Court Cases

Thursday, May 01, 2008

Wachovia To Pay Huge Fine For Conspiring With Fraudulent Telemarketers

[Editor's Note: today is the anniversary of an important event in U.S. history. May 1, 2008 is the fifth anniversary of "Mission Accomplished" - the day George W. Bush stood proudly on the aircraft carrier USS Abraham Lincoln and declared major combat operations over in Iraq. 140 U.S. military personnel died before May 1, 2003. During March 2008, the number of U.S. military deaths passed 4,000. Today, Osama Bin Laden has not been brought to justice and still remains at large. I think that it is important to judge a President, his administration, and his policies by the results achieved, and not on good intentions. Now, on to today's post.]

You could have labeled today's post, "When A Bank Goes Bad." The New York Times reported on April 26:

"The Wachovia Corporation agreed on Friday to pay as much as $144 million to end an investigation that accuses the bank of allowing telemarketers to use its accounts to steal millions of dollars. The settlement, one of the largest penalties ever demanded by the federal Office of the Comptroller of the Currency, concludes an 18-month inquiry into Wachovia’s relationships with schemes that investigators say stole from thousands of victims, many of them elderly."

The New York Times also reported:

"Though Wachovia did not admit or deny wrongdoing, the investigation found that Wachovia, one of the country’s largest banks, engaged in unsafe practices — failing to conduct suitable due diligence, failing to monitor accounts used by telemarketers and failing to follow normal procedures that would probably have uncovered the thefts. The bank’s actions were “part of a pattern of misconduct” that resulted in Wachovia’s collecting millions of dollars in fees, regulators wrote. Wachovia has agreed to pay a $10 million fine, contribute $8.9 million to consumer education programs and make restitution to victims that could top $125 million."

For consumers, it's tough enough to protect yourself against identity theft and identity fraud. Your bank should not facilitate identity fraud. For background, also read this February 2008 post about Wachovia. The huge fine is great, but jail time should also apply:

"Internal Wachovia e-mail messages and documents collected as part of that lawsuit showed that high-ranking employees long knew about accusations of fraud, but that some bank workers continued to solicit business from the telemarketing companies accused of crimes. “YIKES!!!!” wrote one Wachovia executive in 2005, warning colleagues that an account used by telemarketers had drawn 4,500 complaints. “DOUBLE YIKES!!!!” But Wachovia continued processing fraudulent transactions for that account and others."

That's 4,500 complaints! Not 45, but 4,500! For perspective, the Hannaford data breach included 1,800 cases of fraud. Thankfully:

"The settlement also does not preclude the United States attorney in Philadelphia, Patrick L. Meehan, from prosecuting Wachovia or bank employees. Mr. Meehan’s office is considering a criminal investigation, according to two people close to the matter who spoke on the condition of anonymity because they are not authorized to speak to the media."

Go Meehan! This type of crap will stop when senior executives serve significant jail time. Otherwise, banks will pass along the cost of the fine to consumers and account-holders through more and higher fees or other mechanisms.

Friday, April 25, 2008

Jury Convicts New Jersey Man Of Identity Theft

I am pleased to forward news when an identity thief receives what they deserve. Empire State News reported:

"The jury convicted Lamar Whitehead, 29, of stealing the identities of local and out-of-state residents and businesses. The scam involved Whitehead’s stealing of identities and applying for loans from online banks using his victims’ names. The defendant often used the loans to buy luxury automobiles, or open equity lines of credit. Whitehead was convicted of 14 counts of first degree identity theft, a felony punishable by 2 1/2 to seven years in prison; three counts of identity theft in the third degree, a misdemeanor, and one count of scheme to defraud, a felony punishable by a prison term of 1 1/3 to four years."

Newsday also reported about the conviction:

"... prosecutors, who portrayed Whitehead as a criminal "ringleader" who used his ex-girlfriend to obtain credit information from a Patchogue car dealership, said the partial verdict showed the jury's diligence in weighing each count. The verdict came after four days of deliberation. Prosecutors said Whitehead's victims stretched as far as Tennessee and Georgia."

The only problem I see with the conviction is that Whitehead should have also been forced to make restitution to his ID-theft victims.

Wednesday, April 23, 2008

Seattle Man Sentenced To 51 Months In Prison For Identity Theft

I am pleased to forward news when identity thieves receive what they deserve. The Seattle Post-Intelligencer reported:

"Kopiloff pleaded guilty to aggravated identity theft, mail fraud and accessing a protected computer without authorization to further fraud. He victimized more than 50 people and caused about $70,000 in losses, according to court records."

