BCBS Of Tennessee To Pay $1.5 Million To HHS To Settle 2009 Breach

Blue Cross Blue Shield of Tennessee (BCBST) announced a settlement agreement with the U.S. Department of Health and Humans Services (HHS) about its 2009 data breach which exposed the medical records of about 500,000 patients in 32 states. Terms of the settlement agreement require BCBST to pay a $1.5 million penalty and submit to a 450-corrective action plan.

HHS had alleged in a lawsuit that BCBST had violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rules. The HIPAA Security Rules require covered health care organizations to notify affected individuals of any breach involving their health information, and to notify HHS and the news media about any breaches affecting more than 500 consumers.

HHS disclosed in a news release:

"... BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."

The 450-day corrective action plan requires BCBST to:

• Review, revise, and maintain its Privacy and Security policies and procedures,
• Conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and
• Perform monitor reviews to ensure BCBST compliance with the corrective action plan.

SAIC To Pay $500.4 Million to Settle Suit With U.S. Attorney And City of New York

Last month, Science Applications International Corporation (SAIC) announced a settlement with the U.S. Attorney Office for the Southern District in New York and with the City of New York about the company's CityTime system. Terms of the settlement require SAIC to pay $500.4 million in restitution and penalties, and an independent monitor selected by the U.S. Attorney's Office will review certain policies and practices by SAIC for three years.

CityTime is an automated workforce management system used by about 163,000 New York City employees in 65 agencies. According to a press release (Adobe PDF) by the U.S. Attorney's Office:

"Under the agreement, SAIC will forfeit a total of $500,392,977 to the Department of Justice, and forgive more than $40 million still owed by the City to SAIC in connection with the CityTime project. In a Statement of Responsibility (the “Statement”) that was part of the agreement, SAIC acknowledged that it failed to properly investigate a 2005 ethics complaint filed by a whistleblower alleging, among other things, that the project’s Program Manager, Gerard Denault, had to be receiving kickbacks on the project from the single source subcontractor he had hired to perform the work. SAIC also accepted responsibility for the illegal conduct alleged against Denault and admitted to by Carl Bell, who served as Chief Systems Engineer in SAIC’s New York City office."

The City of New York had selected SAIC's CityTime system to modernize its timekeeping and payroll systems across City agencies. In 2000, SAIC became the lead contractor on the City's CityTime project, with a value then of approximately $73 million. The Washington Post reported recently:

"Last year, SAIC said it removed three top executives — Deborah Alderson, president of the company’s defense solutions group; John Lord, her deputy; and Peter Dube, general manager of the enterprise and mission solutions business — although the company said there was no evidence that any of the three were involved in the fraud."

SAIC, a Fortune 500 scientific, engineering and technology applications company employs about 41,000 people worldwide, and about 93% of its business is generated by government contracts. In 2011, SAIC was involved with a TRICARE data breach that exposed the sensitive personal data of 4.9 million active and retired military personnel and their families.

Class Action Suit Filed Against Path Claims More Data Was Collected Besides Address Books

A second class-action lawsuit was filed against Path Inc. claiming the company's mobile app collected more infromation than just users' address books. The suit also calimed that users of the Path app were:

"... victims of unfair, deceptive, and unlawful business practices; wherein their property, privacy, and security rights were violated..."

The additional data allegedly collected without notice and without consent included find GPS locations, users' personally identifiable information, and the personal information of minor children.

The suit claims that the information collected was distributed to other companies with notice or consent, and that tracking methods were added to users digital information:

"Affix to Plaintiff's and Class members' digital content, referencing photos, videos, and audio files, without notice or authorization tracking mechanisms and information... "filtering" of digital content by installation of geo-tags for tracking, interception and monitoring of social network interactions... that third-party social network interactions would be monitored and then transmitted, used, disclosed, and stored on path's servers..."

The suit claims that Path stored address book information is an insecure manner. By February 2012, Path reportedly had about 2 million users.

The suit was filed in Northern District Court of California by attorneys Strange & Carpenter of Los Angeles, and Joseph Malley of Dallas. Readers of this blog recognize Malley, often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Hulu.com and KISSmetrics ("zombie E-Tags"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, Malley has plenty of experience with online privacy and tracking issues.

You can download the Hernandez et al v Path Inc. complaint from Courthouse News (Adobe PDF).

Former MLB Player Jailed On Fraud And Identity Theft Charges

This story caught my attention for reasons you might find surprising. It did not catch my attention because it involves a celebrity. It caught my attention because it shows how employees and independent contractors can become identity theft and fraud victims via an employer.

