The 2009 Data Breach Hall Of Shame

This month, Network World magazine released its list of the 2009 Data Breach Hall of Shame. This list includes companies and government agencies that really effed up... they didn't protect consumers' sensitive personal information as they should have. All of these breaches were preventable. Here's who made the list:

1. Transportation Security Administration (TSA) after it accidentally posted on a public Web site a manual that contained complete details on its airport screening procedures,
2. Heartland Payment Systems after it allowed hackers to steal about 130 million credit and debit cards over several months while the company was being certified as PCI compliant for security,
3. Health Net after it lost a hard drive with unencrypted personal, financial, and medical information of 1.5 million consumers and after it waited for six months before notifying government authorities and its breach victims,
4. U.S. Government Printing Office after it posted on a publicly accessible web site a document with details on U.S. civilian nuclear sites marked as "Highly Confidential Safeguards Sensitive,"
5. RockYou Inc after a hacker stole over 32 million consumers' passwords and sign-in credentials that were stored in plain text without any encryption or protection

I agree with Network World. The companies and agencies on this list deserved to be on this list. Their executives were sound asleep when they should have been awake and actively protecting the sensitive information they were entrusted with. In honor of these executives, I'd like to present them with the Data Breach Analysis Flow below, which was first published in this blog in September 2007:

Judge Dismisses Lawsuit About Express Scripts Breach

Last week, SC Magazine reported:

"A federal judge has dismissed a Missouri man's lawsuit against pharmacy benefit management firm Express Scripts, which suffered a data breach that exposed sensitive customer data. John Amburgy alleged that Express Scripts was negligent because it did not secure its database, leaving the system vulnerable to hackers who stole customer data, including names, Social Security numbers, birth dates and prescription information... Amburgy contended that he and other victims faced an increased risk of becoming the victims of identity theft. He sought damages for the time and money he spent protecting his identity after the breach. The case was dismissed last week by U.S. Magistrate Judge Frederick Buckles because Amburgy could not prove that his information was actually used fraudulently."

You may recall that Express Scripts received an extortion letter demanding money, or the thieves would expose the stolen personal information: either use it fraudulently or resell it to other identity criminals. More than 700,000 consumers were affected.

The judge's decision seemed very consumer-unfriendly to me. I guess that a consumer has to actually experience theft of their money or a financial account takeover (or drainage of funds) in order to prove negligence.

Frontline: "The Card Game"

Prior posts in this blog have covered the excesses by banks with consumer credit cards. Frontline's "The Credit Card game" program debuted yesterday. I highly recommend this excellent program:

"As credit card companies face rising public anger, new regulation from Washington and staggering new rates of default and bankruptcy, FRONTLINE correspondent Lowell Bergman investigates the future of the massive consumer loan industry and its impact on a fragile national economy. In The Card Game, a follow-up to the Secret History of the Credit Card and a joint project with The New York Times, Bergman and the Times talk to industry insiders, lobbyists, politicians and consumer advocates as they square off over attempts to reform the way the industry has done business for decades."

If you want to learn about the ways banks have rigged the financial system against consumers, watch this program. In an interview during the program, Nessa Feddis, a lobbyist from the American Bankers Association, made some totally irritating comments.

Check your local PBS station for more broadcast times, or watch the Frontline program "The Card Game" online.

Advice For Consumers About Holiday Shopping With Layaway Plans

Since banks and credit card companies have made it difficult to get and to keep credit, many consumers have turned to layway plans as a method to do their holiday shopping. If this situation describes you, then you should know that the U.S. Federal Trade Commission (FTC) issued an alert to consumers about layaway plans so you don't get "mugged" by a shady store or online retailer:

"... it’s important to ask questions about the layaway plan and the refund policy when considering the layaway option. The alert, “Layaway: Another Way to Buy,” also tells consumers to: check out the business offering the plan; get the merchant’s layaway policy in writing; and keep good records of payments."

To check out a business or retailer, visit the Attorney General’s Web site for your state (www.naag.org), the local consumer protection agency in your state, or the Better Business Bureau in your state. These resources can tell you if other consumers have already filed complaints about the retailer you are considering shopping at -- online or their physical store.

If you shop using layaway plans and encounter a problem, we'd love to hear about it. You can describe your situation below in a comment.

Federal Data Breach Legislation Makes It Way Slowly Through Congress

These two Federal bills are worth watching. From Government Information Security:

"The Personal Data Privacy and Security Act, or S. 1490, designates as fraud unauthorized access of sensitive personally identifiable information, which would lead to racketeering charges. The measure, sponsored by Committee Chairman Patrick Leahy (at left), D.-Vt., also would prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim."

The second bill:

"The Data Breach Notification Act, or S. 139, would require federal agencies and businesses engaged in interstate commerce to notify American residents whose personal information is accessed when a security breach occurs. An exception: if notification would hinder national security or a law enforcement investigation. S. 139, sponsored by Sen. Dianne Feinstein, D.-Calif., also would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached has information on more than 1 million people, is owned by the federal government, or involves national security or law enforcement."