Readers should also note:

"The peer-to-peer network Kopiloff exploited is the type that is used to swap music online. Kopiloff used software such as LimeWire to search the computers of members of the file-sharing network for federal income tax returns, student financial aid applications and credit reports, according to prosecutors. The stolen merchandise would be shipped to mailboxes around the Puget Sound region, then sold for about half its retail value."

This story should be a warning to consumers about both the risks with file-sharing software, and the need to properly configure home firewall, wireless network, and anti-virus software.

Thursday, April 17, 2008

Hannaford Issues An Apology

I recently read this Associated Press news story:

"Hannaford supermarket shoppers are getting an apology in their shopping bags for a security breach that was announced two weeks ago. CEO Ron Hodge sent a message to customers online and through leaflets left in grocery bags. In the note, he apologizes for the "concern and inconvenience" that was created when 4.2 million credit and debit cards were potentially compromised. At least 1,800 cases of fraud have been reported. He says Hannaford stopped the theft and brought in top security experts to help us guard against any further attacks."

Since I don't shop at Hannaford, I read Hodge's apology at the company's web site. "Concern and inconvenience?" That seems to be an attempt to minimize a major data breach... to make it sound non-threatening or insignificant.

If your credit card number was stolen, then you probably got it replaced by your credit card issuer. Little problem there for consumers, but a major expense for credit card issuers.

If your debit card number was stolen, your bank probably issued a new checking account. There's the direct expense to the bank to issue a new checking account and debit card. There's also the time and work impact, since consumers have to set up their online banking with their new checking account. Plus, their bank may or may not have replaced any monies stolen from their checking account. I wouldn't describe that as "concern and inconvenience." And I doubt the identity theft victims view the incident as only a "concern and inconvenience."

At least Hodge had the good sense not to use in his statement the typical corporate double-speak (e.g., a lie) of "we have no indication that the personal data has been used for any improper purpose." There's no way to spin 1,800 fraud cases. Plus... theft is theft, and criminals will always attempt to use (or resell) stolen identity data.

The apology is nice but not enough. I understand a retailer's desire to do anything to get shoppers to continue shopping at their store. How about free credit monitoring and credit resolution for 10 years for identity theft victims? How about publication of Hannaford's revised data security processes so customers can feel confident about data security improvements so this doesn't happen again?

What a company does is more important than their words.

Apparently, several consumers agree. There are several class-action lawsuits claiming Hannaford didn't do enough to protect consumers' personal data. From the Times Herald-Record:

"Lawyers are seeking to consolidate about nine lawsuits into one federal class-action suit against Hannaford Bros... The motion to consolidate, which was filed in U.S. District Court in Bangor, Maine, on behalf of Greg Doherty and 'all others similarly situated,' charges Hannaford was negligent in not providing adequate data security and did not inform customers of the breach quickly enough. It seeks credit monitoring or similar protection, unspecified damages and attorneys' fees. Attorneys will have a better idea of the scope of damages when they nail down exactly how many card numbers were stolen, which may take some time, said Jon Lambiras, an attorney with the Philadelphia-based law firm Berger & Montague, one of several plaintiffs' firms involved in the lawsuit."

And, there are parallels to the TJ Maxx data breach:

"Hannaford's lack of proactivity is not unusual. Framingham, Mass.-based TJX, which owns stores such as TJ Maxx and Marshalls, offered no credit monitoring after a data breach exposed the personal information of some 45 million customers. It took a class-action lawsuit, filed by the same firm now suing Hannaford, to get credit monitoring."

Monday, April 14, 2008

CVS And The State Of Texas AG Reach An Agreement Regarding Information Security

KLTV reported that the Texas Attorney General's office and CVS Pharmacy, Inc. agreed to a settlement to protect CVS customers from identity theft:

"The settlement resolves the state's April 2007 enforcement action against the nation's largest retail pharmacy, which was charged with violating state laws that govern the disposal of customer records containing sensitive personal information. Under an agreed final judgment obtained by the Attorney General, CVS will overhaul its information security program. The program must be fully documented in writing and contain administrative, technical and physical safeguards designed to protect the personal information of CVS customers. CVS also will pay $315,000 to the State of Texas, which will be appropriated for the investigation and prosecution of other identity theft cases, pursuant to the Identity Theft Enforcement and Protection Act."

The Attorney General's office took action after hundreds of documents containing customers' sensitive personal information (e.g., credit card numbers and expiration dates; prescriptions with date of birth, doctors names, medication type) were unlawfully dumped behind a CVS store in Liberty, Texas. The state will use the money to prosecute other identity theft cases.

