitted:

"Think of how many people have been arrested. Now put a small service fee on data -- of people and you can see why the industry is sort of taken off..."

Some consumers are fighting back. First, there is at least one blog about the mugshot industry. Increasing awareness among consumers is always good.

Second, in Florida legislators introduced a new bill (HB 677) to require mugshot website operators to automatically take down photos when consumers are found not guilty, or the charges were later dropped. That seems to be a very appropriate common-sense law.

Third, there is a class-action lawsuit in Ohio against several mugshot websites. According to Findlaw, the lawsuit claims:

"... these mugshot websites violate a person's right to publicity... to control how their own names and likenesses are used in the public domain, similar to how someone would own a copyright or patent... these mugshot websites may not publish such photos for the sole purpose of profiting off them, the lawsuit claims. The suit asserts that the websites' primary purpose for publishing these mugshot photos is so that those charged with a crime will pay money to remove their pictures."

The credit reporting industry is catching some most-deserved criticism about high error rates in credit reports. Plus, a couple federal laws govern and dictate a consistent process for consumers to report and challenge errors in credit reports. Accuracy seems important for the mugshot industry. HB 677 is a good start, but that is only one state. Issues with the mugshot industry are likely to continue until consumers pressure their elected officials for improved laws that better balance the privacy rights of consumers with the publishing rights of mugshot websites.

Watch the ABC News/Nightline report. And, learn more about the class-action lawsuit in Ohio.

What do you think of the mugshot industry? If you have been affected by, or paid a take-down fee to a mugshot website, what was your experience?

Disney Cruise Ship Child Care Staff Lose Young Child. Frantic Search Ensues

At his blog, Brent Csutoras shared a frightening story about how his child was lost during a Disney cruise while under the supervision of daycare staff. Brent wrote:

"In January, we decided to take our two children on a Disney Wonder cruise... While on board, we left our 3 year old son, in their child care facility, the Oceaneer Club (for children aged 3 to 12). We were happy to see they had a wrist band tracking system, which could identify where a child was on the ship at any time and alert staff if the band went outside the area he was supposed to be in. So you can imagine our fear, shock, outrage and panic when we came back after an evening with friends, to find our child missing from their child care facility."

And, what happened with that high-tech wristband tracking? It's similar technology to what Disney plans to use in its land-based theme parks. It failed to work:

"... the next step was to check the tracking band system, which would pinpoint my son’s location. We walked over to the computer and as they pulled it up, everyone got very quiet. The screen showed my son’s band as ‘UNREADABLE’!!!."

After searching frantically for about 45 minutes, Brent's child was found sleeping under a "tunnel of chairs" in the child care center.

This story is horrendous. I am a parent, plus my wife and I have sailed on about 19 cruises on several cruise lines: Carnival,Celebrity, Costa, Holland America, MSC, Norwegian, Princess, and Royal Caribbean. We've sailed the Caribbean (West, South, and East), the Hawaiian Islands, Bermuda, the Panama Canal, Alaska, and the Eastern Mediterranean. While we have not sailed yet on Disney, we are very familiar with the cruising vacation experience. I would classify Brent's experience on the Disney Wonder an epic customer-service failure:

• Clearly, the wristband technology, which should have worked, didn't and failed.
• Clearly, the lighting in the daycare space was insufficient
• Responsible cruise ship daycare staff should know where their children are, and not rely on wristbands to locate children. An on-board power failure could render that technology useless.
• While cruise ship staff emphasized that they had a process for lost/missing children, it was not apparent nor clearly explained to the parents.
• The ship seemed very reluctant to perform a public announcement. While they probably didn't want to alarm other passengers, the needs of a lost child outweigh that concern.

By law, cruise ships must perform safety drills before departing the embarkation port, or at sea soon after departure. This helps passengers what to do in case of an emergency.

Brent's story highlights the need for parents to apply the same level of importance to daycare services and safety, so they know what to do and where to go for their children during or after an emergency.

Disney's response, as Brent explained it, seems shortsighted and insufficient -- especially since the stranded Carnival Triumph cruise ship is fresh in many consumers' minds. After that mishap, some passengers have sued Carnival. Frankly, Disney's poor response to Brent and his family seems to risk losing future business:

"Considering I have two little boys, we would most certainly have booked other Disney vacations and cruises in the years to come. But this experience—the loss of my son, the poor response to the crisis aboard ship, and the uncaring, calculated corporate response afterward—has changed all that... Where is the Disney ‘magic’? For me, it’s been lost. Where is the customer service Disney is supposed to be known for? Nonexistent."