ChoicePoint Settles With The FTC About Its Data Breaches and Security Lapses

I'd written previously about my less than consumer friendly experiences with ChoiceTrust, a service from ChoicePoint, Inc.. Recently, the U.S. Federal Trace Commission (FTC) announced a settlement by ChoicePoint, Inc. after the company's past data breaches and data security lapses:

"In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention. The FTC alleged that if the security software tool had been working, ChoicePoint likely would have detected the intrusions much earlier and minimized the extent of the breach. The FTC also alleged that ChoicePoint’s conduct violated a 2006 court order mandating that the company institute a comprehensive information security program reasonably designed to protect consumers’ sensitive personal information."

Gee, that's extremely poor management. First, the company fails to implement every security feature it had already established. Second, its actions violated a previous court order about data security. How arrogant can a company act?

ChoicePoint's settlement included actions to:

"... strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information... This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000."

Was this fine sufficiently large enough? In my opinion, no.

Will ChoicePoint do the right thing and maintain adequate protections for the consumer data it stores and sells? Will it comply with applicable Red Flag rules by the FTC in 2010? Time will tell. I'm not holding my breath.

I'd love to be able to pull my C.L.U.E. insurance reports and records from Choicetrust, but we consumers don't have that option. Due to ChoicePoint's cozy relationship with the government, the company enjoys a near-oligopoly status regarding C.L.U.E. insurance reports. This is a good example of a "free market" sham. Same for the credit-reporting agencies.

At some point, this crap has to end.

FTC Delays "Red Flag" Enforcement Again

Once again, at the request of members of Congress, the Federal Trade Commission (FTC) has delayed the enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors.

The prior enforcement date had been November 1, 2009. In May of 2009, the FTC changed the enforcement date from May 1, 2009 to August 1, 2009.

As part of the Fair and Accurate Credit Transactions Act, Congress directed the FTC and other agencies to develop regulations requiring financial institutions and creditor companies to address identity theft. The resulting regulations require these companies to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- commonly called "Red Flags" -- that could indicate identity theft.

The FTC regulations are pretty specific about the types of companies covered by these new identity-theft regulations:

"The Rule defines a “financial institution” as: 1) a state or national bank, 2) a state or federal savings and loan association, 3) a mutual savings bank, 4) a state or federal credit union, or 5) any other entity that directly or indirectly holds a “transaction account” belonging to a consumer. “Transaction accounts” are deposits or accounts from which a consumer can make payments or transfers to third parties. Banks, federally chartered credit unions, and savings and loans come under the jurisdiction of the federal bank regulatory agencies or the National Credit Union Administration and should check with them for guidance. The FTC’s jurisdiction extends to state chartered credit unions and other institutions that hold transaction accounts – for example, mutual funds that offer accounts with check writing or debit card privileges or other businesses that offer accounts where consumers can make payments or transfers to third parties. Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing... In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector..."

In April of 2009, the FTC launched a Web site to help small and medium-sized businesses comply with the new Red Flag regulations. A U.S. District recently ruled that attorneys are exempt form the new regulations. A different set of regulations apply to hospitals and health care firms.

During the coming weeks and months I will explore the Red Flag rules more closely since the new enforcement data is an opportunity for consumers to demand more from companies that store and user their sensitive personal information. The opportunity is for consumers to be able to ask a company they are considering doing business with for a written statement of how that company protects their sensitive personal data.

Will the June 2010 date hold? Who knows. The FTC's pattern of delays suggests probably not. As this issue moves forward, the I've Been Mugged blog will report about it.

Understanding How Secure Your Medical Information Is And Who Has Access To It

Like most people, I have recently started reading about electronic health records (EHR) and how secure my medical information is. The list of abbreviations and acronyms can be confusing. For example, there are subtle but important differences between the terms: EHR, Personal Health Record (PHR), and Electronic Medical Record (EMR).

You may find this overview article from PrivacyGurus.com helpful with understanding the current state of privacy about your medical information:

"Long-standing laws in many states and the age-old tradition of doctor-patient privilege have been the mainstay of medical privacy protection for decades. But in the 21st century, those privileged to your medical information have increased in number - and not always for the better. The extent of privacy protection given to your medical information often depends on where the records are located and the purpose for which the information was compiled. That means that the laws that cover privacy of medical information vary by situation. Confidentiality is likely to be lost in return for circumstances like insurance coverage, an employment opportunity, your application for a government benefit, or an investigation of health and safety at your work site. That means that you may have a false sense of security based on the highly touted Health Insurance Portability and Accountability Act (HIPAA)."