Details about the settlement:

"... CVS must implement a new training program to inform its Texas employees about the company's enhanced information security procedures. The employee training program must provide employees with a review of CVS' privacy procedures and a review of state laws governing the disposal of customer records. The training program also must explain identity theft, its costs to individual consumers and businesses, and the importance of abiding by the company's disposal program."

Only Texas employees? This sounds to me like sensible and appropriate data security actions any and all companies should implement nationwide, without waiting for a state AG to sue them to comply. Forbes Magazine reported:

"... the improper disposal of this information was a violation of [CVS'] record retention and privacy policies, and CVS took appropriate disciplinary action,' the statement said. When the suit was filed last year, CVS said the store manager had been fired. Earlier this month, CVS Caremark agreed to pay almost $37 million to nearly two dozen states and the federal government to settle claims it billed Medicaid programs for a more expensive formulation of an antacid."

When disposing of customers' and employees' records, companies would be well advised to follow the advice in this National Law Journal article: "Shred It Or Regret It."

Wednesday, March 05, 2008

Data Broker Sued For Selling Social Security Numbers

SC Magazine reported:

"The Missouri Attorney General's Office has filed a lawsuit against a Texas-based data broker that contends the company sold the Social Security numbers of some Missouri residents."

The Missouri AG's office seeks to shut down the site, PublicData.com, and fine its operators. The article quotes Attorney General Jay Nixon as saying:

"This website is a gold mine for identity thieves and needs to be shut down as soon as possible to protect the privacy of Missourians. My office has already seen proof of how this site can be used to destroy the credit of innocent consumers in at least one prominent identity theft case."

According to the company's press release at the PublicData.com web site:

"Irving, TX, February 20, 2008 - PublicData.com was unaware that some Missouri driver’s license numbers were the same as social security numbers. Since Thursday February 7, 2008, PublicData.com has been working with the Missouri Attorney General’s Office to resolve the issue surrounding the use of social security numbers on some Missouri driver’s licenses."

Data brokers buy and sell lists of consumer information, typically name and address information used by companies to mail catalogs or similar mailings. A good data broker is aware of the types of data it buys and sells, and the types of data it shouldn't trade.

The above statement by PublicData sounds like the company is trying to hide behind a claim where they regularly sold driver's license data and didn't know that some driver's licenses contained SSNs. To me, that sounds like a rather shaky or flimsy excuse. Plus, my Massachusetts driver's license number looks far different from a Social Security Number. Again, a good data broker should know what data they trade.

Now, I can't imagine why a person or a company would want to buy somebody else's driver's license data. I can imagine where a private investigator might buy this data while trying to find a person regarding a legal matter or outstanding debt.

If PublicData has sold SSNs, then in my opinion the site should be shut down and the firm's operators fined and jailed.

Tuesday, February 26, 2008

Experian Sues LifeLock

Last week, things really heated up in the credit monitoring and identity theft industry. Forbes magazine reported that Experian, one of the three major credit bureaus, had filed a lawsuit in California against LifeLock. According to the news report, Experian accused:

"... LifeLock of placing bogus 90-day fraud alerts on hundreds of thousands of credit files maintained by Experian. In the complaint, Experian says it has suffered "millions of dollars" in damages from being forced to process large numbers of initial fraud alerts and mail mandatory notices to customers."

What? Bogus fraud alerts? An increasingly large number of fraud alerts should not be a surprise to anyone in the identity theft/fraud business, given the steady number of corporate data breaches. 2007 was a record year for corporate data breaches. Depending upon the source you use (e.g., Attrition, the Identity Theft Resource Center, or Privacy Rights Clearinghouse), the number of records lost or stolen in 2007 ranged from 49 to over 100 million. Any source you pick documents an increase in data breaches in 2007 over 2006.

It seems to me that an increasing number of consumers are starting to read and follow the advice available in industry products and services. One of the first steps after a data breach or identity theft event is for the consumer to place a Fraud Alert on their credit reports. This was one of the first steps I took after my data was "lost" (probably stolen) during the February 2007 IBM data breach incident, along with the sensitive data of thousands of current and former IBM employees. Some consumers are willing to pay for convenience; to pay for a service to help them protect their sensitive personal data.

The Forbes news story goes on to report:

"Experian claims that LifeLock keeps its clients' files in a perpetual state of alert by repeatedly "crying wolf" on behalf of its clients. Its suit questions whether LifeLock has the legal right to request the 90-day alerts, which it maintains are meant to be placed only by individuals who have a reasonable suspicion that fraudulent activity has occurred."