I suggest that Brent submit a cruise review to several cruising industry websites that consumers visit, such as Cruise Critic, Cruise411.com, and Cruise-Addicts.com. For parents who are considering a future cruise ship vacation with their children, I suggest that you:

1. Before booking a cruise, read the safety materials in the cruise lines' websites
2. After booking a cruise, read the safety materials in your cruise documents before your vacation. The cruise line or your travel agent will send these documents
3. After boarding the cruise ship, meet with the daycare staff and have them show a successful test of any wristband or other technology used to track young children
4. After boarding the cruise ship, review with daycare staff the safety procedures involving lost/missing young children before you drop them off at daycare, so you know what the process is and what to do during or after an emergency

In 2003, my wife and I sailed with our children, who were teenagers at that time. Before leaving on vacation, we reviewed with them the ship's safety rules, which we expected them to comply with 100%. Although rare, some adults have fallen overboard during cruises. A young woman wrote fake bomb-threat notes to divert a cruise ship so she could return home sooner to her boyfriend.

For cruise ship vacation, I think that this is a good rule of thumb: act and plan accordingly, because the knuckleheads you encounter on land you may also encounter at sea.

The Words Organizations Use In Their Data Breach Notices

What words do organizations use frequently in breach notification letters and announcements? To better understand this, I used the Wordle tool to create word clouds from several actual, high-profile breach notifications during the past six months. The tool gives more prominence to words that appear more frequently.

Some breach notices were blog posts, some were press releases, some were web pages in a small website specifically about that data breach, and others were letters shared with state agencies, as required by law in some states. I wanted to see what words were frequently used and any variations.

A word cloud from the February 2013 breach notice by Twitter:

 

A word cloud from the February 2013 breach notice by GE Capital Retail Bank (Adobe PDF):

A word cloud from the February 2013 breach notice by Walgreens drug stores (Adobe PDF):

A word cloud from the January 2013 breach announcement by the Experian credit reporting agency (Adobe PDF):

A word cloud from the January 2013 breach announcement by Zaxby's restaurants:

A word cloud from the November 2012 breach notice by Pinnacle Foods:

A word cloud from the November 2012 breach notice by Nationwide Insurance:

Clearly, there is a lot of variety. Some words (e.g., information, report, credit, security) appear frequently within and across breach notices. Some breach notices feature the company name prominently while others don't. While the words may vary, basic information about the breach is presented pretty consistently: organization name, relevant dates, the types of individuals affected (e.g., members, employees, students), and what that organization calls the notice.

A lot of this is mandated by state breach notification laws. Depending upon local laws, the notification may be sent to affected individuals, a public notice, or both.

The content that varies seems to be the amount of detail disclosed about he cause of the data breach, and the resources for breach victims. The resources vary based on the type of data stolen. For example, when consumers' Social Security numbers have been stolen. the notices frequently mention the major credit reporting agencies. This is what I have seen frequently in both breach notices I have received and others I have read.

An exception seems to be the GE notice which only mentions a single credit reporting agency. Sometimes, the resources to help breach victims are in a separate document or website page. So, this will affect the words used in the actual breach notice.

Sadly, the credit reporting agencies experience data breaches, too. Since they specialize in information about individuals, you might think that they don't experience data breaches, but they do. The FTC has studied the accuracy of credit reports, and many people feel that credit reporting agencies should do a lot more to fix the errors in their consumer credit reports.

What do you think of data breach notices? How many breach notices have you received?

Michaels Stores Provide Policies And Class Action Notice On Sales Receipts

My wife and many of her friends like to quilt. They regularly visit retail stores and quilt shops for quilting supplies. This past weekend, my wife visited a Michaels store in Massachusetts. After paying (with cash) for her purchases, she received the following sales receipt:

The sales receipt mentions the store's coupon, exchanges, and returns policies, plus a recent class action lawsuit. The Michaels sales receipt says:

"Dear Valued Customer:

Our coupon policy is to accept one coupon per customer per day. Certain exclusions apply. Please review the exclusion on the coupon and speak with the manager on duty for any questions you may have. Thank You.

To return or exchange an item, customer is required to present a valid photo ID that will be swiped/recorded at the time of the return or exchange for return authorization purposes only. Receipt required within 60 days for refund on most products. Alternate rules apply to books, magazines, and technology and custom products. Returns without receipt will receive Store Return Card. Refunded amount will be the lowest sales price of the item within the last 90 days. Return polices are available at Michaels.com and in store."

One coupon per customer per day? That sounds very stingy and customer unfriendly, as if the store really doesn't want to accept any coupons. And, why use the sales receipt to deliver policy information? This seems customer unfriendly. I've seen promotions and contest information on sales receipts, but not detailed policy information. Simply, print the complete information on regular 8.5 x 11 inch sized paper which is more legible; and insert in each customer's bag. Plus, some customers prefer or require large-print notices.

If you compare the returns/exchanges language on the sales receipt to the store's online Return Policy for US residents (there is a separate Return Policy for Canadian residents), you will find that the online policy has additional language. Customers should not assume that the sales receipt mentions the entire return policy.