The Sports Illustrated article, "How Lenny Dykstra Got Nailed" explains how former Major League Baseball player Lenny Dykstra was jailed on identity theft and fraud charges. To fund a lavish lifestyle, Dykstra allegedly asked his employees to use their credit cards, never repaid them for the purchases, and used without authorization their sensitive personal information (e.g., Social Security Number) to apply for loans.

This story also highlights the importance of filing identity-theft and fraud complaints with both local law enforcement, the FTC, and the CFPB. Filed complaints allow law enforcement to discover patterns they might not discover otherwise.

Wilberto Hernandez, a personal credit repair consultant in Los Angeles had phoned local police after he received a notice from a credit agency that his Social Security number had been presented for credit checks at two car dealerships. Hernandez had helped one of Dykstra's business associates with credit repair services. Local police quickly saw a pattern among police reports filed:

"By Christmas 2010, [the police detective] had spoken with 17 people—personal assistants, drivers, private jet pilots and housekeepers—who claimed that Dykstra did not pay them for services, used their credit cards or got hold of their Social Security numbers and opened credit cards in their names."

One victim's situation was particularly instructive:

"Christopher Gavanis, then 30, had just moved to Los Angeles from Pennsylvania. Gavanis... couldn't afford a car to help him find work—but he did have a sterling credit rating. According to an interview police conducted with Gavanis on April 14, 2011, Dykstra promised him the car he desperately needed in return for the use of his credit... Dykstra also promised Gavanis a job with Home Free Systems once clients started rolling in..."

HSBC Agrees To Pay $5.25 Million Settlement To NCUA

Last week, the National Credit Union Administration (NCUA) announced a settlement agreement with HSBC. HSBC hs agreed to pay $5.25 million to the NCUA for a complaint about its sale of residential mortgage-backed securities to five failed credit unions. The settlement agreement does not require HSBC to admit fault.

Similar to FDIC and the banks it oversees, the NCUA charges the credit unions it oversees with fees to cover failed credit unions and to protect depositors' assets. The NCUA uses the Temporary Corporate Credit Union Stabilization Fund (TCCUSF) to cover failed corporate credit unions. In this instance, the true risk of the mortgage-backed securities sold to corporate credit unions allegedly wasn't disclosed and led to the failed credit unions. Any payments the NCUA collects is used to offset future fees the NCUA charges for the TCCUSF.

The NCUA had filed five lawsuits against various securities firms, and had negotiated settlements with Deutsche Bank Securities ($145 million) and Citigroup ($20.5 million).

Corporate credit unions provide various services (e.g., short-term loans, check clearing, electronic funds transfers, ATM networks) to the consumer credit unions they serve. Consumer credit unions are the credit unions which we consumers join. Corporate credit unions are chartered by the NCUA or states.

In its 2010 annual report, the NCUA listed the following corporate credit unions:

Corporate Credit Union Name	State	Assets (Mill)	Members
Corporate America CU	Alabama	$3,701.7	369
First Corporate	Arizona	$979.4	51
Western Bridge Corporate Federal	California	$16,756.3	1,010
System United Corporate Federal CU	Colorado	$2,091.3	363
Southeast Corporate	Florida	$2,561.5	390
Georgia Corporate Federal CU	Georgia	$1,737.1	171
Iowa Corporate Central CU	Iowa	$108.2	159
Members United Bridge Corporate Federal	Illinois	$10,012.9	2,166
Kansas Corporate	Kansas	$302.3	148
Kentucky Corporate	Kentucky	$363.3	105
Louisian Corporate	Louisiana	$146.7	172
Eastern Corporate	Massachusetts	$507.5	278
Tricorp	Maine	$617.1	184
Central Corporate	Michigan	$2,394.3	359
Missouri Corporate CU	Missouri	$501.0	223
Treasure State Corporate CU	Montana	$386.3	63
First Carolina Corporate	North Carolina	$1,917.7	172
Midwest Corporate	North Dakota	$181.7	60
Corporate One Federal CU	Ohio	$2,881.1	768
MidAtlantic Corporate	Pennsylvania	$3,025.7	888
Volunteer Corporate	Tennessee	$1,351.7	256
Southwest Bridge Corporate Federal	Texas	$7,745.3	1,377
VA Corp	Virginia	$1,056.5	229
Corporate Central CU	Wisconsin	$1,623.7	281
West Virginia Corporate Federal CU	West Virginia	$228.1	110
U.S. Central Bridge Federal	Kansas	$18,412.9	56
Total		$81,591.1	10,428

Insider Identity Theft Example: Banc of America Broker

If you wonder what the phrase "insider identity theft" means, this case below is an excellent example. The basic definition of insider identity theft is when an employee (or contractor) at a company accesses personal information they aren't authorized to access. In the case below, it included the contact information of the company's clients. If you are one of those clients, this case illustrates how your contact information can be abused.