I found this particularly important:

"... a wide range of people, both in and out of the health care industry, share your medical information, often because you’ve agreed to it. One is the Medical Information Bureau (MIB), which is a central database of medical information of approximately 15 million Americans and Canadians. About 600 insurance firms use the services of the MIB primarily to obtain information about life insurance and individual health insurance policy applicants. The MIB is a consumer-reporting agency subject to the federal Fair Credit Reporting Act (FCRA) and doesn’t fall under HIPAA. It functions more like a credit score for health. The MIB does not have a file on everyone. But if you have an MIB file, you will want to be sure it is correct. You can obtain a free copy once a year by requesting it from their website or by calling (866) 692-6901."

The U.S. Department of Health & Human Services (HHS) federal agency operates the official HIPAA privacy web site. Several medical experts contribute to the unofficial HIPAA.com site, where you can browse the list of personal data items of consumers protected by HIPAA.

Warnings For Consumers From The Federal Reserve Board

This blog is all about empowering consumers (whether you have been mugged or not) to protect their money and sensitive personal information. Last week, the Federal Reserve Board (FRB) issued a warning to consumers to be aware of:

"... fraudulent solicitations that appear to be made with the approval or involvement of the Federal Reserve, Federal Reserve officials, or other U.S. government officials. These solicitations promise bogus financial services or large sums of money in exchange for either payment or personal information that can then be used to access a consumer's bank account."

This type of warning usually means a rise in the amount and frequency of phishing e-mail messages and/or phishing Web sites -- methods to trick consumers into disclosing their sensitive personal information (e.g., bank account numbers, Social Security number, etc.) to identity criminals. That means you may see official-looking but bogus e-mail message that appear to come from the FRB. The FRB operates this web site for users to file complaints about fraud. You should also notify your local law enforcement and submit a complaint to the FTC.

Recently, the I've Been Mugged blog reported advice for consumers from the FRB about private educational loans, shopping for mortgages, and credit cards.

The Credit Card Industry Struggles With Keeping Consumers' Data Secure

The last few weeks have included a huge increase in identity-theft news. First, we consumers heard on August 17 about the indictment of three hackers -- a Miami man and two Russian accomplices -- in what is probably the largest data breach and theft in the USA. More than 130 million debit and credit card numbers were stolen.

This latest theft of 130 million card numbers covered data breaches from 2006 to 2008 for companies including Heartland Payment Systems, a card payment processor, and retail chains 7-Eleven Inc and Hannaford Brothers. The Heartland breach has affected dozens of banks nationwide.

Second, we learned that this the Miami man, Albert Gonzalez, was also a former government informant for the U.S. Secret Service since 2003 and was already known to government officials, and already in prison for a series of eight retail hacks affecting and additional 40 million credit cards. The thefts of those 40 million additional cards included retail companies such as BJ's Wholesale Club and TJX Companies/T.J.Maxx. So one man (with help from some friends) stole more than 170 million debit/credit cards.

How do three people steal 130 (or 170) million credit cards? Third, we started hearing technical terms like the "SQL injection" technique the criminals used to exploit weaknesses in the way computer system developers write code for credit card databases. According to InternetNews:

"For his crimes, if Gonzalez is convicted in the Heartland incident, he'll face a fine of at least $250,00, and up to 25 years in prison. Gonzalez had servers in California, Illinois, Latvia, the Netherlands and Ukraine..."

Sounds to me like far more than three people are involved. You don't simply set up servers in multiple countries without some help. This theft smells like an organized business. I want law enforcement to capture and prosecute other criminals worldwide (e.g., Hacker-1 and Hacker-2 who are in or near Russia) who aided the thefts and/or resold the stolen data.

Fourth, details then began to emerge about the breaches at specific companies:

"... Dallas-based 7-Eleven, while confirming security breaches, said that only ATMs at some stores were affected... Moreover, the Dallas chain would not say where the affected stores were.... A 7-Eleven statement said the chain became aware of attacks in late 2007, saying they had occurred Oct. 28 through Nov. 8. The indictment said the chain’s network was breached from August 2007... Each card-issuing company made its own decision on what action to take, including replacing cards or putting card numbers on an alert for fraud..."

Like a bad screenplay, we further learned that Gonzalez went by the "soupnazi" online alias and he:

"... reportedly became an informant for the Secret Service in 2003, helping in a sting of a cybercrime syndicate, known as Shadowcrew.com. But afterward, Gonzalez re-established his own hacking group, called "Operation Get Rich or Die Tryin," according to Threat Level..."

Perhaps most troubling:

"Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them. And the underlying security holes mined by the hackers still exist in many payment networks."

Most of this was summarized nicely in the New York Times:

"The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research."

You may remember that the breaches at Heartland and Hannaford occurred while both companies were supposedly within compliance to security requirements. Again, from the New York Times:

"Those standards were set by a council that includes the world's two largest credit card networks, Visa and MasterCard Inc; fast-food leader McDonald's Corp; oil major Exxon Mobil Corp; and big banks Bank of America Corp and Royal Bank of Scotland Plc... Yet some 5 percent of the largest retailers and restaurants still have not met compliance deadlines set in 2007, according to Visa."