More importantly, I want to know why Michaels' return/exchange policy requires the scanning and retention of consumers' identification documents (e.g., driver's licenses, state-issued ID's, passports, and military ID's) even when customers have a receipt. This seems customer unfriendly. When a store requires a document like a driver's license to process a return or exchange, the store collects everything on that document: your address, Driver ID number, height, weight, hair and eye color, and birth date.

Does Michaels really need all of this information (e.g., my weight, eye and hair color) to process a return with a valid receipt? This data collection is legal when performed for fraud prevention. There seems to be nothing stopping retailers from using the data collected for other purposes, such as data mining and marketing.

If a consumer has a receipt, that should be all that is necessary. I did some brief checking and at least one' competitor, Jo-Ann Fabric & Craft Stores, does not require IDs for in-store product returns. Smaller local and mom-and-pop fabric/crafts stores probably have more customer-friendly policies, too.

The sales receipt does not mention a privacy policy. It should, since Michaels does have a privacy policy online at its website, with specific additions for residents of California, Nevada, Vermont, and Canada. However, that online privacy policy does not seem to mention its data retention and sharing polices with ID information collected via returns or exchanges.

Given its return/exchange policy, I want to know how long Michaels retains ID information and what other companies (by name) it shares that ID information with -- items a privacy policy typically state. Without a statement in its privacy policy, a retailer can do anything with that data collected. This ID information is very sensitive data. Customers need to know how long a store retains this information and who it is shared with. Otherwise, consumers cannot make an informed choice.

The sales receipt also says (links enabled):

"Michaels Data Breach Class Action (for more information, please go to www.michaelsdatasettlement.com)

Michaels has settled a lawsuit that allowed certain of its customer suffered damages as a result of a data breach at selected Michaels stores between January 1, 2011 and May 12, 2011. Michaels denies all of the claims."

Unfortunately, that last sentence is vague. It refers to claims alleged in the lawsuit and not claims submitted by data breach victims seeking reimbursement for damages. In May 2011, Michaels stores warned customers in Illinois, New Jersey, California, and 15 other states about the data breach. Criminals had reportedly tampered with in-store PIN pads in checkout lines (e.g., skimming) to steal debit and credit card data. Reportedly, 90 PIN pads were initially affected, but the retail chain later replaced about 7,200 PIN pads. About 94,000 consumer accounts were affected.

Browse the list of Michaels stores (Adobe PDF) affected by the data breach. The list included several stores in Massachusetts in Braintree, Burlington, Danvers, Everett, and Hanover. Customers can also visit the Consumer Notices page at the Michaels.com.

Skimming is a worldwide identity theft and fraud problem. Besides supermarkets and retail stores, criminals target bank ATM machines, gas station pumps, and contact-less (e.g., RFID) payment methods. Several states, including California and Washington, have already banned RFID skimming. Stolen debit card and PIN data gives thieves direct access to consumers' checking bank accounts.

The sales receipt also says:

"You are included in the class if you shopped in this Michaels store or in other selected Michaels stores during that period and your Payment Card was swiped on a PIN Pad terminal from which credit or debit card information was stolen. A complete list of affected Michaels stores can be found at www.michaelsdatasettlement.com. Customers whose credit or debit card information was stolen may receive monetary payment for documented unreimbursed monetary damages and/or credit monitoring services. To request such relief, you must submit a claim postmarked by May 25, 2013.

Unless you exclude yourself from the class by March 5, 2013, you will give up the right to ever sue Michaels about the legal claims the settlement resolves. If you stay in the class, you may object to the settlement by March 5, 2013.

The Court will hold a hearing on April 4, 2013, to consider whether to approve the settlement and payment of attorneys' fees and expenses. You may ask to appear and speak at the hearing."

The settlement agreement includes a $600,000 payment by Michaels stores, which could increase to $800,000 depending upon the volume of claims and reimbursements. If the entire $600,000 is not used, then the remainder will be donated to the Starlight Childrens Foundation, which works with seriously ill children.

I'm glad that my wife paid with cash. I hope that she buys her quilting supplies elsewhere in the future, and doesn't have to return or exchange any of her purchases made at Michaels stores.

Report: It Takes Months For Organizations To Detect And Resolve Data Breaches

I started writing this blog after a data breach at a former employer exposed my sensitive personal information. The consequence was that I had to take action due to a former employer's sloppiness.

Given that history, a new report by the Ponemon Institute, and sponosred by Solera Networks, caught my attention. The report included results from a study of data breaches in organizations to understand the differences between malicious and non-malicious data breaches, plus any lessons learned from the post-breach and forensic investigations.

Typically, after a data breach organizations' IT departments investigate independently or with the assistance of an outsourced technology consultant, the data breach. That investigation includes the cause of the breach, the specific computer systems and/or networks compromised, the number and types of records accessed (e.g., current employees, prior employees, contractors, students, etc.), and the specific data elements (e.g., names, street addresses, bank account numbers, Social Security numbers, e-mail passwords, etc.) accessed and/or stolen. By understanding what happened, organizations, in theory, can better secure their computers and networks from future data breaches.