The Forbes article described how Dante J. DiFrancesco worked at Banc of America Investment Services (BAIS). When he left BAIS, DiFrancesco attempted to take his clients' contact information with him, only to clumsily discover that he'd take the contact information for 36,000 clients instead of his 180 clients.

The good news in this story is that BAIS discovered DiFrancesco's data access attempts. Companies with good data security have processes in place to detect when employees attempt to access information they aren't authorized to access, as BAIS did.

Like many things in business, the case went to court. The Financial Industry Regulatory Authority (FINRA) investigated, filed charges, and ultimately ruled in favor of BAIS. DiFrancesco appealed the ruling twice; first at FINRA (which affirmed the first ruling) and then at the U.S. Securities & Exchange Commission (SEC). The SEC ruled against DiFrancesco, too.

Investigate The Banks

Professor, political economist, author and former Secretary of Labor chief Robert Reich called on President Obama to hold big banks fully accountable for their part in the alleged mortgage abuses and housing market crash -- which the President finally addressed, in part, during his SOTU speech last night:

"We'll also establish a Financial Crimes Unit of highly trained investigators to crack down on large-scale fraud and protect people's investments. Some financial firms violate major anti-fraud laws because there's no real penalty for being a repeat offender. That's bad for consumers, and it's bad for the vast majority of bankers and financial service professionals who do the right thing. So pass legislation that makes the penalties for fraud count."

To learn more, visit YesHeCan.org.

CVS Caremark Agrees To Pay $20 Million To Settle With Three States For Pension Fraud Claims

CVS Caremark Corporation has agreed to pay about $20 million to settle lawsuits in three states about alleged pension system fraud. The lawsuits were filed by two whistleblowers, CVS pharmacists, and claimed that CVS resold returned drugs, changed presecription orders to increase prcies, and filed false reports about prescriptions fulfilment dates. The Los Angeles Times reported:

"... CVS Caremark will pay nearly $7 million to the California Public Employees’ Retirement System, $4 million to the state of Illinois and $3 million to the state of Florida. Other money from the settlement went to plaintiff attorneys’ fees and costs..."

In 2007, CVS Corporation merged with Caremark Rx Inc.. The combined company operates about 7,000 retail stores, and provides prescription drug management services for employers.

Crain's Chicago Business reported Michael Leonard, a partner with Chicago-based law firm Meckler Bulger Tilson Marick & Pearson LLP, which along with Los Angeles-based law firm Engstrom Lipscomb & Lack LLP represented the whistleblowers, as describing the lawsuit:

“They fought the thing tooth and nail, and denied, denied, denied, despite what the evidence was...”

Bank Of America Agrees to Pay $335 Million To Settle Discriminatory Lending Lawsuit

Bank of America Corporation has agreed to pay $335 million to settle a government lawsuit that its Countrywide Financial unit discriminated against minority home buyers. The settlement, filed yesterday in the U.S. District Court for the Central District of California by the U.S. Justice Department, must be approved by a federal court.

The government alleged that Countrywide and its subsidiaries charged more than 200,000 African-American and Hispanic home loan borrowers higher interest rates and fees than non-Hispanic white borrowers with similar incomes and credit scores. The lawsuit also claimed that:

"... Countrywide discriminated by steering thousands of African-American and Hispanic borrowers into subprime mortgages when non-Hispanic white borrowers with similar credit profiles received prime loans. All the borrowers who were discriminated against were qualified for Countrywide mortgage loans according to Countrywide’s own underwriting criteria."

Subprime loans are generally more expensive, with prepayment penalties and adjustable interest rates with sudden and huge increases after two or three years. Thomas E. Perez, Assistant Attorney General for the Civil Rights Division, said:

“Countrywide’s actions contributed to the housing crisis, hurt entire communities, and denied families access to the American dream... We are using every tool in our law enforcement arsenal, including some that were dormant for years, to go after institutions of all sizes that discriminated against families solely because of their race or national origin.”

The department’s investigation into Countrywide’s lending practices began in 2007 after referrals by the Board of Governors of the Federal Reserve and the Office of Thrift Supervision to the Justice Department’s Civil Rights Division. Bank of America purchased Countrywide in 2008 for about $4 billion. The settlement amount is the largest of its type filed by the U.S. Justice Department.