Perpetual state of alert? Come on, Experian. That seems to be a far overstatement of the situation.

When a company suffers a data breach and loses the sensitive personal data of employees, former employees, and/or customers, the risk of identity theft and fraud doesn't disappear in a few months. The risk doesn't dissolve when the company issues a press release claiming, "there's no evidence that the data was stolen."

The consumers' sensitive data is out there... period... permanently. So, we consumers are forced to continually monitor our accounts and our credit reports for theft, abuse, or unauthorized access... permanently. We consumers are learning to better protect our sensitive personal data. Establishing repeated fraud alerts is one tool; a first step.

The Forbes article also reports:

"In the suit, Experian also charges that LifeLock has used false and misleading advertising to entice consumers into buying its protection, and is exploiting the system by acting as a middleman for services that the credit companies are required to provide to consumers for free, including annual credit reports, removal from mailing lists and fraud alerts."

That may be. I am not a subscriber to LifeLock since I have done by myself the identity-theft deterrence steps LifeLock charges a fee for. I must admit that LifeLock's advertising is everywhere... on radio, television, print ads, and around the web at social bookmarking sites. LifeLock seems to be doing a better job of promoting their service than Experian does of promoting its Family Secure credit monitoring service.

In his blog The Dunning Letter, Jack Dunning wrote this about Experian:

"Back in August of 2005, the Federal Trade Commission settled a case with Experian Consumer Direct, a subsidiary of the credit bureau, for deception in advertising “free credit reports” by failing to add the customer would be automatically signed up for credit monitoring services costing $79.95 each year. The FTC ordered Experian to give up $950,000 of its “ill-gotten gains.”"

Regarding deceptive advertising, Experian's history is not squeaky clean either.

I wonder if Experian sees the handwriting on the wall. As more consumers "lock down" their credit reports with Security Freezes, it becomes harder for credit bureaus like Experian to make the same profit amounts by selling only credit reports to potential lenders and creditors. Consumer credit reports with Security Freezes on them are credit reports Experian (and the other two credit bureaus) can't sell to potential lenders.

Combine this with the trend by more consumers to opt out of pre-approved credit offers, and the market for credit reports has to be negatively affected. So, to make the same profit amounts, Experian probably recognizes that it has to expand into new markets for more revenues. One of those new markets is the growing credit monitoring services market.

Fortunately for consumers, there are many choices today for a credit monitoring service. A consumer can monitor their credit report on their own, or subscribe to a credit monitoring service. These services are available from banks, credit card companies, credit bureaus, and independent companies... like LifeLock.

The wide range of choices is good for consumers, but is probably viewed negatively by Experian. The credit monitoring services market is filled with competitors offering a variety of services because the rise of identity theft has changed the marketplace. Consumers are slowly becoming educated about the scams, threats, and the value of theft-deterrence solutions. And companies have rushed to meet that need.

Consumers have also begun to realize that they want more control over who has access to their credit reports. The Security Freeze tool is a key tool for consumers to exercise control over their credit reports. The Security Freeze tool seems far stronger and more secure than the Fraud Alert tool. Starting with California in 2003, many states passed laws giving consumers the right to this Security Freeze tool. By the end of 2007, all three credit bureaus offered the Security Freeze tool nationwide, without waiting for states to pass more legislation.

So, the identity theft marketplace is changing at a fairly rapid pace. Previously, Experian competed against 2 other credit bureaus (e.g., Equifax and TransUnion) to sell consumers' credit reports. Now, Experian has a whole new set of competitors who offer credit monitoring services similar to Experian's credit monitoring service.

Is the lawsuit only about false/deceptive advertising? Maybe. But it may also be about intimidating or limiting competition, given the rapidly changing identity theft/fraud marketplace. What do you think?

Friday, February 22, 2008

Judge Hands Identity Thief The Maximum Sentence

From the St. Louis Today newspaper:

"A federal judge handed down a maximum sentence Friday to an identity thief who authorities said began a new scheme while still serving time in a halfway house for a previous one. The thief, Robert Unique Haines, 43, of the St. Louis area, must serve 14 years in prison, the U.S. attorney's office said. He pleaded guilty in October of conspiracy, aggravated identity theft, fraud with identification documents and escape."

Apparently, Haines recruited employees at an Old Navy store and at United Healthcare to steal customers' personal information. The thieves used the personal data to open credit accounts in the customers' names or take over their accounts. The theft was pretty extensive:

"The shoppers got cash and permission to use the cards for their own purchases, officials said, while Haines and others would sell the merchandise at a discount for cash. Investigators located 58 customer victims and $150,000 in fraudulent purchases or charges, although the companies notified more than 15,000 that their information was at risk."