The Ponemon study used the following definitions for data breach types:

"... we define a non-malicious breach as a system error, employee negligence or third-party snafu and a malicious breach is defined as one involving the theft of information assets by a criminal insider or [external hacker]..."

I found the results fascinating for several reasons. In my personal experience, my former employer's breach included data tapes shipped via a third-party vendor which never arrived at the off-site storage facility. This affected my privacy along with that of both current and other former employees.

First, the global results from the Ponemon report:

• 54% of IT professional respondents said (e.g., Strongly Agree or Agree) that the severity of data breaches has increased during the past 24 months
• 52% of respondents said (e.g., Strongly Agree or Agree) that the frequency of data breaches has increased during the past 24 months
• Only 44% of respondents said that their organization has the tools, personnel, and funding to quickly detect data breaches
• Only 43% of respondents said that their organization has the tools, personnel, and funding to prevent data breaches
• While 63% of respondents said that understanding the root causes of data breaches has increased data security in their organization, but only 40% said they have the tools, personnel, and funding to determine the root causes of data breaches
• On average, it took organizations 49 days to detect non-malicious data breaches, and 80 days -- almost 3 months -- to detect malicious breaches. For resolution, it took 83 and 123 days, respectively.
• Only 39% of respondents that experienced a malicious breach said that they were confident (e.g., Very Confident and Confident) that their organization determined the root cause of the breach

This is not good. It takes a long time to detect breaches, if at all, and a long time to fix them. The most frequent types of data breaches experienced during the past 24 months:

• 47% - Employee or contractor negligence
• 32% - System error or malfunctions
• 24% - External attacks
• 23% - Third party mistakes or negligence
• 14% - Malicious insiders

Where the data breach occurred within the organization varies:

Breach Location	Malicious Breaches	Non-Malicious Breaches
Within business unit	15%	27%
During transit or transmission to a third-party location	6%	22%
Off-site	30%	20%
Off-site data center	12%	12%
On-site data center	9%	9%
Unable to determine	28%	9%

When the breach was discovered:

When Discovered	Malicious Breaches	Non-Malicious Breaches
Immediately	2%	20%
Within one week	19%	19%
Within one month	29%	28%
Within 3 months	24%	16%
Within 6 months	6%	4%
Within 1 year	4%	2%
Within 2 years	2%	1%
Unable to determine	15%	10%

So, an astounding 15% of the time organizations were never able to determine when malicious data breaches were detected. That's about one out of every six breaches. How malcious breaches were discovered:

• 28% - Forensic tools and methods
• 19% - Loss preventiona tool such as DLP
• 15% - Notification by law enforcement
• 10% - Automated monitoring
• 9% - Accidental discovery
• 6% - Audit or assessment
• 3% - Legal filing or complaint
• 3% - Manual monitoring
• 3% - Notification by partner or third-party
• 3% - Consumer or customer complaint
• 3% - Unsure
• 1% - Other

Second, some country-specific results:

• 41% of survey respondents from the USA said (e.g., Strongly Agree and Agree) that their organization were ready with the tools, personnel, and funding to prevent data breaches. The average across all countries was about 44%. Organizations in Japan (56%) and Singapore (58%) led the way with prevention readiness.
• 42% of survey respondents from the USA said that their organization were ready with the tools, personnel, and funding to quickly detect data breaches. The average across all countries was about 44%. Again, organizations in Japan (55%) and Singapore (57%) led the way with detection readiness.
• 33% of survey respondents from the USA said that their organization's leaders view data security as a top priority. The average across all countries was about 37%. Again, organizations in Japan (51%) and Singapore (50%) led the way with senior management leadership.

The study included a survey of 3,529 Information Technology professionals in eight countries. 54% of survey participants report directly to the chief information officer (CIO) in their organization. Participants were selected from organizations that had at least one data breach during the past 24 months. The survey included organizations from both the public and private sectors.

Survey respondents by country:

• 659 - USA
• 566 - Japan
• 445 - Brazil
• 431 - United Kingdom
• 423 - Canada
• 395 - Australia
• 309 - Singapore
• 301 - United Arab Emirates
• 3,529 - Total

Third, survey respondents by industry:

• 18% - Financial Services
• 11% - Federal and central government
• 7% - Services
• 7% - Retail, Internet
• 6% - Professional services
• 5% - Industrial products and chemicals
• 4% - State, province and local government
• 4% - Communications
• 4% - Consumer products
• 4% - Entertainment and media
• 4% - Hospitality
• 3% - Defense contractor
• 3% - Retail, conventional
• 3% - Technology and software
• 2% - Energy and utilities
• 2% - Education and research
• 2% - Healthcare and medical devices
• 2% - Pharmaceuticals and biotech
• 1% Transportation
• 1% - Other
• 100% - Total

What is a consumer to take from the results in this report? As I see it:

1. Data breaches will continue to happen. The bad guys also read reports like this, and determine where the soft or easy targets are.
2. There is an opportunity for companies and senior executives in the USA to do much better and take a leadership role. Will they?
3. Outsourcing matters, since about 48% of malicious breaches happened off-site or during transit/transmission with a third party contractor or partner
4. Despite what senior-level executives say in speeches and press releases about valuing data security, the survey suggests otherwise. Many organizations don't have the necessary tools, personnel, and funding.
5. Despite what senior-level executives say in breach notification letters after a data breach, they often don't know what happened and won't for a long while, if they ever do. Too many never determine when and what happened.
6. Informed consumers realize the reality is that you have to protect your sensitive personal data. Don't rely on a employer or former employer to do it.
7. All of this applies to mobile app developers, app stores, online retailers, and related Internet companies since the study included those industries, too.

Access the complete "Post Breach Boom" Ponemon report here.

21 Fung Wah Buses Removed From Service After Failed Inspections

WBZ-TV, the CBS network affiliate in Boston, reported yesterday evening about the results of an investigation by both the station and the State of Massachusetts. After several bus inspections by state officials, 21 of 28 Fung Wah buses have been removed from service.

Reportedly, bus inspectors found:

"... multiple oil leaks from different parts of the engine, and nuts and bolts that weren’t secure. There were also faulty lights, a door with a broken latch and the lack of proper registration on the charter bus hired by Fung Wah... Three of those buses had cracked frames. Inspectors found they had been re-welded and the work wasn’t done properly..."

The bus company had hired charter buses to replace its buses that had been removed from service. The Boston Globe reported:

"The frame cracks, located in the drive axle, rear axle, engine cradle, and other locations, posed serious safety issues, said Ann Berwick, chairwoman of the utilities department."

State inspectors are so concerned, they have asked the Federal government to suspend Fung Wah's operating license until repairs have been made. The Massachusetts Department of Public Utilities (DPU) oversees transportation and public safety.

Fung Wah operates low-cost passenger bus service between Boston and New York City. Some ticket prices are as low as $15 each way. A check of the company's website did not find any mentions of the failed bus inspections.

[Update, 3:15 pm EST: the U.S. Department of Transportation has ordered Fung Wah to cease passenger operations until safety concerns are addressed.]

FTC Studies The Accuracy Of Consumer Credit Reports. Plenty Of Errors To Be Fixed By Credit Reporting Agencies

The blog post on Monday discussed the 60 Minutes report about the failures in the dispute process at credit reporting agencies to fix mistakes in consumers' credit reports. Today's post discusses the recent U.S. Federal Trade Commission (FTC) survey, which prompted that news report.

The FTC survey analyzed the accuracy and completeness of consumer credit reports. This was the agency's fifth such report. Section 319 of the 2003 FACT Act requires the FTC to conduct a study of the accuracy and completeness of consumer credit reports.

Major findings from this FTC study:

1. 26% of consumers (262 of 1,001 participants) identified errors on their credit reports that might affect their credit scores. 19% of credit reports (572 of 2,968 reports) had an alleged error reported by participants
2. 20% of consumers had an error that was corrected by a credit reporting agency (CRA) after it was disputed, on at least one of their three credit reports
3. Of the 572 credit reports where an error was submitted, 399 reports (70%) were modified by a credit reporting agency, and 211 (36%) had a credit score changed. Those same 211 credit reports are 7.1% of all credit reports in the study
4. Of the 262 consumers who identified alleged inaccuracies in their credit reports and filed disputes, 206 consumers (80%) had a modification made by a credit reporting agency to their credit report in response to the dispute. Of these, 129 consumers (12.9% of all 1,001 participants) experienced a change in credit score following the dispute process
5. Slightly more than 10% of consumers saw a change in their credit score after the credit reporting agencies fixed errors on their credit reports
6. Approximately 5% of consumers had a maximum credit score change of more than 25 points, while 0.4% of consumers had a maximum score change of more than 100 points

If you skimmed or quickly read the high-level findings or the FTC press release, then you might assume that there is no problem -- and you would be wrong for a several reasons. First, that 20% of consumers found an error in at least one of their credit reports means that about could be as many as 40 million people (20% of the 200 million Americans with credit reports) have at least one error in one of their three credit reports with Experiran, Equifax, or TransUnion. That seems to be a huge error rate.

Second, this error rate is based on a percentage of consumers. Some credit reports had multiple errors in them. So, a more accurate error rate would be based on the number of credit reports with errors compared to the total number of credit reports. Or, an even better error rate would be the average number of errors in a credit report. Third, the report doesn't seems to measure the percentage of error items that credit reporting agencies don't fix which they should have fixed (that's another type of error).

Fourth, that 20% error rate is the number of consumers who reported errors and the credit reporting agencies fixed them. (Explanation below.) A much higher rate of consumers reported errors: 26%. It seems that the real error rate is far higher.