Massachusetts Attorney General Sues Five Banks For Alleged Foreclosure and Loan Servicing Abuses

Earlier this month, the Massachusetts Attorney General's office filed a complaint against five national banks for alleged abuses involving fraudulent documentation in home foreclosures (commonly referred to as “robo-signing”), foreclosing without holding the actual mortgage, and failing to uphold loan modification promises to Massachusetts homeowners. The banks named in the lawsuit:

• Bank Of America, N.A. (and its BAC Home Loans Servicing LP subsidiary, formerly Countrywide),
• JP Morgan Chase Bank, N.A.,
• CitiBank, N.A. (and its CitiMortgage subsidiary),
• GMAC Mortgage, LLC, and
• Wells Fargo Bank, N.A.

Also named in the complaint (Adobe PDF, 4.1 MBytes) was MERSCORP, Inc. which owns and operates the MERS System, a national registry that tracks ownership and servicing rights in residential mortgages loans. The Massachusetts AG alleged:

"... the banks used false documentation in the foreclosure process, including so-called “robo-signing”, whereby bank personnel signed affidavits that were untrue, or not based on the signor’s actual knowledge. An entity wishing to foreclose on a property must demonstrate it has filed an affidavit in compliance with Massachusetts law... Filings with various Registers of Deeds provided to the Attorney General’s Office revealed the pervasive use of mortgage service employees to sign hundreds of affidavits and sworn statements without personal knowledge of the information contained in those affidavits. Evidence also suggests these practices were not confined to the foreclosure process, but also used in the assignment, transfer and modification of mortgages..."

About alleged foreclosure abuses:

"... these five entities participated in unlawful foreclosures when they commenced foreclosures on mortgages where they were not the holders of those mortgages. The Supreme Judicial Court (SJC), in Commonwealth v Ibanez, recently upheld Massachusetts law and stated that “only the present holder of a mortgage is authorized to foreclose on the mortgaged property.” The complaint alleges that these entities ignored this fundamental legal mandate and proceeded to foreclosure even though they did not hold the mortgage... The banks’ failure to obtain a valid assignment of the mortgage prior to foreclosure has adversely impacted titles to hundreds, if not thousands, of properties..."

And, about alleged failures regarding home loan modifications:

"... the banks deceived and misrepresented to borrowers the process, requirements, and availability of loan modifications. The banks publicly claimed to be engaged in widespread loan modifications aimed at preserving home ownership and avoiding unnecessary foreclosures. Through the National Homeownership Retention Program, which commenced on November 6, 2008, these banks represented that they would work with borrowers to help them avoid unnecessary foreclosures by reducing monthly mortgage payments to affordable and sustainable levels. The complaint alleges these banks misled borrowers about their eligibility for this program and the amount of relief available, failed to achieve a significant level of modifications, and often strung along borrowers for months in trial modifications that were ultimately rejected."

Class Action Settlement For Users Of Identity Protection Services With Discover Financial Services

Last week, I received a notice from Discover Financial Services about a class-action settlement offer for consumers who used one a Discover identity protection service:

"If you were enrolled in or billed for Discover Payment Protection, AccountGuard, Identity Theft Protection, Profile Protect, Wallet Protection, The Register and/or Credit Score Tracker between January 21, 2004 and November 9, 2011, this notice describes your rights in connection with a settlement of a lawsuit and your potential recovery."

The settlement combines class-action lawsuits in several states which claimed that Discover Financial Services used improper marketing, enrollment, and pricing practices:

• Walker v. Discover Financial Services et al (N.D. III Case No. 10-cv-06994-JWD)
• Callahan v. Discover Financial Services et al (N.D. III Case No. 1:10-cv-07181-JWD)
• Alexander v. Discover Financial Services et al (D.S.C. Case No. 7:10-cv-02754-HMH)
• Sack v. DFS Services LLC et al (W.D. Tenn. Case No. 2:10-cv-02906-JPM)
• Boyce v. DFS Services LLC (E.D. Pa. Case No. 2:11-cv-00265-LDD)
• Conroy v. Discover Financial Services et al (C.D. Cal. Case No. 2:10-cv-5260-MMM-E)
• Triplett v. Discover Financial Services, Inc. et al (S.D. Fla. Case No. 1:11-cv-20519-AJ)
• Carter v. Discover Financial Services, Inc. et al (E.D. Pa. Case No. 2:11-cv-01656-BMS)

Discover has agreed to set up a settlement $10.5 million fund. If you want to learn more, read the settlement offer details, file a claim, or exclude yourself from this settlement, visit the WalkerSettlement.com website, or contact the Settlement Administrator:

Settlement Administrator
Walker Settlement
P.O. Box 8023
Faribault, MN 55021-9423
Phone: (866) 944-5034

Claims must be filed by June 6, 2012. Exclusion requests and settlement objections must be received by March 23, 2012.