Clearly, the security standards are insufficient and need to be strengthened. Then, we learned that J.C. Penny, Target, Boston Market, DSW, Office Max, Barnes & Noble, and Sports Authority were affected by the Gonzalez-led breaches. By the end of the week, Gonzalez pled guilty to several charges about the breaches, and would get a maximum of 25 years in prison.

Meanwhile, the banks, credit card networks, and retailers argue about the appropriate security standards and who should pay. What should consumers do?

We consumers can't control the squabbles between the banks, credit card networks, and retailers. We can control which cards we use and when. My advice is this:

1. Shop online with your credit card, since that gives you more protection than a debit card.
2. If you can, use cash for in-store purchases, or use a credit card. Why? Retailers are not honest and transparent about informing consumers of breaches or about which stores in their chain are problematic. (Remember, not all states have data breach notification laws.) And, the credit card industry still hasn't solved its security problems. See this blog post above.
3. Use your debit card at your bank's ATM machines. Regardless of those entertaining Visa and MasterCard advertisements on television, the system isn't as secure as it should be. I avoid ATM machines in convenience stores, and try to use ATM machines only in my bank's branches.
4. Review your monthly credit card statements, since some fraud shows up as tiny charges first (e.g., 25 cents) and since you may spot fraud first. Don't rely on your bank spotting it first. If you spot fraudulent charges, report it quickly to your bank or credit card issuer.

Fact Check The Messages In Your E-mail In-Box Before Forwarding

A few days ago, an acquaintance in Atlanta (who is a doctor) forwarded this e-mail message to me:

"Subject: SOCIAL SECURITY CHANGES

It does not matter if you personally like or dislike Obama. You need to sign this petition and flood his e-mail box with e-mails that tell him that, even if the House passes this bill, he needs to veto it. It is already impossible to live on Social Security alone. If the government gives benefits to 'illegal' aliens who have never contributed, where does that leave those of us who have paid into Social Security all our working lives? As stated below, the Senate voted this week to allow 'illegal' aliens access to Social Security benefits. Attached is an opportunity to sign a petition that requires citizenship for eligibility to that social service. Instructions are below. If you don't forward the petition and just stop it, we will lose all these names. If you do not want to sign it, please just forward it to everyone you know. To add your name, click on 'forward'. Address it to all of your email correspondents, add your name to the list and send it on. When the petition hits 1,000, send it to comment@whitehouse.gov .

Dear Mr. President:
We, the undersigned, protest the bill that the Senate voted on recently which would allow illegal aliens to access our Social Security. We demand that you and all Congressional representatives require citizenship as a pre-requisite for social services in the United States. We further demand that there not be any amnesty give n to illegal aliens, NO free services, no funding, no payments to and for illegal immigrants.
[Names redacted]"

My acquaintance wanted to know what I thought of this message, and if the e-mail message is accurate. First, understand that I am all for citizen participation in a democracy. And that includes petitions.

When I receive an e-mail message like this, I try to verify its accuracy and authenticity. One way I do this is to see if the e-mail message includes any references and/or citations. The citation could be the formal bill number and/or a web site address. Bills written in the U.S. Congress have an HR-xxx number, and bills written in the U.S. Senate have a S-xxx number. This is how everyone tracks Federal legislation, and it assumes you know how the legislative process works. For a complete list of resolution and bill prefixes, see this U.S. Senate site page.

The e-mail message above didn't include a date, any references to bill numbers, any links to Web site pages by the sponsor of the petition, or to related news articles. Maybe this information was deleted as multiple people forwarded the message. Regardless, the message I received didn't provide any means to evaluate the petition's accuracy and authenticity. Hence, this e-mail message is garbage, in my opinion, and I deleted it after sending a reply to my acquaintance.

As a last resort, I suggested that my acquaintance check snopes.com, which does a good job of analyzing and debunking the hoaxes and fictitious e-mail messages. Maybe snopes.com has analyzed this email message. I felt that the message was not worth me wasting any more time on it.

After thinking about this some more, I began to wonder if messages like this are slick attempts at e-mail harvesting.

I also wonder about the thinly disguised bigotry in the message, since it targets undocumented workers in the USA, and not the companies that hire them without perform adequate and sincere background checks. Yes, people who immigrate illegally into the USA often use stolen identification papers in order to gain employment. That usually means using another person's Social Security number (SSN) to get paid. There are severe consequences for a consumer when another person uses your SSN.

This situation is good and bad news. While these undocument workers are working illegally, they pay into Social Security, local taxes, and Federal taxes. Our state and local governments seem happy to receive this tax revenue. The bad news is for the victims -- the consumers whose SSN's are being used by two people. It places the burden on the victims to prove the fraud. Citizens are already urged to check our annual Social Security Statements for fraud, which is a dubious data security process at best. Experts state that this method won't catch all SSN fraud.

In my opinion, the USA needs a better, more secure process for creating, administering, and securing Social Security numbers. A couple computer scientists should not be able to create real Social Security numbers using mathematical formulas. It also means holding companies responsible to perform adequate background checks when hiring workers.