I waded through the 370-page FTC report because credit reports are critical documents. Consumers need them to be accurate do business with lenders, and lenders use these documents constantly. Plus, credit reports contain a lot of important, sensitive, personal information about you, your lifestyle, and the purchases you've made:

"... (1) Identifying information including name, address, birth date, SSN, and previous/alternate names and addresses; (2) Credit account information including information about current and past credit accounts such as mortgages, car loans, credit cards, and installment payments; (3) Public records such as bankruptcies, foreclosures, civil judgments, and tax liens; (4) Collection accounts, which include unpaid debts (such as medical bills) that have been turned over to collection agencies; and (5) Inquiries (subscriber requests to access a consumer credit report)."

When you apply for credit or when a potential lender requests to view your credit report to make a lending decision, a "hard inquiry" results. Too many "hard" inquiries and your credit score can go down. The study identified different types of errors (bold emphasis added):

"... we define a ‘potential error’ as an alleged inaccuracy identified by the participants with the help of the study associate... Lenders often use the credit score associated with a credit report to assess the credit risk of a particular consumer. Therefore, we define a ‘potentially material error’ as an alleged inaccuracy in information that is commonly used to generate credit scores. Information used to generate credit scores include the number of collections accounts, the number of inquiries (hard pulls on a credit file), the number of negative items such as late or missed payments, and other factors. An alleged error is considered potentially material prior to the dispute process simply by its nature as an item used to generate credit scores... We define a ‘confirmed material error’ in several ways, though all rely on a confirmed error being determined as a result of the FCRA dispute process..."

If you are reading this closely, then you realize that credit reports contain errors both in the information used to calculate consumers' credit scores, and in the information not used to calculate credit scores:

"Errors in header information (current/previous address, age, or employment) are not considered in determining a FICO credit score and thus are not defined as material in the context of this study."

In my opinion, this distinction does a disservice to consumers. It tolerates a certain level of sloppiness; that it is okay for credit reporting agencies to get their credit reports mostly correct. Header information elements are no less important than other credit report elements. These header elements could be used to match credit reports for a person with input submitted by lenders and/or within dispute investigations. Second, a credit report is such an important document that it needs to be correct. Period. Credit reports are important because:

• They are used by so many potential lenders
• Consumers pay large sums for credit monitoring services
• Credit reporting agencies share information with data brokers

Errors are errors. Period. They all are important. Fix them all. Decades ago and early in my business career, I learned an important lesson about producing a quality product or service:

"Why spend all this time finding and fixing and fighting when you could prevent the incident in the first place?... It is much less expensive to prevent errors than to rework, scrap, or service them... It is always cheaper to do the job right the first time."

Either the credit reporting agencies haven't learned these lessons about quality, or they intentionally choose not to pursue a goal of zero defects.

To the good, the FTC study looked at error rates among header information from credit reports:

"In cases where a participant identified only an error in header information, the participant was instructed to dispute the error directly with FICO and the participant’s credit report was not redrawn. For the individuals with material errors and header information errors, the outcome for the header information disputes is known. The third most common alleged inaccuracies occur in the data on header information (154 alleged errors on 127 reports, comprising 4.3% of the sample). Note this represents a lower bound of the frequency of header information errors, as reports with errors only in header information are not included. The modification rate for header information is higher than that of other alleged material error types (99 modifications, comprising 64.3% of the disputed header information items)."

In other words, in this study 127 credit reports had 154 alleged errors in the header information, or 1.2 errors on average per credit report. The credit reporting agencies fixed 99 of these 154 alleged errors -- what I would calculate as a 64.3% correction rate for header items. Still, this is still a best-case correction rate, because the above excluded instances where the only error reported by the consumer was in the header information.

The study found that the main types of confirmed material errors (that could affect a consumer's credit score) that were fixed by credit reporting agencies were:

"... errors in the tradeline (consumer accounts) or collections information. The most common alleged inaccuracies occur in the data on tradelines (708 alleged errors on 409 reports, comprising 13.8% of the sample) or collections accounts (502 alleged errors on 223 reports, comprising 7.5% of the sample). The most commonly modified errors are tradeline information errors (395 modifications) and collections information errors (267 modifications)."

The supporting details:

Error Type	# of Alleged Errors	Items Modified #(%)	# Reports with Alleged Errors	Avg. # Alleged Errors / Report	Reports with Errors Modified #(%)
Collections	502	267 (53.2%)	223	2.3	146 (4.9%)
Duplicate Entries	65	30 (46.2%)	39	1.7	27 (0.9%)
Header Information	154	99 (64.3%)	127	1.2	90 (3.0%)
Inquiries	88	48 (54.5%)	48	1.8	34 (1.1%)
Derogatory Public Records	44	25 (56.8%)	35	1.3	20 (0.7%)
Tradeline Information	708	395 (55.8%)	409	1.7	267 (9.0%)
Total	1,561	864 (55.3%)	--	--	--

Note: the report did not provide totals. I calculated that row. Overall, slightly more than half (55.3%) of error items reported by consumers are fixed -- and this chart includes only the material errors that could affect a consumer's credit score. What I found interesting: regardless of the error type, there is consistently more than one error per credit report.