In April 2008, I discussed in this blog my experiences with the Discover Identity Theft Protection service. In September 2011, Javelin Strategy & Research rated Discover's identity fraud resolution services highly in its Seventh Annual Card Issuer's Safety Scorecard. The study evaluated the top 23 card issuers according to three categories: identity fraud prevention, detection and resolution.

The press releases section at the Discover website did not mention the Walker Settlement.

ScanScout Settles With FTC About Flash Cookies Used For Tracking Consumers

ScanScout has agreed to settle with the U.S. Federal Trade Commission (FTC) about charges the company used deceptive marketing with a website privacy policy that claimed consumers could opt-out of online tracking, when they couldn't opt-out because the company's website used the Flash cookie technology to collect data which browser settings couldn't block. An FTC press release summarized the terms of the proposed settlement:

"... bars misrepresentations about the company’s data-collection practices and consumers’ ability to control collection of their data. It also requires that ScanScout take steps to improve disclosure of their data collection practices and to provide a user-friendly mechanism that allows consumers to opt out of being tracked."

During the lawsuit and before the settlement agreement, ScanScout merged with Tremor Video. The consent order (PDF), which applies to the merged company and its subsidiaries, stated:

"... officers, agents, representatives, and employees and all other persons in active concert or participation with any of them, who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any entity, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the extent to which data from or about a particular user or the user’s online activities is collected, used, disclosed, or shared; or (B) the extent to which users may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities."

The consent order also stated that within 30 days of the approved consent order, the company:

"... place a clear and prominent notice, including a hyperlink, on the homepage(s) of its website(s), which states, “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements click here.” When selected, the hyperlink shall take consumers directly to the mechanism... that enables users to prevent respondent: from collecting data that can be associated with a particular user, or that contains any unique identifier, including user ID or Internet Protocol (IP) address; from redirecting users’ browsers to third parties that collect data, absent a click or other affirmative action by such user; and from associating any previously collected data with the user..."

For five years after the approved consent order, the companies must save and forward to the FTC both complaints from consumers and all company documentation proving compliance with the consent order.

During the summer of 2011, a class-action lawsuit was filed against AOL, Brightcove, and ScanScout about the use of the Flash cookies technology to secretly track consumers' online usage.

The proposed settlement agreement is open for comment by the public until December 8, 2011, after which the FTC will decide whether to make it final. To submit comments, follow the online comment instructions at this website. Comments submitted via postal mail should be sent to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

To learn more about the various tracking technologies, browse posts in this blog about browser cookies, "zombie cookies," Flash cookies, "super cookies," and etags. The FTC OnGuard Online website also contains a section about the various online cookies technologies.

Citigroup To Pay $285 Million To Settle An SEC Lawsuit About Mortgage Backed Securities

On Wednesday, the U.S. Securities and Exchange Commission (SEC) announced that Citigroup will pay $285 million to settle a lawsuit regarding allegations that the company misleading investors about mortgage-backed securities. The lawsuit was filed in U.S. District Court for the Southern District of New York.

The lawsuit alleged that the bank's broker-dealer subsidiary misled investors to purchase about $1 billion in collateralized debt obligations (CDOs) based on repackaged home mortgages, many of which were sub-prime. Citigroup allegedly didn't disclose the risk to investors, and then bet against its investors. When the CDOs defaulted, investors lost most or all of their money while Citigroup made about $160 million in fees and trading profits.

The SEC press release announced:

"... Citigroup Global Markets structured and marketed a CDO called Class V Funding III and exercised significant influence over the selection of $500 million of the assets included in the CDO portfolio. Citigroup then took a proprietary short position against those mortgage-related assets from which it would profit if the assets declined in value. Citigroup did not disclose to investors its role in the asset selection process or that it took a short position against the assets it helped select."

The only penalty announced was the settlement payment by Citigroup, which is about 7.5% of the bank's $3.8 billion third-quarter 2011 net income. No bank executives were sent to jail, although:

"The SEC also charged Brian Stoker, the Citigroup employee primarily responsible for structuring the CDO transaction. The agency brought separate settled charges against Credit Suisse’s asset management unit, which served as the collateral manager for the CDO transaction, as well as the Credit Suisse portfolio manager primarily responsible for the transaction, Samir H. Bhatt... Credit Suisse also was responsible for the disclosure failures and breached its fiduciary duty to investors when it allowed Citigroup to significantly influence the portfolio selection process."