Currently, there is no effective way for citizens to protect their SSN from abuse. The only thing you can do is monitor you annual social security statement and if the salary in that does not match what you earned last year, then it's a good chance another person is using your SSN. At that point, you need local law enforcement and a lawyer to help you resolve and unravel things.

There has to be a better way than this current approach. We citizens should demand that of our legislators. That is a more important issue. It's about the integrity of the Social Security system.

Advice And Help From The Federal Reserve Board For Consumers

Three things you should know about so you don't get "mugged" by a loan company or bank:

1. On July 30, 2009 the Federal Reserve Board (FRB) issued updated rules about mandatory disclosure by companies offering private educational loans:

"The Federal Reserve Board on Thursday approved final amendments to Regulation Z (Truth in Lending) that revise the disclosure requirements for private education loans. The amendments implement provisions of the Higher Education Opportunity Act (HEOA) enacted in August 2008. Under the amendments, creditors that extend private education loans must provide disclosures about loan terms and features on or with the loan application and must also disclose information about federal student loan programs that may offer less costly alternatives. Additional disclosures must be provided when the loan is approved and when the loan is consummated... The new disclosure requirements apply to loans made expressly for postsecondary educational expenses but do not apply where educational expenses are funded by credit card advances, or real-estate-secured loans. In addition, the amendments do not apply to education loans made, insured, or guaranteed by the federal government, which are subject to disclosure rules issued by the Department of Education."

The changes go into effect in about 6 months.

2. The FRB also announced the availability of a new publication, "5 Tips for Shopping for a Mortgage," to help consumers make good decisions to select the best home mortgage possible:

"As a starting point, consumers are urged to conduct a financial self-assessment that includes scrutinizing their budget, checking credit reports, and reviewing credit scores. The guide directs consumers to a worksheet for developing a monthly spending plan and strongly suggests setting aside funds for emergencies. It is important for consumers to evaluate their options and avoid expensive loans. The publication recommends taking the time do some comparison shopping by analyzing loan offers from mortgage lenders and mortgage brokers. It also explains the difference between brokers and lenders... The guide advises consumers to take advantage of additional information from other Federal Reserve publications, resources, and websites. It suggests that consumers also seek financial education materials from other trusted sources such as the U.S. Department of Housing and Urban Development and NeighborWorks."

NeighborWorks is a national nonprofit organization created by Congress to provide financial support, technical assistance, and training for community-based revitalization efforts. "5 Tips For Shopping for a Mortgage" is available in both English and Spanish. This publication is a good step given the large amount of mortgage defaults by consumers as part of the financial crisis.

3. During the financial crisis, many consumers have experienced reduced access to credit. Early in March, this blog warned consumers of the coming higher interest rates, additional fees, and reduced limits for credit cardholders. For some home owners, the crisis meant reduced home equity lines of credit (HELOC). For this, the FRB announced a new guide for consumers that:

"... explains consumers' rights and lenders' responsibilities when credit lines are reduced and provides information for those seeking to have a credit line reinstated. "5 Tips for Dealing with a Home Equity Line Freeze or Reduction" explains that lenders can lawfully reduce or limit a consumer's line of credit regardless of whether the consumer has made timely payments. However, the lender must send a written notice of the action no later than three business days after the freeze or reduction goes into effect. The notice must include information about any other changes to the HELOC. The freeze or reduction notice should include specific reasons for the action. The most common reasons for modifying the terms of a HELOC are a decline in the home's value, or a change in financial circumstances."

Tagged Gets 'Tagged' For Alledged E-mail Harvesting

Last week, MediaPost News reported:

"Two California residents have sued social networking site Tagged.com for allegedly duping them into sharing their email contacts and then sending those contacts misleading ads... The California case was brought by Miriam Slater of Santa Barbara and Sara Golden of Los Angeles. Slater, an artist, alleges that she received a Tagged email on June 6 that purported to be from an acquaintance who wanted to share photos. Slater says in the complaint that she visited the site and provided the company with information, but only because she wanted to view the pictures. She alleges that Tagged never disclosed that she was actually registering to join the site or that it would harvest her email addresses and then solicit those contacts."

Earlier this month, the CNN'/Fortune Brainstorm Tech reported:

"Social-networking site Tagged.com has become a target of New York Attorney General Andrew Cuomo and the bane of a multitude of customers... which New York Attorney General Andrew Cuomo says he plans to sue for false advertising, deceptive business, and identity theft. What makes the case timely is that many of Tagged.com's practices, like mass emails and data mining, have become commonplace among social media sites. But Tagged's aggressive combination of these digital promotions set it apart from its competitors, Cuomo charges."

All of this was after Time magazine called Tagged.com the world's most annoying web site. I received one of these e-mail offers from Tagged. It was tempting to act on the e-mail because it appeared to come from somebody I knew. I deleted the e-mail because it seemed odd... the person who sent it to me was unlikely to have uploaded photos to this social media site. If the person had, I felt like they would have sent me another invite to their photos on Tagged. Of course, that second invite never came.