The following chart highlights how often credit reporting agencies co-mingle your information with other persons' information:

Error Type	# of Alleged Errors	# Items "Not Mine" Alleged	Items "Not Mine" Corrected #(%)	# Reports With This Alleged Error	# Reports With "Not Mine" Alleged	Reports With "Not Mine" Corrected #(%)
Collections	502	413	209 (50.6%)	224	190	116 (61.1%)
Inquiries	88	88	48 (53.9%)	48	48	33 (68.8%)
Tradeline Information	708	246	133 (54.1%)	409	144	81 (56.3%)
Total	1,561	747	390 (52.2%)	--	--	--

Again, the report did not calculate the total row. I did. As you can see, credit reporting agencies fixed slightly more than half of errors consumers reported as not theirs. How the researchers calculated the effects on consumers' credit scores from credit report errors:

"After the disputes were filed and completed, the study associate drew new credit reports for the consumer and analyzed whether there were changes to the report in response to the dispute. If there were no changes to the report, the original FICO score is relevant for our calculations and if all the alleged inaccurate items were modified by the CRA, the provisional FICO rescore is the relevant credit score. If only some of the disputed items were changed, the modified report was sent to a FICO analyst for a second rescoring to assess the impact of the modifications. The relevant FICO score at the conclusion of the dispute and rescoring process is then compared to the original FICO score to determine how the credit report inaccuracies affected the consumer credit score."

The reports shared a brief explanation of why credit reporting agencies don't fix errors as consumers who reported errors expect:

"... There are a number of reasons, however, why a CRA may make changes to a credit report that differ from the consumer’s instructions. For example, a consumer may dispute an account balance and instruct the CRA to change the balance to a specific amount (i.e., the consumer alleges what is incorrect and what action by the CRA would set it right). If the CRA cannot confirm the existence of the account with the data furnisher, the account is removed from the consumer’s credit report; in this case the outcome is not what the consumer requested. In addition, a consumer may dispute multiple items on a credit report as inaccurate and the CRA may only modify a subset of the disputed items, thus suggesting that the consumer was correct regarding some of the inaccuracies on the report but not all."

The report shared a brief explanation of why credit reporting agencies may not fix at all any errors reported by consumers:

"... there are some consumers who file disputes and yet the CRA makes no modification to their report. For the purpose of the analysis within this report, these consumers are not defined as having a confirmed material error. It is important to note that these consumers with alleged potentially material errors that are not confirmed through the FCRA dispute process may still have inaccurate items on their credit reports; however, we are unable to verify the inaccuracy within the design of this study..."

So, the 20% error rate (percentage of consumers who reported errors and credit reporting agencies fixed them) in the study is probably the best-case scenario; and the real-world error rate is higher. How? If an error discovered and reported by a consumer cannot be verified via the FCRA dispute process, then the credit reporting agencies does nothing and that error remains in the consumers' credit reports. The 60 Minutes show documented real-world examples where consumers fully documented errors in their credit reports; which the credit reporting agencies proceeded to ignore (sometimes setting a lawsuit later out of court).

This best-case error rate problem is also backed by the research methodology. The research team included members from the University of Missouri, St. Louis (UMSL), the University of Arizona, and the Fair Isaac Corporation (FICO). The research methodology included consumers selected at random:

"... from the population of interest (consumers with credit histories at the three national CRAs). Ultimately, 1,001 study participants reviewed 2,968 credit reports (roughly three per participant) with a study associate who helped them identify potential errors. Study participants were encouraged to use the Fair Credit Reporting Act (“FCRA”) dispute process to challenge potential errors that might have a material effect on the participant’s credit standing (i.e., potentially change the credit score associated with that credit report). When a consumer identified and disputed an error on a credit report, the study associate informed FICO of the disputed items, and FICO generated a provisional FICO score for the report under the assumption that all consumer allegations were correct. After the completion of the FCRA dispute process, study participants were provided with new credit reports and credit scores. Using the provisional FICO score, the new credit reports and credit scores, and the original credit reports and credit scores, we are able to determine the impact on the consumer’s credit score..."

Descriptive information of the study participants:

FICO Credit Score	Age	Education	Race
589 and below: 18.2% 590 - 679: 20.2% 680 - 749: 21.0% 750 - 789: 19.5% 790 and above: 21.2%	18 - 30: 21% 31 - 40: 20% 41 - 50: 15% 51 - 60: 21% 61 and older: 22%	HS diploma or less: 12% Some college: 31% College degree: 30% Graduate study: 26%	White: 78% Black: 12% Other: 9%

The study never looked at credit report accuracy in the regional and smaller credit reporting agencies. So, there are more than three credit reports per person on average, when you include those smaller and regional agencies. More credit reports and probably more errors.