The SEC's complaint alleged that Citigroup staff started discussions in 2006 about the possibility of taking a short position:

"... in a specific group of assets by using credit default swaps (CDS) to buy protection on those assets from a CDO that Citigroup would structure and market. After discussions began with Credit Suisse Alternative Capital (CSAC) about acting as the collateral manager for a proposed CDO transaction, Stoker sent an e-mail to his supervisor. He wrote that he hoped the transaction would go forward and described it as the Citigroup trading desk head’s 'prop trade (don’t tell CSAC). CSAC agreed to terms even though they don’t get to pick the assets.' ”

This blog post includes a video that explains briefly and clearly what a CDO is and how they were created. A Citigroup press release this week stated:

"We are pleased to put this matter behind us and are focused on contributing to the economic recovery, serving our clients and growing responsibly. Since the crisis, we have bolstered our financial strength, overhauled the risk management function, significantly reduced risk on the balance sheet, and returned to the basics of banking,"

Citigroup is one of several banks with plans to end free checking accounts by charging consumers monthly fees to use their debit cards. Citibank directly notified its customers during early October about the upcoming fee, while Bank of America has not yet directly informed its customers, who learned of the new fee from news reports.

In my opinion, the settlement payment was far too light. This type of corporate behavior will only stop when executives are jailed.

A 24 Year Old Student Issues The Challenge: Europe Versus Facebook

Whether you use Facebook or not, this bears watching. After researching the issues, a 24 year-old student from Vienna is challenging how Facebook treats members' personal information: data collection and deletion. Not liking what he found, his next steps were a series of 22 clear and well-reasoned complaints submitted to the Irish Data Protection Commissioner, since European users have a relationship with the Facebook subsidiary located in Ireland.

According to Kim Cameron's blog:

"Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel. As part of the documentation, they publicised the procedure Max used to get his personal CD... So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement..."

The article confirms what I found in this prior post about Facebook social plugins: they monitor your usage across the Internet whenever you visit a site with the Like button (or other Facebook social plugins). Using a different web browser may or may not provide the privacy you seek.

For English, click on both the CC and annotation icons to see subtitles in English.

TD Ameritrade Settles Class Action Lawsuit About 2007 Data Breach

SC Magazine reported that a U.S. District Court judge has approved a settlement agreement about a 2007 data breach at TD Ameritrade that affected six milion consumers:

"The settlement, which recently received a final sign-off after being approved by a California federal judge last month, allows individuals who fell victim to identity theft to collect between $50 and $2,500, according to an Associated Press report. TD Ameritrade will pay between $2.5 million and $6.5 million under the agreement."

Attention All Borders Customers! October 15 Deadline Approaches

Attention all customers of the Borders book chain! The Saturday October 15 deadline approaches quickly.

You must act and opt out by the deadline if you do not want your personal contact information and purchase history transmitted to the company which is buying Borders' assets. According too the U.S. Federal Trade Commission (FTC):

"... as part of Borders’ sale of assets in a bankruptcy proceeding, Barnes and Noble is acquiring customer information from Borders, including email addresses and purchase histories. Consumers can opt out of having Borders share that information, but they must do it before the October 15 deadline. An email from Barnes and Noble with a subject line that reads “Important Information Regarding Your Borders Account” explains how you may opt out of having your information transferred to Barnes and Noble."

Opt-out information is also available at Borders.com and BarnesandNoble.com.

Former Countrywide Financial Analyst Sentenced to 18 Months of Prison And Ordered To Repay $1.8 Million

The Los Angeles office of the Federal Bureau of Investigation (FBI) and the U.S. Attorney for the Central District of California announced that a former Countrywide Home Loan employee was sentence on September 28 to 18 months of prison and ordered to pay $1.8 million in restitution to Countrywide, now a unit of Bank of America.

Rene Rebollo, 39, of Pasadena, was arrested in 2008 after an investigation discovered that he had downloaded from Countrywide databases and sold the sensitive personal and financial information of about 2.5 million consumers. Rebollo was employed as a senior financial analyst for Countrywide’s subprime mortgage division in Pasadena. He admitted that that he saved the stolen information to a personal thumb drives and distributed consumers' Social Security numbers in at least 50,000 instances.

"As a result of the data breach, Countrywide underwent considerable expenses, including notification of individuals whose information was improperly disclosed, at a cost of approximately $1.2 million, and providing free credit monitoring for those individuals at a cost of approximately $15.75 million. Countrywide has also estimated that it has expended approximately $13.4 million in civil litigation, including several class action lawsuits, arising from the data breach."

This is a classic case of insider identity theft and the costs companies can incur from a breach. The case also highlights the importance of companies, small and large, to adopt data security measures and comply with Red Flag Rules.