What should consumers make of this?

1. Read the fine print (e.g., links to a Privacy Policy or Terms & Conditions Statement) of any e-mail you receive asking you to sign up to a social media site.
2. Verify the invite independently with your friend. Text, phone, or e-mail your friend to ask them if they sent an invite for ABC social media site. Ask them if they really are a member of ABC social media site and have content there.
3. Remember, you have a choice. Even if you get satisfactory answers to #2, you don't have to join (yet another) social media site. If it's that important to your friend, they will probably be happy to show you their photos or videos via another social media sites or in-person.
4. If you do register at a new social media site, don't be quick to share your credentials (e.g., ID and password) or apps for other sites with the new site. See how well the new site protects your personal information first. Trust is earned, not given away freely.
5. If you think that you and the people in your e-mail address book got burned by a Tagged e-mail invite, set up a Google or Yahoo alert to follow this lawsuit (e.g., Slater v. Tagged Inc.), and join the lawsuit when it reaches class-action status.

The whole situation reminds me of a line from the film "Unforgiven," an excellent western. See it if you haven't. In one scene, a gunfighter attempts to rationalize the people he has killed by saying, "He had it coming!" It seems to me that the executives at Tagged, Inc. have it coming.

Any company that abuses consumers' privacy and sensitive personal data has it coming. Once again, the Privacy Crusaders strike!

The New York Times Interview of David Vladeck of the F.T.C.

If you follow this blog, then you know that I've covered the U.S. Federal Trade Commission (FTC), especially about behavioral advertising. My opinion of the FTC has been far less than stellar, due to the commission's tendency toward self-regulation and its support of wacky things like basing insurance rates on credit reports.

I worry that that the FTC will become the next Securities & Exchange Commission (SEC), where online advertising becomes so complicated that the FTC becomes unable to keep up -- as many argued that the SEC was unable to keep up with Wall Street's financial practices. One area where the FTC seems to be lagging is with RFID technologies.

With that in mind, I read the New York Times interview of David Vladeck, the new head of the Bureau of Consumer Protection at the FTC. Maybe this interview is damage-control by the FTC. Or maybe it's a frank discussion of some particularly gnarly issues:

"The infrastructure for doing work on privacy is in very good shape. It was time for the agency to reconceptualize its privacy mission and to look for a new framework to approach privacy issues in this incredibly dynamic environment. One thing that was needed was someone in a position of authority to basically say, the frameworks that we’ve been using historically for privacy are no longer sufficient in this incredibly dynamic marketing."

When asked how the FTC will keep up with the advertising industry's rapid pace of change, Vladeck's comments are disappointing:

"We’re hoping that if we have candid conversations with them they’ll be more forthcoming, and this is not our first option, but we can make people talk to us. I would like to think that just by force of my charm and personality they’ll do that but if not there are all sorts of other ways we can get information. We’d prefer to persuade industry it’s in their best interests to cooperate on these sorts of things. If not, we’ll be forced to imagine the worst, and that doesn’t help anybody."

Is he serious? Force of his charm? Behavioral advertising techniques to collect consumers' data are moving at light speed. There are browser cookie based approaches, deep-packet inspection approaches, and lately online behavioral advertising networks are moving towards integrating both  consumers' offline and online habits into the online ads served. There are even more ways to provide opt-out (or opt-in) mechanisms and policy statements online. I'm hoping for leadership from Vladeck, not consensus-building.

About today's online disclosures and privacy statements, Vladeck said:

"Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act."

No kidding. It has become increasing difficult for consumers to effectively make choices, since so many advertising programs use opt-out instead of opt-in, many have made the opt-out mechanism difficult to find and to use, and few programs provide open, honestly and transparent information about how consumers' data is shared among specific third-party companies and partners. Sites like TOSBack are trying to hlp consumers keep up with the complicated and fast-changing online privacy and web site policies.

One of the more positive comments by Vladeck that shows that the FTC is paying attention to consumers' needs:

"The empirical evidence we’re seeing is that disclosures on their own don’t work, particularly disclosures that are long, they’re written by lawyers, and they’re written largely as a defense to liability cases. Maybe we’re moving into a post-disclosure environment. But there has to be greater transparency about what’s going on. Until I see evidence otherwise, we have to presume that most people don’t understand, and the burden is going to be on industry to persuade us that people really are well informed about this."

The Sears settlement with the FTC was a thread throughout the interview, but Vladeck seemed reluctant to use that case as the basis for future rule-making. When asked about whether privacy policies and/or web site terms and conditions statements alone constituted effect consent for consumers, Vladeck replied:

"You’re trying to get me to revert back to these frameworks. I’m going to resist doing that until we have a better sense of whether there are other ways of making sure consumers are adequately informed that when they go on the Times website all of these different transactions are either happening or possible. And it may be that bubble disclosures or pop-up disclosures or anti-cookie devices, there may be all sorts of way to do this, that substitute for the lengthy, form-written privacy policy disclosures that are written by risk-averse lawyers rather than communication experts."

