Corporate Responsibility

Thursday, May 08, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 3)

Prior posts discussed offshore outsourcing and TransUnion. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and with the support from its call center. Laurie is worried that if TransUnion and TrueCredit outsource portions of their operations, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions.

A wider search found information about TransUnion's participation in industry events for outsourcing professionals. The International Association of Outsourcing Professionals published information about a June 2007 event:

"Performance Monitoring Goals and Requirements for BPO Operations (Call Centers)
Brad Rubin, Director of Operations for TransUnion Interactive (formerly TrueCredit)

  • Overview of the business requirements for using tools to monitor the overall performance of BPO Call Center Operations
  • Discussion of the functionality needed and the types of tools that were examined to achieve TransUnion’s goals.
Brad Rubin is responsible for managing all BPO operations where he has transformed the service operations into a global multi-site operation. Prior to TransUnion, Brad was with Accenture in San Francisco."

So, it appears that TransUnion, the parent company, and TrueCredit both perform offshore outsourcing. This is the first time I have ever heard of a credit monitoring service that performs offshore outsourcing. According to a 2006 Janeeva, Inc. press release:

"Janeeva, Inc., the industry leader in ORM (Outsourcing Relationship Management) software, today announced that TrueCredit, a division of TransUnion and a provider of credit management services, has implemented Janeeva Assurance™ software to manage multiple outsourced vendor relationships. True Credit is experiencing rapid growth, and customer care via their call centers is critical to their success. With multiple offshore call center locations comes increased complexity that Janeeva helps manage."

So, TrueCredit has contracts with several outsourcing firms. According to a November 2006 entry at Outsourcing Magazine (OM):

"About Blogger Brad Rubin: Brad Rubin is currently the Director of Operations for TrueCredit, a wholly-owned subsidiary of TransUnion, LLC. While at TrueCredit, Mr. Rubin has been responsible for managing all business process outsourcing (BPO) operations. He has successfully transitioned the TrueCredit service delivery platform into a global, multi-site operation. In addition to his work at TrueCredit, Mr. Rubin is an active speaker within the outsourcing community. In 2006, he participated in the Outsourcing Relationship Management Forum at the University of Michigan and the Telecommunications Risk Management Association (TRMA), Summer Conference. In 2007, he will be presenting a case study entitled Managing Multi-Vendor Environments with Relationship Management Software at the International Association of Outsourcing Professionals (IAOP), World Summit."

The OM site provides Mr. Rubin's e-mail address and his blog address: www.sourcingprofessional.com. I scanned several posts in Mr. Rubin's blog. He mentioned TransUnion's offshore outsourcing activities with vendors in Manila (Philippines), Central America, and New Delhi (India). According to Mr. Rubin's blog, TransUnion is considering new offshore outsourcing arrangements in Cebu (Philippines) and Guatemala. While I haven't read all of the posts in Mr. Rubin's blog, so far I haven't seen any posts about data security or data breach notification.

Now, my friend Laurie knows that both TransUnion and TrueCredit perform offshore outsourcing. We now have an idea of some of the country locations. We don't know yet which outsourcing firms. Maybe Mr. Rubin can help Laurie resolve her problems with TrueCredit's customer service department. Maybe Mr. Rubin can explain the scope of TrueCredit's offshore outsourcing activities. Maybe Mr. Rubin can explain the data security processes TransUnion takes to ensure the protection of Laurie's and others' credit information. Maybe Mr. Rubin can provide a list of the specific offshore outsourcing locations and firms.

Last weekend, I wrote to Mr. Rubin asking for answers to the questions above. In my e-mail message to Mr. Rubin, I shared Laurie's message and concerns. So far, I haven't received a response from him, or from anyone at TransUnion. If he responds, I will post his reply in the I've Been Mugged blog.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. That's one reason why I titled these posts "Is It Wise...?" and didn't title them "Is It Profitable...?" Of course, outsourcing and offshore outsourcing are profitable. That's why companies do it.

My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise? Is it wise to do so if the company can't provide a high-quality call center operation?

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

I'll bet that when given a choice, consumers prefer that their credit and financial data be kept within their country's borders, rather than being transmitted around the globe. It all goes to risk. The fewer places credit and financial data are transmitted, the fewer chances for lost or stolen data. More importantly, it is unclear exactly which country's laws govern the protection of consumer credit and financial data. It is also unclear which country's laws govern the notification when the company (e.g., TransUnion, TrueCredit) suffers a data breach at an outsourced call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

More about this next week.

Wednesday, May 07, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 2)

Yesterday's post discussed the problems Laurie is having with her TransUnion credit monitoring service, and the related questions about legal protections when credit companies perform offshore outsourcing. I'd promised Laurie that I'd try to find some answers to her questions.

Meanwhile, Laurie contacted me again:

"I continue to call TransUnion (TrueCredit) and I leave messages for somebody in a managerial position to contact me but I never get a domestic employee. When I ask the phone associates where they are located they tell me they are prohibited from telling me. It's a vicious cycle because there's no mailing address and the potential for online help abuse is the same as telephone support. This is sensitive information I'm disclosing and all my alarms are going off like bells and buzzers."

Yesterday's post covered news reports from 2003 and 2004 about the credit bureaus' offshore outsourcing activities. In 2003, the bureaus promised more openness about their outsourcing plans, but the call center representatives' answer above does not show any openness.

So, I decided to look more closely at TransUnion, since that company was the source of Laurie's difficulties. Like most companies, TransUnion publishes its Corporate Privacy Policy on its main Web site. This seemed like a good starting point, since this document usually discloses what the company does with any sensitive consumer data collected within the site:

"Please carefully read our privacy policy to understand how we will treat the information you provide while visiting this web site or the web sites of most of our domestic subsidiaries and affiliates ("Web Site")... This privacy policy applies to TransUnion and its domestic subsidiaries and affiliates, except for TransUnion Consumer Solutions and TrueLink, Inc., who maintain their own privacy policies."

Note the emphasis on domestic subsidiaries. That refers to TransUnion divisions, companies, or business units within the USA. It implies that divisions, companies, or business units elsewhere are not subject to this Privacy Policy, and instead fall under a different Privacy Policy, or none at all. That should be unsettling to consumers. Why? TransUnion's approach to privacy policies forces users to wade through several documents that aren't easy to read or to find. TransUnion has operations in 25 countries on 5 continents. So far, no explicit mentions of outsourcing in this TransUnion Privacy Policy.

Next, I checked the Privacy Policy at TrueCredit, TransUnion's credit monitoring service, since Laurie is a subscriber. The TrueCredit Privacy Policy is more detailed and more comprehensive. It contains details about several subjects: what data the company archives, what happens when users opt in to e-mail updates, how its web site works with the user's Web browser, the company's approach to online advertising, in what situations TransUnion shares data with contractors, and so forth.

I'd like to give TransUnion and TrueCredit at least one "attaboy" for sharing this amount of detail in the TrueCredit Privacy Policy. However, this document didn't mention outsourcing either.

I also checked the Public Policies pages within the TransUnion site. No mentions of outsourcing there, either. Sadly, this site section was very thin on content. The little bit of copy on three pages could have easily been presented on a single page. Whatever promises TransUnion made in 2003 about more openness about its outsourcing activities weren't being fulfilled in 2008.

Next, I looked for TransUnion's Annual Report and 10-K filings, documents that publicly owned companies within the USA must file. TransUnion is privately held, so it is not required to provide these filings, which the U.S. Securities & Exchange Commission requires of publicly-traded companies. Hence, it is more difficult to obtain detailed information about a privately-owned company... and any offshore outsourcing activities it might be engaged in.

Difficult, but not impossible. More about this tomorrow.

Tuesday, May 06, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)

A friend, Laurie, wrote to me recently about difficulty she is having with her credit monitoring service:

"In my effort to reduce the likelihood of identity theft, I've ordered a credit check from TransUnion this year as I have for the past 3. This year I had a hard time logging on so I called the help line. It was answered instantly by somebody who asked for my Social Security number. Of course it seems like a natural question from a credit bureau but I had the feeling the operator was an outsourced worker from India. I gave her my data but I still couldn't log in. After further attempts to reach TransUnion in the USA I've discovered it is nearly impossible. I feel like I got sucked into a trap door set for the financially paranoid! Have you heard of this being a problem? Do institutions outsourcing labor in other countries have to comply with the same laws? Do you have any way around credit reporting when it's done overseas?"

Laurie's situation caught my attention first because a friend was having difficulty getting the help she needed. Her situation also caught my attention because of the increasing popularity of credit monitoring services. All consumers demand effective and high-quality customer service... perhaps more so when it involves sensitive personal data, like credit reports.

So, I promised Laurie that I'd try to find answers to her questions. Maybe Laurie had encountered a new or poorly trained call center representative; or a representative with a thick accent. This could happen with any business. Regardless, consumers have an expectation for efficient, quality customer service. And according to Laurie's message, TransUnion's customer service isn't helping and is difficult to contact.

Some background: TransUnion is one of three national credit bureaus (also called credit reporting agencies) in the USA. The national credit bureaus play three roles in the credit services industry:

  1. Collect and archive credit reports with consumers' sensitive personal and financial data
  2. Sell credit reports to potential lenders
  3. Sell credit monitoring services to consumers

The data collected in role #1 includes: Social Security Number, birth date, full legal name, current and past residential addresses, credit cards, loan accounts and information, credit score, employer information, e-mail address, and payment histories. But this data isn't always accurate. Even though credit bureaus make money by selling consumers' credit reports, it is the consumers' responsibility to check their credit files for accuracy at each of the three national credit bureaus.

Regarding role #3, TransUnion operates the TrueCredit credit monitoring service.

One could debate whether roles #2 and #3 present a conflict of interest, perhaps similar to the role a computer software company has when it sells both operating system software and application software. But, that debate must wait until after I answer Laurie's questions.

Laurie's message raised the subject of outsourcing, but more specifically offshore outsourcing. Like many Americans, Laurie probably has an impression that the three national credit bureaus support their credit monitoring service subscribers with systems entirely within the subscriber's home country. In other words, consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country's borders. Some experts have identified the data security risks of offshore outsourcing.

If this local-same-country processing and archiving isn't the case, then consumers intuitively assume that their personal data is at greater risk. How much more risk? Consumers don't know and the companies rarely say. Laurie has gone the extra step and asked: if her credit service offshore outsources, does she have the same data protections? Does the outsource firm have the same rigorous data security processes and policies? Which country's laws apply, if any, regarding data security standards? If there's a data breach by the outsource vendor in another country, will she be notified? Will that notification be accurate and timely?

Consumers' impressions that the three national credit bureaus don't outsource work are inaccurate. A news literature search found this San Francisco Chronicle article from November 2003:

"Two of the three major credit-reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time. Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas... The top credit agencies -- Equifax, Experian and Trans Union -- have refused in the past to comment on their outsourcing plans. No longer."

The article also reported this about TransUnion:

"A hundred percent of our mail regarding customer disputes is going to go to India at some point," said David Emery, executive vice president and chief financial officer of TransUnion in Chicago. "We are now testing the system and negotiating a contract with an outside vendor. We expect to sign that contract by the end of the year." Emery said in an interview that the decision to have an Indian firm handle thousands of written requests for changes to credit files each year was necessitated in part by the amended Fair Credit Reporting Act, which was approved by the U.S. Senate on Wednesday.

So, it would appear that (for a variety of reasons) at the end of 2003, TransUnion was planning to outsource work to firms in other countries. Since I am not a lawyer, I cannot provide a legal opinion on the laws which govern outsourcing and the credit industry. Nor can I provide an interpretation of the Fair Credit Reporting Act referenced by Emery above. For legal assistance regarding credit information, the Privacy Rights Clearinghouse recommends that consumers contact the National Association of Consumer Advocates, or the list of attorneys at My Fair Credit.

A Wired story from 2004 titled "Outsourcing: Danger to Privacy" reported:

"Democratic Sen. Dianne Feinstein warned the chief executives of banks and credit companies this week that she would crack down on them if they didn't take steps to protect their customers' private data, such as medical and financial information, which is increasingly being handled by clerks working abroad. In a letter to the CEOs of Citigroup, Bank of America, Equifax and TransUnion, Feinstein (D-California) said she might introduce federal legislation to protect the personal data of Americans if the companies don't establish safeguards... All of the recipients of Feinstein's letter already have outsourced clerical services, or have stated their intent to do so."

To my knowledge, that crack-down never happened. It would seem that the US Congress has basically said to credit bureaus: go ahead and outsource, but you'd better not have any consumers' credit or financial data lost or stolen. And, we consumers have elected those members of Congress.

The article didn't explain exactly how Congress would oversee the companies' outsourcing activities in other countries. The article didn't say how Congress would monitor or audit the companies' compliance with the safeguards, or collect timely and accurate data breach notices about any lost, stolen, or mishandled consumer data by firms operating outside the USA.

A lot has happened since that 2003 article. Maybe the companies' outsourcing plans, activities, or scope have changed. The fact is that identity theft and fraud have blossomed as a problem since 2003. Plus, the 2003 San Francisco Chronicle article made it clear that the credit bureaus were no longer going to hide their offshore outsourcing plans and activities.

More about all of this tomorrow.

Friday, May 02, 2008

BBC Exposes Facebook Flaw

This May 1, 2008 BBC News video is short, clear, and informative for both current Facebook members and consumers considering Facebook. I strongly recommend that you view the BBC video. Be an informed user of social networking sites.

You may also find these prior I've Been Mugged posts helpful:

You may also want to browse this MoveOn petition.

If all of the above has scared the daylights out of you, then you might want to view this YouTube video:

Thursday, May 01, 2008

Wachovia To Pay Huge Fine For Conspiring With Fraudulent Telemarketers

[Editor's Note: today is the anniversary of an important event in U.S. history. May 1, 2008 is the fifth anniversary of "Mission Accomplished" - the day George W. Bush stood proudly on the aircraft carrier USS Abraham Lincoln and declared major combat operations over in Iraq. 140 U.S. military personnel died before May 1, 2003. During March 2008, the number of U.S. military deaths passed 4,000. Today, Osama Bin Laden has not been brought to justice and still remains at large. I think that it is important to judge a President, his administration, and his policies by the results achieved, and not on good intentions. Now, on to today's post.]

You could have labeled today's post, "When A Bank Goes Bad." The New York Times reported on April 26:

"The Wachovia Corporation agreed on Friday to pay as much as $144 million to end an investigation that accuses the bank of allowing telemarketers to use its accounts to steal millions of dollars. The settlement, one of the largest penalties ever demanded by the federal Office of the Comptroller of the Currency, concludes an 18-month inquiry into Wachovia’s relationships with schemes that investigators say stole from thousands of victims, many of them elderly."

The New York Times also reported:

"Though Wachovia did not admit or deny wrongdoing, the investigation found that Wachovia, one of the country’s largest banks, engaged in unsafe practices — failing to conduct suitable due diligence, failing to monitor accounts used by telemarketers and failing to follow normal procedures that would probably have uncovered the thefts. The bank’s actions were “part of a pattern of misconduct” that resulted in Wachovia’s collecting millions of dollars in fees, regulators wrote. Wachovia has agreed to pay a $10 million fine, contribute $8.9 million to consumer education programs and make restitution to victims that could top $125 million."

For consumers, it's tough enough to protect yourself against identity theft and identity fraud. Your bank should not facilitate identity fraud. For background, also read this February 2008 post about Wachovia. The huge fine is great, but jail time should also apply:

"Internal Wachovia e-mail messages and documents collected as part of that lawsuit showed that high-ranking employees long knew about accusations of fraud, but that some bank workers continued to solicit business from the telemarketing companies accused of crimes. “YIKES!!!!” wrote one Wachovia executive in 2005, warning colleagues that an account used by telemarketers had drawn 4,500 complaints. “DOUBLE YIKES!!!!” But Wachovia continued processing fraudulent transactions for that account and others."

That's 4,500 complaints! Not 45, but 4,500! For perspective, the Hannaford data breach included 1,800 cases of fraud. Thankfully:

"The settlement also does not preclude the United States attorney in Philadelphia, Patrick L. Meehan, from prosecuting Wachovia or bank employees. Mr. Meehan’s office is considering a criminal investigation, according to two people close to the matter who spoke on the condition of anonymity because they are not authorized to speak to the media."

Go Meehan! This type of crap will stop when senior executives serve significant jail time. Otherwise, banks will pass along the cost of the fine to consumers and account-holders through more and higher fees or other mechanisms.

Thursday, April 17, 2008

Hannaford Issues An Apology

I recently read this Associated Press news story:

"Hannaford supermarket shoppers are getting an apology in their shopping bags for a security breach that was announced two weeks ago. CEO Ron Hodge sent a message to customers online and through leaflets left in grocery bags. In the note, he apologizes for the "concern and inconvenience" that was created when 4.2 million credit and debit cards were potentially compromised. At least 1,800 cases of fraud have been reported. He says Hannaford stopped the theft and brought in top security experts to help us guard against any further attacks."

Since I don't shop at Hannaford, I read Hodge's apology at the company's web site. "Concern and inconvenience?" That seems to be an attempt to minimize a major data breach... to make it sound non-threatening or insignificant.

If your credit card number was stolen, then you probably got it replaced by your credit card issuer. Little problem there for consumers, but a major expense for credit card issuers.

If your debit card number was stolen, your bank probably issued a new checking account. There's the direct expense to the bank to issue a new checking account and debit card. There's also the time and work impact, since consumers have to set up their online banking with their new checking account. Plus, their bank may or may not have replaced any monies stolen from their checking account. I wouldn't describe that as "concern and inconvenience." And I doubt the identity theft victims view the incident as only a "concern and inconvenience."

At least Hodge had the good sense not to use in his statement the typical corporate double-speak (e.g., a lie) of "we have no indication that the personal data has been used for any improper purpose." There's no way to spin 1,800 fraud cases. Plus... theft is theft, and criminals will always attempt to use (or resell) stolen identity data.

The apology is nice but not enough. I understand a retailer's desire to do anything to get shoppers to continue shopping at their store. How about free credit monitoring and credit resolution for 10 years for identity theft victims? How about publication of Hannaford's revised data security processes so customers can feel confident about data security improvements so this doesn't happen again?

What a company does is more important than their words.

Apparently, several consumers agree. There are several class-action lawsuits claiming Hannaford didn't do enough to protect consumers' personal data. From the Times Herald-Record:

"Lawyers are seeking to consolidate about nine lawsuits into one federal class-action suit against Hannaford Bros... The motion to consolidate, which was filed in U.S. District Court in Bangor, Maine, on behalf of Greg Doherty and 'all others similarly situated,' charges Hannaford was negligent in not providing adequate data security and did not inform customers of the breach quickly enough. It seeks credit monitoring or similar protection, unspecified damages and attorneys' fees. Attorneys will have a better idea of the scope of damages when they nail down exactly how many card numbers were stolen, which may take some time, said Jon Lambiras, an attorney with the Philadelphia-based law firm Berger & Montague, one of several plaintiffs' firms involved in the lawsuit."

And, there are parallels to the TJ Maxx data breach:

"Hannaford's lack of proactivity is not unusual. Framingham, Mass.-based TJX, which owns stores such as TJ Maxx and Marshalls, offered no credit monitoring after a data breach exposed the personal information of some 45 million customers. It took a class-action lawsuit, filed by the same firm now suing Hannaford, to get credit monitoring."

Monday, April 14, 2008

CVS And The State Of Texas AG Reach An Agreement Regarding Information Security

KLTV reported that the Texas Attorney General's office and CVS Pharmacy, Inc. agreed to a settlement to protect CVS customers from identity theft:

"The settlement resolves the state's April 2007 enforcement action against the nation's largest retail pharmacy, which was charged with violating state laws that govern the disposal of customer records containing sensitive personal information. Under an agreed final judgment obtained by the Attorney General, CVS will overhaul its information security program. The program must be fully documented in writing and contain administrative, technical and physical safeguards designed to protect the personal information of CVS customers. CVS also will pay $315,000 to the State of Texas, which will be appropriated for the investigation and prosecution of other identity theft cases, pursuant to the Identity Theft Enforcement and Protection Act."

The Attorney General's office took action after hundreds of documents containing customers' sensitive personal information (e.g., credit card numbers and expiration dates; prescriptions with date of birth, doctors' names, and medication type) were unlawfully dumped behind a CVS store in Liberty, Texas. The state will use the money to prosecute other identity theft cases.

Details about the settlement:

"... CVS must implement a new training program to inform its Texas employees about the company's enhanced information security procedures. The employee training program must provide employees with a review of CVS' privacy procedures and a review of state laws governing the disposal of customer records. The training program also must explain identity theft, its costs to individual consumers and businesses, and the importance of abiding by the company's disposal program."

Only Texas employees? This sounds to me like sensible and appropriate data security actions any and all companies should implement nationwide, without waiting for a state AG to sue them to comply. Forbes Magazine reported:

"... the improper disposal of this information was a violation of [CVS'] record retention and privacy policies, and CVS took appropriate disciplinary action,' the statement said. When the suit was filed last year, CVS said the store manager had been fired. Earlier this month, CVS Caremark agreed to pay almost $37 million to nearly two dozen states and the federal government to settle claims it billed Medicaid programs for a more expensive formulation of an antacid."

When disposing of customers' and employees' records, companies would be well advised to follow the advice in this National Law Journal article: "Shred It Or Regret It."

Friday, April 11, 2008

TJX Companies Agrees To A Settlement With MasterCard

The financial consequences for TJX Companies after its data breach still keep mounting. Recently, CNN Money reported:

"Discount retailer TJX Cos. could pay as much as $24 million in a settlement Wednesday with MasterCard Inc. over a massive breach that exposed tens of millions of payment card numbers to hackers... The TJX agreement, which follows a similar $40.9 million pact in November with Visa Inc., hinges on banks that issue MasterCards agreeing to waive rights to sue TJX in exchange for being paid for breach-related costs."

It isn't over for TJX/TJ Maxx:

"Issuers of at least 90% of the MasterCard accounts identified as possibly being compromised in the breach must approve the agreement by May 2 for the settlement to take effect, Purchase, N.Y.-based MasterCard and Framingham, Mass.-based TJX said in separate news releases."

This should be a clear reminder to other retailers: adequately protect the personal data you collect about consumers!

Monday, April 07, 2008

Consumer Reports On LifeLock

Many consumers consider Consumer Reports a trustworthy source of independent product and service information, in order to make smart purchases. As a child, I remember watching my parents read Consumer Reports' product testing results before buying a car and expensive household appliances. I currently subscribe to Consumer Reports' On Health publication.

Last month, Consumer Reports reviewed LifeLock, a credit monitoring service:

"LifeLock spent $5 million on TV and radio ads nationally in the first half of this year and claims to have 300,000 subscribers. It has been endorsed by actor Fred Thompson (before he officially became a presidential candidate) and radio personalities Rush Limbaugh, Sean Hannity, and Paul Harvey. But as Harvey might say, now here’s the rest of the story."

What LifeLock does to protect your sensitive personal data and credit reports:

"For $10 a month or $110 a year, LifeLock instructs the top three credit-reporting agencies Equifax, Experian, and TransUnion to place fraud alerts on your credit reports and renews them every 90 days. The service also tells the three bureaus that you opt out of receiving preapproved credit offers and asks the Direct Marketing Association (DMA) to remove your name from mailing lists. Of course, you can do those things yourself free. And fraud alerts are no guarantee against ID theft. Some lenders don’t see them and allow crooks to open accounts in other people’s names anyway."

If you are like me, then you've already done most of this on your own -- for free. I placed Fraud Alerts on my credit reports, and later renewed them. I have already opted out of pre-approved credit offers and telemarketing lists -- again, for free. Is there anything LifeLock provides that we consumers can't do ourselves? Perhaps it's their credit restoration services:

"... the company guarantees against all losses and expenses a client incurs up to $1 million. LifeLock’s guarantee will restore stolen funds to your bank accounts, get fraudulent credit accounts closed, pay lost wages, hire credit-repair firms, and do "whatever it takes to get your life back..."

While that sounds really appealing, Consumer Reports also wrote this:

"But the customer agreement doesn't actually bind LifeLock to much of what Davis promised us. It specifically says that the company will not reimburse "consequential damages, such as lost wages." [LifeLock CEO] Davis says customers should ignore the fine print: "The lost-wage clause is there because insurance commissioners wanted to be sure we’re not an insurance company. We’re not." The contract, meanwhile, is vague about reimbursing stolen money: "We will pay professionals to assist in restoring any such loss." The guarantee hinges on "the failure or defect in our service," which the contract defines as initiating requests with credit bureaus and the DMA. But Davis says the contract really means something else: "If the fraud alerts did not do what they were intended to do, then the service failed. I don’t just mean that my system didn’t send them correctly," he says."

If you are considering LifeLock to protect your identity, I strongly encourage you to read the entire Consumer Reports review of LifeLock first. Then decide if LifeLock is for you.

Friday, April 04, 2008

20 Ways Wal-Mart Clinics Will Affect Health Care

In case you didn't notice, Wal-Mart recently entered the health care field by opening medical clinics. The company plans to open about 400 clinics by 2010 and 2,000 clinics by 2014. The company currently has about 60 in-store clinics.

I know that a lot of people really like Wal-Mart due to its low prices. However, it's interesting to read what nurses -- health care professionals -- have to say about how Wal-Mart clinics will affect health care:

  1. More immunizations
  2. Cheaper fees and flat-fee visits
  3. Faster care
  4. Automated health care: "At Wal-Mart clinics, practitioners check out patients with the aid of a proprietary computer program that diagnoses illnesses. This sort of automation can help make diagnosis more accurate and efficient, while still allowing for human expert guidance when needed."
  5. No insurance necessary
  6. Race to the bottom: "Wal-Mart tends to have this effect on local businesses, creating a situation where quality must be sacrificed for price. In the healthcare world, cheaper isn't always better, and competing with Wal-Mart clinics could result in decreased quality of care."
  7. One-stop shopping
  8. Primary care providers can narrow their focus: "As Wal-Mart takes on all of the sniffles and scratches, doctors can spend more time working with patients who need more professional help. They'll be able to use their time more effectively and appropriately."
  9. Automated health care could be problematic: "Although automation increases efficiency and reduces human error, that doesn't mean that a computer program is the best way to diagnose a patient. Critics are worried that this type of diagnosis will cause important intricacies to be missed."
  10. Eased emergency room crunches at hospitals
  11. More retail pricing information: "To compete with Wal-Mart, physicians will start sharing information about how much specific visits and procedures will cost. This can make health care more competitive and consumer-friendly."
  12. Better rural medical access
  13. Increased medical awareness
  14. Increased office hours
  15. Health clinics mean easier access to medical care
  16. Traditional medical offices will feel the crunch: "As Wal-Mart's clinics tackle the easy patients, regular health practitioners will be left with more complicated patients that take more time and money. These patients are generally less profitable, and could cause monetary problems for these offices."
  17. More referrals: Primary care physicians and specialists will see more referrals as Wal-Mart and others like it determine that some cases are too difficult to be handled by the clinic. This would include finding doctors and sharing medical records.
  18. Increased utilization of nurse practitioners
  19. Less red tape for known illnesses
  20. Decreased continuity of care

I've provided explanations for selected items above. The article contains full detail for all items. You'll quickly notice that not all of the impacts are positive.

Me? When it comes to my health, I am more interested in quality than the lowest cost provider. While Wal-Mart hasn't had any publicized data breaches (yet), I'll be looking. When a retailer leads the "race to the bottom" to lower costs, inevitably employees cut corners. I just hope for their customers' privacy, Wal-Mart doesn't cut corners on data security.

Thursday, April 03, 2008

Top Five Data Security Risks For Healthcare Organizations

ComplianceHome reported the results of a study by Absolute Software Corporation, a provider of computer theft recovery, data protection, and hardware tracking solutions. Absolute identified the five computer security risks health care facilities most often encounter that produce data breaches.

If you are a new I've Been Mugged reader, a data breach is when a person accesses personal data they are not authorized to access. Data breaches lead to identity theft and identity fraud. According to the article:

"Identity theft as a result of stolen or misplaced computers that contain sensitive information is an escalating problem. According to privacyrights.org, there were at least 46 US data breaches involving 62 stolen or lost computers at healthcare facilities in 2007, resulting in almost five million compromised identities."

That means that in 2007 alone, health care facilities (e.g., hospitals, health clinics, etc.) exposed the personal data of about five million consumers (e.g., patients, employees, former employees, contractors, etc.), making it easy for criminals to commit identity fraud. Absolute found these five computer security risks:

  1. "Failure to Protect Sensitive Data Beyond Encryption: According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must encrypt electronic protected health information (EPHI) stored on open networks such as laptops... lost or stolen mobile computers cited as the cause of nearly 50% of data breaches..."
  2. "Inability to Accurately Manage Mobile Computer Assets: In order to achieve HIPAA compliance, healthcare organizations must be able to audit how many computers they have in their inventory, where they are assigned, who is logging into them, what software is installed and where the computer is physically located. However, recent studies show that most organizations are able to locate only 60% of their mobile computer assets."
  3. "Sensitive Information on Public Terminals: Many healthcare facilities allow public information to be accessed on open-air terminals, such as nursing stations, public information terminals and help stations."
  4. "Difficulty Implementing a Comprehensive Data Security Plan: Healthcare facilities need to institute a comprehensive data security plan to secure computing assets and sensitive information. Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords."
  5. "Reluctance to Create a Data Breach Policy: Few healthcare facilities have 'nightmare scenario' policies in place should a data breach occur. In the event of a data breach, there should be a standard procedure in place for timely notification of supervisors, law enforcement, patients and the media."

If I had to sum up this situation, it seems that too many health care facilities are in denial about protecting the sensitive data they archive, including tracking who has what equipment and having a process to resolve things when a data breach happens. What a pathetic state of security! Something to keep in mind the next time you visit a hospital as a patient or as a job applicant.

Tuesday, March 25, 2008

Hannaford Data Breach

The Hannaford Brothers grocery chain has received a lot of attention during the last week. On March 18, the Boston Globe reported:

"Hannaford Bros. supermarket chain yesterday said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date. The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March. The Secret Service is investigating, said spokesmen for Hannaford and the federal agency."

There's no getting around the fact that 4.2 million debit card and credit card numbers are a lot. Not as much as the TJX/TJ Maxx breach and data security debacle, but a lot nonetheless. Hannaford's response:

"A Hannaford spokeswoman, Carol Eleazer, said the company is still investigating the specifics of how data was taken..." In a statement posted to Hannaford's website, chief executive Ronald C. Hodge wrote that the data "was illegally accessed from our computer systems during transmission of card authorization."

During the transmission? An MSNBC report on March 20 seemed to best explain this:

"While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit. "Catching data on the move is a bit more challenging," said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It's easier when the vehicle is parked than when it's zooming down a highway."

Okay, I get it: identity criminals are computer-savvy and smart enough to find holes in computer systems to hack into. The criminals are also fast: within a month they generated at least 1,800 reports of identity and credit card fraud. The MSNBC article also highlighted two important points about the Hannaford data breach. First:

"But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards. For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval."

Second:

"... that Hannaford was found — while the hack was still going on last month — to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies. The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford's auditor was not disclosed."

This is important because:

"The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants — and by extension, their customers — are falsely confident about their security."

The MSNBC article added:

"... the [PCI] standards require companies to encrypt data that travels over computer networks "that are easy and common for a hacker to intercept." Whether certain internal networks are "easy and common" to crack is a matter of judgment... Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process."

That's just peachy. First, the rules aren't strong enough to guarantee compliance. Second, the rules are loose enough to allow retailers to cut corners and not encrypt our sensitive personal data throughout the retailers' entire data transmission process. Why?

"But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware."
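The practical question raised above is whether card data ever crosses a retailer's own network in the clear between the checkout lane and the bank. The check a retailer or PCI assessor would run on a packet capture from its own systems is a cleartext-PAN scan: look for digit runs of card-number length and confirm them with the Luhn checksum that all major card numbers satisfy. The following is an added example and not code from Hannaford, the PCI council, or the articles quoted above; the message layout (`MTI=`, `PAN=`, `TOK=` fields) and the sample payloads are constructed for illustration and are not any real authorization protocol. The Luhn algorithm and the test card numbers 4111111111111111 and 5500000000000004 are standard and public.

```python
import re
from typing import Dict, List

# Constructed sample messages (hypothetical field layout, not a real protocol).
# Payloads 0, 1 and 4 carry a card number in the clear; payload 2 carries only a
# token in place of the PAN; payload 3 holds a 16-digit order id that fails Luhn.
SAMPLE_PAYLOADS = [
    b"MTI=0100|PAN=4111111111111111|EXP=0912|AMT=000004523|TERM=LANE07",
    b"MTI=0100|PAN=5500000000000004|EXP=1010|AMT=000001299|TERM=LANE12",
    b"MTI=0100|TOK=a9f3c1e877d24b0a|EXP=****|AMT=000002150|TERM=LANE03",
    b"ORDER=1234567890123456|AMT=000000999",
    b"RECEIPT CARD 4111 1111 1111 1111 APPROVED",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (the lookarounds stop us matching the middle of one).
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 from
    any result above 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits; a scanner must never write
    the full PAN into its own findings or logs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(payload: bytes) -> List[str]:
    """Return masked card numbers found in the clear in one captured payload."""
    found = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan_payloads(payloads: List[bytes]) -> Dict[int, List[str]]:
    """Map payload index to the masked PANs exposed in it (empty list if none)."""
    return {i: find_cleartext_pans(p) for i, p in enumerate(payloads)}


def count_exposed(payloads: List[bytes]) -> int:
    """Number of payloads that carried at least one cleartext card number."""
    return sum(1 for hits in scan_payloads(payloads).values() if hits)


if __name__ == "__main__":
    for idx, hits in scan_payloads(SAMPLE_PAYLOADS).items():
        status = "EXPOSED " + ", ".join(hits) if hits else "clean"
        print(f"payload {idx}: {status}")
    print(f"{count_exposed(SAMPLE_PAYLOADS)} of {len(SAMPLE_PAYLOADS)} payloads exposed a PAN")
```

Run against a capture taken at each hop (lane to store server, store server to processor) the scan shows exactly where encryption stops, which is the detail the article says Hannaford would not discuss. The Luhn filter keeps order numbers and timestamps from producing false positives, and the masking means the scan's own output does not become a second copy of the card data.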

One industry expert emphasized as a solution:

"... the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions would remove 75 to 90 percent of the fraud in the system."

InformationWeek reported:

"A retailer's [PCI] compliance status matters: The penalties for noncompliance are significant, and the card brands can fine the retailer while also raising the transaction fees levied for each credit or debit card transaction. A finding of noncompliance also will be potent ammunition for inevitable lawsuits. The big loser: consumers."

Yes, we consumers are the big loser. We consumers end up paying:

  • Higher credit card fees and/or higher interest rates from credit card issuers to cover their expenses to issue replacement cards and accounts. While identity theft victims enjoy the $50 credit card liability limit, credit card issuers cover their identity theft expenses by charging higher fees and rates to all credit card holders.
  • Higher banking fees, because banks must issue replacement debit cards and accounts. A few generous banks may also replace the stolen monies. Banks charge higher fees, and fees on a wider range of transactions, to cover their identity theft expenses, too.

In my opinion, the consequences and fines for retailers still aren't severe enough. In both scenarios above, the companies pass along their increased costs to consumers. While replacement credit cards with a $50 maximum liability are great, one year of free credit monitoring for identity theft victims isn't enough.

The good news just kept coming. More stores were affected by the Hannaford breach. Also on March 20, the Albany Times Union reported:

"Independent stores in Ravena and Schaghticoke affiliated with Hannaford were also affected by the recent hacking of customer credit card numbers, the Scarborough, Maine-based supermarket chain said today. The company’s Web site lists more than 20 independents around the Northeast that had credit card information stolen as a result of the security breach. Hannaford supplies the Ravena and Schaghticoke stores, which operate under the Shop ‘n Save name, but does not own them. In September, Hannaford purchased formerly independent stores in West Sand Lake and Voorheesville."

Several class-action lawsuits have already been filed against Hannaford in New Hampshire, Maine and Pennsylvania. What's a consumer to do?

  1. Contact your bank and credit card issuer, if you shopped and paid with plastic at Hannaford between Dec. 7, 2007 and March 10, 2008.
  2. If you continue to shop at Hannaford, use your credit card and not a debit card to get the best protections. Or use cash.
  3. If you are a Hannaford identity theft victim, read closely any correspondence you receive from the company. File a police report for any monies stolen or abuse of your financial accounts. Place a Fraud Alert on your credit reports. Monitor your credit reports closely for abuse, since criminals may use your stolen personal data to try to take out new credit in your name. If Hannaford offers free credit monitoring, accept their offer if you don't already have a credit monitoring service. Watch the news to see if you qualify for any of the class-action lawsuits.
  4. Read the I've Been Mugged blog. During the coming weeks, I will post on this blog reviews of several credit monitoring services. There is a link in the top of the right column to sign up for alerts via e-mail.

Monday, March 24, 2008

A New Service Idea From Comcast

About a week ago, the I've Been Mugged blog explored the consumer data security issues with behavioral advertising: companies want to serve online ads by tracking all of the web sites you have visited and the keywords you entered at search engine web sites. The NewTeeVee blog reported this new service idea from Comcast:

"At the Digital Living Room conference today, Gerard Kunkel, Comcast’s senior VP of user experience, told me the cable company is experimenting with different camera technologies built into devices so it can know who’s in your living room. The idea being that if you turn on your cable box, it recognizes you and pulls up shows already in your profile or makes recommendations. If parents are watching TV with their children, for example, parental controls could appear to block certain content from appearing on the screen. Kunkel also said this type of monitoring is the “holy grail” because it could help serve up specifically tailored ads. Yikes."

Comcast claims that the cable box camera won't actually use facial recognition and take a picture of you. Instead it would just take a picture of the "form" of viewers: one, several, and their relative sizes.

Yeah, right.

Yikes, indeed! This is a really bad idea... a stupid one, too. I see "mission creep" as any cable box camera might start with the viewers' "form" and migrate to actual photos using facial recognition. This invasion of privacy is not worth any amount of convenient, free, or relevant ads promised by any network/cable television provider.

My impression... Comcast executives have concluded that since the NSA, FBI, and phone companies already spy on citizens by tracking the web sites consumers visit, e-mails and text messages sent, and phone calls made, then Comcast can make more money by tracking viewers sitting in the privacy of their living room and charge advertisers more for this new service.

And this new idea from Comcast was preceded by a comment from an IBM executive that a total surveillance society is inevitable. Seems to me like many corporations are ready to make money by exploiting our country's focus on security after 9-11.

What do you think? Share your comments below. I hope that you will also write to your elected officials today and tell them your privacy concerns.

Monday, March 17, 2008

Data Breach At Harvard University

Several news sources have reported a data breach at Harvard University. From ABC News:

"... at least one hacker launched an attack on a computer server at Harvard University, potentially viewing the personal information of up to 10,000 graduate students and applicants to the Graduate School of Arts and Sciences and posting some of the information on the Web. Harvard officials began notifying thousands of students and applicants this week... According to Harvard chief information officer Dan Moriarty, an attack was launched Feb. 16 on a server that contained summary information from applications for prospective students as well as the housing information of current students. About 6,600 of those applications included Social Security numbers. Some of the information on the server was copied and ultimately posted on The Pirate Bay, a well-known bit torrent Web site where people can download movies and music."

The Chronicle Of Higher Education reported:

"Harvard has sent notices to all affected people and is offering, at the university’s expense, to help them obtain credit reports, set up credit-monitoring services and fraud alerts, and take other steps to guard against identity thieves."

If that's all Harvard is offering, then Harvard's identity theft victims aren't getting much. First, free credit reports are already available online for consumers. Second, the credit bureaus already provide free Fraud Alerts for consumers. There is some value in free credit monitoring services, provided the services include flexible and timely alerts, access to credit reports throughout the year, two or more years of free services, and credit restoration services.

Since news stories don't provide much detail about the credit monitoring services offered, I checked the Harvard news release:

"In situations where applicants’ Social Security numbers or Harvard University ID numbers may have been accessed, the notifications provide contact information for free use of the services provided by Kroll Inc. At Harvard’s expense, Kroll is helping potentially affected persons obtain copies of their credit reports, set up credit-monitoring services and fraud alerts, and take other steps to protect themselves."

That is good news. Harvard is offering its identity theft victims credit restoration services from Kroll. The restoration service helps identity theft victims clean up accounts that have been taken over or new accounts established by criminals. The monitoring service helps identity theft victims check their credit reports frequently to discover abuse as soon as possible. I hope that all of Harvard's identity theft victims take advantage of both services.

While 10,000 records is a sizable data breach, other colleges and universities have had far larger data breaches:

  • George Mason University: January 2005: 32,000 records
  • University of California at Berkeley: March 2005: 98,400
  • Boston College: March 2005: 120,000
  • Tufts University: April 2005: 106,000
  • University of Hawaii: June 2005: 150,000
  • University of Connecticut: June 2005: 72,000
  • University of Utah: August 2005: 100,000
  • University of Colorado: August 2005: 49,000
  • Kent State University: September 2005: 100,000
  • Metropolitan State College (Denver): March 2006: 93,000
  • Georgetown University: March 2006: 41,000
  • University of Texas McCombs School of Business: April 2006: 197,000
  • Ohio State University: April 2006: 300,000
  • Western Illinois University: June 2006: 180,000
  • University of Tennessee: July 2006: 36,000
  • University of California at Los Angeles: December 2006: 800,000
  • University of Idaho: January 2007: 70,000
  • East Carolina University: February 2007: 65,000
  • Community College of Southern Nevada: May 2007: 197,000
  • University of Colorado at Boulder: May 2007: 45,000
  • Georgetown University: January 2008: 38,000

There are many more smaller data breaches at colleges and universities. Some schools don't announce the number of total records exposed. In my opinion, academia as a whole still does a poor job with data security. It'll be interesting to see if the number of records exposed in Harvard's data breach remains at 10,000 or goes up.

[Editor's note: in the interest of full disclosure, from 1992 to 1997 I worked in Baker Library at the Harvard Business School as a business analyst researching business and economics topics.]

Sunday, March 16, 2008

The Word From Colbert: AT& Treason

Stephen Colbert shares his rationale about the issue of retroactive immunity for the telecommunications companies. His logic is undeniable:

Friday, March 14, 2008

Woman Claims Salem Clinic Mishandled Patient Records

Portland, Oregon-based KATU reported the following about the Salem Clinic:

"The records of some patients were apparently included in an employee handbook, according to an ex-employee. A former worker, who wishes to remain anonymous, told KATU News that everything from actual Social Security numbers to records revealing patient's ailments were part of the clinic's training binder. She also said employees were allowed to take the handbooks home. The woman said she was fired after pointing out the problem on Wednesday."

If true, this is a big data breach. It just shouldn't happen in a well-managed company. It is wrong in several ways.

First, the whistleblower should not lose their job after a company's data breach. Second, it's better to insert fake or dummy patient records in an employee training handbook that the company knows will be taken into homes.

I hope that the Salem Clinic gives all of the data breach victims at least 5 years of free credit monitoring services. I'm sure an enterprising lawyer will represent the former employee.

Thursday, March 13, 2008

Behavioral Advertising: What Consumers Must Do (Part Four)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising. Wednesday's post discussed the growing role of ISPs in behavioral advertising and the new technologies being deployed.

So, what next?

For me, my first concern is data security. 2007 was a record year for corporate data breaches. The number of incidents rose 40% -- where companies either "lost" or had stolen records about their employees, former employees, retirees, contractors, and/or customers. And this includes data only from the data breach incidents we know about. It does not include incidents from companies in states that lack breach notification laws. It does not include incidents of identity fraud during a crime.

From InformationWeek:

"In its December 24 report, the ITRC said that there were publicly reported 443 breaches in the U.S. in 2007. In 2006, the ITRC identified 315 publicized breaches. Some 127 million data records were exposed during 2007. In 2006, nearly 20 million records were exposed. In 2005, there were 158 breaches reported involving about 65 million records."

And some of these data breaches have already included ISPs, like AOL; and major advertisers, like TJ Maxx, AIG Insurance, and IBM.

Given this lousy track record of data security, I fully expect companies to continue to "lose" -- and criminals to continue to steal -- confidential data via data breaches. Why? Nothing has changed to alter past history. There is a lack of government oversight. There are no substantial penalties. And many companies just don't provide good data security.

This means that many of the future data breaches will include consumers' sensitive data collected during behavioral advertising programs. Given this, it seems sensible for the FTC to craft behavioral advertising rules that acknowledge poor corporate data security:

  • For behavioral advertising/targeting programs, companies (including advertisers and ISPs) should make the default that all consumers are opted out. Consumers should be given the option to opt in to a company's behavioral advertising program
  • The behavioral advertising rules for companies, advertisers, and ISPs must specify an exhaustive list of the consumer data that is collectible, with sensitive personal data excluded
  • Web sites designed primarily for children (e.g., age 17 and under) should be excluded from any and all behavioral advertising. Children don't have the means to handle opt-in/out for behavioral advertising programs. Ideally, parental controls software should provide parents with the tools to prevent opt-in by their children at all children's web sites
  • There must be clear, minimum standards for companies for data security of the personal data collected for behavioral advertising programs
  • There must be specific time limits for how long companies can archive personal data collected for behavioral targeting. "Forever" is not an acceptable answer. Consumer data should be purged at three (3) year intervals
  • There must be specific rules for ISPs, since ISPs have a unique position providing Internet access for consumers. ISPs must treat their members' IP Address as sensitive personal data similar to a Social Security Number or e-mail address. ISPs should never match personal-identifying data (e.g., name, address, phone #, e-mail address, cell #, fax #, SS#, birth date, driver's license #, etc.) to behavioral advertising data
  • The rules must include timely disclosure to consumers when a company, advertiser, and ISP: a) starts a behavioral advertising program; b) modifies an existing behavioral advertising program; c) trades behavioral advertising data with other companies; and d) merges or acquires other companies, within the USA or globally. These rules must apply to the entire company, not just its US-based divisions. It should also apply to business units, divisions, contractors, or outsourcing firms based outside the USA
  • Medical data should be excluded from all behavioral advertising programs for a couple reasons. First, many consumers consider this highly sensitive data not to be shared under any circumstances. Second, let's "walk first before we run." That is, let's see how behavioral advertising performs with other types of available consumer data first, before deciding whether to extend it to medical information
  • All advertisers, companies, and ISPs must disclose to consumers their behavioral advertising program both in their web site legal "Privacy" or "Terms and Conditions" pages and via print materials (similar to the way companies today provide consumers with a revised Privacy Policy every time this document changes)
  • The FTC must publish a clear, detailed plan about how it will implement oversight to monitor compliance and penalize violators
  • The behavioral advertising rules must include clear, strong penalties for violators, including companies, ISPs, advertisers, and their senior executives. I'd like to see fines starting at $10,000 per consumer record and jail time for fines exceeding $250k
  • Violators (e.g., companies, ISPs, and advertisers) must provide consumers with ten (10) years of free credit monitoring and credit restoration after a data breach

Why these rule amendments? If you have read the I've Been Mugged blog, then you know about the issues related to data breaches, data security, and corporate responsibility. Unfortunately, American business is heavily tilted towards companies making money with consumers' personal data, and tilted away from strong protections for consumers when companies suffer a data breach. I'm concerned that behavioral advertising will make this worse.

All of the above rule amendments address the corporate data breach problems I've experienced. The rule amendments allow companies to profit from behavioral advertising and hold these companies accountable when they don't provide the data security programs they should.

For me personally, the assumed benefits of behavioral advertising (e.g., free content, relevant ads, personalized ads, and a promised reduction in the number of ads) do not outweigh the privacy I would give up. Maybe the benefits are enough for you, but they aren't enough for me. Where I surf on the Internet is my business unless I decide explicitly to tell somebody else.

If you feel the same or different, share your comments below. I'd love to hear why you feel the way you do. If you have sent feedback to the FTC, share that too.

As I mentioned before, the FTC seeks comments from the public (that's us consumers!) about its proposed behavioral advertising rules. The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you feel are necessary to the FTC's proposed rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. See Monday's post for the specific types of feedback the FTC seeks.

You should send comments and feedback to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

You can also submit comments and feedback to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available for viewing online at the FTC web site.

Wednesday, March 12, 2008

Behavioral Advertising: The Role Of Internet Service Providers (Part Three)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising.

In December 2007, the Wall Street Journal profiled CenturyTel Inc., a Louisiana phone company, and its attempt to enter the Internet Service Provider (ISP) business. Along the way, CenturyTel decided to also enter the online advertising business:

"The technology it's using could change the way the $16.9 billion Internet ad market works, bringing in a host of new players -- and giving consumers fresh concerns about their privacy. CenturyTel's system allows it to observe and analyze the online activities of its Internet customers, keeping tabs on every Web site they visit. The equipment is made by a Silicon Valley start-up called NebuAd Inc. and installed right into the phone company's network."

Pretty soon, advertisers will no longer need to install software or rely on HTTP cookies on consumers' computers to perform behavioral advertising (a/k/a behavioral targeting). Instead, they can get all the consumer data they'd ever want from ISPs -- who are happy to install the behavioral targeting software and equipment on their servers for a piece of the new revenue stream. How it will work:

"NebuAd takes the information it collects and offers advertisers the chance to place online ads targeted to individual consumers. NebuAd and CenturyTel get paid whenever a consumer clicks on an ad."

The description of the new server software and equipment:

"The newer form of behavioral targeting involves placing gear called "deep-packet inspection boxes" inside an Internet provider's network of pipes and wires. Instead of observing only a select number of Web sites, these boxes can track all of the sites a consumer visits, and deliver far more detailed information to potential advertisers."

Companies already see the new revenue opportunity:

"... new companies are rushing in. Both wireless and wireline Internet-access providers such as CenturyTel, Rochester Telecom Systems Inc. and Embarq Communications Inc., among others, have entered the advertising gold rush. And they've tapped Internet equipment companies like NebuAd, Front Porch Inc., and Phorm Inc. to provide the gear to help them along."

Well, this is just peachy. Every ISP knows a lot about its subscribers... personally identifiable information such as name, address, birth date, phone, credit card, e-mail address, IP address, and in some cases Social Security Number. It doesn't take much effort to match this personally-identifiable data to a subscriber's web surfing activity.

This new technology fundamentally changes the relationship between ISPs and their subscribers. As ISPs get more or most of their revenue from advertising, and a decreasing amount from subscribers' fees, it is logical to question whether ISPs will continue to operate in the best interests of consumers. In a weird way, ISPs can now make (a lot of) money through surveillance.

This makes it more important now for consumers to express their privacy and data security concerns. It is reasonable for consumers to demand legislation requiring ISPs to provide clear, easy, free, opt-in mechanisms for consumers who wish to participate in that ISP's behavioral advertising program.

Now is also an opportunity for consumers to specify the data they consider sensitive and that should be excluded from any ISP behavioral advertising programs. See these prior posts about why consumers' IP addresses should be considered sensitive personal data, and why consumers' personal data should be treated (and protected) like nuclear fuel.

Tuesday, March 11, 2008

Behavioral Advertising: Leading Collectors of Consumer Data (Part Two)

Yesterday's post was the first in a series. Today's post looks at how much data selected companies already collect about consumers. From yesterday's New York Times: To Aim Ads, Web Is Keeping A Closer Eye On You