Lawsuit Alleges Hulu.com and KISSmetrics Used "Zombie E-Tags" To Track Consumers Without Notice And Consent

Last month, a lawsuit was filed in Central California District Court against Space Pencil and Hulu.com, alleging that the companies tracked consumers online usage without notice or consent using "Zombie Etags," a newer Internet technology. According to the complaint, consumers:

"... that accessed Hulu's website had HTTP cookies respawn via Flash shared objects, HTML 5 Local Storage, and/or cache/ETags after they had been deleted."

"Zombie ETags" refers to the latest combination of Internet technologies used to track online usage: HTML 5 local storage, and/or cached Etags. The Zombie Etags allegedly regenerate any HTML cookies the user has deleted, removing control from the user and preventing privacy. Entity Tags, also known as "Etags," are a mechanism to verify that the page components a web browser displays match the components on the web server hosting the URL or original web page.

According to the complaint (PDF - 6.3 MBytes), Space Pencil is the company doing business as KISSmetrics. Hulu.com is a popular website that streams video of television shows from ABC, CBS, Fox, NBC, and other networks and studios. This is at least the second class-action lawsuit filed against both companies.

This class-action lawsuit (Couch et al versus Space Pencil et al) was filed, in part, because the consumers:

"... accessed the Hulu website, relying on the Hulu's Terms of Service and Privacy Policy which provided assurances against unauthorized tracking..."

What makes this lawsuit a little different from prior lawsuits (e.g., "zombie cookies), is the technology and hacking allegations:

"... Internet users who accessed Hulu's website, and knowingly, without the user's knowledge or consent, "Hacked" the Plaintiffs' and Class Member's Computing Devices in order to conduct covert surveillance of Plaintiffs and Class Members online activities, using web analytics to collect and de-anonymize Plaintiffs' and Class members' online data, providing the mechanism for Hulu to conduct perpetual online tracking of its users and a method to use cross domain tracking..."

This alleged tracking technology allowed Hulu and KISSmetrics to track Hulu.com users' online usage across the Internet and beyond the Hulu.com website. The complaint referenced several working papers about tracking technologies:

• "Flash Cookies And Privacy" by Ashkan Soltani et. al, 2009
• "Respawn Redux" by Ashkan Soltani, 2011

The 2009 working paper documented the extent of company websites using Flash cookies to regenerate HTTP cookies. The 2011 working paper documented the regenerated HTTP cookies practice:

"In our follow-up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics. Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed."

Both companies supposedly stopped their Zombie Etag tracking on July 29, 2011. KISSmetrics published this response to the July 2011 lawsuit. The class-action plaintiffs want the tracking software and data files removed from their computers. The sensitive personal information:

"... compiled and misappropriated included sensitive information, such as users' video viewing choices revealing personal interests, his/her sexual preference, political views, and even more specific information like health conditions, such as DEPRESSION..."

The attorneys representing the plaintiffs in this class-action lawsuit include Strange & Carpenter, and a name I recognize: the law office of Joseph Malley.

If you want to learn more, I recommend reading this Wired story.

Doctor Paid $40K For Illegal Disposal Of Patients' Files

Last week, North Carolina Attorney General Roy Cooper announced that Dr. Ervin Batchelor, owner and operator of the Carolina Center for Development and Rehabilitation (CCDR), has paid $40,000 for the alleged illegal disposal of patients medical records.

In June of 2010, the CCDR dumped 1,000 patient files at the West Mecklenburg Recycling Center. The files contained names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, insurance account numbers, and health information for 1,600 people. Mecklenburg County officials contacted the Attorney General’s Office, which then launched an investigation into the illegal dumping.

Besides the fine, Dr. Batchelor has agreed to comply with both state and federal data security laws to protect patients' personal financial and medical information. The CCDR has already notified patients of the data breach. North Carolina law requires businesses and local government agencies to notify consumers affected by a data breach.

In North Carolina, organizations must also report data breaches to the Consumer Protection Division. A total of 889 breaches involving information about more than 3.3 million North Carolina consumers have been reported since state laws on security breaches took effect in 2005 and 2006. AG Cooper said:

“Any business you entrust with your information has a duty to keep it safe. Sensitive financial and health information should never be carelessly dumped, putting customers and patients at risk of identity theft.”

I agree. This is a good example of why it is important for all organizations that archive consumers' personal medical and financial information should have data security procedures in place to prevent data breaches. Unfortunately, several special interest groups have lobbied the U.S. Congress for exemptions to Red Flag Rules, notably physicians and accountants. Special interest groups often claim that the Red Flag Rules are an unnecessary and cumbersome burden.