That sounds like a non-answer to me. The FTC wants to leave it open about how companies' web sites provide consumers with consent and notice, but is reluctant to present specific guidelines or rules.

Yeah, the interview was probably an attempt at damage control. I hope (for all our sakes) that the FTC can and does keep up.

IRS Phone Forum About Online Fraud and Identity Theft

It's good to see the U.S. Internal Revenue Service (IRS) taking action about fraud and identity theft.

On August 19, the IRS will host a free phone forum (e.g., that's a large, public conference call) titled "Everyone's at Risk - Combating the Increasing Threat of Online Fraud and Identity Theft." Th event is for practitioners: tax professionals, attorneys, payroll professionals, small businesses, the IRS' industry partners, and both state and local governments.

Participants will learn about identity protection efforts by the IRS, the process for reporting tax-related identity theft, victim assistance, how to report phishing schemes targeted at taxpayers, and IRS efforts to combat online fraud targeted at taxpayers. Advance registration for the event is required.

You can learn more and register for the event at the IRS site.

It's Time To Enforce the Privacy Of Consumers' Medical Prescriptions

It was infuriating to read this New York Times article, "And you Thought A Prescription Was Private:"

"Like many other people, Ms. Krinsk thought that her prescription information was private. But in fact, prescriptions, and all the information on them — including not only the name and dosage of the drug and the name and address of the doctor, but also the patient’s address and Social Security number — are a commodity bought and sold in a murky marketplace, often without the patients’ knowledge or permission. That may change if some little-noted protections from the Obama administration are strictly enforced. The federal stimulus law enacted in February prohibits in most cases the sale of personal health information, with a few exceptions for research and public health measures like tracking flu epidemics. It also tightens rules for telling patients when hackers or health care workers have stolen their Social Security numbers or medical information..."

Unfortunately:

"The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased... Ms. Krinsk was never able to find out who sold her information, but companies that have been accused in lawsuits of buying and selling personal medical data include drugstore chains like Walgreens and data-mining companies like IMS Health and Verispan. CVS Caremark, which handles prescriptions for corporate clients, has also been accused of violating patients’ privacy.

Once again, California leads the way:

"The ban on marketing is even more strict in California, where Walgreens is fighting off a class-action lawsuit filed on behalf of customers who received the subsidized mailings before the state outlawed them in 2004... The data mining industry, meanwhile, is challenging laws in New Hampshire, Maine and Vermont that ban collecting and selling prescription information to drug makers, which use it to decide which doctors to market to. The companies in the case, IMS Health and Verispan, now part of the private company SDI Health, said the identities of patients were removed."

These companies claim that patients' names are removed or encrypted before data is sold, but who verifies this? How are consumers to know if these companies are doing as they claim?

If this infuriates you (and I sincerely hope that it does), I encourage you to write to you elected officials in Congress today and demand prescriptions privacy, stiff penalties for violators, and enforcement of existing laws. Write to your elected state officials and demand local state laws guaranteeing the privacy of your medical prescriptions. Insist that the transition to electronic medical records (EMR) happens only after privacy is guaranteed.

Chicken Little Congress (Video & Somewhat Political)

[Editor's Note: Today's blog post below is a commentary by Montana Maven, who gave anyone permission to publish it. The commentary sums up pretty well how I feel about the health care discussion in a Congress that is quick to spend $2 billion more to subsidize auto purchases but timid when it comes to health care. Our current system is designed to maximize profits while minimizing the number of people covered, while a truly responsible health care system would maximize the number of persons covered and the number covered with adequate insurance. I am proud to live in a state, Massachusetts, that is trying to solve a difficult problem rather than run away from it. Too often, it seems that too often the attitude in Congress -- or frequently within the "Party of No" -- is to find ways not to do something, rather than find creative ways to solve a problem. When will people realize that a a country is only a strong as the health of its citizens? People are worth more than autos.]

Senator Chuck Grassley pays $356.59 a month for health insurance with a $300 deductible. We pay for his cheap care with our taxes. When asked why we can’t have what he has with our tax money, he told the guy to “Get a job with the Feds”. Hey, Chuck, guess you forgot whom your boss is. It should be us. But like Max who received $3,902,785 from the health care industry over his career, Wellpoint and Blue Cross Blue Shield might have better seats at the Chuck’s table.

Americans are already paying more in taxes for health care than Canadians and are not as healthy. We have the fourth highest infant mortality rate of the 30 developed countries. We are 24th of the 30 countries in life expectancy. That’s because we have a for profit insurance based system. We have great health care providers, but we are often denied full access by some insurance bureaucrat.

Health insurance is not health care. Trying to figure out how to keep the profit in health care is a losing proposition. Other countries use insurance companies to manage bill paying but all of them are non profit.