The conspirators also received prison sentences:

"Former United Healthcare employee Clare Hungerford, 37, of the 11000 block of Hidden Lake Drive in St. Louis, was sentenced last month to four years in prison in the case. Former Old Navy employee Timothy Short, 32, of the 900 block of Concordia Lane, was sentenced in November to two years in prison. Six others have also pleaded guilty to related charges and were ordered to serve sentences of probation to 75 months in prison."

While the good news in this story was that the thieves were caught and sentenced, there is a cautionary message. The thefts relied on employees working inside the companies. This should be a signal to companies everywhere that security checks both before and during employment are necessary.

Tuesday, February 12, 2008

Wachovia Conspires With Telemarketing Fraudsters?

Thanks to Catherine for sharing this New York Times article. This news story caught my eye, not because Wachovia is the fourth largest bank in the USA, but because later this Spring I plan to review and compare the credit monitoring services offered by the major banks.

Anyway, according to the New York Times article, Wachovia did business with (and made big profits from) several telemarketing firms even though the bank allegedly knew in advance that these telemarketers had received numerous complaints:

"Last spring, Wachovia bank was accused in a lawsuit of allowing fraudulent telemarketers to use the bank’s accounts to steal millions of dollars from unsuspecting victims. When asked about the suit, bank executives said they had been unaware of the thefts. But newly released documents from that lawsuit now show that Wachovia had long known about allegations of fraud and that the bank, in fact, solicited business from companies it knew had been accused of telemarketing crimes. Internal Wachovia e-mail, for example, show that high-ranking employees at the nation’s fourth-largest bank frequently warned colleagues about telemarketing frauds routed through its accounts."

Telemarketing fraudsters are usually companies that contact consumers via phone offering a service or product that may not ever be delivered, and/or the consumer is overcharged. And, it gets worse:

"Moreover, executives at other banks, including Bank of America, Wells Fargo, Citizens Bank, the Social Security Administration, and the Justice Department Federal Credit Union also warned Wachovia multiple times that its accounts were being used for fraud, according to the lawsuit against the bank."

A judge will likely rule on this class-action lawsuit during the summer. Want to read more? The Boston Globe and Reuters also covered the story. The Street called the Wachovia story one of the "Five Dumbest things On Wall Street."

Banks handle and store our money. We consumers place a lot of trust in them. So, banks should operate in a manner that is transparent and reinforces consumers' trust. It seems that Wachovia either forgot this or ignored it during its rush to make money.

Thursday, January 31, 2008

No Updates From IBM At Its Web Site About Its February 2007 Data Breach

Every few weeks, I check IBM's employee web site for any updates about the company's February 2007 data breach. So far, IBM has not updated the site page. It contains the same content it did when I first visited the site in May 2007 -- eight months ago.

I had hoped that the site would have included updates about the status of the breach and data tape investigation. Maybe IBM will have recovered some or all of the "lost" data tapes by now? Or maybe the investigation might have uncovered some corrupt employees or vendor employees? I had hoped that IBM would have communicated more frequently with the identity-theft victims its breach created.

I am still hoping that during the next few months IBM will update the site with information about extending the credit monitoring service with Kroll after the year of free credit monitoring ends. Who knows, maybe the term of free credit monitoring will be extended.

It's hard to know what's going on with IBM since the page displays the same stale information it did in May 2007. Various news reports have reported that IBM cut the base pay of many employees by 15% after settling various class-action lawsuits which claimed that the company denied the workers overtime pay by illegally classifying them as exempt instead of hourly. Apparently, the pay cuts extend beyond the original group of employees identified in the class-action lawsuits.

Sounds like an attempt by IBM to play hard-ball.

Wednesday, January 30, 2008

Chicago Woman Gets 8 Years For Identity Theft

I like reading news stories about identity thieves who were caught and convicted. The Chicago Tribune newspaper reported:

"A Chicago woman who used a stolen identity to buy a house and a vehicle was sentenced Monday to 8 years in prison. Denise Williams, 37, bought a $173,000 house in the 6000 block of South May Street and a $24,000 Chevrolet Equinox using the personal information of a woman whose wallet was stolen during a trip to Chicago, said Andy Conklin, a spokesman for the Cook County state's attorney's office. Williams was not accused of stealing the wallet, but she used its contents, including the victim's Social Security card, to buy the home and the vehicle, Conklin said. It's unclear how she obtained the wallet."