Well, post data breach responses are a huge burden on organizations. The above fine is one of many costs. And, the improper disposal or theft of consumers' sensitive personal financial and medical information is a huge burden on consumers. Instead of wasting time and resources looking for ways to avoid protecting consumers' information, these groups should be doing the opposite. Protecting consumers' data is in both their and consumers' best interests.

Consumer Receives Email Inquiry From Calgary Police About Stolen Credit Card

What would you do if you received an e-mail from a police department in another country claiming that your personal and financial information had been stolen? This happened last week to my friend, Beth (her name has been changed upon request). Beth lives in Boston received the e-mail message below:

From: Calgary Police Service
Date: Wed, Aug 3, 2011 at 4:31 PM
Subject: Police Inquiry - Identity information recovered

[Beth's personal information removed for security reasons.]

I am a constable with the Calgary Police Service (CPS) in Calgary, Alberta, Canada. The CPS recently executed a search warrant at a Calgary residence and one of the items seized was a sheet of paper bearing the personal information of 144 people; this information included credit cards, expiry dates, full names and addresses. The above information, accompanied by your e-mail address was listed. It is my intention to charge the suspect with unlawfully possessing credit card and identity information. In order to prosecute, I require confirmation that the above information is (or was) correct.

Your personal information appears to have been compromised. Therefore, I am recommending that you notify the bank that issued your credit card to have it cancelled immediately. I would also encourage you to contact your local credit reporting bureau and check to ensure that your personal information has not been used to obtain any other banking services or products.

This is a legitimate law enforcement inquiry and my credentials can be verified via the Calgary Police Service website at www.calgarypolice.ca. If you are unsure of the legitimacy of this e-mail, please present it to your local law enforcement agency, so they might assist in this investigation.

Cst. K Grier #4572
District 3 GIU
Break and Enter Detail
Calgary Police Service

First, I would like to thank Constable Grier and the CPS for catching and prosecuting identity-theft criminals. It is always good to see local law enforcement in action.

I spoke with Constable Grier about her e-mail. Since most of the identity-theft victims in this case were from other countries outside Canada, CPS notified banks and took the added step of notifying theft victims directly, when possible. Constable Grier suspected that the credit card information was either stolen from a website or accounts were hacked. Like all law enforcement, CPS appreciates the assistance the public and breach victims can provide.

This case has several implications. First, it highlights the fact that identity-theft criminals often commit other types of crimes -- in this case, burgulary. While pursuing a burgulary suspect, CPS discovered the credit card thefts. So prosecuting and jailing identity-theft criminals can also stop other crimes.

Second, this case highlights potential gaps in cross-border breach notification laws. While local law enforcement in another country may promptly notify breach victims' banks, my understanding is that there is no guarantee of data breach notice to U.S. citizens across country borders. I did some light reading and the current Red Flag Rules do not apply to breaches at bank branches located outside the USA (PDF document). Perhaps some legal scholars can expand and clarify on international laws regarding cross-border breach notification.

Third, it highlights the need for breach victims to take action. I am sure many readers want to know what to do should you receive an e-mail like the one above. Beth found this situation scary as she had never visited Calgary. She wondered if the above email was real or a scam.

Since there are so many online scams and phishing e-mail messages, I advise consumers to first verify the e-mail via an alternate method. By "alternate method" I mean an independent, different method than the format of the suspect message. Don't disclose any more personal information until you have verified that the message is real. Example: If the suspect message is an e-mail, don't press the "Reply" button. Instead, independently verify it via the phone (or an in-person visit to your local law enforcement). Example: if the suspect message is a phone call, independently verify it via e-mail or the Internet. Or, ask your local police department for help with verification of an inquiry from another police department.

In this case, verification was easy. I performed a Google search to independently find the CPS website, since I didn't want to rely on the contact information in the e-mail. At the CPS website, I found the main phone number for District 3, and called to verify that Grier is a Constable there.

I shared all of this with Beth, who started to feel better. Later she contacted Grier. The thief had stolen credit-card information for an account Beth had already closed a long time ago. While consumers may ignore the situation because credit-card theft liability is small and often limited to US $50, helping law enforcement is important. As this case highlighted, identity theives often commit other types of crimes. So, prosecution for identity theft can stop other types of crimes, too.

The Calgary Police Service Identity-theft page has advice for consumers to both avoid becoming identity-theft victims, and for identity-theft victims. If you are an identity-theft victim, CPS advises:

• File a report with your local police department and obtain a case number.
• Notify all creditors by phone and in writing about the crime.
• Keep a log of all your contacts.
• Use a credit bureau sample dispute letter.
• Look at the crime before & after the event to learn how it happened. This will often help to lead investigators to multiple crimes.
• Prepare to complete an ID Theft Affidavit.
• Learn as much as you can!!