What do I think of this study by the FTC? It highlights several important concepts:

• How you define an "error" matters. In the study, a conservative definition yielded a 9.7% error rate (defined as the as the percentage of consumers) while a more expansive definition yielded a 21% error rate.
• How you define an "error" matters. The study calculated the much-publicized error rate based on the percentage of consumers who reported errors. To me, a better method is to calculate the error rate based on the percentage of credit reports with errors. This lets you proceed to the next level to calculate which which credit reporting agency has the higher (or lower) error rate.
• How you label an "error" matters. While caclulating the percentage of credit reports with errors fixed and/or the percentage of error items fixed by credit reporting agencies, what you label these is important. The study used what I consider to be clumsey labels:  "Percent of All Reports Examined With This Error Modified" and "Percent of Items With Any Allegation of this Type Modified," respectively. Let's call them what they really are: "Report Correction Rate" "Report Item Correction Rate," respectively. Then, we can examine which credit reporting agency does a better job of fixing credit reports. Sadly, the study did not provide this level of detail.
• How you define "investigation" matters: this includes both the FCRA dispute process and what credit reporting agencies actually do (or don't do) to investigate error disputes reported by consumers. The 60 Minutes report mentioned low-wage staff in other countries simply assign code numbers to error reports without performing a substantial, comprehensive investigation -- which most consumers probably expect.
• Which brand of credit score matters: this study used FICO credit scores, while many credit reporting agencies and other retailers sell different brands of credit scores to consumers
• Where you place the "responsibility" matters. The study is consistent with general practice -- for better or worse -- that places the responsibility for finding and reporting errors with consumers. Why aren't the credit reporting agencies held responsible for finding, reporting and fixing errors on their own? Would they find the same errors that consumers found? Or more? Or fewer?

This FTC study is half a loaf at best. Why?

First, it didn't analyze the real problem of actual errors already reported by consumers that were never fixed -- what I call the correction rate. A better study would investigate both error rates and correction rates, by perhaps using an independent third-party to analyze the dispute process and the supporting documents submitted by consumers to credit reporting agencies. This would get at the true heart of the matter: how accurate credit reporting agencies are (or are not) with using the documentation consumers provide. In other words, lets better understand the errors that weren't fixed which should have been fixed by credit reporting agencies.

Second, it is better to define error rates not as a percentage of consumers, but instead based on either the number of credit reports with errors, or the average number of error items in a credit report. Each consumer has at least three credit reports -- one with each of the three major credit reporting agencies: Experian, Equifax, and TransUnion. Some consumers have more credit reports with the smaller, regional credit reporting agencies.

Third, the study perpetuates a current bias that distinguishes between errors used to make credit score decision and errors not used in this calculation. Errors are errors. Period. Credit reports are so important, that they need to be correct. Fourth, the study ignored the smaller and regional credit reporting agencies.

Fourth, the study methodology had 100% of participants review their credit reports. In the real-world, far fewer consumers check their credit reports for accuracy. In its report, the FTC said:

"... In 1992, the Associated Credit Bureaus (later Consumer Data Industry Association, or “CDIA”) commissioned Arthur Andersen & Company to perform a study about credit report accuracy. Using credit applicants who had been denied credit, the Andersen Study found that only 8% requested a copy of their report and 2% of those denied credit disputed information contained in their report. Following the dispute, 3% of the people who received copies of their report had the original decision to deny credit reversed...."

While the report cites other studies, the important point is this: if only 8% or consumers request copies of their credit reports, then it makes sense to pursue ways to engage more consumers with checking their credit reports for accuracy. Business as usual means a lot of errors go unreported and undiscovered. In a truly open market with credit reports, each credit reporting agency would tout its accuracy levels; unlike the current mess. The FTC needs to make it real for consumers by explaining the real-world costs of inaccurate credit reports with real examples of denied credit and loans with higher interest rates.

Fifth, I found the language in the report and study methodology needlessly confusing. It could have been simplified with clearer labels, such as:

• Consumer Dispute Rate: the percentage of consumers that submitted error reports
• Credit Report Dispute Rate: the percentage of credit reports with at least one error reported by consumers
• Credit Report Average Item Dispute Rate: the average number of error items per credit report submitted by consumers
• Gross Credit Report Correction Rate: the percentage of credit reports with (all or some) error items fixed by credit reporting agencies
• Net Credit Report Correction Rate: the percentage of error items in credit reports where all items are fixed by credit reporting agencies
• Gross Item Correction Rate: the average number of error items fixed (all or partial) per credit report
• Net Item Correction Rate: the average number of error items where all items are fixed per credit report

What is your opinion of credit reporting agencies? Of their dispute process? Of the FTC study? Share you thoughts below.

Download the 2013 FTC FACTA report (Adobe PDF, 20.8 Mbytes).