The story demonstrates the damage identity thieves can do with a SSN, birthdate, and name. The story highlights the fact that identity information is bought and sold by numerous criminals. In my opinion, 8 years in prison sounds about right.

Thursday, January 24, 2008

Credit Card Truncation, Identity Theft, and Class Action Lawsuits

At the Credit Slips blog, contributing author Adam Levitin wrote an interesting post about retailers' responsibility to truncate credit card and debit card account numbers on consumers' bills:

"In 2003, Congress enacted the federal credit card truncation statute, 15 U.S.C. § 1681c(g), as part of the Fair and Accurate Credit Transaction Act (FACTA). This law, which was intended to help prevent identity theft, forbids anyone who accepts credit or debit cards from printing more than the last 5 digits of the card number or expiration date on any electronically printed receipt given to the cardholder at point of sale. The law became effective for all new cash registers as of Jan. 1, 2005, and for those registers already in use, as of Dec. 4, 2006."

Adam's post drives home the point about retailers' liability:

"If the merchant was negligent, then the merchant is liable for actual damages and attorneys’ fees/costs. But if the violation was willful—and this is key—meaning knowing or intentional, not malicious—then the merchant is subject to statutory damages of a minimum of $100 per violation, plus punitive damages, and costs/attorneys fees. $100 doesn’t sound like a lot, but multiply that by every transaction made at that register since the truncation statute’s effective date and potential damages are huge."

The Clausen Miller law firm confirmed this in a November 2007 post to their corporate clients:

"Whether large or small, all businesses that are not in compliance with FACTA are potential targets of this litigation. The driving force behind this flurry of class action litigation is financial. Statutory damages for a willful violation of FACTA are between $100 and $1,000 per violation, regardless of whether any actual damages were incurred or whether an individual’s identity was stolen."

The Clausen Miller article also highlighted the resulting class-action lawsuits:

"Entities such as Victoria’s Secret, Toys “R” Us, The Gymboree Corporation, California Pizza Kitchen, In-N-Out Burgers, Adidas Promotional Retail Operators, El Pollo Loco, Costco, and IKEA have all been involved in this litigation."

Want to learn more? Similarly, the Jones Day law firm advises their corporate clients to comply with the FACTA.

So, the next time you go shopping, check to make sure that the retailer's receipts display only a portion of your credit card or debit card number. And, shred any unneeded receipts which contain your personal information.

Tuesday, January 15, 2008

Appeals Court Upholds Verdict in Sloane v. Equifax

A recent FindLaw article by Anthony Sebok reported:

"The U.S. Court of Appeals for the Fourth Circuit recently upheld a sizable verdict against a credit agency for failing to promptly and efficiently aid a victim of identity theft. The decision in Sloane v. Equifax Information Services does not break new doctrinal ground. It does, however, underscore how identity theft could become a headache not only for individual consumers, but large financial reporting companies."

In 2003, Suzanne Sloane (Sloane) had her Social Security number stolen at Prince William Hospital in Virginia by a hospital employee named Shovana Sloane. The identity thief quickly ran up a $30,000 debt in Sloane's name. Sloane notified Equifax of the theft and provided appropriate documentation of the fraudulent charges according to Equifax's instructions. Shovana Sloane was later arrested and convicted of the identity theft crime. At the jury trial, Equifax was found liable: through its incompetence, it had compounded the problem and never accurately fixed Suzanne Sloane's credit report.

"Finally, in November 2005, Sloane sued all three of the national credit reporting agencies, the Prince William Hospital and the employment agency that had helped place Shovana Sloane. Sloane settled with all the defendants but Equifax."

Here's the most important part of the story for consumers:

"Sloane sued the credit agencies under the Federal Credit Reporting Act, a 1968 law Congress passed to protect consumers from negligently-maintained credit records. The law sets out requirements to ensure that credit reporting agencies maintain accurate records, and it provides for a private right of action by injured consumers, who may seek to recover damages in the event that a credit reporting agency negligently violates any of the statute's requirements. At trial, the jury found that Equifax had violated the FCRA and awarded Sloane $106,000 in economic losses and $245,000 in mental anguish."

The Appeals Court did reduce the amount of Sloane's award to $150,000. Maybe the credit bureaus will now take identity theft more seriously. In my opinion, the reduction was unwise since identity theft strikes at a consumer's ability to take care of themselves and their family. In his article, Sebok correctly concludes:

"As the Fourth Circuit itself noted, FCRA cases are changing. Whereas errors used to arise from simple carelessness within the banking industry itself, the possibility of the errors' resulting, instead, from identity theft, as occurred here, is increasing, along with the ubiquity of the Internet, Wi-Fi, and smartphones. Credit reporting agencies will be the means by which much more misinformation will be "published" and the consequences of lax practices for correction will grow even more severe."

