
Bloomberg: Equifax Had A Data Breach In March, Too. More Questions Result

According to news reports, Equifax experienced another data breach earlier this year, before the massive data breach it announced on September 7th, in which criminals gained unauthorized access to Equifax's systems and computers from May through the end of July 2017. Bloomberg reported:

"Equifax Inc. learned about a major breach of its computer systems in March -- almost five months before the date it has publicly disclosed, according to three people familiar with the situation... Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said..."

Two major data breaches? What's happening? A news report by Bank Info Security may clarify things:

"... the Bloomberg story is "attempting to connect two separate cybersecurity events and suggesting the earlier event went unreported." Instead, Equifax says the breach described by Bloomberg was a "security incident involving a payroll-related service." The incident, which Equifax refers to as the "March event," was reported to customers, affected individuals and regulators, as well as covered by the media, it says. "Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related."

Equifax appears to be referring to a breach involving TALX, its payroll, human resources, and tax services subsidiary, formally known as Equifax Workforce Solutions. The Bank Info Security news report explained:

"In early March, Equifax began notifying individuals whose employers use TALX for payroll services that it had detected unauthorized access to its web-based portal. Employees use the TALX portal to access their W-2, which is the annual income reporting form that U.S. employees need to file their federal tax return. That's also a key document for fraudsters, because it puts them one step closer to being able to fraudulently file and claim a tax refund in someone else's name.

In the March attack, hackers had luck accessing TALX accounts by guessing registered users' personal questions, according to Equifax's breach notifications. By answering the questions correctly, fraudsters were able to reset a PIN needed to access an account. With the fresh PIN, they were able to obtain an electronic copy of victims' W-2. The unauthorized access incidents occurred between April 17, 2016, and March 29, 2017, Equifax says..."

It's frightening that the TALX breach went undetected for almost a year. The Krebs On Security blog also reported on the Equifax-TALX breach in May. However, the Bloomberg news report explored another hacking method criminals might have used in March:

"... one goal of the attackers was to use Equifax as a way into the computers of major banks, according to a fourth person familiar with the matter. This person said a large Canadian bank has determined that hackers claiming to sell celebrity profiles from Equifax on the dark web -- information that appears to be fraudulent, or recycled from other breaches -- did in fact steal the username and password for an application programming interface, or API, linking the bank’s back-end servers to Equifax.

According to the person and a Sept. 14 internal memo reviewed by Bloomberg, the gateway linked a test and development site used by the bank’s wealth management division to Equifax, allowing the two entities to share information digitally."

So, there was a breach in March. Was it the TALX hack, the hack via a bank, both, or something else? If the Bloomberg report is accurate, then the post-breach consequences listed probably apply:

"... will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading... New questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity... the revelation of an earlier breach will likely raise questions for the company’s beleaguered executives over whether that [March] investigation was sufficiently thorough or if it was closed too soon. For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July."

If true, then consumers are left with more questions: which bank(s)? What fixes have been implemented so this doesn't happen again? Why wasn't this disclosed sooner? How many consumers were affected? Exactly how did the hackers gain access? Was it the same or a different group of hackers? Which consumers' data elements were accessed/stolen?

The cynic in me wonders if Equifax executives are using its TALX breach as cover -- to avoid having to admit to another massive (and embarrassing) data breach.

Regardless of which news report is accurate, there are plenty of reasons for consumers to feel uneasy about Equifax's breach(es), data security protections, and breach notifications. Equifax is a custodian of extremely valuable and sensitive information about consumers. It makes money selling that information to potential lenders, and consumers have a right to have their questions answered fully.

Maybe the various investigations and inquiry by 31 states will provide answers for consumers. Or maybe Congress needs to hold hearings. It's been done before. What do you think?


Facebook Enabled Advertisers to Reach ‘Jew Haters’

[Editor's note: today's guest post, by the reporters at ProPublica, is part of its Machine Bias series. After being contacted by ProPublica, Facebook removed several anti-Semitic ad categories and it no longer allows advertisers to target groups based upon self-reported information. Today's post is reprinted with permission.]

By Julia Angwin, Madeleine Varner, and Ariana Tobin - ProPublica

Want to market Nazi memorabilia, or recruit marchers for a far-right rally? Facebook’s self-service ad-buying platform had the right audience for you.

Until last week, when we asked Facebook about it, the world’s largest social network enabled advertisers to direct their pitches to the news feeds of almost 2,300 people who expressed interest in the topics of “Jew hater,” “How to burn jews,” or, “History of ‘why jews ruin the world.’”

To test if these ad categories were real, we paid $30 to target those groups with three “promoted posts” — in which a ProPublica article or post was displayed in their news feeds. Facebook approved all three ads within 15 minutes.

After we contacted Facebook, it removed the anti-Semitic categories — which were created by an algorithm rather than by people — and said it would explore ways to fix the problem, such as limiting the number of categories available or scrutinizing them before they are displayed to buyers.

“There are times where content is surfaced on our platform that violates our standards,” said Rob Leathern, product management director at Facebook. “In this case, we’ve removed the associated targeting fields in question. We know we have more work to do, so we’re also building new guardrails in our product and review processes to prevent other issues like this from happening in the future.”

Facebook’s advertising has become a focus of national attention since it disclosed last week that it had discovered $100,000 worth of ads placed during the 2016 presidential election season by “inauthentic” accounts that appeared to be affiliated with Russia.

Like many tech companies, Facebook has long taken a hands off approach to its advertising business. Unlike traditional media companies that select the audiences they offer advertisers, Facebook generates its ad categories automatically based both on what users explicitly share with Facebook and what they implicitly convey through their online activity.

Traditionally, tech companies have contended that it’s not their role to censor the Internet or to discourage legitimate political expression. In the wake of the violent protests in Charlottesville by right-wing groups that included self-described Nazis, Facebook and other tech companies vowed to strengthen their monitoring of hate speech.

Facebook CEO Mark Zuckerberg wrote at the time that “there is no place for hate in our community,” and pledged to keep a closer eye on hateful posts and threats of violence on Facebook. “It’s a disgrace that we still need to say that neo-Nazis and white supremacists are wrong — as if this is somehow not obvious,” he wrote.

But Facebook apparently did not intensify its scrutiny of its ad buying platform. In all likelihood, the ad categories that we spotted were automatically generated because people had listed those anti-Semitic themes on their Facebook profiles as an interest, an employer or a “field of study.” Facebook’s algorithm automatically transforms people’s declared interests into advertising categories.

Here is a screenshot of our ad buying process on the company’s advertising portal:

Screenshot of Facebook ad buying process

This is not the first controversy over Facebook’s ad categories. Last year, ProPublica was able to block an ad that we bought in Facebook’s housing categories from being shown to African-Americans, Hispanics and Asian-Americans, raising the question of whether such ad targeting violated laws against discrimination in housing advertising. After ProPublica’s article appeared, Facebook built a system that it said would prevent such ads from being approved.

Last year, ProPublica also collected a list of the advertising categories Facebook was providing to advertisers. We downloaded more than 29,000 ad categories from Facebook’s ad system — and found categories ranging from an interest in “Hungarian sausages” to “People in households that have an estimated household income of between $100K and $125K.”

At that time, we did not find any anti-Semitic categories, but we do not know if we captured all of Facebook’s possible ad categories, or if these categories were added later. A Facebook spokesman didn’t respond to a question about when the categories were introduced.

Two weeks ago, acting on a tip, we logged into Facebook’s automated ad system to see if “Jew hater” was really an ad category. We found it, but discovered that the category — with only 2,274 people in it — was too small for Facebook to allow us to buy an ad pegged only to Jew haters.

Facebook’s automated system suggested “Second Amendment” as an additional category that would boost our audience size to 119,000 people, presumably because its system had correlated gun enthusiasts with anti-Semites.

Instead, we chose additional categories that popped up when we typed in “jew h”: “How to burn Jews,” and “History of ‘why jews ruin the world.’” Then we added a category that Facebook suggested when we typed in “Hitler”: a category called “Hitler did nothing wrong.” All were described as “fields of study.”

These ad categories were tiny. Only two people were listed as the audience size for “how to burn jews,” and just one for “History of ‘why jews ruin the world.’” Another 15 people comprised the viewership for “Hitler did nothing wrong.”

Facebook’s automated system told us that we still didn’t have a large enough audience to make a purchase. So we added “German Schutzstaffel,” commonly known as the Nazi SS, and the “Nazi Party,” which were both described to advertisers as groups of “employers.” Their audiences were larger: 3,194 for the SS and 2,449 for Nazi Party.

Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.

Once we had our audience, we submitted our ad — which promoted an unrelated ProPublica news article. Within 15 minutes, Facebook approved our ad, with one change. In its approval screen, Facebook described the ad targeting category “Jew hater” as “Antysemityzm,” the Polish word for anti-Semitism. Just to make sure it was referring to the same category, we bought two additional ads using the term “Jew hater” in combination with other terms. Both times, Facebook changed the ad targeting category “Jew hater” to “Antysemityzm” in its approval.

Here is one of our approved ads from Facebook:

Screenshot of approved Facebook ad for ProPublica

A few days later, Facebook sent us the results of our campaigns. Our three ads reached 5,897 people, generating 101 clicks, and 13 “engagements” — which could be a “like,” a “share,” or a comment on a post.

Since we contacted Facebook, most of the anti-Semitic categories have disappeared.

Facebook spokesman Joe Osborne said that they didn’t appear to have been widely used. “We have looked at the use of these audiences and campaigns and it’s not common or widespread,” he said.

We looked for analogous advertising categories for other religions, such as “Muslim haters.” Facebook didn’t have them.

Update, Sept. 14, 2017: This story has been updated to include the Facebook spokesman's name.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


31 States Sent Joint Letter Demanding Equifax Provide Free Services And Better Support For Consumers

On Friday, September 15, the attorneys general in several states sent a joint letter to Equifax as a result of the credit reporting agency's response to a massive data breach affecting about 143 million persons in the United States. The participating attorneys general are concerned about the impacts and costs to consumers. They want Equifax to respond better to the needs of consumers, extend the duration of the sign-up period for breach victims, and waive the fees of certain services. Perhaps most importantly, they are concerned about Equifax benefiting unjustly due to a situation it created.

The joint letter explained:

"... Chief among the issues causing confusion and concern are the inclusion of terms of service that required consumers to waive their rights, the offer of competing fee-based and free credit monitoring services by Equifax, and the charges consumers incur for a security freeze with other credit monitoring companies like Experian, TransUnion, and Innovis.

Initially, in order to enroll in the free credit monitoring that Equifax offered to all Americans, it appeared that Equifax attached certain conditions to the offer, including mandatory arbitration, among other things. The fact that Equifax’s own conduct created the need for these services demands that they be offered to consumers without tying the offer to complicated terms of service that may require them to forgo certain rights. It was not until after urging from our offices and public condemnation that Equifax withdrew these objectionable terms from its offer of free credit monitoring.

We remain concerned that Equifax continues to market its fee-based services to consumers affected by its data breach. Consumers who view Equifax’s homepage are offered both Equifax fee-based credit monitoring services, as well as its services offered at no cost. Again, at the urging of our offices and following criticism in the media, Equifax made its offer of free credit monitoring services more prominent so that it can be more easily found by consumers. Although these changes are an improvement over the site’s original offering, which presented a much less prominent link when compared to Equifax’s fee-based offering, they do not address all of our concerns.

We believe continuing to offer consumers a fee-based service in addition to Equifax’s free monitoring services will serve to only confuse consumers who are already struggling to make decisions on how to best protect themselves in the wake of this massive breach. We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims. Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair, particularly if consumers are not sure if their information was compromised.

Equifax cannot reap benefits from confused consumers who are likely only visiting Equifax’s homepage because they are concerned about whether the breach affects them and their families. If there is any substantial benefit consumers can obtain by purchasing the fee-based services over the free credit monitoring, then we strongly suggest that Equifax upgrade its free credit monitoring service to provide equivalent protection. On the other hand, if the services are equivalent, then we fail to understand why Equifax continues to offer its fee-based services to those affected by the breach if equivalent services are obtainable at no cost. Either way, we request that Equifax disable links to its fee-based services until the sign-up period for the free service has ended. Additionally, the cutoff date of November 21, 2017 for consumers to avail themselves of the free services provided appears to us to be rather short-sighted and we suggest that date be extended to at least January 31, 2018.

Our offices are also receiving complaints from proactive consumers who have requested a security freeze. Although Equifax is not charging consumers a fee for its own security freeze service, these consumers are furious that they have been forced to pay for a security freeze with other companies, such as Experian and TransUnion, when this privacy breach was no fault of their own. We agree with these consumers that it is indefensible that they be forced to pay fees to fully protect themselves from the fallout of Equifax’s data breach.

Accordingly, we believe Equifax should, at a minimum, be taking steps to reimburse consumers who incur fees to completely freeze their credit..."

The participating attorneys general are from Alabama, Arizona, Connecticut, Delaware, Georgia, Hawaii, Illinois, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, North Dakota, Oklahoma, Ohio, Oregon, South Carolina, South Dakota, Pennsylvania, Virginia, West Virginia, and the District of Columbia. Read the announcement by Christopher S. Porrino, the State of New Jersey Attorney General. A copy of the joint letter is also available here (Adobe PDF).


The Equifax Breach: Several Investigations Underway

The Office of the Attorney General (AG) for the State of Nevada announced yesterday an investigation into the Equifax data breach. About 143 million persons were affected. The announcement stated:

"The breach, which took place from mid-May through July of this year, neglected to keep important personal identifying information safe and allowed hackers to access names, Social Security numbers, birth dates, addresses and even some driver’s license numbers. As a result of this breach, approximately 209,000 individuals throughout the country are estimated to have had their credit card numbers stolen."

Nevada AG Adam Paul Laxalt said:

"As a part of my commitment to safeguard the identities and personal information of Nevadans, my office will be working diligently with other states to investigate the cause of the Equifax breach... I encourage Nevadans to contact Equifax to determine whether their data was compromised, and to consider taking additional steps to protect themselves."

The statement did not mention the other states the Nevada AG's Office is working with. Residents of Nevada should read the announcement which lists specific actions consumers in that state should take to protect themselves.

The Attorney General for the State of New York announced on September 8 both an investigation into the Equifax data breach and a consumer alert:

"Under New York law, businesses with New York customers are required to inform customers and the Attorney General’s Office about security breaches that have placed personal information in jeopardy. The Attorney General’s Office investigates data breaches to determine if customers were properly notified of the breach and if the entity had appropriate safeguards in place to protect customers’ data..."

The consumer alert portion of the announcement:

"1) Check your credit reports from Equifax, Experian, and TransUnion by visiting annualcreditreport.com. Accounts or activity that you do not recognize could indicate identity theft. This is a free service; 2) Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. It will not prevent a thief from using any of your existing accounts; 3) Monitor your existing credit card and bank accounts closely for unauthorized charges. Call the credit card company or bank immediately about any charges you do not recognize; and 4) Since Social Security numbers were affected, there is risk of tax fraud. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Consider filing your taxes early and pay close attention to correspondence from the IRS."

Annualcreditreport.com is the official site for free credit reports. The U.S. Federal Trade Commission (FTC) issued new rules in 2010 which addressed consumer confusion in the marketplace about sites offering free credit reports. When using unofficial sites, some consumers found the "free" credit reports weren't truly free because they included expensive subscriptions to credit monitoring services.

On September 11, the New York AG's office issued a warning about cyber attacks resulting from the Equifax breach:

"In addition to taking measures to protect their credit cards and bank accounts, New Yorkers should also think twice before clicking on any suspicious [e-mail] links claiming to be from Equifax or financial institutions... Hackers are resourceful criminals who are constantly looking to exploit any vulnerabilities... New Yorkers should be on the lookout for these possible attacks: a) Phishing emails that claim to be from Equifax where you can check if your data was compromised; b) Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information; c) Calls from scammers that claim they are from your bank or credit union..."

Also, the Los Angeles Times confirmed an investigation by the U.S. Federal Trade Commission (FTC):

"The FTC’s disclosure of an ongoing probe is highly unusual, underscoring the enormous stakes involved in the incident affecting what amounts to half the country."

The news report cited comments by Peter Kaplan, the agency’s acting director of public affairs. So far, little is known about which aspects of the breach the FTC is investigating.

No doubt, there is more news to come.


Equifax Data Breach: 11 Reasons Why It Is Worse Than You Think

Equifax, one of the three major credit reporting agencies, announced on September 7 a massive data breach in which criminals accessed the company's computer systems. How bad is it? It is instructive to analyze the text of Equifax's breach announcement:

"... a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed."

First, this is huge. Do the math: 143 million persons is about 44 percent of the United States population of 325 million on July 4, 2017. So, almost half of the population was affected. Not good. But, there's more to this than size.

Second, the announcement stated "approximately." So, the true number could be lower or higher. The vagueness suggests that Equifax doesn't really know exactly how many consumers were affected. Not good. And, other details support this assumption that Equifax really doesn't know.

Third, the announcement stated "accessed." During the 10+ years I've written this blog, I've read dozens or hundreds of breach announcements. Many use this term. While the term may accurately describe what Equifax knows, it also can be misleading. Criminals don't access companies' systems simply to window-shop or read files. They access systems to download and steal valuable information they can either use to make money, or resell to others. It's what online criminals do.

Fourth, the data elements accessed (read: stolen) allow criminals to do a lot of damage. That might include: a) obtaining fraudulent loans or credit in breach victims' names; b) impersonating breach victims (it's called pretexting) to access online accounts; c) with online access, withdrawing money from victims' bank accounts; and much more. With online access, criminals can change passwords and take over victims' accounts, effectively locking out victims.

Fifth, the breach investigation isn't finished:

"Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks."

The announcement didn't state when Equifax expected the investigation to be finished. Days? Weeks? Months? Not good.

Equifax hired an outside, independent technology firm to investigate its breach. That's what companies usually do during their post-breach response. This tiny bit of good news is quickly overshadowed by the bad. Without a completed breach investigation, Equifax can't really know whether the breach was caused by a technical systems problem, employee error, management oversight lapses, a sloppy or incompetent subcontractor, something else, or a combination of items. Only after a completed breach investigation can Equifax implement one or several fixes so this won't happen again. Not good.

Sixth, without knowing how criminals accessed its systems, Equifax also can't know with certainty what data elements about consumers were stolen. More data elements could have been stolen, perhaps entire credit reports. Not good.

Seventh, it seems that Equifax's intrusion detection systems failed. Just look at the timeline. The breach started in mid-May and Equifax discovered it near the end of July. So, criminals had at least 2 full months to steal whatever they could find. Not good. Plus, after discovering the breach, it took Equifax another 5 weeks to announce it. Why the delays? The breach announcement doesn't explain why. Not good.

Eighth, Equifax seems to take shortcuts with its breach notification:

"Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."

Setting up a website to convey breach updates to consumers is a good thing, but using the site to notify consumers about the breach is not good for two reasons: a) the site requires consumers to enter many of the same sensitive, valuable data elements criminals want to steal; and b) it forces consumers to trust that the breach site is secure, when we know that the breach investigation is incomplete. This is a breach notification failure.

In the 10+ years I've written this blog, I've seen that trustworthy companies notify breach victims via postal mail. Why won't Equifax notify all breach victims directly via postal mail? It has consumers' residential addresses in its databases. (That is a benefit for its lending customers.) So, a lack of data is not an excuse. Plus, the credit reporting agency is willing to notify some consumers directly:

"In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted."

Rather than notify all breach victims directly, Equifax seems to want to take shortcuts. Maybe it is to save money, or it is laziness, or poor decisions by its executives. The announcement doesn't explain why, so consumers are left to draw their own conclusions. Not good.

Ninth, technologists have questioned the security of Equifax's new breach site. Ars Technica reported:

"... the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details..."

Reportedly, the domain name registration problem was fixed on Sunday. Still, Equifax's post-breach response appears amateurish. Meanwhile, data security problems persisted in its main website. According to Ars Technica:

"... in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So, Equifax hasn't completed its breach investigation, doesn't know how its systems were hacked, has vulnerabilities in its main site, but wants consumers to trust that its breach site is secure. Not good.

Tenth, the Equifax announcement promoted its credit monitoring service (emphasis added):

"Equifax has established a dedicated website... to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year."

One year? Are Equifax executives serious? Consumers' stolen credentials don't magically lose value after one year. Criminals will use stolen credentials (e.g., name, address, Social Security Number, birth date, etc.) as long as they can. Criminals will resell stolen data to other criminals as long as the data has value. In my opinion, Equifax should provide complimentary credit monitoring indefinitely, for life, to all breach victims.

Why lifetime? Because the stolen data elements have ongoing value. The cynical part of me wonders if some finance executives have done the math. As long as credit reporting agency executives believe that one year of free credit monitoring will appease breach victims, it's cheaper to pay that cost (plus a few out-of-court settlements) than to implement more robust data security.

Eleventh, there is a history of questionable decisions by Equifax executives. In 2007, it paid a $2.7 million fine for violating federal credit laws. In 2009, it paid a $65,000 fine to the state of Indiana for violating the state's security freeze law. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations of improper list sales. Earlier this year, Equifax and TransUnion paid $23.1 million to settle allegations of deceptive advertising about credit scores.

This history provides some context to news reports that three Equifax executives sold about $1.8 million in stock after the breach was discovered and before the public breach announcement. Equifax stock fell about 13 percent after the breach announcement. The company said on Thursday that these executives didn't know about the intrusion when they sold shares. Even if true, the optics of this look absolutely terrible.

The whole sordid affair should be a reminder to consumers that we are the product. Credit reporting agencies' true customers are lenders, the companies that make loans to consumers. Equifax makes its money selling credit reports to lenders.

What to make of this? I see several considerations for consumers:

  1. Assume the worst. Every time you hear or read the word "accessed" by Equifax, replace it with "stolen." Then, make your data security decisions accordingly.
  2. If you don't trust the security of Equifax's breach site, then call the company instead via the hotline listed in the breach announcement (preferably using a landline phone) to see if you are affected.
  3. Carefully consider the advantages and disadvantages of Equifax's offer of free credit monitoring and identity theft protection. Equifax has been criticized for forcing arbitration on consumers who accept the free credit monitoring offer. In a September 11th update on its breach site, Equifax reversed course and said the arbitration clause and class-action waiver don't apply in this incident. Regardless, read the fine print before signing up. They may try to re-insert it later. If you don't know what it is, learn about arbitration. A variety of companies have inserted these clauses into their user agreements and policies. You'll need to learn about arbitration anyway in order to make informed purchase decisions about other products and services.
  4. If you don't need credit, consider a Security Freeze to lock down your Equifax credit reports. Then, Equifax can't sell your credit report to lenders. You can do this at all three major credit reporting agencies. I did this several years ago after a data breach by a former employer. Know that a Security Freeze is not a cure-all, since it won't stop data breaches and it won't stop all forms of identity theft and fraud. To learn more, this blog has plenty of information about credit reporting agencies, credit monitoring services, fraud alerts for your credit reports, and security freezes.
  5. If you dislike Equifax's post-breach response, then contact your elected officials and demand that they pressure Equifax to do the right thing: a) notify all breach victims directly via postal mail; and b) implement better data security.
  6. Equifax's post-breach response makes me question whether the company is really up to the data security task -- its responsibility -- to adequately protect consumers' sensitive information. All credit reporting agencies are high-value targets for criminals. If Equifax's executives didn't understand this before, they should now -- and take actions to demonstrate to consumers that they realize the seriousness of the breach. Words are not enough.
  7. Consumers lack choices. Citizens cannot opt in to or opt out of the data collection by credit reporting agencies. (Consumers can opt out of pre-approved credit offers, but can't opt out of the data collection. There's a difference.) Also, the Equifax breach highlights the hypocrisy of pundits and politicians who object to the mandate within Obamacare (i.e., the Affordable Care Act) legislation -- some called it socialism -- while remaining silent about a similarly socialistic mandate with credit reporting.

While writing a post recently about misdeeds at Wells Fargo, I asked the question: "How much damage can one bank do?" Now, I find myself asking a similar question about Equifax: "How much damage can one company do?" Credit and lending are essential to the United States economy. In my opinion, all credit reporting agencies should have NSA-level data security for their networks and computer systems. The data they archive is that critical.

And: if you can't protect it, don't collect it. It's that simple.

As more issues emerge about this breach, I will address them in subsequent posts. What are your opinions of the Equifax breach? Did you lock down your credit reports with a Security Freeze?


Wells Fargo: 1.4 Million More Fake Accounts Found By Latest Investigation

Just before the long holiday weekend, Wells Fargo Bank announced in an August 31 news release the latest results of a third-party investigation into its retail bank account practices since 2009:

"The original account analysis reviewed 93.5 million current and former customer accounts opened in an approximately four and half year time period – from May 2011 through mid-2015 – and identified approximately 2.1 million potentially unauthorized accounts. The expanded analysis reviewed more than 165 million retail banking accounts opened over a nearly eight-year period – from January 2009 through September 2016 – and identified a new total of approximately 3.5 million potentially unauthorized consumer and small business accounts... In connection with these 3.5 million potentially unauthorized accounts, approximately 190,000 accounts incurred fees and charges, up from 130,000 previously identified accounts that incurred fees and charges, and Wells Fargo will provide a total of $2.8 million in additional refunds and credits on top of the $3.3 million previously refunded as a result of the original account review... a review of online bill pay services, as required by the Sept. 8, 2016, consent orders... the analysis identified approximately 528,000 potentially unauthorized online bill pay enrollments and Wells Fargo will refund $910,000 to customers who incurred fees or charges."

To summarize: the latest investigation went two years further back in time, found about 1.4 million more phony accounts, found more customers affected by unauthorized bank accounts, and found possibly more phony online bill-pay enrollments. In a settlement agreement last year with the Consumer Financial Protection Bureau (CFPB), Wells Fargo paid a $185 million fine for alleged unlawful sales practices based on the number of phony accounts known at the time.

Of course, the bank tried a different spin in its news release about the investigation's findings:

"... the completion of its previously announced expanded third-party review of retail banking accounts dating back to the beginning of 2009. Combined with a recent class action settlement and ongoing broad customer outreach and complaint resolution, the completion of the analysis further paves the way for making things right for Wells Fargo customers who may have been harmed by unacceptable retail sales practices."

Yeah, right. That sounds like some wayward teenager wanting praise for providing a complete list of the damage to the family car, which they had neither permission nor a license to drive in the first place.

Much of Wall Street has seen through the spin. Some financial experts advise investors to sell Wells Fargo shares and buy other banks' shares instead. One of the world's largest fund managers withheld support for three of the bank's directors. Some news headlines focused on the growing estimate of phony accounts uncovered. MSN Money listed reasons why the bank may not survive the growing scandal.

There is plenty of bad news. The Los Angeles Times reported a lawsuit by former bank executives who claimed they were scapegoated and fired earlier this year after reporting unethical sales practices. News reports broke earlier this month about alleged insurance abuses of the bank's auto-loan customers.

Well, we now know more about the bank's retail banking practices. The latest announcement makes one wonder, a) how much damage one bank can do, and b) how many more phony accounts would have been uncovered if the investigation started before 2009. What are your opinions?


Neighbor Spoofing: What It Is And The Best Way To Stop It

A friend recently posted on social media:

"I get five to seven phone calls daily from a 617-388-(random) number. I keep blocking them but new ones keep calling. My number is a 617-388- number. I've called a few back and they're actually people's personal mobile numbers. What is going on?! Anyone know how to stop it?"

This is neighbor spoofing... where robocallers pretend to be neighbors by using familiar-looking phone numbers. NPR explained that neighbor spoofing is:

"... when callers disguise their real phone numbers with a fake phone number that has the same area code and prefix as yours. The idea is you might be more likely to pick up because maybe you're thinking, this call could be my neighbor or my kid's school, someone I know... Even the chairman of the Federal Communications Commission, Ajit Pai, cannot escape... The calls have gotten so aggravating to Pai, he is doubling down and making the fight against spoofers a top priority for the FCC. Robocalls and telemarketers are the No. 1 complaint the agency gets from the public. New technology has made spoofing easier to do and harder to detect. Last year, people received about 2.5 billion robocalls every month...this spring, the FCC started investigating ways to let phone carriers block calls from spoofers..."

The best solution is a system where phone companies authenticate callers. That would stop or block neighbor spoofing. Until then, the FCC is using deterrence. Back in June, the FCC proposed a $120 million fine against a habitual robocall scammer, Adrian Abramovich, based in Florida:
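Until carriers authenticate callers, the only signal a subscriber has is the pattern in the calls themselves: many different numbers, all sharing the victim's area code and exchange prefix, arriving in a short period. The script below is an added example (not code from the original post, NPR or the FCC) of that detection logic run over a constructed call log; the subscriber number and every caller ID in it are made up, and the threshold of three distinct matching callers per day is an arbitrary assumption. It also shows why blocking numbers one at a time fails: each call in the log arrives from a fresh number.

```python
"""Flag the neighbor-spoofing pattern in a call log.

Added example, not part of the original post. SAMPLE_LOG and the subscriber number
are constructed; the min_distinct threshold is an assumed tuning value.
"""
from collections import defaultdict
import re

# Constructed sample log: (local timestamp, caller ID as displayed on the phone).
SAMPLE_LOG = [
    ("2017-08-14 09:02", "(617) 388-0142"),
    ("2017-08-14 10:15", "617-388-7730"),
    ("2017-08-14 11:40", "6173885519"),
    ("2017-08-14 13:05", "+1 617 388 2206"),
    ("2017-08-14 15:30", "617-388-9011"),
    ("2017-08-14 16:00", "617-388-9011"),   # repeat of a number already seen
    ("2017-08-14 17:22", "800-555-0100"),   # unrelated toll-free number
    ("2017-08-14 18:45", "617-555-0199"),   # same area code, different prefix
]

DIGITS = re.compile(r"\d")


def normalize(number: str) -> str:
    """Reduce a displayed caller ID to 10 NANP digits, dropping a leading country code 1."""
    digits = "".join(DIGITS.findall(number))
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit NANP number: {number!r}")
    return digits


def npa_nxx(number: str) -> str:
    """Area code plus exchange prefix: the six digits neighbor spoofers copy from the victim."""
    return normalize(number)[:6]


def neighbor_spoof_report(subscriber: str, log, min_distinct: int = 3) -> dict:
    """Count, per day, how many distinct callers share the subscriber's NPA-NXX.

    Real neighbors call from a few stable numbers; a burst of many different numbers
    that all share your prefix is the signature described in the post. Returns
    {day: {"distinct_callers": n, "flagged": bool}}.
    """
    target = npa_nxx(subscriber)
    per_day = defaultdict(set)
    for stamp, caller in log:
        try:
            if npa_nxx(caller) == target:
                per_day[stamp[:10]].add(normalize(caller))
        except ValueError:
            continue  # malformed caller ID: skip it rather than abort the report
    return {
        day: {"distinct_callers": len(callers), "flagged": len(callers) >= min_distinct}
        for day, callers in per_day.items()
    }


if __name__ == "__main__":
    # Assumed subscriber number in the same 617-388 block as the post's example.
    for day, result in neighbor_spoof_report("617-388-4444", SAMPLE_LOG).items():
        print(day, result)
```

Because the report keys on distinct callers rather than call count, a single chatty neighbor does not trip it, while five different numbers from the same block in one day do. Nothing here can tell a spoofed number from a real one, which is the author's point: only carrier-side caller authentication can do that.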

"Over the course of several years, Abramovich's companies disrupted emergency services, bilked vulnerable consumers out of thousands of dollars and hurt legitimate businesses, the FCC contends... TripAdvisor was deluged by consumer complaints about robocalls that the company had not initiated or authorized. After conducting an internal investigation, TripAdvisor determined that the offending calls were linked to a Mexican hotel and resort chain that had contracted with Abramovich for advertising services."

Consumers interested in something they could do might consider Nomorobo, which works (landline or mobile) with many service providers. Users of Apple and Android OS phones might investigate Hiya. Windows and BlackBerry phone users can check the CTIA Wireless Association's guide for free (or low-cost) mobile apps to block robocalls.

Robocalls from schools, physicians, airlines, and law enforcement are helpful, while robocalls from scammers aren't. The best solution -- true authentication -- can't come fast enough. Consumers and businesses are suffering.

While I don't wish anything bad on anyone, I am happy that FCC Chairman Pai is also directly feeling the pain. Perhaps now he knows how consumers feel. The loss of broadband privacy and Pai's push to kill net neutrality annoy consumers almost as much as neighbor spoofing.


Despite Disavowals, Leading Tech Companies Help Extremist Sites Monetize Hate

[Editor's note: today's guest post, by reporters at ProPublica, explores how hate sites maintain an online presence. It is reprinted with permission.]

By Julia Angwin, Jeff Larson, Madeleine Varner and Lauren Kirchner. ProPublica

Because of its "extreme hostility toward Muslims," the website Jihadwatch.org is considered an active hate group by the Southern Poverty Law Center and the Anti-Defamation League. The views of the site's director, Robert Spencer, on Islam led the British Home Office to ban him from entering the country in 2013.

But its designation as a hate site hasn't stopped tech companies -- including PayPal, Amazon and Newsmax -- from maintaining partnerships with Jihad Watch that help to sustain it financially. PayPal facilitates donations to the site. Newsmax -- the online news network run by President Donald Trump's close friend Chris Ruddy -- pays Jihad Watch in return for users clicking on its headlines. Until recently, Amazon allowed Jihad Watch to participate in a program that promised a cut of any book sales that the site generated. All three companies have policies that say they don't do business with hate groups.

Jihad Watch is one of many sites that monetize their extremist views through relationships with technology companies. ProPublica surveyed the most visited websites of groups designated as extremist by either the SPLC or the Anti-Defamation League. We found that more than half of them -- 39 out of 69 -- made money from ads, donations or other revenue streams facilitated by technology companies. At least 10 tech companies played a role directly or indirectly in supporting these sites.

Traditionally, tech companies have justified such relationships by contending that it's not their role to censor the Internet or to discourage legitimate political expression. Also, their management wasn't necessarily aware that they were doing business with hate sites because tech services tend to be automated and based on algorithms tied to demographics.

In the wake of last week's violent protest by alt-right groups in Charlottesville, more tech companies have disavowed relationships with extremist groups. During just the last week, six of the sites on our list were shut down. Even the web services company Cloudflare, which had long defended its laissez-faire approach to political expression, finally ended its relationship with the neo-Nazi site The Daily Stormer last week.

"I can't recall a time where the tech industry was so in step in their response to hate on their platforms," said Oren Segal, director of the ADL's Center on Extremism. "Stopping financial support to hate sites seems like a win-win for everyone."

But ProPublica's findings indicate that some tech companies with anti-hate policies may have failed to establish the monitoring processes needed to weed out hate sites. PayPal, the payment processor, has a policy against working with sites that use its service for "the promotion of hate, violence, [or] racial intolerance." Yet it was by far the top tech provider to the hate sites with donation links on 23 sites, or about one-third of those surveyed by ProPublica. In response to ProPublica's inquiries, PayPal spokesman Justin Higgs said in a statement that the company "strives to conscientiously assess activity and review accounts reported to us."

After Charlottesville, PayPal stopped accepting payments or donations for several high-profile white nationalist groups that participated in the march. It posted a statement that it would remain "vigilant on hate, violence & intolerance." It addresses each case individually, and "strives to navigate the balance between freedom of expression" and the "limiting and closing" of hate sites, it said.

After being contacted by ProPublica, Newsmax said it was unaware that the three sites that it had relationships with were considered hateful. "We will review the content of these sites and make any necessary changes after that review," said Andy Brown, chief operating officer of Newsmax.

Amazon spokeswoman Angie Newman said the company had previously removed Jihad Watch and three other sites identified by ProPublica from its program sharing revenue for book sales, which is called Amazon Associates. When ProPublica pointed out that the sites still carried working links to the program, she said that it was their responsibility to remove the code. "They are no longer paid as an Associate regardless of what links are on their site once we remove them from the Associates Program," she said.

Where to set the boundaries between hate speech and legitimate advocacy for perspectives on the edge of the political spectrum, and who should set them, are complex and difficult questions. Like other media outlets, we relied in part on the Southern Poverty Law Center's public list of "Active Hate Groups 2016." This list is controversial in some circles, with critics questioning whether the SPLC is too quick to brand organizations on the right as hate groups.

Still, the center does provide detailed explanations for many of its designations. For instance, the SPLC documents its decision to include the Family Research Council by citing the evangelical lobbying group's promotion of discredited science and unsubstantiated attacks on gay and lesbian people. We also consulted a list from ADL, which is not public and that was provided to us for research purposes. See our methodology here.

The sites that we identified from the ADL and SPLC lists vehemently denied that they are hate sites.

"It is not hateful, racist or extremist to oppose jihad terror," said Spencer, the director of Jihad Watch. He added that the true extremism was displayed by groups that seek to censor the Internet and that by asking questions about the tech platforms on his site, we were "aiding and abetting a quintessentially fascist enterprise."

Spencer made these comments in response to questions emailed by ProPublica reporter Lauren Kirchner. Afterwards, Spencer posted an item on Jihad Watch alleging that "leftist 'journalist'" Kirchner had threatened the site. He also posted Kirchner's photo and email, as well as his correspondence with her. After being contacted by ProPublica, another anti-Islam activist, Pamela Geller, also posted an attack on Kirchner, calling her a "senior reporting troll." Like Spencer, Geller was banned by the British Home Office; her eponymous site is on the SPLC and ADL lists.

Donations -- and the ability to accept them online through PayPal and similar companies -- are a lifeline for sites like Jihad Watch. In 2015, the nonprofit website disclosed that three quarters of its roughly $100,000 in revenues came from donations, according to publicly available tax records.

In recent weeks, PayPal has been working to shut down donations to extremist sites. This week, it pulled the plug on VDARE.com, an anti-immigration website designated as "white nationalist" by the SPLC and as a hate site by the ADL. VDARE, which denies being white nationalist, immediately switched to its backup system, Stripe.

Stripe, a private company recently described by Bloomberg Businessweek as a $9 billion startup, is unusual in not having a policy against working with hate sites. It does, however, prohibit financial transactions that support drugs, pornography and "psychic services." Stripe provided donation links for 10 sites, second only to PayPal on our list. Stripe did not respond to a request for comment.

VDARE editor Peter Brimelow declared on his site that the PayPal shutdown was likely part of a purge by the "authoritarian Communist Left to punish anyone who disagrees with their anti-American violence against patriotic people." He urged his readers to donate through other channels such as Bitcoins. "We need your help desperately," he wrote. "We must have the resources to defend ourselves and our people."

In 2015, VDARE received nearly all of its revenue -- $267,038 out of total $293,663 -- from donations, according to publicly available tax return forms that the Internal Revenue Service requires nonprofits to disclose.

Brimelow did not respond to our questions, instead characterizing ProPublica as the "Totalitarian Left."

Some sites also supplement their donations with revenue from online advertising. For instance, SonsofLibertyMedia.com, which is on the SPLC list, generated about 10 percent of its revenue -- $37,828 -- from advertising in 2015, according to its tax documents.

The site, which describes itself as promoting a "Judeo-Christian ethic," and recently posted an article declaring that a black activist protesting Confederate statues needed "a serious beat down," does not appear to attract advertisers directly.

Instead, Sons of Liberty benefits from a type of ad-piggybacking arrangement that is becoming more common in the tech industry. The website runs sponsored news articles from a company called Taboola, which shares ad revenues with it. Known for being at the forefront of "click-bait," Taboola places links on websites to articles about celebrities and popular culture.

Taboola's policy prohibits working with sites that have "politically religious agendas" or use hate speech. "We strive to ensure the safety of our network but from time to time, unfortunately, mistakes can happen," said Taboola spokeswoman Dana Miller. "We will ask our Content Policy group to review this site again and take action if needed."

Sons of Liberty founder Bradlee Dean said that he forwarded our questions to his attorney. The lawyer did not respond.

Hate sites can initiate relationships with tech companies with little scrutiny.

Any website can fill out an online form asking to join, for instance, Amazon's network, and often can get approved instantly. Once a website has joined a tech network, it can quickly start earning money through advertising, donations, or content farms such as Taboola that share ad revenues with websites that distribute their articles.

Some companies, such as Newsmax, say that joining their ad network requires explicit prior approval.

But, according to a former Newsmax employee, the only criterion for this approval was whether traffic to the site reached a minimum threshold. There was no content review. Salespeople were told to be aggressive in signing up publishing partners.

"We'd put our news feed on anybody's page, anyone who was willing to listen," he said, "it's about email addresses, it's about marketing, they don't care about ultra conservative or left wing."

Dylann Roof frequented a website described by the SPLC as "white nationalist." He said in a manifesto posted online that finding the website was a turning point in his life. He went on to murder nine African-American churchgoers in Charleston, South Carolina, in 2015. That year, USA Today found Newsmax ads on the site.

They no longer appear there.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.



'Map Your Orgasm' - A New Smart Device For Women

Recently, Mashable reported about a new smart device for women:

"The Lioness looks like a pretty standard vibrator on the outside, but inside it has four sensors that measure temperature, the force of muscle contractions, and track the movement of the device. When you’re done with your session, you can sync the Lioness with its app (available for iOS and Android). It then provides you with easy-to-read visualization of what was happening to your body while you were busy getting off. So, yes, essentially it gives you a map of your orgasm. You can also tag each session with different terms so you can track how your health, sleep, alcohol consumption, mood, etc. affect your experiences."

Gives you a map of your orgasm? That's a surprising description. Perhaps I shouldn't have been surprised. First, there were online tools such as "map my ride" and "map my run." Good stuff to help consumers stay healthy. I guess a tool resembling "map your orgasm" was bound to happen.

Lioness sounds like a much better product name. To learn more, I visited the Lioness site. The home page featured this statement: "Don't worry, we will never share your email or spam you." That's a good start.

Privacy is important, especially with smart devices that collect intimate data about consumers. Earlier this year, news reports described a plan by a smart-device maker to resell the interior home maps its robovacs created. And another smart vibrator maker paid hefty fines to settle allegations that it tracked users without their knowledge or consent.

A wise person once said, "the devil is in the details." The privacy policy in a company's website is a good place to hunt for details. While blogging about privacy and identity theft during the last 10 years, I've read plenty of privacy policies. Plenty. I read the Lioness Privacy Policy (dated May 1) and found some notable sections:

"This Privacy Policy applies to our vibrators and other devices (“Devices”), our websites, including but not limited to lioness.io (individually a “Site” and collectively “Sites”), the Lioness software (“Software”) and Lioness mobile applications (the “Apps”). The Devices, Sites, Software and Apps are collectively referred to in this Policy as the “Lioness Service,” and by proceeding to use the Lioness Service you consent that we may handle the data that we collect from you in accordance with this Privacy Policy."

Pretty standard stuff so far. Warning: I'm not an attorney. If you want legal advice, hire an attorney. Like you, I'm just a regular consumer trying to understand smart devices while maintaining as much privacy as possible. Additional sections in the policy I found interesting:

"Sync Your Device
When you sync your Device through an App or the Software, data recorded on your Device is transferred from your Device to our servers. This data is stored and used to provide the Lioness Service and is associated with your account. Each time a sync occurs, we log data about the transmission. Some examples of the log data are the sync time and date, device battery level, and the IP address used when syncing."

Let's unpack that. The vibrator and its mobile app record the date, time, and battery usage. Combine this with data collected from the four sensors and Lioness will know plenty about your usage: when (date and time), location, duration, preferred movement patterns, and more. It indeed could create a map. More sections in the policy:

"WHY WE COLLECT DATA
Lioness uses your data to provide you with the best experience possible, to help you learn about your body, and to improve and protect the Lioness Service. Here are some examples: i) Contact information is used to send you notifications and to inform you about new features or products... ii) Data and logs are used in research to understand and improve the Lioness Device and Lioness Service; to troubleshoot the Lioness Service; to detect and protect against error, fraud or other criminal activity; and to enforce the Lioness Terms of Service; iii) Aggregate data that does not identify you may be used to inform the health community about trends; for marketing and promotional use..."

"Data That Could Identify You
Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you."

Hmmm. The policy does not list all data elements that personally identify you. For me, that's important to know. And, anything recorded on a smartphone can easily be linked to a person using her 10-digit phone number or the mobile device's serial number.

Informed shoppers probably want to know before purchase which other companies (e.g., business partners, affiliates, advertisers, etc.) Lioness shares data with. Its May 1, 2017 privacy policy also states:

"... companies that are contractually engaged in providing Lioness with services, such as order fulfillment, email management and credit card processing. These companies are obligated by contract to safeguard any PII they receive from us..."

"THIRD PARTIES
Lioness will not be responsible for the practices of third parties that Lioness does not own or control or individuals that Lioness does not employ or manage. The information provided by you to other third parties may be subject to their own privacy policies, which may differ from Lioness’s privacy policy. The Lioness Service may contain links to other sites, and we make every effort to only link to sites that share our high standards and respect for privacy. However, we are not responsible for the privacy practices employed by other sites..."

"DATA RETENTION
Lioness reserves the right to retain your PII for as long as your account remains active..."

So, the policy doesn't mention other companies by name. Not good. That makes it tough for consumers to make informed decisions.

On Facebook, many of my friends regularly share visual maps of their workouts, such as those produced by the MapMyRide app. That's their freedom of choice. So, some consumers are probably wondering if Lioness offers a similar share function. Again from the privacy policy:

"Community Posts
The Lioness Service may offer discussion forums, message boards, social networking opportunities, chat pages and other public forums or features in which you may provide personal information, materials and related content. If you submit personal information when using these public features, please note that such personal information may be publicly posted and otherwise disclosed and used without limitation or restriction."

So, the policy doesn't mention literal maps, per se. They might or might not provide the feature to users. The key takeaway: the responsibility rests upon the user. Don't share it if you don't want it made public.

It's probably helpful to also know that the product uses Bluetooth technology to perform data syncing. From the Lioness FAQ page:

"Wait...will there be bluetooth in my vagina?
Nope. We know that there are a lot of people who don’t like the idea of bluetooth being on while in use, so we made it so bluetooth automatically turns off when you use it."

Also, the FAQ page mentioned:

"Is my data stored securely and kept confidential?
Absolutely. We thought about privacy and security from the beginning for this product. You are the only one who can access your individual data. Everything is encrypted and we fully anonymize the data..."

That's good, but the privacy policy didn't mention data encryption. I expected it would. Not sure what to make of that.

Is the Lioness a good deal? Only you can decide for yourself -- and you should after reading both the privacy and terms-of-service policies.

Me? In my opinion, there seems to be too much wiggle-room for data sharing. The policy contains a lot of words and nothing special compared to other policies I've read. What are your opinions?


Bungled Software Update Renders Customers' Smart Door Locks Inoperable

A bungled software update by Lockstate, maker of WiFi-enabled door locks, rendered many customers' locks inoperable -- or "bricked." Lockstate notified affected customers in this letter:

"Dear Lockstate Customer,
We notified you earlier today of a potential issue with your LS6i lock. We are sorry to inform you about some unfortunate news. Your lock is among a small subset of locks that had a fatal error rendering it inoperable. After a software update was sent to your lock, it failed to reconnect to our web service making a remote fix impossible...

Many Airbnb operators use smart locks by Lockstate to secure their properties. On its website, Lockstate promotes the LS6i lock as:

"... perfect for your rental property, home or office use. This robust WiFi enabled door lock allows users to lock or unlock doors remotely, know when people unlock your door, and even receive text alerts when codes are used. Issue new codes or delete codes from your computer or phone. Even give temporary codes to guests or office personnel."

Reportedly, about 200 Airbnb customers were affected. The company said 500 locks were affected. ArsTechnica explained how the bungled software update happened:

"The failure occurred last Monday when LockState mistakenly sent some 6i lock models a firmware update developed for 7i locks. The update left earlier 6i models unable to be locked and no longer able to receive over-the-air updates."

Some affected customers shared their frustrations on the company's Twitter page. Lockstate said the affected locks can still be operated with physical keys. While that is helpful, it isn't a solution, since customers rely upon the remote features. Affected customers have two repair options: 1) return the back portion of the lock (repair time about 5 to 7 days), or 2) request a replacement (response time about 14 to 18 days).

The whole situation seems to be another reminder of the risks when smart devices depend upon remotely delivered firmware updates: a single bad update can disable the device, and if the device can no longer reach the vendor's service, no remote repair is possible. And, a better disclosure letter by Lockstate would have explained the corrections to internal systems and managerial processes, so this doesn't happen again during another software update.
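The Lockstate failure described above, a firmware image built for one model pushed to another with no way back, is the case for checks on the device itself before an update is committed. As an added example (not Lockstate's code; the LS6i/LS7i model names, the manifest layout and the HMAC key standing in for a vendor signature are all constructed for illustration), a simulated lock rejects an image signed for a different model and rolls back an update whose new image cannot reconnect to the update service:

```python
"""Device-side guard rails for over-the-air firmware updates (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-in for a vendor signing key provisioned on the device.
VENDOR_KEY = b"constructed-demo-key-not-real"


def sign_manifest(manifest: dict) -> str:
    """Vendor side: sign the manifest (HMAC stands in for a real signature)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def build_update(model: str, version: int, image: bytes) -> dict:
    """Vendor side: package an image with a signed manifest naming its target model."""
    manifest = {"model": model, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "sig": sign_manifest(manifest), "image": image}


@dataclass
class Lock:
    """Simulated lock: current image plus an audit log of update decisions."""
    model: str
    version: int
    image: bytes
    log: list = field(default_factory=list)

    def apply_update(self, update: dict, new_image_reconnects: bool) -> str:
        m = update["manifest"]
        # 1. Authenticity: refuse anything not signed by the vendor.
        if not hmac.compare_digest(sign_manifest(m), update["sig"]):
            return self._reject("bad signature")
        # 2. Compatibility: the check that would have caught a 7i image on a 6i lock.
        if m["model"] != self.model:
            return self._reject(f"image is for {m['model']}, device is {self.model}")
        # 3. Integrity of the image and protection against downgrades.
        if hashlib.sha256(update["image"]).hexdigest() != m["sha256"]:
            return self._reject("image hash mismatch")
        if m["version"] <= self.version:
            return self._reject("not newer than installed version")
        # 4. Stage the new image but keep the old one until it proves healthy.
        old = (self.version, self.image)
        self.version, self.image = m["version"], update["image"]
        if not new_image_reconnects:
            # Health check failed (could not reach the service): revert, so the
            # lock is never left in a state that only a factory repair can fix.
            self.version, self.image = old
            return self._reject("new image could not reconnect; rolled back")
        self.log.append(f"committed v{m['version']}")
        return "committed"

    def _reject(self, reason: str) -> str:
        self.log.append(f"rejected: {reason}")
        return "rejected: " + reason


def demo() -> dict:
    """Walk one constructed LS6i lock through the three update scenarios."""
    lock = Lock(model="LS6i", version=3, image=b"ls6i-v3")
    wrong_model = build_update("LS7i", 4, b"ls7i-v4")   # the Lockstate mistake
    good = build_update("LS6i", 4, b"ls6i-v4")
    tampered = build_update("LS6i", 5, b"ls6i-v5")
    tampered["manifest"]["model"] = "LS7i"              # edited after signing
    return {
        "wrong_model": lock.apply_update(wrong_model, new_image_reconnects=True),
        "tampered": lock.apply_update(tampered, new_image_reconnects=True),
        "no_reconnect": lock.apply_update(good, new_image_reconnects=False),
        "version_after_rollback": lock.version,
        "good": lock.apply_update(good, new_image_reconnects=True),
        "version_after_good": lock.version,
        "log": list(lock.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```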

What are your opinions?


$5.5 Million Settlement Agreement Between Nationwide Insurance And 32 States

Last week, 32 states inked a settlement agreement with Nationwide Mutual Insurance for the insurance company's data breach in 2012. The Attorney General's Office for the Commonwealth of Massachusetts participated in the agreement, and explained in an announcement that the 2012 data breach was:

"... allegedly caused by Nationwide’s failure to apply a critical software security patch. The breach resulted in the loss of personal information belonging to 1.27 million consumers, with nearly 950 in Massachusetts, including their social security numbers, driver’s license numbers, credit scoring information, and other personal data. The lost personal information was collected by Nationwide in order to provide insurance quotes to consumers applying for insurance. AG Healey’s Office is not aware of any fraud or identity theft involving Massachusetts residents related to this data breach."

Other states participating in the settlement agreement include the Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia. Terms of the settlement agreement require Nationwide to:

"... both generally update its security practices and to ensure that it keeps software up-to-date, including timely applying patches and other updates to its software. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates.

Many of the consumers whose data was lost as a result of the data breach were consumers who never became Nationwide’s insureds, but whose information was retained by the company in order to provide the consumers re-quotes at a later date. The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose to consumers that it retains their personal information even if they do not become its customers."

950 Massachusetts residents were affected. Massachusetts' share of the payment is $100,000. Massachusetts Attorney General (AG) Maura Healey said in a statement:

"People shopping for financial products should be assured that companies collecting their personal information will protect it no matter what... Nationwide knew their software was vulnerable to hacking but did not promptly address it, leaving sensitive data vulnerable to identity thieves. This settlement holds the company accountable for subjecting our residents to this avoidable risk."

2,810 New York residents were affected. New York State's share of the payment is $107,736. New York State AG Eric T. Schneiderman said:

"Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process... This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers..."

774 Connecticut residents were affected. Connecticut's share of the payment is $256,559. Connecticut AG George Jepsen said:

"Connecticut law requires that anyone in possession of another person's personal information safeguard that data... It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols..."


Homeowners Receive $6.3 Million In Refunds Due To Improper Charges By Insurance Company

Last week, the Attorney General's office for the Commonwealth of Massachusetts announced the results of a post-settlement agreement audit with American Security Insurance Company, a subsidiary of Assurant, Inc., where homeowners in the state will receive $6.3 million in refunds for improper "force-placed insurance" charges. The announcement explained:

"Force-placed insurance is a type of property insurance that mortgage servicers can purchase on behalf of borrowers if they fail to maintain adequate homeowners insurance coverage on mortgaged properties. Mortgage servicers often hire insurance companies like Assurant to monitor whether borrowers are maintaining adequate homeowners insurance coverage and to issue force-placed insurance policies when appropriate homeowners coverage is not in place.

Premiums for force-placed policies are high—often two or three times as expensive as regular homeowners insurance—and the coverage provided is quite limited. Some mortgage servicers accept commission payments from force-placed insurers, which contribute to the high cost of force-placed insurance and create conflicts of interest for mortgage servicers."

The settlement agreement was first announced in November, 2015. The latest announcement described the results of the audit:

"Although force-placed insurance is only intended for circumstances in which the borrower has failed to adequately insure the mortgaged property, the Attorney General’s audit of Assurant found thousands of cases of duplicative insurance coverage for Massachusetts homeowners. Borrowers eligible for settlement money were previously required by their mortgage servicer to purchase force-placed insurance from Assurant, or were overcharged for force-placed insurance because they were mistakenly sold commercial policies rather than less expensive residential policies..."

4,500 homeowners were improperly charged. The average refund per homeowner is about $1,400. Refund checks were mailed last week to affected homeowners.


Wells Fargo Forced Customers To Buy Unwanted And Unnecessary Auto Insurance

Just when it seems that executives at Wells Fargo Bank have seen the light and turned the ethics corner, along comes a news report about another fraudulent program at the bank. The New York Times reported:

"More than 800,000 people who took out car loans from Wells Fargo were charged for auto insurance they did not need, and some of them are still paying for it, according to an internal report prepared for the bank’s executives.

The expense of the unneeded insurance, which covered collision damage, pushed roughly 274,000 Wells Fargo customers into delinquency and resulted in almost 25,000 wrongful vehicle repossessions, according to the 60-page report, which was obtained by The New York Times. Among the Wells Fargo customers hurt by the practice were military service members on active duty."

The internal report, by the consulting firm Oliver Wyman, investigated auto insurance policies sold from January 2012 through July 2016. While this was happening, the bank was recovering from a scandal in which employees opened millions of phony accounts in order to game an incentive system.

Wells Fargo released a statement about how it will help customers affected by the unwanted and unnecessary insurance, and fix its Collateral Protection Insurance (CPI) policies:

"Wells Fargo reviewed policies placed between 2012 and 2017 and identified approximately 570,000 customers who may have been impacted and will receive refunds and other payments as compensation. In total, approximately $64 million of cash remediation will be sent to customers in the coming months, along with $16 million of account adjustments, for a total of approximately $80 million in remediation... in July 2016 Wells Fargo initiated a review of the CPI program and related third-party vendor practices. Based on the initial findings, the company discontinued its CPI program in September 2016... Wells Fargo’s review determined that certain external vendor processes and internal controls were inadequate. As a result, customers may have been charged premiums for CPI even if they were paying for their own vehicle insurance, as required, and in some cases the CPI premiums may have contributed to a default that led to their vehicle’s repossession... Wells Fargo already has been providing CPI-related refunds to some customers and, beginning in August, will send letters and refund checks to customers who are due additional payments. The process is expected to be complete by the end of the year and is as follows:

i) Approximately 490,000 customers had CPI placed for some or all of the time they had adequate vehicle insurance coverage of their own... These customers will receive additional refunds of certain fees and some additional interest. Refunds for this group total approximately $25 million;

ii) In five states that have specific notification and disclosure requirements, approximately 60,000 customers did not receive complete disclosures from our vendor as required prior to CPI placement. In these cases, even if CPI was required, customers will receive a refund including premiums, fees and interest. Refunds for this group total approximately $39 million;

iii) For approximately 20,000 customers, the additional costs of the CPI could have contributed to a default that resulted in the repossession of their vehicle. Those customers will receive additional payments as compensation for the loss of their vehicle. The payment amount will depend on each customer’s situation..."

Do the math. 490,000 customers were overcharged about $25 million, or about $51 per person. 60,000 customers were overcharged $39 million or about $1,950 per person. 34 percent of borrowers (274,000 divided by 800,000) were reportedly pushed into delinquency. Substantial amounts.

Besides reimbursements, the bank said it will work with credit reporting agencies to correct affected borrowers’ credit records. That seems to be the minimum solution. Not only did the bank overcharge some customers, but it also had inadequate controls for both internal processes and external vendors. Which managers were reprimanded, or fired, for those lapses? The bank's statement didn't say. Where were the bank's auditors throughout this mess?

National General Insurance (NGI) underwrote the auto insurance policies for Wells Fargo. A lawsuit by customers named both Wells Fargo and NGI as defendants. And, at least one other law firm is investigating a possible class-action suit.

How does unwanted and unnecessary insurance help customers? Not in any way I can see. Well, it probably helped the bank's profitability for a while.

Reportedly, military service members and their families were among the affected borrowers. And, this latest program isn't the first abuse by the bank of military members and their families. Last fall, the U.S. Justice Department (DOJ) sanctioned the bank for improperly repossessing cars owned by members of the military. The DOJ alleged 413 violations of the Servicemembers Civil Relief Act, and the bank agreed to pay more than $4 million to compensate borrowers affected by seven years of unlawful repossessions.

In June, one U.S. Senator called for the firing of all 12 board members for failing to protect account holders. It seems that unethical executive behavior at the bank will stop only when guilty executives serve jail time, not when the bank pays fines it can easily afford.

The whole sordid affair makes one wonder what other programs at the bank remain hidden. What are your opinions? If you received a refund letter and check, please share what you safely can about it below.


Survey: 90 Percent Of Consumers Want Smart Devices With Security Built In

A recent survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built into the products. Also, 78 percent said they are aware that any smart device connected to their home WiFi network is vulnerable to attacks by hackers wanting to steal personal data stored on the device.

[Chart: Security importance by country, from the Irdeto Global Consumer IoT Security Survey]

The Irdeto Global Consumer IoT Security Survey, conducted online from June 22, 2017 to July 10, 2017 by YouGov Plc for Irdeto, included 7,882 adults (aged 18 or older) in six countries: Brazil, China, Germany, India, the United Kingdom, and the United States. Irdeto provides security solutions to protect platforms and applications for the media, entertainment, automotive and Internet-of-things (IoT) connected industries.

Additional key findings:

"... 72% of millennials (ages 18-24 years) indicated that they are aware that any smart device connected to the Wi-Fi in their home has the potential to be targeted by a hacker, compared to 82% of consumers 55+. This indicates that older generations may be more savvy about IoT security or more cautious... More than half of consumers around the globe (56%) think that it is the responsibility of both the end-user and the manufacturer of the product to prevent hacking of smart devices. Alternatively, only 15% of consumers globally think they are responsible, while 20% feel the manufacturer of the device is responsible for cybersecurity. In China, more consumers than any other country surveyed (31%) stated that it is the responsibility of manufacturers. Brazilians led all countries surveyed (23%) in the belief that it is the responsibility of the end-user to prevent hacking of connected devices... Germans expressed the least concern with nearly half (42%) stating that they are not concerned about smart devices being hacked. On the opposite end of the spectrum, Brazilian smart device owners expressed the most concern with 88% of those surveyed saying they were concerned..."

And, smart device usage varies by country:

"Regarding the number of smart devices consumers own, 89% of those surveyed have at least one connected device in their home. In addition, 81% of consumers across the globe admitted to having more than one connected device in the home. India led all countries with a staggering 97% of consumers stating that they have at least one smart device in the home, compared to only 80% of US consumers..."

Read the announcement by Irdeto. View the full infographic.

[Chart: Device security responsibility, from the Irdeto Global Consumer IoT Security Survey]


The Myth Of Drug Expiration Dates

[Editor's Note: some politicians and pundits repeatedly claim that the private sector is more efficient than the public sector. Today's blog post explores waste in the healthcare industry. Today's post is reprinted with permission.]

By Marshall Allen, ProPublica

The box of prescription drugs had been forgotten in a back closet of a retail pharmacy for so long that some of the pills predated the 1969 moon landing. Most were 30 to 40 years past their expiration dates -- possibly toxic, probably worthless.

But to Lee Cantrell, who helps run the California Poison Control System, the cache was an opportunity to answer an enduring question about the actual shelf life of drugs: Could these drugs from the bell-bottom era still be potent?

Cantrell called Roy Gerona, a University of California, San Francisco, researcher who specializes in analyzing chemicals. Gerona had grown up in the Philippines and had seen people recover from sickness by taking expired drugs with no apparent ill effects.

"This was very cool," Gerona says. "Who gets the chance of analyzing drugs that have been in storage for more than 30 years?"

The age of the drugs might have been bizarre, but the question the researchers wanted to answer wasn't. Pharmacies across the country -- in major medical centers and in neighborhood strip malls -- routinely toss out tons of scarce and potentially valuable prescription drugs when they hit their expiration dates.

Gerona and Cantrell, a pharmacist and toxicologist, knew that the term "expiration date" was a misnomer. The dates on drug labels are simply the point up to which the Food and Drug Administration and pharmaceutical companies guarantee their effectiveness, typically at two or three years. But the dates don't necessarily mean they're ineffective immediately after they "expire" -- just that there's no incentive for drugmakers to study whether they could still be usable.

ProPublica has been researching why the U.S. health care system is the most expensive in the world. One answer, broadly, is waste -- some of it buried in practices that the medical establishment and the rest of us take for granted. We've documented how hospitals often discard pricey new supplies, how nursing homes trash valuable medications after patients pass away or move out, and how drug companies create expensive combinations of cheap drugs. Experts estimate such squandering eats up about $765 billion a year -- as much as a quarter of all the country's health care spending.

What if the system is destroying drugs that are technically "expired" but could still be safely used?

In his lab, Gerona ran tests on the decades-old drugs, including some now defunct brands such as the diet pills Obocell (once pitched to doctors with a portly figurine called "Mr. Obocell") and Bamadex. Overall, the bottles contained 14 different compounds, including antihistamines, pain relievers and stimulants. All the drugs tested were in their original sealed containers.

The findings surprised both researchers: A dozen of the 14 compounds were still as potent as they were when they were manufactured, some at almost 100 percent of their labeled concentrations.

"Lo and behold," Cantrell says, "The active ingredients are pretty darn stable."

Cantrell and Gerona knew their findings had big implications. Perhaps no area of health care has provoked as much anger in recent years as prescription drugs. The news media is rife with stories of medications priced out of reach or of shortages of crucial drugs, sometimes because producing them is no longer profitable.

Tossing such drugs when they expire is doubly hard. One pharmacist at Newton-Wellesley Hospital outside Boston says the 240-bed facility is able to return some expired drugs for credit, but had to destroy about $200,000 worth last year. A commentary in the journal Mayo Clinic Proceedings cited similar losses at the nearby Tufts Medical Center. Play that out at hospitals across the country and the tab is significant: about $800 million per year. And that doesn't include the costs of expired drugs at long-term care pharmacies, retail pharmacies and in consumer medicine cabinets.

After Cantrell and Gerona published their findings in Archives of Internal Medicine in 2012, some readers accused them of being irresponsible and advising patients that it was OK to take expired drugs. Cantrell says they weren't recommending the use of expired medication, just reviewing the arbitrary way the dates are set.  

"Refining our prescription drug dating process could save billions," he says.

But after a brief burst of attention, the response to their study faded. That raises an even bigger question: If some drugs remain effective well beyond the date on their labels, why hasn't there been a push to extend their expiration dates?

It turns out that the FDA, the agency that helps set the dates, has long known the shelf life of some drugs can be extended, sometimes by years.

In fact, the federal government has saved a fortune by doing this.

For decades, the federal government has stockpiled massive stashes of medication, antidotes and vaccines in secure locations throughout the country. The drugs are worth tens of billions of dollars and would provide a first line of defense in case of a large-scale emergency.

Maintaining these stockpiles is expensive. The drugs have to be kept secure and at the proper humidity and temperature so they don't degrade. Luckily, the country has rarely needed to tap into many of the drugs, but this means they often reach their expiration dates. Though the government requires pharmacies to throw away expired drugs, it doesn't always follow these instructions itself. Instead, for more than 30 years, it has pulled some medicines and tested their quality.

The idea that drugs expire on specified dates goes back at least a half-century, when the FDA began requiring manufacturers to add this information to the label. The time limits allow the agency to ensure medications work safely and effectively for patients. To determine a new drug's shelf life, its maker zaps it with intense heat and soaks it with moisture to see how it degrades under stress. It also checks how it breaks down over time. The drug company then proposes an expiration date to the FDA, which reviews the data to ensure it supports the date and approves it. Despite the difference in drugs' makeup, most "expire" after two or three years.

Once a drug is launched, the makers run tests to ensure it continues to be effective up to its labeled expiration date. Since they are not required to check beyond it, most don't, largely because regulations make it expensive and time-consuming for manufacturers to extend expiration dates, says Yan Wu, an analytical chemist who is part of a focus group at the American Association of Pharmaceutical Scientists that looks at the long-term stability of drugs. Most companies, she says, would rather sell new drugs and develop additional products.

Pharmacists and researchers say there is no economic "win" for drug companies to investigate further. They ring up more sales when medications are tossed as "expired" by hospitals, retail pharmacies and consumers despite retaining their safety and effectiveness.

Industry officials say patient safety is their highest priority. Olivia Shopshear, director of science and regulatory advocacy for the drug industry trade group Pharmaceutical Research and Manufacturers of America, or PhRMA, says expiration dates are chosen "based on the period of time when any given lot will maintain its identity, potency and purity, which translates into safety for the patient."

That being said, it's an open secret among medical professionals that many drugs maintain their ability to combat ailments well after their labels say they don't. One pharmacist says he sometimes takes home expired over-the-counter medicine from his pharmacy so he and his family can use it.

The federal agencies that stockpile drugs -- including the military, the Centers for Disease Control and Prevention and the Department of Veterans Affairs -- have long realized the savings in revisiting expiration dates.

In 1986, the Air Force, hoping to save on replacement costs, asked the FDA if certain drugs' expiration dates could be extended. In response, the FDA and Defense Department created the Shelf Life Extension Program.

Each year, drugs from the stockpiles are selected based on their value and pending expiration and analyzed in batches to determine whether their end dates could be safely extended. For several decades, the program has found that the actual shelf life of many drugs is well beyond the original expiration dates.

A 2006 study of 122 drugs tested by the program showed that two-thirds of the expired medications were stable every time a lot was tested. Each of them had their expiration dates extended, on average, by more than four years, according to research published in the Journal of Pharmaceutical Sciences.

Some that failed to hold their potency include the common asthma inhalant albuterol, the topical rash spray diphenhydramine, and a local anesthetic made from lidocaine and epinephrine, the study said. But neither Cantrell nor Dr. Cathleen Clancy, associate medical director of National Capital Poison Center, a nonprofit organization affiliated with the George Washington University Medical Center, had heard of anyone being harmed by any expired drugs. Cantrell says there has been no recorded instance of such harm in medical literature.

Marc Young, a pharmacist who helped run the extension program from 2006 to 2009, says it has had a "ridiculous" return on investment. Each year the federal government saved $600 million to $800 million because it did not have to replace expired medication, he says.

An official with the Department of Defense, which maintains about $13.6 billion worth of drugs in its stockpile, says that in 2016 it cost $3.1 million to run the extension program, but it saved the department from replacing $2.1 billion in expired drugs. To put the magnitude of that return on investment into everyday terms: It's like spending a dollar to save $677.

"We didn't have any idea that some of the products would be so damn stable -- so robustly stable beyond the shelf life," says Ajaz Hussain, one of the scientists who formerly helped oversee the extension program.

Hussain is now president of the National Institute for Pharmaceutical Technology and Education, an organization of 17 universities that's working to reduce the cost of pharmaceutical development. He says the high price of drugs and shortages make it time to reexamine drug expiration dates in the commercial market.

"It's a shame to throw away good drugs," Hussain says.

Some medical providers have pushed for a changed approach to drug expiration dates -- with no success. In 2000, the American Medical Association, foretelling the current prescription drug crisis, adopted a resolution urging action. The shelf life of many drugs, it wrote, seems to be "considerably longer" than their expiration dates, leading to "unnecessary waste, higher pharmaceutical costs, and possibly reduced access to necessary drugs for some patients."

Citing the federal government's extension program, the AMA sent letters to the FDA, the U.S. Pharmacopeial Convention, which sets standards for drugs, and PhRMA asking for a re-examination of expiration dates.

No one remembers the details -- just that the effort fell flat.

"Nothing happened, but we tried," says rheumatologist Roy Altman, now 80, who helped write the AMA report. "I'm glad the subject is being brought up again. I think there's considerable waste."

At Newton-Wellesley Hospital, outside Boston, pharmacist David Berkowitz yearns for something to change.

On a recent weekday, Berkowitz sorted through bins and boxes of medication in a back hallway of the hospital's pharmacy, peering at expiration dates. As the pharmacy's assistant director, he carefully manages how the facility orders and dispenses drugs to patients. Running a pharmacy is like working in a restaurant because everything is perishable, he says, "but without the free food."

Federal and state laws prohibit pharmacists from dispensing expired drugs and The Joint Commission, which accredits thousands of health care organizations, requires facilities to remove expired medication from their supply. So at Newton-Wellesley, outdated drugs are shunted to shelves in the back of the pharmacy and marked with a sign that says: "Do Not Dispense." The piles grow for weeks until they are hauled away by a third-party company that has them destroyed. And then the bins fill again.

"I question the expiration dates on most of these drugs," Berkowitz says.

One of the plastic boxes is piled with EpiPens -- devices that automatically inject epinephrine to treat severe allergic reactions. They run almost $300 each. These are from emergency kits that are rarely used, which means they often expire. Berkowitz counts them, tossing each one with a clatter into a separate container: "That's 45, 46, 47." He finishes at 50. That's almost $15,000 in wasted EpiPens alone.

In May, Cantrell and Gerona published a study that examined 40 EpiPens and EpiPen Jrs., a smaller version, that had been expired for between one and 50 months. The devices had been donated by consumers, which meant they could have been stored in conditions that would cause them to break down, like a car's glove box or a steamy bathroom. The EpiPens also contain liquid medicine, which tends to be less stable than solid medications.

Testing showed 24 of the 40 expired devices contained at least 90 percent of their stated amount of epinephrine, enough to be considered as potent as when they were made. All of them contained at least 80 percent of their labeled concentration of medication. The takeaway? Even EpiPens stored in less than ideal conditions may last longer than their labels say they do, and if there's no other option, an expired EpiPen may be better than nothing, Cantrell says.

At Newton-Wellesley, Berkowitz keeps a spreadsheet of every outdated drug he throws away. The pharmacy sends what it can back for credit, but it doesn't come close to replacing what the hospital paid.

Then there's the added angst of tossing drugs that are in short supply. Berkowitz picks up a box of sodium bicarbonate, which is crucial for heart surgery and to treat certain overdoses. It's being rationed because there's so little available. He holds up a purple box of atropine, which gives patients a boost when they have low heart rates. It's also in short supply. In the federal government's stockpile, the expiration dates of both drugs have been extended, but they have to be thrown away by Berkowitz and other hospital pharmacists.

The 2006 FDA study of the extension program also said it pushed back the expiration date on lots of mannitol, a diuretic, for an average of five years. Berkowitz has to toss his out. Expired naloxone? The drug reverses narcotic overdoses in an emergency and is currently in wide use in the opioid epidemic. The FDA extended its use-by date for the stockpiled drugs, but Berkowitz has to trash it.

On rare occasions, a pharmaceutical company will extend the expiration dates of its own products because of shortages. That's what happened in June, when the FDA posted extended expiration dates from Pfizer for batches of its injectable atropine, dextrose, epinephrine and sodium bicarbonate. The agency notice included the lot numbers of the batches being extended and added six months to a year to their expiration dates.

The news sent Berkowitz running to his expired drugs to see if any could be put back into his supply. His team rescued four boxes of the syringes from destruction, including 75 atropine, 15 dextrose, 164 epinephrine and 22 sodium bicarbonate. Total value: $7,500. In a blink, "expired" drugs that were in the trash heap were put back into the pharmacy supply.

Berkowitz says he appreciated Pfizer's action, but feels it should be standard to make sure drugs that are still effective aren't thrown away.

"The question is: Should the FDA be doing more stability testing?" Berkowitz says. "Could they come up with a safe and systematic way to cut down on the drugs being wasted in hospitals?"

Four scientists who worked on the FDA extension program told ProPublica something like that could work for drugs stored in hospital pharmacies, where conditions are carefully controlled.

Greg Burel, director of the CDC's stockpile, says he worries that if drugmakers were forced to extend their expiration dates it could backfire, making it unprofitable to produce certain drugs and thereby reducing access or increasing prices.

The 2015 commentary in Mayo Clinic Proceedings, called "Extending Shelf Life Just Makes Sense," also suggested that drugmakers could be required to set a preliminary expiration date and then update it after long-term testing. An independent organization could also do testing similar to that done by the FDA extension program, or data from the extension program could be applied to properly stored medications.

ProPublica asked the FDA whether it could expand its extension program, or something like it, to hospital pharmacies, where drugs are stored in stable conditions similar to the national stockpile.

"The Agency does not have a position on the concept you have proposed," an official wrote back in an email.

Whatever the solution, the drug industry will need to be spurred in order to change, says Hussain, the former FDA scientist. "The FDA will have to take the lead for a solution to emerge," he says. "We are throwing away products that are certainly stable, and we need to do something about it."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Wisconsin Employer To Offer Its Employees ID Microchip Implants

Microchip implant to be used by Three Square Market. A Wisconsin company said that, starting August 1, it will offer its employees the option of receiving microchip identification implants. The company, Three Square Market (32M), will let employees with the implants make purchases in the employee break room, open locked doors, log in to computers, use the copy machine, and perform related office tasks.

Each microchip, about the size of a grain of rice (see photo), would be implanted under the skin of an employee's hand. The microchips use radio-frequency identification (RFID), a technology that has existed for years and is used in a variety of devices: employee badges, payment cards, passports, package tracking, and more. Each microchip electronically stores identification information about the user and communicates over near-field communication (NFC), the short-range (a few centimeters), 13.56 MHz form of RFID also used by contactless payment cards and smartphones. Instead of swiping a payment card or employee badge, or tapping a smartphone, the employee unlocks a device by waving a hand near the chip reader attached to it, and makes purchases in the break room by waving a hand near a self-serve kiosk.

Reportedly, 32M would be the first employer in the USA to microchip its employees. CBS News reported in April about Epicenter, a startup based in Sweden:

"The [implant] injections have become so popular that workers at Epicenter hold parties for those willing to get implanted... Epicenter, which is home to more than 100 companies and some 2,000 workers, began implanting workers in January 2015. Now, about 150 workers have [chip implants]... as with most new technologies, it raises security and privacy issues. While biologically safe, the data generated by the chips can show how often an employee comes to work or what they buy. Unlike company swipe cards or smartphones, which can generate the same data, a person cannot easily separate themselves from the chip."

In an interview with Saint Paul-based KSTP, Todd Westby, the Chief Executive Officer at 32M, described the optional microchip program as:

"... the next thing that's inevitably going to happen, and we want to be a part of it..."

To implement its microchip implant program, 32M has partnered with Sweden-based BioHax International. Westby explained in a company announcement:

"Eventually, this technology will become standardized allowing you to use this as your passport, public transit, all purchasing opportunities... We see chip technology as the next evolution in payment systems, much like micro markets have steadily replaced vending machines... it is important that 32M continues leading the way with advancements such as chip implants..."

"Micro markets" are small stores located within employers' offices, typically in the break rooms where employees relax and/or purchase food. 32M estimates there are 20,000 micro markets nationwide in the USA. According to its website, the company serves markets in North America, Europe, Asia, and Australia. 32M believes that micro markets, aided by chip implants and self-serve kiosks, offer employers greater employee productivity at lower cost.

Yes, the chip implants are similar to the chip implants many pet owners have inserted to identify their dogs or cats. 32M expects 50 employees to enroll in its chip implant program.

Reportedly, companies in Belgium and Sweden already use chip implants to identify employees. 32M's announcement did not list the data elements each employee's microchip would contain, whether the data in the microchips would be encrypted, or whether the reader authenticates the chip at all rather than trusting whatever identifier it reads. Historically, RFID tags that store unencrypted data, or whose only credential is a static identifier the reader accepts on sight, have been vulnerable to skimming attacks by criminals using portable or hand-held RFID readers: one silent read within range captures everything the legitimate reader would ask for. The stolen data can then be written to a clone or replayed to commit identity theft and fraud.
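The following is an added illustration, not code from the article, from 32M or from BioHax, of why a tag whose only credential is a static identifier can be skimmed and cloned, and why a keyed challenge-response defeats the replay. The UID value, keys, message layout and reader logic are all hypothetical; whether 32M's chips behave like either model is not stated in its announcement.

```python
"""Added illustration, not from the article, 32M or BioHax: why a tag whose
only credential is a static identifier can be skimmed and cloned, and why a
keyed challenge-response stops the replay. The UID, keys, message layout and
reader logic are hypothetical; real tag products differ."""
import hashlib
import hmac
import os

UID_LEN = 7  # many NFC tags carry a 7-byte UID; the length is assumed here


class StaticIdTag:
    """Answers every reader with the same stored bytes; the challenge is ignored."""

    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return self.uid


class ChallengeResponseTag:
    """Holds a per-tag secret and MACs the reader's nonce, so a recorded
    answer is worthless against any other nonce."""

    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()
        return self.uid + mac


class Reader:
    """Door/kiosk reader. enrolled maps UID -> key, or UID -> None for a
    deployment that trusts the UID alone."""

    def __init__(self, enrolled):
        self.enrolled = enrolled

    def authenticate(self, tag):
        challenge = os.urandom(16)          # fresh nonce for every attempt
        return self.verify(challenge, tag.respond(challenge))

    def verify(self, challenge, response):
        uid, mac = response[:UID_LEN], response[UID_LEN:]
        if uid not in self.enrolled:
            return False
        key = self.enrolled[uid]
        if key is None:                     # static-ID deployment: UID present means accepted
            return mac == b""
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


class Skimmer:
    """Attacker's hand-held reader: one silent read of the victim's tag."""

    @staticmethod
    def capture(tag):
        challenge = os.urandom(16)
        return tag.respond(challenge)


class ClonedTag:
    """Replays the captured bytes regardless of what the reader asks."""

    def __init__(self, captured):
        self.captured = captured

    def respond(self, challenge):
        return self.captured


def demo():
    """Returns which tag/reader pairings accept the genuine tag and the clone."""
    uid = bytes.fromhex("04a1b2c3d4e5f6")   # constructed UID
    key = os.urandom(32)                    # per-tag secret provisioned at enrollment
    static_reader = Reader({uid: None})
    cr_reader = Reader({uid: key})
    static_tag = StaticIdTag(uid)
    cr_tag = ChallengeResponseTag(uid, key)
    return {
        "static_genuine": static_reader.authenticate(static_tag),
        "static_clone": static_reader.authenticate(ClonedTag(Skimmer.capture(static_tag))),
        "cr_genuine": cr_reader.authenticate(cr_tag),
        "cr_clone": cr_reader.authenticate(ClonedTag(Skimmer.capture(cr_tag))),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} {'ACCEPTED' if accepted else 'rejected'}")
```

The static case is the skimming scenario described above: nothing the reader asks changes the answer, so a single read is a complete credential. Note that encrypting the stored bytes does not help by itself, because a clone replays ciphertext just as well as plaintext; what stops the attack is a fresh challenge per read and a secret that never leaves the tag. The challenge-response model also does nothing about the tracking concern raised later in the post, since the UID is still sent in the clear.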

Some states, such as Washington and California, have passed anti-skimming laws. Prior government-industry workshops about RFID usage focused on consumer products, not employment concerns. Earlier this year, lawmakers in Nevada introduced legislation making it illegal to require employees to accept microchip implants.

A BBC News reporter discussed in 2015 what it is like to be "chipped." And as CBS News reported:

"... hackers could conceivably gain huge swathes of information from embedded microchips. The ethical dilemmas will become bigger the more sophisticated the microchips become. The data that you could possibly get from a chip that is embedded in your body is a lot different from the data that you can get from a smartphone..."

Example: employers installing RFID readers for employees to unlock bathrooms means employers can track when, where, how often, and the duration employees use bathrooms. How does that sound?

Hopefully, future announcements by 32M will discuss the security features and protections. What are your opinions? Are you willing to be an office cyborg? Should employees have a choice, or should employers be able to force their employees to accept microchip implants? How do you feel about your employer tracking what you eat and drink via purchases with your chip implant?

Many employers publish social media policies covering what employees should (shouldn't, or can't) publish online. Should employers have microchip implant policies, too? If so, what should these policies state?


Microsoft Fights Foreign Cyber Criminals And Spies

The Daily Beast explained how Microsoft fights cyber criminals and spies, some of whom have alleged ties to the Kremlin:

"Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents.

Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft an omniscient view of that server’s network of automated spies."

Kudos to Microsoft and its attorneys.
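The seized names quoted above, livemicrosoft[.]net and rsshotmail[.]com, are brand-name lookalikes, which is what let Microsoft bring a trademark claim. An enterprise cannot seize domains, but it can watch its own resolver logs for the same pattern. The following is an added example, not code from the Daily Beast article or from Microsoft: it refangs reported names, flags queries for domains that embed a brand token but sit outside the brand's own zones, and groups the flagged lookups by client. The log format, brand token list, zone allowlist and client addresses are constructed for this illustration.

```python
"""Added example, not from the Daily Beast piece or from Microsoft: scan DNS
resolver logs for queries to domains that embed a brand name but sit outside
the brand's own zones, the pattern of the seized lookalike C2 names quoted
above. Log format, brand tokens, zone allowlist and client addresses are
constructed for this illustration."""
import re
from collections import defaultdict

BRAND_TOKENS = ("microsoft", "hotmail", "outlook")
# Zones the brand actually owns; in practice this allowlist needs upkeep.
LEGIT_ZONES = {"microsoft.com", "hotmail.com", "outlook.com", "live.com",
               "msn.com", "microsoftonline.com"}

# Assumed resolver log layout: "<timestamp> <client-ip> query: <qname> IN <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$")


def refang(domain):
    """Turn the defanged form used in reporting (livemicrosoft[.]net) back
    into a resolvable name, lower-cased and without a trailing dot."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def registered_domain(fqdn):
    """Last two labels. Assumption: no public-suffix list is available
    offline, so names under multi-label suffixes such as co.uk are not handled."""
    labels = fqdn.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def is_brand_lookalike(domain):
    """True when the registered domain carries a brand token but is not a
    zone the brand owns."""
    reg = registered_domain(refang(domain))
    if reg in LEGIT_ZONES:
        return False
    return any(token in reg for token in BRAND_TOKENS)


def find_lookalike_queries(log_text):
    """Map each flagged domain to the clients that looked it up. Repeats are
    kept on purpose: a host resolving the same name on a schedule is the
    beacon signal a sinkhole operator sees."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_brand_lookalike(m["qname"]):
            hits[refang(m["qname"])].append(m["client"])
    return dict(hits)


# Constructed sample log: two hosts resolving the names quoted in the article.
SAMPLE_LOG = """\
2017-07-20T10:00:01Z 10.1.2.3 query: www.microsoft.com IN A
2017-07-20T10:00:05Z 10.1.2.3 query: livemicrosoft.net IN A
2017-07-20T10:05:05Z 10.1.2.3 query: livemicrosoft.net IN A
2017-07-20T10:00:09Z 10.1.2.9 query: rsshotmail.com IN A
2017-07-20T10:00:12Z 10.1.2.9 query: login.microsoftonline.com IN A
2017-07-20T10:00:15Z 10.1.2.7 query: example.org IN A
"""

if __name__ == "__main__":
    for domain, clients in find_lookalike_queries(SAMPLE_LOG).items():
        print(f"{domain}: {len(clients)} lookups from {sorted(set(clients))}")
```

A substring match on brand tokens is deliberately broad and will flag legitimate third-party names that mention the brand, so the allowlist matters as much as the token list; treat a hit as a lead to pivot on (which hosts, how regularly) rather than a verdict.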


U.S. Treasury Department Fined ExxonMobil $2 Million For Sanction Violations

On Thursday, the U.S. Department of the Treasury fined ExxonMobil Corporation $2 million for sanctions violations that occurred while current Secretary of State Rex Tillerson was the company's Chief Executive Officer. The Office of Foreign Assets Control (OFAC) within the Treasury Department issued the fine. According to the announcement:

"Between on or about May 14, 2014 and on or about May 23, 2014, ExxonMobil violated § 589.201 of the Ukraine-Related Sanctions Regulations when the presidents of its U.S. subsidiaries dealt in services of an individual whose property and interests in property were blocked, namely, by signing eight legal documents related to oil and gas projects in Russia with Igor Sechin, the President of Rosneft OAO, and an individual identified on OFAC’s List of Specially Designated Nationals and Blocked Persons.

OFAC determined that ExxonMobil did not voluntarily self-disclose the violations to OFAC, and that the violations constitute an egregious case."

During March of 2014, Russia annexed Crimea, a peninsula in the Black Sea, from Ukraine, and the United States responded with sanctions on Russian officials. Moscow retaliated by banning nine U.S. officials and lawmakers from entering Russia. President Obama then ordered further sanctions against two dozen members of Putin's inner circle and against Bank Rossiya, the Russian bank supporting them.

During August of 2014, Russian troops invaded eastern areas of Ukraine along the country's southeast coast. Reportedly, Russian troops fought with pro-Russia rebels against Ukrainian military.

The Treasury Department released an "Enforcement Information for July 20, 2017" document which stated in part:

"... ExxonMobil did not voluntarily self-disclose the violations to OFAC and that the violations constitute an egregious case. Both the base civil monetary penalty and the statutory maximum civil monetary penalty amounts for the violations were $2,000,000. OFAC thoroughly considered the arguments ExxonMobil set forth in its submissions to OFAC, and the penalty amount reflects OFAC's consideration of the following facts and circumstances... OFAC considered the following to be aggravating factors: (1) ExxonMobil demonstrated reckless disregard for U.S. sanctions requirements when it failed to consider warning signs associated with dealing in the blocked services of an SDN; (2) ExxonMobil's senior-most executives knew of Sechin's status as an SDN when they dealt in the blocked services of Sechin; (3) ExxonMobil caused significant harm to the Ukraine-related sanctions program objectives by engaging the services of an SDN designated on the basis that he is an official of the Government of the Russian Federation contributing to the crisis in Ukraine; and (4) ExxonMobil is a sophisticated and experienced oil and gas company that has global operations and routinely deals in goods, services, and technology subject to U.S. economic sanctions and U.S. export controls. OFAC considered the following to be a mitigating factor: ExxonMobil has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the first transaction giving rise to the violation..."

It seems that OFAC would have fined ExxonMobil more if it could have. During 2016, ExxonMobil generated sales revenues of $197.52 billion and net income of $7.84 billion. So, the company can easily afford this fine.

ExxonMobil issued a press release on July 20 which denied the violations and claimed that it had received clear guidance from the Treasury Department that the transactions were legal, "so long as the activity related to Rosneft’s business and not Sechin’s personal business." The press release cited several news sources as the basis for that guidance. You'd think that the company's executives would simply have gone straight to the source, OFAC itself, and bypassed the intermediaries.

The OFAC Enforcement Information document debunked the energy company's claim:

"ExxonMobil claims that it interpreted press statements as establishing a distinction between Sechin's "professional" and "personal" capacity, in part citing to a news article published in April 2014 that quoted a Department of the Treasury representative as saying that a U.S. person would not be prohibited from participating in a meeting of Rosneft's board of directors. However, that brief statement did not address the conduct in this case.

Furthermore, the plain language of the Ukraine-Related Sanctions Regulations (which were issued after the Executive branch statements) and E.O. 13661 do not contain a "personal" versus "professional" distinction, and OFAC has neither interpreted its Regulations in that manner nor endorsed such a distinction. The press release statements provided context for the policy rationale surrounding the targeted approach during the early days of the Ukraine crisis, which was to isolate designated individuals who were targeted as a result of the crisis in Ukraine, rather than imposing blocking sanctions on the large companies that they managed. No materials issued by the White House or the Department of the Treasury asserted an exception or carve-out for the professional conduct of designated or blocked persons, nor did any materials suggest that U.S. persons could continue to conduct or engage in business with such individuals.

Separately, there was a Frequently Asked Question (FAQ) publicly available on the OFAC website at the time of the violations that specifically spoke to the conduct at issue in this case..."

The Enforcement Information document is available at the Treasury Department's website and here (Adobe PDF).

While at the Treasury Department's website, I noticed that the Treasury Notes blog stopped publishing on January 19, 2017 -- about the same time as the Presidential Inauguration. What's up with that? Does the Treasury Department, under the Trump Administration, believe that it is okay not to inform citizens, taxpayers, and voters?


CFPB Issues New Rule Governing Arbitration Clauses

The products and services many consumers purchase come with contractual agreements containing arbitration clauses, which prohibit consumers from seeking relief by joining class-action lawsuits. Those clauses also specify the out-of-court process for resolving disagreements and the upfront fees consumers must pay.

Many of you have heard the phrase "binding arbitration." Regular readers of this blog are familiar with the problems it causes. Many popular mobile apps, websites, streaming video services, and some augmented-reality (AR) mobile games contain these clauses. The Public Citizen website lists the banks, retail stores, entertainment, online shopping, telecommunications, consumer electronics, software, nursing home, and health care companies that include binding arbitration clauses in their contracts with customers.

To achieve a better balance between the needs of consumers versus the needs of corporations, the Consumer Financial Protection Bureau (CFPB) has issued new rules governing arbitration clauses. The CFPB explained:

"No matter how many people are harmed by the same conduct, most arbitration clauses require people to bring claims individually against the company, outside the court system, before a private individual (an arbitrator). Companies know that people almost never spend the time or money to pursue relief when the amounts at stake are small, so few people do this. Our new rule will restore the ability of groups of people to file or join group lawsuits. In some cases, not only will companies have to provide relief, they will also have to change their behavior moving forward.

People who would otherwise have to go it alone or give up, will be able to join with others to pursue justice and some remedy for their harm."

Richard Cordray, the Director of the CFPB, in a statement briefly discussed the history:

"Originally, arbitration was primarily used for disagreements between two businesses. But over the last quarter century or so, companies started adding arbitration clauses to their consumer contracts... In 2007, Congress passed the Military Lending Act, which disallows mandatory arbitration clauses in connection with certain loans made to servicemembers. Three years later, in the Dodd-Frank Wall Street Reform and Consumer Protection Act, Congress went further and banned mandatory arbitration clauses in most residential mortgage contracts."

Supporters of binding arbitration clauses have long fought pro-consumer action by the CFPB. Director Cordray also discussed the new CFPB rule:

"A cherished tenet of our justice system is that no one, no matter how big or how powerful, should escape accountability if they break the law. But right now, many contracts for consumer financial products like bank accounts and credit cards come with a mandatory arbitration clause that makes it virtually impossible for people to sue the company as a group if things go wrong. On paper, these clauses simply say that either party can opt to have disputes resolved by private individuals known as arbitrators rather than by the court system. In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal rights..."

"The breadth and application of these clauses can be unexpected and severe. For example, when Wells Fargo opened millions of deposit and credit card accounts without the knowledge or consent of consumers, arbitration clauses in existing account contracts blocked their customers from bringing group lawsuits for the unauthorized account openings. Companies have argued that group lawsuits are unnecessary because the government can pursue enforcement actions to address the same problems. But consumers should be able to stand up for themselves and pursue their own legal rights without having to wait on the government. And the government has limited resources..."

The CFPB also produced this video:

What are your opinions of binding arbitration clauses? Were you aware of them? What are your opinions of the new CFPB rule?