And we have the money to pay for it. All our Chicken Little legislators do is squawk, “Cost, cost, cost!” like a bunch of hens. We have a $16 Trillion dollar economy. We just spent $160 billion bailing our insurance giant AIG. We spend over $1 Trillion a year on keeping 761 military bases in 150 countries. Come on, close a few of them. A measly $150 billion a year for health care is cheap and money much better spent because it is spent here in the good old U.S.A. on its hard working citizens. Support H.B. 676 Medicare for All. It’s a lot simpler than the Chicken Littles want you to believe.

---

How bad is the influence peddling and lack of accountability by Congressional representatives to their constituents? Watch this:

I love how Olbermann calls on the carpet both Democrats and Republicans, and especially the Blue Dog Democrats:

"You were not elected to create a Democratic majority. You were elected to restore this country. You were not elected to serve the corporations and the trusts who the government has enabled for these last eight years. You were elected to serve the people. And if you fail to pass or support this legislation, the full wrath of the progressive and the moderate movements in this country will come down on your heads. Explain yourselves not to me, but to them. They elected you. And in the blink of an eye, they will replace you."

Here's a link to the transcript, courtesy of JedL at the Daily Kos.

The FTC To Rigorously Study Fraud

In his Bizop News blog, attorney Michael Webster wrote:

"The FTC has finally decided to start studying fraud and not simply rely upon the discredited notion of disclosure for prevention. The FTC held a workshop earlier in the year about consumer fraud. From that workshop, the FTC made a decision to try empirically understand the determinants of consumer fraud."

The FTC program was announced in the U.S. Federal Register (PDF). This is clearly good news since:

"The [FTC] Commission has also conducted telephone surveys in 2003 and 2005 designed to measure the proportion of the U.S. adult population that has fallen victim to various consumer frauds. Despite this, surprisingly little is known about what determines consumers' susceptibility to fraud. For example, the 2003 and 2005 FTC Consumer Fraud surveys found that education was not a significant predictor of fraud victimization. Understanding when and why people are vulnerable to fraud would better inform the FTC's substantial, ongoing efforts to fight fraud through law enforcement and consumer education... study results may aid the FTC's efforts to better target its enforcement actions and consumer education initiatives, and improve future fraud surveys."

The FTC's approach towards a rigorous study of fraud:

"Economic and psychological experiments have identified several decision-making biases, such as impulsivity, over-confidence, overoptimism, and loss aversion, that can cause inaccurate assessments of the risks, costs, and benefits of various choices. FTC staff proposes to conduct an economic laboratory experiment to study whether these types of decision biases are related to consumer susceptibility to fraudulent or deceptive marketing claims. Staff intends to study consumers’ assessment of potentially deceptive advertisements... The FTC proposes to conduct an experiment in a university’s economics laboratory with 250 subjects drawn from the campus community. A sampling of 250 persons enables random assignment of subjects into different experimental conditions..."

According to the Federal Register, interested consumers and companies can submit written comments
electronically or in paper form about proposed study approach. Comments should refer to the "Fraud Susceptibility Experiment, FTC File No. P095501," and include your name and state. You can submit comments online at the FTC Web site on or before August 10, 2009. Comments will be made public so do not disclose any sensitive personal or financial information.

Teach Your Dad About 'Phishing' This Father's Day

To help consumers avoid identity theft, the U.S. Federal Trade Commission has developed an electronic Father's Day card with tips about how to spot bogus phishing e-mail messages. Versions of the FTC e-card are in English and in Spanish.

To learn more about phishing, whaling, v-phising and other scams, browse the Scams and Threats section of this blog. Or, take one of these online identity theft quizzes.

If you or a parent have been the victims of identity theft and fraud, you should report it to both local law enforcement and to the FTC. To file a complaint in English or Spanish, visit the secure FTC Complaint Assistant site, or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad.

Sears Settles With The FTC About Consumer Privacy Abuses With Undisclosed Tracking Software

I've Been Mugged discussed consumer privacy abuses by Sears in 2008. On June 4, 2009, ComputerWorld reported Sears Holdings Management settled with the U.S. Federal Trade Commission about a complaint where Sears failed to inform "My SHC Community" customers about the large amount of sensitive personal data it collected with a downloadable software application:

"Sears Holdings, owner of the Sears and Kmart retail chains, invited some visitors of Sears.com and Kmart.com to become members of the "My SHC Community," paying them $10 if they agreed to download "research" software that would confidentially track their online browsing... the software not only tracked browsing, but also monitored customers' online secure sessions, including sessions on third-party Web sites... The Sears software collected the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size of Web-based e-mail messages... The software would also track some computer activities that were unrelated to the Internet..."

From now through July 6, interested consumers can submit comments to the FTC about this Sears settlement. Before submitting a comment, consumers should read:

• How To File Public Comments by the FTC
• FTC press release about the Sears settlement
• The FTC Complaint and proposed settlement agreement

Based on comments received, the FTC will decide whether or not to proceed with the proposed settlement agreement. I encourage readers to review the proposed settlement. You may feel it is not strong enough, especialy about the sensitive consumer data Sears already collected.