Friday, December 21, 2007

TJX Settles With New England Banks

According to the Boston Globe newspaper, TJX Companies has agreed with several New England banks to:

"... settle a high-profile lawsuit over payment card security practices in the wake of the record-setting data breach at the Framingham retailer that compromised up to 100 million accounts. TJX, the parent of discount retail chains including TJ Maxx and Marshalls, will pay community banks and trade groups in Massachusetts, Connecticut, and Maine a portion of their legal expenses."

Terms of the settlement were disclosed, but the newspaper added:

"...the deal won't add to the $256 million TJX previously had budgeted to deal with the breach, a spokeswoman said yesterday."

The TJX debacle is far from over:

"TJX still faces claims from an Alabama bank and probes by federal and state officials. Mary Monahan, partner at Javelin Strategy & Research in California, said the deal is a relative win for TJX and no surprise after a decision by a federal district court judge made it harder for the banks to join together to sue TJX as a class."

If you follow this saga closely, you'll notice that TJX has given cash to everyone except to those that matter most... its customers. TJX has paid off Visa, its lawyers, and now some of the banks -- all with cash. TJX offered checks to a few customers, but most received vouchers to shop at the store. This is not a customer-friendly response to the victims of the TJX data breach, regardless of how appealing its holiday TV commercials might be.

Want to learn more? Read the TJX section of this blog and BusinessWeek. Me? I'm off to Target and Best Buy to finish my holiday shopping.

Wednesday, December 19, 2007

Whistleblower's Personal Data Published On the Internet

Imagine a doctor has published your most personal information online because that doctor didn't like your opinions of their medical services. Sounds like something far-fetched or science fiction? Nope. This is exactly what happened to Glenn Hagele, a patients' advocate. According to Glenn's web site:

"Glenn Hagele created a nonprofit Lasik patient advocacy organization to help inform the public of the potential risks and benefits of Lasik surgery. The Council for Refractive Surgery Quality Assurance that Glenn Hagele founded evaluates Lasik doctors to determine if their outcomes are at or above the norm. The organization's sister website Complicated Eyes assists those who have poor Lasik outcomes."

Like many people, Glenn believes the individual should have control of their personal information. According to the news release at the VNUNet.com site:

"Within weeks of notifying authorities of what he believed to be bankruptcy fraud, Glenn Hagele, of Sacramento California, learned that archived government documents with his private identity information were being published on the internet."

Apparently, one doctor didn't like Glenn's advocacy effort and retaliated by posting Glenn's most sensitive personal data (e.g., name, birthdate, SS#) on the internet. Some call this type of retaliation "cyber assassination." Obviously, it's meant to intimidate and to cause harm. And it created risks for Glenn where identity thieves could abuse his personal data and wreck his finances.

Glenn took action, researched the situation, sued the doctor, and won. From the VNUNet.com news release:

"A US court had ordered that the personal details of a Californian man be removed from the web, ruling that the information was posted online in retaliation for him blowing the whistle on a bankruptcy fraud case. In a civil lawsuit, Hagele alleges Lauranell Burch, a staff scientist at the National Institute of Health (NIH), used secure government computer resources to manage and hide ownership of the websites controlled through a Thailand intermediary."

Glenn was kind enough to provide a link to the new North Carolina law -- named the Burch Clause. I congratulate the North Carolina legislature for passing the Burch Clause.

This story is important for two reasons. First, consumers should have control over their personal data. Burch did not have Glenn's consent to publish his personal data on the internet, or anywhere else. Second, there have to be penalties when individuals (or companies) willfully publish an individual's personal information without their consent and with intent to harm or intimidate. The North Carolina legislature obviously agreed.

I expect that Glenn will closely monitor his credit reports and financial accounts. And if Glenn becomes an identity theft victim, I expect that he will sue Burch for reimbursement of both credit restoration and credit monitoring costs to repair any damage -- as the North Carolina law allows.

Tuesday, December 18, 2007

TJX Settles Visa Suit About Data Breach

According to Consumer Affairs:

"TJX Companies Inc., the corporate parent of retail chains T.J. Maxx and Marshalls, has reportedly agreed to a $41 million settlement with Visa in connection with a massive data security breach."

You can read more about this at Reuters, the Boston Globe, and CNN Money. According to CNN:

"In return, Visa will suspend and rescind a portion of the data breach fines it levied on the retailer's U.S. acquirer that remain eligible for appeal. At least 80 percent of the eligible Visa issuers must accept by Dec. 19 for the settlement to finalize."

You may remember, the TJX breach happened in 2006 (some say 2005) and wasn't reported until the end of 2006. First, some 45 million records were stolen, but the number was increased to about 90 million records. According to the news report, the credit-card-issuer companies incurred about $65 to $80 million in expenses to replace the stolen consumers' credit cards. Obviously, the card issuers want to be reimbursed by TJX for those expenses since TJX was lax about its data security. If the banks and card issuers have to absorb this expense, then everyone else will effectively pay for TJX's lax data security through higher credit card fees and rates.

Monday, December 10, 2007

Woman Wins $2.7 Mill Verdict Against Equifax

According to a recent UPI press release:

"The Florida Circuit Court jury in Orlando said the Atlanta company must pay medical-transcription worker Angela Williams $219,000 in actual damages and $2.7 million in punitive damages for negligent violation of federal credit-reporting laws..."

Apparently, the jury agreed with the plaintiff's argument that Equifax continually and repeatedly confused another person's credit information into Williams' credit report:

"At trial, her attorneys showed how Equifax repeatedly confused Williams with someone who had a similar name but whose credit file was rife with bad debt, the newspaper said. Williams disputed the errors numerous times, but Equifax kept passing along the false information, ruining her credit, she testified. After eight years of trying to resolve the issue, she sued the company in 2003."

UPI reported that this is the largest punitive-damages award ever against Equifax. This court verdict is a sad reminder that it is the individual consumer's responsibility to monitor the accuracy of their credit reports at the three national credit bureaus; and to notify the credit bureaus of any errors. Once notified, it is the credit bureaus' responsibility to fix the credit report.

To learn more, read the Orlando Sentinel article or the Credit Bureaus posts.

Saturday, October 27, 2007

Is Second Degree Harassment Appropriate Punishment For This Cyber Crime?

Thanks to Jonathan Feeley for alerting me to this very interesting, if not bizarre, news item from the Boston Globe newspaper:

"A 34-year-old Uncasville woman has been charged with using the Internet to try to get revenge on an old boyfriend by breaking up his marriage. Pilar Stofega has been charged with second-degree harassment and breach of peace and released on $2,500 bond."

What Stofega did:

"... she created phony profiles of the former boyfriend's current wife on some adult Web sites that included the wife's home and work phone numbers and high school yearbook picture."

Stofega did this to create marital problems between her former boyfriend and his wife. Was this identity theft? Or fraud? Does the punishment fit the crime? To me, Stofega's actions clearly meet the definition of fraud:

"Deceit, trickery, sharp practice, or breach of confidence, perpetrated for profit or to gain some unfair or dishonest advantage." [Source: Dictionary.com]

"Intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right." [Source: Merriam-Webster]

Not all harm to fraud victims is necessarily financial loss. Stofega clearly intended to cause harm by breaking up the victim's (wife's) marriage; plus, perhaps emotional distress to the victim and her husband. One could argue that a divorce would have had financial impacts, too.

Perhaps more importantly, Stofega didn't have the wife's permission to use the wife's identity, phone numbers, and picture to create phony profiles of the wife at social networking sites. So, Stofega's actions seem to meet the standard of identity theft, too... access to personal data the thief shouldn't have access to nor a right to use.

A consumer must be able to control their identity and their personal data. Stofega's crime is enough to give users of social networking sites, like Facebook and MySpace, some pause about the personal data they share publicly. (See my prior post about warnings for social networking site users.) The person you date today could fraudulently abuse you online tomorrow.

So, does the punishment fit the crime? I say no. The punishment is not strong enough. What do you think?

Monday, September 24, 2007

TJX Settles Out Of Court On Data Breach Lawsuit

From the September 21 Boston Globe newspaper:

"[Reuters - September 21, 2007] NEW YORK --TJX Cos Inc said Friday it and Fifth Third Bancorp had agreed to settle class action lawsuits brought on behalf of customers in the United States, Puerto Rico and Canada who were victims of a criminal intrusion into TJX's computer system."

This news story also made headlines in Canada. What I found most important in this news article:

"Under the settlement, which is subject to certain conditions, TJX customers who had their drivers license or other identification information stolen after making returns without a receipt, are being offered two to three years of credit monitoring and identity theft insurance and the cost of replacing IDs. Other affected customers are to receive vouchers, the company said."

Note: TJX offered its identity-theft victims 2 to 3 years of credit monitoring, not one year as IBM offered in response to IBM's data breach.


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.